130 likes | 212 Views
DNSSEC 101. Kevin Miller. DNS Underpins Everything. Email. VoIP. CMS. IM. Enterprise Systems. Web. DNS Underpins Everything. Email. VoIP. Inbound Email Volume. CMS. IM. Enterprise Systems. Web. Received Email Spam, virus filtering using DNS. 10+ DNS Queries Per Message.
E N D
DNSSEC 101 Kevin Miller
DNS Underpins Everything Email VoIP CMS IM Enterprise Systems Web
DNS Underpins Everything Email VoIP Inbound Email Volume CMS IM Enterprise Systems Web Received Email Spam, virus filtering using DNS 10+ DNS Queries Per Message
Risks from DNS Attacks • Impersonate your web site • Redirect your phone calls • Man-in-the-middle (password theft) • Reroute or block your email • Disrupt your network, application services • Attack vectors for malware (data theft) • Denial of service Diagram source: Internet Storm Center
DNS Attack: Cache Poisoning Where is website.com? Answer: 67.11.23.9 Also, www.bank.com – 12.1.2.3
DNS Attack: Forgery Where is educause.edu? Answer: 198.59.61.65 Answer: 12.1.2.3
DNS Attack: Indirection Where is educause.edu? Answer: 12.1.2.3
DNS Attack: Amplification 60 byte request 4000 byte response
Software Defects Buffer overflow Other vectors
Risk Reduction To Date • Improving weaknesses in DNS software • Patching software defects • Limiting cache poisoning opportunities • Improve operational best practices • Restrict access to DNS recursers • Install anti-IP spoofing filters • Improve host security • Anti-virus, anti-malware defenses Photo source: BCP38
DNSSEC • Cryptographically sign DNS records • Also the absence of records • Maintains DNS architecture • Hierarchical, distributed signatures • Significant risk reduction, if used widely • Protects you (www.school.edu) • Protects your users (www.bank.com)
What Can Be Done Now? • Discover local implications • How do you manage DNS? What tools are used? • What impact would DNSSEC have? • Do your vendors support it? • Can you servers handle DNSSEC overhead? • Begin building expertise, experience • Sign a test zone • Deploy a test DNSSEC recurser • Deployment • Sign your zones • Utilize DNSSEC-enabled recurser with DLV
Additional Resources • http://www.dnssec.net • http://www.bind9.net • http://www.dnsreport.com • http://www.dnssec-deployment.org/ • http://www.uoregon.edu/~joe/port53wars/port53wars.pdf • http://www.nanog.org/mtg-0606/damas.html