DNSSEC 101 - PowerPoint PPT Presentation

Slides: 14
Provided by: kevin541
Tags: dnssec


Transcript and Presenter's Notes

1
DNSSEC 101
  • Kevin Miller

2
DNS Underpins Everything
3
DNS Underpins Everything
4
Risks from DNS Attacks
  • Impersonate your web site
  • Redirect your phone calls
  • Man-in-the-middle (password theft)
  • Reroute or block your email
  • Disrupt your network, application services
  • Attack vectors for malware (data theft)
  • Denial of service

Diagram source: Internet Storm Center
5
DNS Attack: Cache Poisoning
Where is website.com?
Answer: 67.11.23.9. Also, www.bank.com: 12.1.2.3
6
DNS Attack: Forgery
Where is educause.edu?
Answer: 198.59.61.65
Answer: 12.1.2.3
7
DNS Attack: Indirection
Where is educause.edu?
Answer: 12.1.2.3
8
DNS Attack: Amplification
60 byte request
4000 byte response
9
Software Defects
Buffer overflow
Other vectors
10
Risk Reduction To Date
  • Improving weaknesses in DNS software
      • Patching software defects
      • Limiting cache poisoning opportunities
  • Improve operational best practices
      • Restrict access to DNS recursers
      • Install anti-IP spoofing filters
  • Improve host security
      • Anti-virus, anti-malware defenses

Photo source: BCP38
11
DNSSEC
  • Cryptographically sign DNS records
      • Also the absence of records
  • Maintains DNS architecture
      • Hierarchical, distributed signatures
  • Significant risk reduction, if used widely
      • Protects you (www.school.edu)
      • Protects your users (www.bank.com)

12
What Can Be Done Now?
  • Discover local implications
      • How do you manage DNS? What tools are used?
      • What impact would DNSSEC have?
      • Do your vendors support it?
      • Can your servers handle DNSSEC overhead?
  • Begin building expertise, experience
      • Sign a test zone
      • Deploy a test DNSSEC recurser
  • Deployment
      • Sign your zones
      • Utilize DNSSEC-enabled recurser with DLV
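
A check for the test DNSSEC recurser mentioned above, as an added example that is not part of the original slides: it builds a query with the EDNS0 DO bit set and reads the AD flag and RCODE from the reply header. The function names and the sample headers are constructed for illustration.

```python
import socket
import struct

AD_FLAG = 0x0020      # header bit: resolver authenticated the answer
DO_FLAG = 0x00008000  # EDNS0 bit in the OPT TTL field: "send me DNSSEC records"

def build_query(name, qtype=1, txid=0x1234):
    """Build a recursive query that carries an EDNS0 OPT record with DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO_FLAG, 0)  # root name, type OPT, 1232-byte UDP size
    return header + question + opt

def classify_response(msg, txid=0x1234):
    """Return how the recurser treated the answer, judged from the header only."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", msg[:4])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F == 2:
        return "servfail"       # a validating recurser answers SERVFAIL for bogus data
    if flags & AD_FLAG:
        return "validated"      # AD=1: signatures were checked up the hierarchy
    return "not-validated"      # unsigned zone, or the recurser is not validating

def ask(resolver_ip, name, timeout=3.0):
    """Send the query over UDP to the test recurser and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return classify_response(s.recv(4096))

# Constructed sample headers (not captured traffic): ID 0x1234, then flags.
SAMPLE_VALIDATED = bytes.fromhex("123481a0") + bytes(8)  # QR RD RA AD, NOERROR
SAMPLE_UNSIGNED = bytes.fromhex("12348180") + bytes(8)   # QR RD RA, NOERROR
SAMPLE_BOGUS = bytes.fromhex("12348182") + bytes(8)      # QR RD RA, SERVFAIL

if __name__ == "__main__":
    samples = [("signed", SAMPLE_VALIDATED), ("unsigned", SAMPLE_UNSIGNED), ("bogus", SAMPLE_BOGUS)]
    for label, msg in samples:
        print(label, "->", classify_response(msg))
```

Call `ask()` with the address of your own test recurser and a name in the zone you signed. The AD flag is only meaningful when the network path to that recurser is trusted.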

13
Additional Resources
  • http://www.dnssec.net
  • http://www.bind9.net
  • http://www.dnsreport.com
  • http://www.dnssec-deployment.org/
  • http://www.uoregon.edu/joe/port53wars/port53wars.pdf
  • http://www.nanog.org/mtg-0606/damas.html