CmpE 526 Operating System and Network Security, Spring 2005 (presentation transcript)

1
CmpE 526 Operating System and Network Security,
Spring 2005
  • Presentation on DNS Security

Demet AYVAZ 07/04/2005
2
OUTLINE
  • DNS Overview
  • DNS Security Threats
  • Securing DNS
  • Server-Client Security (DNSSEC)
  • Server-Server Security (TSIG)
  • Conclusion

3
DNS OVERVIEW: What is DNS?
  • Distributed, hierarchical system mapping
    • host names to IP addresses
    • IP addresses to host names
  • Data organized as a tree structure called the Domain
    Name Space

[Figure: domain name space tree. Root at the top; below it edu, mil, com; below those darpa, isi, cisco, usmc; below those nge, quantico.]
4
DNS OVERVIEW: DNS Components
  • The Database
    • Domain name space (DNS tree)
    • Resource Records
  • The Server
    • Name Server
  • The Client
    • Resolvers

5
DNS OVERVIEW: Name Servers
  • Manages some portion of the Domain Name Space (a zone)
  • Assists clients in finding information within the
    DNS tree
  • Multiple name servers can be authoritative for one
    zone
  • Primary server: the server on which actual changes
    to the zone data take place
  • Secondary server: a server which maintains a copy
    of the primary server's zone database

6
DNS OVERVIEW: Resource Records
  • Contain data associated with domain names
  • A Resource Record (RR) has 6 fields
    • NAME: name of the owner
    • TYPE: the type of data held
    • CLASS: class info (IN for Internet)
    • TTL: time period to cache the record
    • RDLENGTH: length of the data
    • RDATA: resource data

7
DNS OVERVIEW: Resource Record Types

  Record Type   Description                Usage
  A             Address Record             Maps an FQDN to an IP address
  PTR           Pointer Record             Maps an IP address to an FQDN
  NS            Name Server Record         Denotes a name server for a zone
  SOA           Start of Authority Record  Specifies attributes of a zone

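As an added example (not part of the original slides), here is a small parser for the wire format behind slides 6 and 7. It reads the six RR fields (NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA) from a constructed response that carries the www.darpa.mil A record used later on slide 16, and it refuses the one malformation a resolver must guard against in this format: a name-compression pointer that does not point backwards, which would otherwise let a crafted message loop the parser. The sample bytes and the looping message are constructed for this example; the type-code table uses the standard codes.

```python
import struct

# Standard type codes (RFC 1035 and the DNSSEC/TSIG RFCs); used only to label output.
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 24: "SIG", 25: "KEY",
              30: "NXT", 43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 250: "TSIG"}


def read_name(msg, offset):
    """Decode a (possibly compressed) domain name starting at `offset`.

    Returns (name, offset_after_name). A compression pointer is accepted only
    if it points backwards, so a crafted message cannot loop the parser or
    send it past the end of the buffer.
    """
    labels = []
    end = None                      # where parsing resumes once a pointer was followed
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:   # two-byte compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= offset:
                raise ValueError("compression pointer must point backwards")
            if end is None:
                end = offset + 2    # the name ends here; labels continue at the target
            offset = target
            continue
        if length > 63:
            raise ValueError("label length %d exceeds 63" % length)
        if length == 0:             # root label terminates the name
            offset += 1
            break
        label = msg[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("label runs past end of message")
        labels.append(label.decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_rr(msg, offset):
    """Parse one resource record: the six fields NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    name, offset = read_name(msg, offset)
    if offset + 10 > len(msg):
        raise ValueError("truncated RR header")
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    rdata = msg[offset:offset + rdlength]
    if len(rdata) != rdlength:
        raise ValueError("RDLENGTH exceeds message")
    if rtype == 1 and rdlength == 4:        # A: dotted-quad IPv4 address
        text = ".".join(str(b) for b in rdata)
    elif rtype in (2, 12):                  # NS, PTR: RDATA is a (compressible) name
        text, _ = read_name(msg, offset)
    else:
        text = rdata.hex()
    rr = {"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)), "class": rclass,
          "ttl": ttl, "rdlength": rdlength, "rdata": text}
    return rr, offset + rdlength


def parse_message(msg):
    """Parse the header, question and answer sections of a DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte header")
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        qname, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, TYPE_NAMES.get(qtype, str(qtype)), qclass))
    answers = []
    for _ in range(ancount):
        rr, offset = parse_rr(msg, offset)
        answers.append(rr)
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def rejects(msg):
    """True if parse_message refuses the message (used to check the hardening)."""
    try:
        parse_message(msg)
    except ValueError:
        return True
    return False


# Constructed sample: a response carrying the www.darpa.mil A record from slide 16.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # ID 0x1234, flags QR/RD/RA, 1 question, 1 answer
    b"\x03www\x05darpa\x03mil\x00\x00\x01\x00\x01"         # question: www.darpa.mil. type A class IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"    # answer: pointer to offset 12, A, IN, TTL 3600, RDLENGTH 4
    b"\xc0\x05\x12\x13"                                    # RDATA 192.5.18.19
)

# Constructed malformed message: the question name is a pointer to itself.
LOOPING_MESSAGE = (b"\x12\x34\x81\x80\x00\x01\x00\x00\x00\x00\x00\x00"
                   b"\xc0\x0c\x00\x01\x00\x01")

if __name__ == "__main__":
    for rr in parse_message(SAMPLE_RESPONSE)["answers"]:
        print(rr)
    print("looping message rejected:", rejects(LOOPING_MESSAGE))
```

The backwards-only rule for pointers is stricter than RFC 1035 strictly requires, but it guarantees termination without a hop counter and costs nothing for well-formed messages.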
8
DNS OVERVIEW: Resolver and Resolution

[Figure: resolution path. On the local machine a user program asks the name resolver, which checks its cache; on a miss the resolver queries name servers, up to the primary name server.]
9
DNS OVERVIEW: Caching
  • Speeds up the resolution process
  • If the answer is not in the cache, a recursive query
    is initiated
  • Resource Records are kept in the cache for a limited time
    (TTL)

10
DNS Security Threats: DNS Vulnerabilities
  • The original DNS design focused on data availability
    and did not include security
    • DNS zone data is replicated at multiple servers
    • Access to the domain name space is not restricted
  • But the DNS design included no authentication
    • Any DNS response is generally believed
    • No attempt to distinguish valid data from invalid

11
DNS Security Threats: Weaknesses of DNS
  • Cache Poisoning
  • Client Flooding
  • Dynamic Update Vulnerability
  • Information Leakage

12
DNS Security Threats: Cache Poisoning
  • A weakness of DNS
  • The DNS server holds incorrect information, intentionally
    or unintentionally
  • A result of trusting non-authoritative
    information
  • Malicious cache poisoning is DNS spoofing

13
DNS Security Threats: Cache Poisoning Example
14
DNS Security Threats: Client Flooding
  • A client makes a query and receives and accepts
    thousands of DNS responses
  • A result of the lack of authentication
  • The client cannot verify the origin of the responses

15
DNS Security Threats: DNS Dynamic Update
  • The original DNS design assumes manual updates of
    zone files
  • The DNS dynamic update protocol is a modification
  • Vulnerable to threats such as IP spoofing
  • Attacks: deleting records, malicious
    redirection

16
DNS Security Threats: Man in the Middle Attack

[Figure: the client asks the caching DNS server "www.darpa.mil A?"; the caching server follows the referral chain root DNS server -> mil DNS server -> darpa.mil DNS server. Two answers arrive for the same question, "www.darpa.mil A 192.5.18.19" and "www.darpa.mil A 128.9.128.127".]
First response wins. Second response is silently
dropped on the floor.
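To make "first response wins" concrete, here is an added model of the caching server on slide 16 (example code written for this transcript, not from the slides). The resolver keeps one outstanding query per 16-bit transaction ID, accepts the first answer whose ID, question and source match, drops everything else, and evicts the cached record when the TTL from slide 9 elapses. The server label and the clock values are constructed; the two addresses are the ones on the slide, with the second arriving after the first has already been accepted.

```python
import random


class CachingResolver:
    """Model of a caching resolver: one outstanding query per transaction ID,
    first matching answer wins, later or unsolicited answers are dropped.
    `now` is an injectable clock so TTL expiry can be shown without waiting."""

    def __init__(self, now):
        self.now = now
        self.cache = {}        # (qname, qtype) -> (rdata, expires_at)
        self.outstanding = {}  # txid -> (qname, qtype, server)

    def lookup(self, qname, qtype="A"):
        """Return the cached RDATA while the record's TTL has not run out."""
        key = (qname.lower(), qtype)
        entry = self.cache.get(key)
        if entry is None:
            return None
        rdata, expires_at = entry
        if self.now() >= expires_at:      # TTL elapsed: evict, caller must re-query
            del self.cache[key]
            return None
        return rdata

    def send_query(self, qname, qtype, server):
        """Record an outstanding query and return its transaction ID."""
        txid = random.randrange(1 << 16)
        self.outstanding[txid] = (qname.lower(), qtype, server)
        return txid

    def accept_response(self, txid, source, qname, qtype, rdata, ttl):
        """Accept an answer only if it matches an outstanding query's ID,
        question and expected source; cache it and close the query. Anything
        else, including a second answer to a query already closed, is dropped."""
        pending = self.outstanding.get(txid)
        if pending is None:
            return False
        if pending != (qname.lower(), qtype, source):
            return False
        del self.outstanding[txid]
        self.cache[(qname.lower(), qtype)] = (rdata, self.now() + ttl)
        return True


def demo(clock_values=(1000, 1100)):
    """Replay the slide-16 exchange against a fake clock and return the outcomes.
    The server label is a constructed placeholder; the addresses come from the slide."""
    ticks = iter(clock_values)
    current = [next(ticks)]

    def now():
        return current[0]

    resolver = CachingResolver(now)
    server = "darpa.mil-server"                         # constructed label
    txid = resolver.send_query("www.darpa.mil", "A", server)
    first = resolver.accept_response(txid, server, "www.darpa.mil", "A", "128.9.128.127", ttl=60)
    second = resolver.accept_response(txid, server, "www.darpa.mil", "A", "192.5.18.19", ttl=60)
    unsolicited = resolver.accept_response(txid ^ 1, server, "www.darpa.mil", "A", "192.5.18.19", ttl=60)
    cached = resolver.lookup("www.darpa.mil")
    current[0] = next(ticks)                            # advance the clock past the 60 s TTL
    after_ttl = resolver.lookup("www.darpa.mil")
    return {"first": first, "second": second, "unsolicited": unsolicited,
            "cached": cached, "after_ttl": after_ttl}


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(outcome, "->", value)
```

The model shows the limit of matching on ID, question and source: whichever matching answer arrives first is the one that ends up in the cache, which is why the remaining slides turn to DNSSEC, where the answer itself carries a verifiable signature.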
17
SECURING DNS
  • It is necessary to have security built into
    DNS systems
  • TSIG transactions
    • Enhancements to secure Server-Server
      transactions
  • DNS Security Extensions (DNSSEC)
    • Enhancements to secure Server-Client
      transactions

18
SECURING DNS: DNS Data Flow
  • Every flow is a potential source of threat

19
DNSSEC: What is DNSSEC?
  • The DNSSEC working group was formed in 1994 by the IETF
  • The group designed security extensions to the DNS
    protocol, called DNSSEC

20
DNSSEC: Services Provided by DNSSEC
  • DNSSEC provides
    • Data origin authentication
    • Data integrity assurance
  • DNSSEC is designed to be interoperable with
    non-security-aware implementations

21
DNSSEC: Changes to the DNS Protocol
  • DNSSEC adds four new RRs
    • SIG RR: Signature resource record
    • KEY RR (DNSKEY): Key resource record
    • DS: Delegation Signer
    • NXT RR (NSEC): Next Secure
  • Two new message header bits
    • CD: Checking Disabled
    • AD: Authenticated Data

22
DNSSEC: Origin Authentication and Integrity
  • Authenticity: is the data published by the
    entity we think is authoritative?
  • Integrity: is the data received the same as what
    was published?
  • Public key cryptography is used to answer these
    questions
  • Signatures are used to check both the integrity and
    the authenticity of data

23
DNSSEC: KEY RR
  • Used to store public keys
  • The KEY RR of a name server accompanies all its
    responses
  • Keeps the public key of a zone, a host or a user
    in its RDATA field
  • Several key algorithms are supported: RSA/MD5,
    DSA, Diffie-Hellman

24
DNSSEC: KEY RR Record Format
  • 16-bit flags
  • 8-bit protocol
  • 8-bit algorithm
  • public key of any length
  • Example:
    Movie.edu. IN KEY 256 3 1 (
        AQOvhvXXU61Pr8sCwELcqqq1g4JJ
        CALG4C9EtraBKVdvGIF/unwigfLOA
        O3nHp/cgGrG6gJYe8OWKYNgq3kDChN )

25
DNSSEC: SIG RR
  • Stores the signature made with the zone's private key
  • Whenever a name server sends a response to a
    query, it runs the response through a hash function and
    encrypts the result with its private key

26
DNSSEC: SIG RR Record Format
  • 16-bit type covered
  • 8-bit algorithm
  • 8-bit labels covered
  • 32-bit original TTL
  • 32-bit signature expiration
  • 32-bit signature inception
  • 16-bit key tag
  • signer's name
  • signature field
  • Example:
    www.ripe.net. SIG A 1 3 3600 20010504144523 (
        20010404144523 3112 ripe.net.
        VJ8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN
        vhYuAcYKe2X/jqYfMfjfSUrmhPo0/GOZjW
        66DJubZPmNSYXw )
27
DNSSEC: DS RR
  • Essentially a pointer to the next key in the
    chain of trust
  • Still in draft but expected to become part of the
    standard

28
DNSSEC: NXT RR
  • Used for non-existent domain names
  • Aim is to authenticate the non-existence of a
    resource record
  • Tells which domain name comes after another one
  • Example:
    Movie.edu. NXT bigt.movie.edu (NS, SOA,
    SIG, NXT)
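The slide's example says which name follows movie.edu. but not how the chain is built or how a resolver uses it. As an added example (written for this transcript, not taken from the slides), the code below sorts a small constructed zone into DNSSEC canonical order (RFC 4034 section 6.1: labels compared right to left, case-insensitively), links each owner to the next with the last record wrapping to the apex, and then classifies a query as "exists", "no such type" or "no such name" by finding the NXT record whose interval covers the queried name. The zone contents beyond the movie.edu./bigt.movie.edu. pair are constructed; the signatures that would accompany each NXT record are not modelled.

```python
def canonical_key(name):
    """Sort key for DNSSEC canonical name order: labels compared from the
    rightmost one, case-insensitively, as unsigned octets; an owner name
    sorts before every name that extends it (tuple prefix ordering)."""
    labels = [lab.lower().encode("ascii") for lab in name.rstrip(".").split(".") if lab]
    return tuple(reversed(labels))


def build_nxt_chain(zone):
    """zone: {owner name: set of RR types present at that owner}.
    Returns [(owner, next_owner, sorted types)]; the last record wraps to the
    apex. NXT and SIG are added to every owner because both records are
    placed there when the zone is signed."""
    owners = sorted(zone, key=canonical_key)
    chain = []
    for i, owner in enumerate(owners):
        nxt = owners[(i + 1) % len(owners)]
        types = sorted(zone[owner] | {"NXT", "SIG"})
        chain.append((owner, nxt, types))
    return chain


def covering_record(chain, qname):
    """Return the NXT record whose interval covers `qname`, i.e. the proof
    that the name does not exist; None if the name exists or lies outside
    the zone. `chain` must be in canonical order (as build_nxt_chain returns)."""
    q = canonical_key(qname)
    for owner, nxt, types in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if q == o:
            return None                    # the name exists; only its type list matters
        if o < q < n:                      # strictly between owner and its successor
            return (owner, nxt, types)
        if n <= o and q > o:               # last record: wraps around to the apex
            return (owner, nxt, types)
    return None


def answer_with_nxt(chain, qname, qtype):
    """What a signed zone can prove about a query: the type exists, the name
    exists but not the type (its NXT type list is the proof), or the name does
    not exist (the covering NXT record is the proof)."""
    for owner, nxt, types in chain:
        if canonical_key(owner) == canonical_key(qname):
            status = "exists" if qtype in types else "no such type"
            return status, (owner, nxt, types)
    record = covering_record(chain, qname)
    if record is None:
        return "outside zone", None
    return "no such name", record


# Constructed zone; movie.edu. and bigt.movie.edu. are the names on the slide.
SAMPLE_ZONE = {
    "movie.edu.": {"SOA", "NS"},
    "bigt.movie.edu.": {"A"},
    "carrie.movie.edu.": {"A"},
    "terminator.movie.edu.": {"A"},
}

if __name__ == "__main__":
    chain = build_nxt_chain(SAMPLE_ZONE)
    for record in chain:
        print("%s NXT %s (%s)" % (record[0], record[1], ", ".join(record[2])))
    for qname, qtype in (("shining.movie.edu.", "A"), ("bigt.movie.edu.", "MX"), ("zzz.movie.edu.", "A")):
        print(qname, qtype, "->", answer_with_nxt(chain, qname, qtype))
```

Because the chain lists real owner names, it also lets anyone walk the whole zone name by name; that is the information-leakage trade-off that later replaced NXT/NSEC with NSEC3 for zones that care, and it is worth knowing before signing a zone with this record type.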

29
DNSSEC: Chain of Trust
  • Applied for data origin authentication
  • Verification tells that the data is correct; it does
    not say anything about whether to trust the data
  • A public key is certified by a higher authority

30
DNSSEC: Chain of Trust

[Figure: chain of trust diagram. "." (the root name server of the DNS tree) at the top; below it the com. and it. name servers; below those foo.com. and polito.it.]
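The KEY record format on slide 24, the DS record on slide 27 and the chain-of-trust figure above fit together in one piece of code, added here as an example (not from the slides or any DNS implementation). It parses the presentation form used on slide 24 into the wire RDATA (16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes), computes the key tag that a SIG record's 16-bit key-tag field refers to (RFC 4034 Appendix B, with the separate rule for algorithm 1, RSA/MD5, that the slide's example uses), builds the parent's DS record as the SHA-256 digest of owner name plus RDATA (digest type 2, RFC 4509), and walks a chain ". -> com. -> foo.com." from a configured trust anchor. The keys are placeholder bytes, not real RSA keys, and the signatures a parent puts over its DS set are not modelled; only the "DS commits to child key" link is checked.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def parse_key_rr(text):
    """Parse 'owner [IN] KEY flags protocol algorithm ( base64 ... )' as on slide 24."""
    tokens = text.replace("(", " ").replace(")", " ").split()
    owner = tokens.pop(0).lower()
    if tokens[0].upper() == "IN":
        tokens.pop(0)
    rtype = tokens.pop(0).upper()
    if rtype not in ("KEY", "DNSKEY"):
        raise ValueError("expected a KEY/DNSKEY record, got %s" % rtype)
    flags, protocol, algorithm = [int(tokens.pop(0)) for _ in range(3)]
    b64 = "".join(tokens)                       # the key may be split across lines
    b64 += "=" * (-len(b64) % 4)                # restore padding that zone files omit
    return {"owner": owner, "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "key": base64.b64decode(b64)}


def key_rdata(rr):
    """Wire RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the raw public key."""
    return struct.pack("!HBB", rr["flags"], rr["protocol"], rr["algorithm"]) + rr["key"]


def key_tag(rdata, algorithm):
    """16-bit key tag (RFC 4034 Appendix B): lets a verifier pick the right key when
    a zone publishes several. Algorithm 1 (RSA/MD5) uses the Appendix B.1 rule:
    the 16 bits preceding the last octet of the RDATA."""
    if algorithm == 1:
        return int.from_bytes(rdata[-3:-1], "big")
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(rr):
    """Parent-side DS for a child key. Digest type 2 (RFC 4509) is SHA-256 over
    the child owner name in wire form followed by the KEY RDATA."""
    rdata = key_rdata(rr)
    digest = hashlib.sha256(name_to_wire(rr["owner"]) + rdata).hexdigest()
    return {"owner": rr["owner"], "key_tag": key_tag(rdata, rr["algorithm"]),
            "algorithm": rr["algorithm"], "digest_type": 2, "digest": digest}


def ds_matches(ds, rr):
    """One link of the chain: does the DS the parent publishes commit to this key?"""
    candidate = make_ds(rr)
    return all(candidate[f] == ds[f] for f in ("key_tag", "algorithm", "digest_type", "digest"))


def verify_chain(anchor_ds, chain, published_ds):
    """Walk the chain top-down. The first key must match the trust anchor configured
    in the resolver; each later key must match the DS its parent publishes for it
    (published_ds maps child owner -> DS). Returns (validated owners, whole chain ok)."""
    validated = []
    for depth, rr in enumerate(chain):
        ds = anchor_ds if depth == 0 else published_ds.get(rr["owner"])
        if ds is None or not ds_matches(ds, rr):
            return validated, False
        validated.append(rr["owner"])
    return validated, True


if __name__ == "__main__":
    # Constructed keys: placeholder bytes, not real RSA keys.
    root = parse_key_rr(". IN KEY 257 3 5 ( AQEB )")
    com = parse_key_rr("com. IN KEY 257 3 5 ( AQEC )")
    foo = parse_key_rr("foo.com. IN KEY 257 3 5 ( AQED )")
    published = {"com.": make_ds(com), "foo.com.": make_ds(foo)}
    print(verify_chain(make_ds(root), [root, com, foo], published))
    published["foo.com."] = make_ds(dict(foo, key=b"\x09\x09"))   # parent's DS no longer matches
    print(verify_chain(make_ds(root), [root, com, foo], published))
```

The walk stops at the first broken link and reports how far validation got, which is the information a resolver needs to decide whether the data below that point is "bogus" or merely "insecure" (a zone with no DS at all).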
31
DNSSEC: Query and Response Messages
32
TSIG: What is TSIG?
  • A mechanism for protecting a message from
    resolver to server and vice versa
  • A keyed hash is applied (like a digital
    signature) so the recipient can verify the message
  • Based on a shared secret: both sender and
    receiver are configured with it

33
TSIG: Services Provided by TSIG
  • TSIG provides
    • Authentication
    • Data integrity
  • For this purpose, it uses
    • A one-way hash function called MD5
    • Symmetric cryptography

34
TSIG: TSIG Record
  • TSIG is a meta record
  • Never appears in zone files or caches
  • A signer adds a TSIG record to a DNS message
  • The receiver removes and verifies the record
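Slides 32 to 34 describe the TSIG exchange in words; the code below, added as an example for this transcript (not from the slides or from any name server), carries it out with a constructed DNS query and a constructed shared secret. The signer computes an HMAC-MD5 over the message together with the TSIG variables (key name, algorithm name, time signed, fudge) and hands back the TSIG record; the receiver recomputes the MAC with the same secret, compares it in constant time, and only then checks that the timestamp lies within the fudge window, answering with the RFC 2845 error names BADSIG and BADTIME. The digest input is simplified against RFC 2845, which also covers class ANY, TTL 0, the error field and other data; the simplification is labelled in the code.

```python
import hmac
import struct

HMAC_MD5 = "hmac-md5.sig-alg.reg.int."     # algorithm name defined in RFC 2845


def name_to_wire(name):
    """Canonical wire form of a name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def tsig_mac(secret, message, tsig):
    """Keyed hash over the DNS message plus the TSIG variables.
    Simplified from RFC 2845 (assumption): the real digest also covers class ANY,
    TTL 0, the error field and other data; the order message || key name ||
    algorithm || time signed || fudge is kept."""
    data = (message
            + name_to_wire(tsig["key_name"])
            + name_to_wire(tsig["algorithm"])
            + tsig["time_signed"].to_bytes(6, "big")      # 48-bit seconds since the epoch
            + struct.pack("!H", tsig["fudge"]))           # 16-bit allowed clock skew
    digestmod = "md5" if tsig["algorithm"] == HMAC_MD5 else "sha256"
    return hmac.new(secret, data, digestmod).digest()


def sign_message(secret, message, key_name, now, fudge=300):
    """Signer side (slide 34): build the TSIG record that is appended to `message`."""
    tsig = {"key_name": key_name, "algorithm": HMAC_MD5,
            "time_signed": int(now), "fudge": fudge}
    tsig["mac"] = tsig_mac(secret, message, tsig)
    return tsig


def verify_message(secret, message, tsig, now):
    """Receiver side: recompute the MAC with the shared secret, compare in constant
    time, then check the timestamp. Returns (ok, rcode name from RFC 2845)."""
    if not hmac.compare_digest(tsig_mac(secret, message, tsig), tsig["mac"]):
        return False, "BADSIG"
    if abs(int(now) - tsig["time_signed"]) > tsig["fudge"]:
        return False, "BADTIME"
    return True, "NOERROR"


# Constructed sample: a plain query for www.darpa.mil A (header + question section).
SAMPLE_QUERY = (b"\x00\x2a\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x03www\x05darpa\x03mil\x00\x00\x01\x00\x01")
SHARED_SECRET = b"constructed-shared-secret"            # placeholder, not a real key
KEY_NAME = "host1-host2."                               # constructed key name

if __name__ == "__main__":
    signed_at = 1_000_000
    tsig = sign_message(SHARED_SECRET, SAMPLE_QUERY, KEY_NAME, signed_at)
    print("intact, on time:", verify_message(SHARED_SECRET, SAMPLE_QUERY, tsig, signed_at + 10))
    print("tampered message:", verify_message(SHARED_SECRET, SAMPLE_QUERY + b"\x00", tsig, signed_at + 10))
    print("wrong secret:", verify_message(b"other-secret", SAMPLE_QUERY, tsig, signed_at + 10))
    print("replayed later:", verify_message(SHARED_SECRET, SAMPLE_QUERY, tsig, signed_at + 1000))
```

Checking the MAC before the time is deliberate: RFC 2845 only lets a receiver report BADTIME for a message whose signature already verified, so an unauthenticated sender learns nothing about the receiver's clock.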

35
TSIG: TKEY Meta RR
  • The key shared by the name server and the
    resolver
  • Not stored or cached in DNS
  • Does not appear in zone files
  • Usually less than 256 bits

36
TSIG: Key Distribution
  • The key can be created by the server or the resolver
  • In the case of server-assigned keying
    • The server produces keying material
    • The resolver sends a query asking for a TKEY RR
    • In the additional section it sends its own public key
    • The server encrypts the keying material
      with the resolver's public key

37
CONCLUSION
  • The original DNS design is insecure
  • It has many weaknesses
  • DNSSEC and TSIG are modifications to the original
    design to add security
  • They provide data origin authentication and data
    integrity
  • Confidentiality is not considered in the extensions

38
REFERENCES
  • RFC 2535, Domain Name Security Extensions,
    Donald Eastlake, IBM, March 1999.
  • Paul Albitz, Cricket Liu, DNS and BIND, Third
    Edition, O'Reilly, Sebastopol, CA, 1998.
  • RFC 3833, Threat Analysis of the Domain Name
    System, D. Atkins, August 2004.
  • RFC 4033, Security Introduction and
    Requirements, R. Arends, R. Austein, 2005.
  • A. Lioy, F. Maino, M. Marian, D. Mazzocchi, DNS
    Security, Terena Networking Conference, May
    22-25, 2000.
  • http://compsec101.antibozo.net/papers/dnssec/dnssec.html

39
  • Thanks for Listening

40
  • QUESTIONS