An Internet Primer: DNS Vulnerabilities - PowerPoint PPT Presentation
1
An Internet Primer: DNS Vulnerabilities
  • Ken Dick
  • College of IST
  • University of Nebraska at Omaha

2
What Is It?
  • Not a single network
  • A network of networks
  • Governance provided by ICANN (Internet Corporation for Assigned Names and
    Numbers, www.icann.org)
  • A current source of international intrigue

3
Who's Who On The Backbone (2001)
  • 27.9 - UUNET/WorldCom/MCI (Verizon)
  • 10.0 - AT&T (SBC)
  • 6.5 - Sprint
  • 6.3 - Genuity (Level 3)
  • 4.1 - PSINet (Cogent)
  • 3.5 - Cable & Wireless
  • 2.8 - XO Communications (Chapter 11)
  • 2.6 - Verio (NTT)
  • 1.5 - Qwest
  • 1.3 - Global Crossing (Chapter 11, 2002)

4
Another View Of The Internet
http://www.caida.org/analysis/topology/as_core_network/
5
Internet History
6
ARPANET Growth
  • Dec 1969
  • Jul 1970
  • Mar 1971
  • Apr 1972
  • Sep 1972

7
Growth Of The Internet
8
Name Space Distribution
  • An example partitioning of the DNS name space,
    including Internet-accessible files, into three
    layers.

9
DNS Implementation
  • An excerpt from the DNS database for the zone
    cs.vu.nl.

10
DNS Root Servers
http://www.root-servers.org/
11
DNS Vulnerability
This vulnerability was discovered by Kaminsky in
the summer of 2008. Suffice it to say that it
involves poisoning the resolver's cache, which
allows traffic to be redirected to a counterfeit
server. There are patches out for this, but
there is a better way.
http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
12
.gov Response
When you file your taxes online, you want to be
sure that the Web site you visit -- www.irs.gov
-- is operated by the Internal Revenue Service
and not a scam artist. By the end of next year,
you can be confident that every U.S. government
Web page is being served up by the appropriate
agency. That's because the feds have launched
the largest-ever rollout of a new authentication
mechanism for the Internet's DNS. All federal
agencies are deploying DNS Security Extensions
(DNSSEC) on the .gov top-level domain, and some
expect that once that rollout is complete, banks
and other businesses might be encouraged to
follow suit for their sites. DNSSEC prevents
hackers from hijacking Web traffic and
redirecting it to bogus sites.
http://www.networkworld.com/news/2008/092208-government-web-security.html
13
DNS Resolving
[Figure: iterative resolution of the question "www.cnn.com A ?". The stub
resolver on lab.cs.umass.edu sends the query to the resolver dns.cs.umass.edu.
The resolver asks the root (.) for the IP address of the .com server, asks the
.com server for the IP address of the cnn.com server, and asks the cnn.com
server for www.cnn.com; the answer xxx.xxx.xxx.xxx is added to the cache and
returned to the stub resolver.]
A New Approach to DNS Security (DNSSEC) Giuseppe
Ateniese, Stefan Mangard
14
DNS Data flow
[Figure: DNS data flow. The zone administrator edits the zone file, which is
loaded by the master server; dynamic updates also reach the master; the master
transfers the zone to the slaves; resolvers query the master and slaves and
answer the stub resolver.]
A New Approach to DNS Security (DNSSEC) Giuseppe
Ateniese, Stefan Mangard
15
DNS Vulnerabilities
[Figure: the data flow of the previous slide annotated with its threats:
corrupting data (zone file), unauthorized updates (dynamic updates),
impersonating the master (zone transfer to the slaves), cache pollution by
data spoofing (resolver), and cache impersonation (stub resolver). The
countermeasures are grouped into Data Protection and Server Protection.]
A New Approach to DNS Security (DNSSEC) Giuseppe
Ateniese, Stefan Mangard
16
Why DNSSEC
  • DNSSEC protects against data spoofing and
    corruption
  • DNSSEC also provides mechanisms to authenticate
    servers and requests
  • DNSSEC provides mechanisms to establish
    authenticity and integrity

A New Approach to DNS Security (DNSSEC) Giuseppe
Ateniese, Stefan Mangard
17
PK-DNSSEC (Public Key)
  • The DNS servers sign (digitally encrypt) the hash
    of each resource record set with their private keys
  • Resource record set: the set of resource records
    of the same type
  • Public KEYs can be used to verify the SIGs
  • The authenticity of a public KEY is established by
    a SIGnature over the key made with the parent's
    private key
  • In the ideal case, only one public KEY needs to
    be distributed off-band (the root's public KEY)

A New Approach to DNS Security (DNSSEC) Giuseppe
Ateniese, Stefan Mangard
18
DNSSEC new RRs
  • 2 public-key related RRs
  • SIG: signature over an RRset made using the private key
  • KEY: public key, needed for verifying a SIG over an
    RRset, itself signed by the parent's private key
  • One RR for internal consistency (authenticated
    denial of data)
  • NXT RR: indicates which RRset is the next one in
    the zone
  • For non-DNSSEC public keys: CERT

A New Approach to DNS Security (DNSSEC) Giuseppe
Ateniese, Stefan Mangard
19
SIG RRs
  • Cover each resource record set with a public-key
    signature which is stored as a resource record
    called a SIG RR
  • SIG RRs are computed for every RRset in a zone
    file and stored
  • Add the corresponding pre-calculated signature
    for each RRset in answers to queries
  • Must include the entire RRset in an answer,
    otherwise the resolver could not verify the
    signature

A New Approach to DNS Security (DNSSEC) Giuseppe
Ateniese, Stefan Mangard
20
SIG(0)
  • Use public-key signature to sign the whole
    message each time the server responds to the
    queries
  • Provide integrity protection and authentication
    of the whole message
  • Can be scaled to provide authentication of query
    requests
  • May not be practical to use in a large-scale
    environment

A New Approach to DNS Security (DNSSEC) Giuseppe
Ateniese, Stefan Mangard
21
Compare SIG RRs with SIG(0)
  • More computation on DNS server caused by SIG(0)
  • More network traffic caused by SIG RRs
  • More storage needed by SIG RRs

A New Approach to DNS Security (DNSSEC) Giuseppe
Ateniese, Stefan Mangard
22
Verifying the tree
[Figure: the resolution of "www.cnn.com A ?" from slide 13, now with
signatures. The root (.) answers the resolver with SIG(the IP address and
public key of the .com server) made by the root's private key; the .com server
answers with SIG(the IP address and public key of the cnn.com server) made by
its private key; the cnn.com server answers with SIG(xxx.xxx.xxx.xxx) made by
its private key, which the resolver adds to its cache. Transaction signatures
label the exchanges with the stub resolver and with the slave servers.]
A New Approach to DNS Security (DNSSEC) Giuseppe
Ateniese, Stefan Mangard
23
Verifying
  • Verify a SIG over data using the public KEY
  • DNS data is signed with the private key
  • Verify the SIG with the KEY mentioned in the SIG
    record
  • The key can be found in the DNS or can be locally
    configured

A New Approach to DNS Security (DNSSEC) Giuseppe
Ateniese, Stefan Mangard
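The signing and verification chain of slides 17, 22 and 23 carried through in Go, as an added example that is not from the slides or from the Ateniese and Mangard paper: it uses Ed25519 from the standard library in place of the RSA keys of the original KEY/SIG records, and the zone names, the sample address and the one-line hashing of an RRset are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)
// Zone is one level of the tree (., com, cnn.com): its KEY pair and its parent.
type Zone struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	parent *Zone
	KeySig []byte // SIG over Pub made with the parent's private key; nil at the root
}
// rrsetHash hashes the whole RRset (owner, type, every RDATA); slide 17's SIG covers this.
func rrsetHash(owner, rrtype string, rdata []string) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%q", owner, rrtype, rdata)))
	return h[:]
}
// SignRRset makes the pre-calculated SIG RR stored beside an RRset in the zone file.
func (z *Zone) SignRRset(owner, rrtype string, rdata []string) []byte {
	return ed25519.Sign(z.priv, rrsetHash(owner, rrtype, rdata))
}
// NewZone generates a zone's KEY pair; a non-nil parent signs the child's KEY RRset.
func NewZone(name string, parent *Zone) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	z := &Zone{Name: name, Pub: pub, priv: priv, parent: parent}
	if parent != nil {
		z.KeySig = parent.SignRRset(name, "KEY", []string{string(pub)})
	}
	return z
}
// keyTrusted: each KEY needs a valid SIG by its parent, and the root KEY must equal the one anchor configured off-band (slides 17, 23).
func keyTrusted(anchor ed25519.PublicKey, z *Zone) bool {
	if z.parent == nil {
		return anchor.Equal(z.Pub)
	}
	return ed25519.Verify(z.parent.Pub, rrsetHash(z.Name, "KEY", []string{string(z.Pub)}), z.KeySig) && keyTrusted(anchor, z.parent)
}
// VerifyAnswer (slide 22): the SIG RR must verify under the signer's KEY, and that KEY must chain to the root.
func VerifyAnswer(anchor ed25519.PublicKey, signer *Zone, owner, rrtype string, rdata []string, sig []byte) bool {
	return keyTrusted(anchor, signer) && ed25519.Verify(signer.Pub, rrsetHash(owner, rrtype, rdata), sig)
}
func main() {
	root := NewZone(".", nil)
	cnn := NewZone("cnn.com", NewZone("com", root))
	sig := cnn.SignRRset("www.cnn.com", "A", []string{"192.0.2.10"}) // constructed address
	fmt.Println("verifies:", VerifyAnswer(root.Pub, cnn, "www.cnn.com", "A", []string{"192.0.2.10"}, sig))
}
```

Changing a single RDATA byte, swapping in a tree with its own root, or self-signing a child KEY all make VerifyAnswer return false, which is why only the root KEY needs to be distributed off-band.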
24
An Internet Primer: DNS Vulnerabilities
  • Ken Dick
  • College of IST
  • University of Nebraska at Omaha