Post on 22-Dec-2015
DNS Security Extensions (DNSSEC)
Ryan Dearing
Topics
History
What is DNS?
DNS Stats
Security
DNSSEC
DNSSEC Validation
Deployment
Terminology
Zone – the unit of DNS administration; contains resource records
Resource Record – a record with a name, a type and a value (e.g. www.google.com → IP address)
Authoritative Server – a server that can definitively answer queries for a zone (non-caching)
Master Server – an authoritative server that holds the primary copy of the zone and pushes it to the slave/secondary servers by zone transfer
Slave Server – an authoritative server that gets the zone data from the master server (also called a secondary server)
Recursive/Caching Server – a server that resolves queries on behalf of clients and caches the responses it receives
Domain Name System
Created in 1983 by Paul Mockapetris
Minimal changes to the core protocol since 1987
Has scaled very well: ~190 million domains
DNS Hierarchy and Protocol
DNS uses a hierarchical model: root servers, TLD servers, domain servers
Small, efficient UDP packets
No state: caching locally and at recursive servers
The zone's serial number (in its SOA record) is incremented when zone information changes, which is how secondaries know to transfer a fresh copy
DNS Stats
Verisign hosts the DNS servers for .com and .net
Receives 52 billion queries per day, peaking at 61 billion queries per day
48% yearly growth
13 nameservers listed for .com and .net, but most likely hundreds of machines behind load balancing
Security
DNS uses a trust model that was popular in the 80s, when the Internet was small and computing power was low: a resolver accepts the first response that arrives with the matching transaction ID, source port and question, with no way to check who actually sent it
If an attacker manages to impersonate an authoritative server, they can poison the cache of a recursive caching server, and every client of that cache receives the forged answer until the record's TTL expires
Suddenly BankOfAmerica.com is going to Nigeria
DNSSEC
DNSSEC adds signing to a zone's information (origin authentication and integrity; it does not encrypt queries or responses)
Allows DNS responses to be validated all the way from the root
Increases zone and packet size considerably
Already implemented on the root servers
Only useful when zones start using it, and only protects clients whose resolver actually validates
DNSSEC Validation: google.com
Request information from the root server for .com and verify the response with the root's public key, which is publicly distributed and configured in the validating resolver as its trust anchor. The root returns a signed DS record for .com: a hash of the .com zone's key
Request information from the .com server for google.com and verify the response with the .com key that the root's DS record vouches for. The .com zone returns a signed DS record for google.com
Request the record from the google.com server and verify its signature with the google.com key that the .com DS record vouches for
If any signature fails to verify, or a key does not match the DS record its parent published, a validating resolver returns SERVFAIL rather than the unverified answer
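The three hops above, and the cache-poisoning scenario from the Security section, as an added example that is not part of the original presentation. It models a root, a .com zone and a google.com zone, each with a single Ed25519 DNSKEY (real zones usually split a KSK and a ZSK, and commonly use RSA or ECDSA P-256 rather than Ed25519), publishes signed DS records for the delegations, then walks the chain from the root trust anchor down to an A record. All names, the record layout ("DS:child" as an owner name, name-plus-value as the signed bytes) and the address 203.0.113.10 are constructed for the illustration and are not Google's data or any resolver's wire format:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Zone is one level of the hierarchy (root, com., google.com.). It holds one
// DNSKEY (real zones usually split KSK/ZSK) and signs everything it serves.
type Zone struct {
	Name       string
	priv       ed25519.PrivateKey
	data, sigs map[string][]byte // record value and RRSIG, keyed by owner name
}

// signedBytes binds the owner name to the value so an RRSIG cannot be replayed under another name.
func signedBytes(name string, value []byte) []byte { return append([]byte(name+"\x00"), value...) }

// dsDigest is what a DS record carries: a SHA-256 digest of the child's DNSKEY.
func dsDigest(pub []byte) string { sum := sha256.Sum256(pub); return string(sum[:]) }

func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	z := &Zone{Name: name, priv: priv, data: map[string][]byte{}, sigs: map[string][]byte{}}
	z.Publish("DNSKEY", pub) // the DNSKEY RRset is signed with the key itself
	return z
}
func (z *Zone) Key() ed25519.PublicKey { return z.data["DNSKEY"] }

// Publish stores a record together with the RRSIG made by the zone's key.
func (z *Zone) Publish(name string, value []byte) {
	z.data[name] = value
	z.sigs[name] = ed25519.Sign(z.priv, signedBytes(name, value))
}

// Delegate publishes the signed DS record that vouches for a child zone's key.
func (z *Zone) Delegate(child *Zone) { z.Publish("DS:"+child.Name, []byte(dsDigest(child.Key()))) }

// Tamper overwrites a record without re-signing it: this is what a spoofed reply
// or a poisoned cache entry looks like, since the attacker has no zone key.
func (z *Zone) Tamper(name string, value []byte) { z.data[name] = value }

// Servers plays every authoritative server (and, after Tamper, a poisoned cache).
type Servers map[string]*Zone

// Resolve returns a record's value and RRSIG exactly as the server holds them.
func (s Servers) Resolve(zone, name string) (value, sig []byte, ok bool) {
	z, ok := s[zone]
	if !ok {
		return nil, nil, false
	}
	value, ok = z.data[name]
	return value, z.sigs[name], ok
}

// fetch asks for one record and checks its RRSIG with an already trusted key.
func (s Servers) fetch(key ed25519.PublicKey, zone, name string) ([]byte, error) {
	v, sig, ok := s.Resolve(zone, name)
	if !ok || !ed25519.Verify(key, signedBytes(name, v), sig) {
		return nil, fmt.Errorf("%s: %s missing or its RRSIG does not verify", zone, name)
	}
	return v, nil
}

// Validate walks the chain of trust: the trust anchor verifies the root's DS
// for the next zone, that DS authenticates the next zone's DNSKEY, and so on.
func (s Servers) Validate(anchor ed25519.PublicKey, chain []string, qname string) ([]byte, error) {
	key := anchor
	for i := 0; i+1 < len(chain); i++ {
		parent, child := chain[i], chain[i+1]
		ds, err := s.fetch(key, parent, "DS:"+child)
		if err != nil {
			return nil, err
		}
		// With one key per zone the DS digest alone authenticates the DNSKEY;
		// with a KSK/ZSK split the DNSKEY RRset's own RRSIG is checked as well.
		pub, _, ok := s.Resolve(child, "DNSKEY")
		if !ok || dsDigest(pub) != string(ds) {
			return nil, fmt.Errorf("%s: DNSKEY does not match the DS published by %s", child, parent)
		}
		key = pub
	}
	return s.fetch(key, chain[len(chain)-1], qname)
}

// BuildHierarchy sets up root -> com. -> google.com. with constructed data;
// 203.0.113.10 is an RFC 5737 documentation address, not Google's.
func BuildHierarchy() Servers {
	root, com, google := NewZone("."), NewZone("com."), NewZone("google.com.")
	root.Delegate(com)
	com.Delegate(google)
	google.Publish("www.google.com.", []byte("203.0.113.10"))
	return Servers{root.Name: root, com.Name: com, google.Name: google}
}

func main() {
	s, chain := BuildHierarchy(), []string{".", "com.", "google.com."}
	v, err := s.Validate(s["."].Key(), chain, "www.google.com.")
	fmt.Println("genuine:", string(v), err)
	s["google.com."].Tamper("www.google.com.", []byte("198.51.100.66"))
	_, err = s.Validate(s["."].Key(), chain, "www.google.com.")
	fmt.Println("spoofed:", err)
}
```

The point the walk makes is that the only thing a resolver has to trust out of band is the root key: every other key is vouched for by a signed DS record one level up, so a forged A record, a forged DS record or an unexpected key at any hop all fail validation, while a validator configured with the wrong anchor rejects even genuine data. Real resolvers additionally check RRSIG validity windows and key tags, and handle NSEC/NSEC3 proofs for names that do not exist.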
DNSSEC Validation
DNSSEC Complexities
Must tell the parent zone when the key is changed: the parent has to publish a new DS record before the old key is retired
Changing the key must be done very carefully; both keys are used for a period of time because cached copies of the old signatures and DS records stay in circulation until their TTLs expire
Must be careful about zone enumeration: the NSEC records that prove a name does not exist also reveal the neighbouring names, so the whole zone can be walked
Servers will require more memory for holding the additional information (keys, response signatures)
More bandwidth utilization
Larger packets, which need EDNS0 to exceed 512 bytes over UDP and which some network equipment blocks or truncates
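The zone-enumeration point above, as an added example that is not part of the original presentation. It builds the NSEC chain a signer would create for a small zone, answers queries the way an authoritative server does (the owner's own NSEC for an existing name, the covering NSEC for a missing one), and then enumerates every name in the zone using nothing but those answers. The zone contents and hostnames are constructed for the illustration; the NSEC model is simplified (no type bitmap and no RRSIG on the NSEC records), and the canonical ordering follows RFC 4034 section 6.1 for the plain ASCII labels used here:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// NSEC is the record DNSSEC uses to prove a name does not exist: "Owner is
// followed in canonical order by Next, and nothing lies between them".
type NSEC struct{ Owner, Next string }

// labels lower-cases a name and returns its labels from the root inward,
// which is the order canonical DNS name comparison uses.
func labels(name string) []string {
	l := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	for i, j := 0, len(l)-1; i < j; i, j = i+1, j-1 {
		l[i], l[j] = l[j], l[i]
	}
	return l
}

// canonicalLess orders names label by label from the right; when one name is
// a prefix of the other, the shorter (closer to the apex) sorts first.
func canonicalLess(a, b string) bool {
	la, lb := labels(a), labels(b)
	for i := 0; i < len(la) && i < len(lb); i++ {
		if la[i] != lb[i] {
			return la[i] < lb[i]
		}
	}
	return len(la) < len(lb)
}

// SignedZone is the NSEC chain built for a zone's names; the last record
// points back at the apex so the chain is a closed ring.
type SignedZone struct {
	Apex  string
	chain []NSEC
	index map[string]int
}

// Sign sorts the names canonically and links each one to its successor.
func Sign(apex string, names ...string) *SignedZone {
	all := append([]string{apex}, names...)
	sort.Slice(all, func(i, j int) bool { return canonicalLess(all[i], all[j]) })
	z := &SignedZone{Apex: apex, index: map[string]int{}}
	for i, n := range all {
		z.chain = append(z.chain, NSEC{n, all[(i+1)%len(all)]})
		z.index[n] = i
	}
	return z
}

// Query is what a resolver gets back: for an existing name asked for a type it
// lacks, the owner's own NSEC (NODATA); for a missing name, the NSEC whose
// interval covers it (NXDOMAIN). Either way the reply names real neighbours.
func (z *SignedZone) Query(qname string) (exists bool, proof NSEC) {
	if i, ok := z.index[qname]; ok {
		return true, z.chain[i]
	}
	for i, r := range z.chain {
		if canonicalLess(r.Owner, qname) && (i == len(z.chain)-1 || canonicalLess(qname, r.Next)) {
			return false, r
		}
	}
	return false, z.chain[len(z.chain)-1] // sorts before the apex: the wrap-around record covers it
}

// Walk enumerates the whole zone with ordinary queries only, following each
// NSEC's Next pointer until the chain wraps back to the apex.
func Walk(z *SignedZone) []string {
	names := []string{z.Apex}
	_, rec := z.Query(z.Apex)
	for rec.Next != z.Apex && len(names) <= len(z.chain) {
		names = append(names, rec.Next)
		_, rec = z.Query(rec.Next)
	}
	return names
}

func main() {
	// Constructed zone: the internal hosts are exactly what an operator would not want listed.
	z := Sign("example.com.", "www.example.com.", "mail.example.com.",
		"ns1.example.com.", "vpn.example.com.", "dev-staging.example.com.")
	exists, proof := z.Query("secret.example.com.")
	fmt.Println(exists, proof) // one denial already leaks two real names
	fmt.Println(Walk(z))
}
```

A single NXDOMAIN for a guessed name reveals the two real names on either side of it, and following the Next pointers lists the whole zone in a handful of queries, which is what "be careful about zone enumeration" means in practice. The standard mitigation is NSEC3 (RFC 5155), which chains salted hashes of the owner names instead of the names themselves; it makes walking a dictionary attack on the hashes rather than a free listing, but it does not hide how many names the zone has.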
DNSSEC Deployment Status
All root servers now use DNSSEC as of May 5 (2010)
.com and .net by Q1 of 2011; requires upgrades for scalability
.org already deployed with DNSSEC
.gov already deployed with DNSSEC
Big zones will need to deploy it too (google.com, yahoo.com, etc.)
Large DNS providers need to deploy too (NeustarDNS, Markmonitor, etc.)
Questions?