DNS and DNSSec - York University
DNS and DNSSec
By: Syed Usman, Jonas Laya, Paul Sison
Overview
● What is DNS?
● Vulnerabilities and Attacks
● DNSSec as a solution
What is DNS?
www.yorku.ca → 130.63.236.137
DNS
● Domain Name System
● Translates domain names to IP addresses
● Motivation
○ Eliminates memorizing IP addresses
● Application Layer Protocol
● Operates on UDP port 53
○ Fast and low overhead
“Phonebook of the Internet”
DNS Lookup
https://www.cloudflare.com/learning/dns/what-is-dns/
● DNS Resolver
○ Receives DNS queries from applications such as browsers
● Root Server
○ Provides TLD address
● Top-Level-Domain Server
○ Provides nameserver address
● Authoritative Name Server
○ Provides hostname’s IP address
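The lookup on this slide can be traced step by step in code. The following is an added example, not material from the slides: it models the resolver, root, TLD and authoritative roles over a constructed in-memory hierarchy so each referral is visible. The server names and the 192.0.2.x addresses are made up for illustration; the www.yorku.ca address is the one shown earlier in the deck.

```python
"""Simulated iterative lookup over a constructed, in-memory DNS hierarchy.

Added example (not from the slides): the four roles on the slide are
modelled so a resolution can be followed step by step. Zone data, server
names and the 192.0.2.x addresses are constructed; the www.yorku.ca address
is the one shown earlier in the deck."""

# Each server knows only its own level of the tree (delegations or records).
ROOT_SERVER = {"ca.": {"ns": "ns.ca-tld.example.", "addr": "192.0.2.10"}}
TLD_SERVERS = {
    "ns.ca-tld.example.": {"yorku.ca.": {"ns": "ns1.yorku.ca.", "addr": "192.0.2.20"}},
}
AUTH_SERVERS = {
    "ns1.yorku.ca.": {"www.yorku.ca.": {"A": "130.63.236.137"}},
}


def _delegation_for(name, table):
    """Longest zone in `table` that `name` falls under, or (None, None)."""
    best = None
    for zone, entry in table.items():
        if (name == zone or name.endswith("." + zone)) and (best is None or len(zone) > len(best[0])):
            best = (zone, entry)
    return best or (None, None)


def resolve(hostname, rtype="A"):
    """Walk root -> TLD -> authoritative as a recursive resolver does.
    Returns (answer, trace); trace lists the referral at every step."""
    name = hostname.lower().rstrip(".") + "."
    trace = []
    # Step 1: the root server refers the resolver to the TLD nameserver.
    tld, tld_ref = _delegation_for(name, ROOT_SERVER)
    if tld_ref is None:
        trace.append(f"root: no delegation for {name}")
        return None, trace
    trace.append(f"root -> {tld} served by {tld_ref['ns']} ({tld_ref['addr']})")
    # Step 2: the TLD server refers it on to the zone's authoritative server.
    zone, auth_ref = _delegation_for(name, TLD_SERVERS[tld_ref["ns"]])
    if auth_ref is None:
        trace.append(f"{tld}: no delegation for {name}")
        return None, trace
    trace.append(f"{tld} -> {zone} served by {auth_ref['ns']} ({auth_ref['addr']})")
    # Step 3: the authoritative server answers from its own records.
    answer = AUTH_SERVERS[auth_ref["ns"]].get(name, {}).get(rtype)
    trace.append(f"{auth_ref['ns']}: {name} {rtype} = {answer}")
    return answer, trace


if __name__ == "__main__":
    for line in resolve("www.yorku.ca")[1]:
        print(line)
```

Running it prints the three referral steps; a name under a zone that no server knows about stops early, which is the point at which a real resolver would return a negative answer (or, with DNSSEC, an authenticated denial).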
DNS Hierarchy
https://www.cloudflare.com/learning/dns/glossary/dns-root-server/
Vulnerabilities and Attacks
Vulnerabilities
● Use of unsigned, unencrypted UDP packets
○ No source authentication
○ No data integrity check
● Use of cache for reduced access time
○ Cache inconsistency
○ Staleness of data
● Stored data (Resource Records) on name servers
Cache Poisoning
● Exploit on usage of UDP and a cache
● Method 1: Packet Interception
○ Man-in-the-Middle attack
● Method 2: ID Guessing and Query Prediction
○ Old servers used sequential transaction IDs
● 1996 - InterNIC
● 2008 - Kaminsky bug
○ Replaces NS Authority record in cache for target domain
https://youtu.be/lVifa7QSQDY
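The resolver-side checks that blunt both poisoning methods on this slide (and the missing source authentication and integrity check on the previous one) can be written down compactly. This is an added example, not from the slides, and the packets are constructed Python dicts rather than wire-format DNS. Against ID guessing and query prediction, each outstanding query carries an unpredictable 16-bit transaction ID and a random source port, and a response must match both plus the question section. Against the Kaminsky-style replacement of the NS authority record, any authority or additional record whose owner lies outside the bailiwick of the queried zone is discarded rather than cached.

```python
"""Resolver-side acceptance checks against cache poisoning.

Added example (not from the slides). Packets are constructed dicts, not
wire-format DNS; zone and host names are illustrative."""

import secrets


def new_query(qname, qtype="A"):
    """Outstanding query state: random ID and random ephemeral source port."""
    return {
        "id": secrets.randbelow(1 << 16),           # random, not sequential
        "sport": 1024 + secrets.randbelow(64512),   # random port in 1024..65535
        "qname": qname.lower().rstrip(".") + ".",
        "qtype": qtype,
    }


def in_bailiwick(owner, zone):
    """True if `owner` is at or below `zone` (the zone the server answers for)."""
    owner, zone = owner.lower(), zone.lower()
    return owner == zone or owner.endswith("." + zone)


def accept_response(pending, resp, zone):
    """Validate `resp` against the pending query. Returns
    (accepted, reason, cacheable_records). Off-path forgeries fail the first
    three checks; out-of-bailiwick NS/glue records are dropped, not cached."""
    if resp["id"] != pending["id"]:
        return False, "transaction ID mismatch", []
    if resp["dport"] != pending["sport"]:
        return False, "destination port mismatch", []
    if (resp["qname"].lower(), resp["qtype"]) != (pending["qname"], pending["qtype"]):
        return False, "question section mismatch", []
    cacheable, dropped = list(resp.get("answer", [])), []
    for rr in resp.get("authority", []) + resp.get("additional", []):
        (cacheable if in_bailiwick(rr["name"], zone) else dropped).append(rr)
    reason = "ok" if not dropped else "ok; dropped out-of-bailiwick: " + ", ".join(
        r["name"] for r in dropped)
    return True, reason, cacheable


def blind_guess_space(random_ids=True, random_ports=True):
    """Number of (ID, port) combinations a blind forger must cover; with
    sequential IDs and a fixed port this collapses to 1, which is the
    weakness the slide describes."""
    return (1 << 16 if random_ids else 1) * (64512 if random_ports else 1)
```

The bailiwick rule is what stops a response for one name from rewriting the cached NS record of a different domain: the record is simply never stored, so there is nothing for later lookups to be redirected through.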
Diagram: cache poisoning (source: https://www.imperva.com/learn/application-security/dnssec/)
Domain Hijacking
● Attackers take control of the domain registration
● Domain information changed to point to a malicious nameserver
● 2008 - icann.org & iana.org
○ Social engineering
● 2016 - Brazilian banks
○ 6 hours, $27B of assets
● Unpaid registrar bill
https://blog.cloudflare.com/introducing-cloudflare-registrar/
DNS Flood
● DoS attack to deny legitimate requests
○ UDP easy to forge, no handshake required
○ Exhaust all available UDP sockets
● 2013 - Spamhaus
● 2015 - .tr ccTLD name servers
○ Isolated Turkey from the World
● Poorly-formatted DNS requests
○ 14% of queries on root servers
https://www.imperva.com/learn/application-security/dns-flood/
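Two defender-side measures follow directly from this slide: reject poorly-formatted queries before spending any work on them, and notice when a single source's query rate exceeds what a legitimate client would send. The code below is an added example, not from the slides; it parses the real 12-byte DNS header layout with `struct`, but the sample packets, addresses and timestamps are constructed.

```python
"""DNS flood handling: header sanity check plus per-source rate monitor.

Added example (not from the slides). The header layout is the standard
12-byte DNS header; traffic samples below are constructed."""

import struct
from collections import defaultdict, deque

HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def check_query_header(packet):
    """Return (ok, reason) for bytes that should carry a standard DNS query."""
    if len(packet) < HEADER.size:
        return False, "truncated header"
    _id, flags, qd, an, ns, _ar = HEADER.unpack_from(packet)
    if flags & 0x8000:
        return False, "QR bit set: this is a response, not a query"
    opcode = (flags >> 11) & 0xF
    if opcode != 0:
        return False, f"opcode {opcode} is not a standard query"
    if qd != 1:
        return False, f"qdcount {qd}, expected exactly 1"
    if an or ns:
        return False, "answer/authority records present in a query"
    return True, "ok"


class FloodMonitor:
    """Sliding-window query counter per source address."""

    def __init__(self, window_s, limit):
        self.window_s, self.limit = window_s, limit
        self.seen = defaultdict(deque)

    def observe(self, t, src):
        """Record a query from src at time t (seconds); True if over the limit."""
        q = self.seen[src]
        q.append(t)
        while q and t - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.limit


def analyse(events, window_s=1.0, limit=20):
    """events: (t, src, packet) tuples in time order.
    Returns (flooding_sources, malformed_count). Malformed packets still
    count against the sender's rate budget."""
    mon = FloodMonitor(window_s, limit)
    flooders, malformed = set(), 0
    for t, src, pkt in events:
        if mon.observe(t, src):
            flooders.add(src)
        if not check_query_header(pkt)[0]:
            malformed += 1
    return flooders, malformed


# Constructed sample traffic: one well-behaved client, one burst source, some junk.
VALID_QUERY = HEADER.pack(0x1234, 0x0100, 1, 0, 0, 0) + b"\x03www\x05yorku\x02ca\x00\x00\x01\x00\x01"
JUNK = b"\x00\x01"  # too short to be a DNS header

SAMPLE = sorted(
    [(i * 0.3, "198.51.100.7", VALID_QUERY) for i in range(5)]
    + [(0.5 + i * 0.01, "203.0.113.9", VALID_QUERY) for i in range(60)]
    + [(0.9, "203.0.113.9", JUNK), (1.1, "203.0.113.9", JUNK)],
    key=lambda e: e[0],
)

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

On real traffic the source address of a UDP flood is often spoofed, so the monitor identifies what to rate-limit rather than who is responsible; the header check is cheap enough to run on every packet, which is what makes it worthwhile against the malformed share of root-server traffic the slide cites.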
DNSSec
● Provides security for the DNS protocol
● Created in 2005 and made fully usable in 2010 (ICANN)
● Ensures
○ Origin Authentication
○ Data Integrity
○ Authenticated Denial of Existence
How it Works?
● Asymmetric Key Cryptography
● Hash Function
How it Works?
● Recursive server has root server’s public key.
● Recursive server sends iterative request to root server.
● Root server responds back with
○ TLD server details
○ TLD server public key encrypted by its private key
○ Root server’s public key record encrypted by its private key
● Recursive server uses root server’s public key to
○ Decrypt these encrypted files
○ Get the public key for the TLD server from the decrypted file
○ Compare its public key with the one the root server sent
● The same process continues for TLD & Authoritative server.
DNSSec Vulnerabilities
● Increases the query response time
● Root public key injection attack would compromise the chain of trust
● DNSSec requires time synchronisation; if an attacker can disrupt that synchronisation, DNSSec fails to work properly
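The chain of trust from the "How it Works?" slide and the two failure modes on this slide (an injected root key, and broken time synchronisation) can be exercised in one small validator. This is an added example; it is neither the slides' material nor DNSSEC's wire format. Where the slide describes the root "encrypting" the TLD key with its private key, the mechanism in the real protocol is a signature: each parent publishes a DS record (a hash of the child's public key) and signs it, the resolver checks that signature with the parent's public key, and the root's key is the trust anchor configured in the resolver. Signatures also carry a validity window, which is why time synchronisation is a dependency. The zone names, addresses and the fixed, publicly known primes behind the toy RSA keys are constructed for illustration only.

```python
"""Chain-of-trust validation modelled on DNSSEC, built on a toy RSA.

Added example (not from the slides, not DNSSEC's wire format). The keys
use fixed Mersenne/known primes and are for illustration only."""

import hashlib

E = 65537


def toy_rsa_keypair(p, q):
    """Textbook RSA on two known primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_h(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data, n)


def rr_bytes(name, rtype, rdata, valid_from, valid_until):
    """Canonical bytes covered by a signature (the RRSIG analogue includes the window)."""
    return f"{name} {rtype} {rdata} {valid_from} {valid_until}".encode()


def key_digest(pub):
    """DS record analogue: hash of the child zone's public key."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()


def signed_zone(priv, rrs, valid_from, valid_until):
    """Sign each (name, type, rdata) with the zone key, recording the validity window."""
    return [(n, t, r, valid_from, valid_until, sign(priv, rr_bytes(n, t, r, valid_from, valid_until)))
            for n, t, r in rrs]


def validate(trust_anchor, chain, now):
    """chain: [(zone_public_key, signed_records), ...] from the root down.
    Returns (ok, reason, answer); answer is the validated A rdata or None."""
    parent_ds, answer = None, None
    for level, (pub, rrs) in enumerate(chain):
        # 1. Authenticate this level's key: the trust anchor at the root,
        #    otherwise the DS record verified one level up.
        if level == 0 and pub != trust_anchor:
            return False, "root key does not match the trust anchor", None
        if level > 0 and key_digest(pub) != parent_ds:
            return False, f"level {level}: key not matched by the parent's DS", None
        parent_ds = None
        # 2. With the key trusted, check each record's window and signature.
        for name, rtype, rdata, vfrom, vuntil, sig in rrs:
            if not vfrom <= now <= vuntil:
                return False, f"level {level}: signature on {name} {rtype} outside validity window", None
            if not verify(pub, rr_bytes(name, rtype, rdata, vfrom, vuntil), sig):
                return False, f"level {level}: bad signature on {name} {rtype}", None
            if rtype == "DS":
                parent_ds = rdata
            elif rtype == "A":
                answer = rdata
    return True, "ok", answer


def build_demo_chain(forged_ip=None, valid_from=1000, valid_until=2000):
    """Constructed zones root -> ca. -> yorku.ca. carrying www.yorku.ca. A.
    With forged_ip set, the A rdata is swapped after signing (a poisoned answer)."""
    root_pub, root_priv = toy_rsa_keypair(2**89 - 1, 2**107 - 1)
    ca_pub, ca_priv = toy_rsa_keypair(2**61 - 1, 2**31 - 1)
    yorku_pub, yorku_priv = toy_rsa_keypair(10**9 + 7, 998244353)
    root_rrs = signed_zone(root_priv, [("ca.", "DS", key_digest(ca_pub))], valid_from, valid_until)
    ca_rrs = signed_zone(ca_priv, [("yorku.ca.", "DS", key_digest(yorku_pub))], valid_from, valid_until)
    yorku_rrs = signed_zone(yorku_priv, [("www.yorku.ca.", "A", "130.63.236.137")], valid_from, valid_until)
    if forged_ip:
        n, t, _, vf, vu, sig = yorku_rrs[0]
        yorku_rrs = [(n, t, forged_ip, vf, vu, sig)]
    return root_pub, [(root_pub, root_rrs), (ca_pub, ca_rrs), (yorku_pub, yorku_rrs)]


if __name__ == "__main__":
    anchor, chain = build_demo_chain()
    print(validate(anchor, chain, now=1500))
```

Only the root key is trusted a priori; every other key is accepted solely because a DS record signed one level up hashes to it, so swapping a key at any level, altering a signed record, or presenting the validator with the wrong trust anchor all fail. A clock far outside the signatures' validity window fails the same way, which is the operational dependency the last bullet describes.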
Questions:
1. DNS is a protocol on which OSI layer?
2. Can the Internet survive without DNS?
3. How important is DNSSec ?
References
Issues in DNS Security. Online. https://cdn.ttgtmedia.com/rms/pdf/DNS%20Security_Ch%202.pdf
Ariyapperuma & Mitchell. Security Vulnerabilities in DNS and DNSSec. Online. http://web.mit.edu/6.033/www/papers/dnssec.pdf
What is DNS? How DNS Works. Online. https://www.cloudflare.com/learning/dns/what-is-dns/
Domain Name System. Online. https://en.wikipedia.org/wiki/Domain_Name_System
DNS Security - Cache Poisoning. Online. https://www.youtube.com/watch?v=lVifa7QSQDY
Atkins. Threat Analysis of the Domain Name System. 2004. Online. https://tools.ietf.org/html/rfc3833
DNS Flood. Online. https://www.imperva.com/learn/application-security/dns-flood/
DNSSec. Online. https://www.keycdn.com/support/dnssec