| 1

Domain Name System (DNS) and DNS Security

August 2017, Asia Pacific Internet Governance Academy 2017

Jia-Rong Low | Vice President and Managing Director, Asia Pacific, ICANN


| 2

Unique Identifiers

• Names

• Numbers

• Protocol Parameters

| 3

Names – Easier way for humans

IPv4 address / IPv6 address:

193.0.6.148 / 2001:610:240:22::c100:694

196.216.2.1 / 2001:42d0::200:2:1

192.149.252.75 / 2001:500:4:13::80

200.3.14.10 / 2001:13c7:7002:4000::10

202.12.29.211 / 2001:dc0:2001:11::211

193.0.6.139 / 2001:610:240:22::c100:68b

212.110.167.157 / 2001:41c8:20::19

192.0.32.7 / 2620:0:2d0:200::7

203.119.42.133 / 2001:dc0:21f:f3ff:fed5

Names:

www.nro.net

www.afrinic.net

www.arin.net

www.lacnic.net

www.apnic.net

www.ripe.net

www.isoc.org

www.icann.org

| 4

Domain Name’s Structure

mail.nicta.gov.pg.

• The Root: the trailing "."

• Top-level: pg

• Second level: gov

• Third level: nicta

• Fourth level: mail

| 5

DNS Structure

• A domain is a node in the Internet name space
– A domain includes all its descendants

• Domains have names
– Top-level domain (TLD) names are generic or country-specific
– TLD registries administer domains in the top-level
– TLD registries delegate labels beneath their top level delegation

Diagram: the name tree below the root ".". Names in generic Top Level Domains: org → icann → www, ssac; org → ncfta; gov → irs, ftc; com → google, msn; ... Names in country-code TLDs: AF ... ZW, for example a ccTLD → co → google.

| 6

DNS Operation

Diagram: User → DNS Server.

Query: What is www.icann.org?

Answer: 192.0.32.7

| 7

DNS Resolution

Role Play

| 8

DNS Operation

Diagram: the User asks the ISP resolver for icann.org. The ISP resolver queries the Root (which refers it to .org), then the .org servers (which refer it to icann.org), then the icann.org servers, and returns the answer to the User.

| 9

DNS Security

| 10

Reflection attack

• Attacker sends DNS messages to recursor from spoofed IP address of target

• Recursor sends response to targeted host

• Response delivered to targeted host

Diagram: Attacker → Open Recursor → Targeted host. The DNS query spoofs the source IP of the target (10.0.0.1); the targeted host’s IP is 10.0.0.1.

| 11

Reflection and Amplification attack

• Attacker sends DNS messages to recursor from spoofed IP address of target

• Recursor sends LARGE responses to targeted host

• Amplified responses delivered to targeted host consume resources faster

Diagram: Attacker → Open Recursor → Targeted host. The DNS query spoofs the source IP of the target (10.0.0.1); the targeted host’s IP is 10.0.0.1.

| 12

Distributed reflection and amplification attack (DDoS)

• Launch reflection and amplification attack from 1000s of origins

• Reflect through open recursor

• Deliver 1000s of large responses to target

Diagram: many Attackers → Open Recursor → Targeted host. Every origin sends DNS queries, and all sources spoof the source IP of the target (10.0.0.1); the targeted host’s IP is 10.0.0.1.
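Added example, not from the slides: a defender-side model of the flood above and of response rate limiting (RRL), the server-side mitigation used by BIND and other name servers. It computes the amplification factor for constructed query/response sizes and compares the bytes a recursor would push at the spoofed target with and without RRL; the sizes, the query name and the five-per-second limit are assumptions, and the limiter is a simplified model, not BIND’s implementation.

```python
# Constructed sizes in bytes: a small query versus a large response.
QUERY_SIZE = 64
LARGE_RESPONSE_SIZE = 3000

def amplification_factor(query_size, response_size):
    """Bandwidth multiplier the reflector gives the attacker: response bytes per query byte."""
    return response_size / query_size

class ResponseRateLimiter:
    """Simplified RRL: identical responses to one client beyond `limit` per one-second
    window are 'slipped', i.e. answered with a truncated (TC=1) reply of about query
    size instead of the full answer. A genuine client retries over TCP, which cannot be
    spoofed; a spoofed victim never receives the large payload. Model, not BIND's code."""

    def __init__(self, limit):
        self.limit = limit
        self.state = {}  # (client_ip, qname, qtype) -> [window_start, count]

    def decide(self, client_ip, qname, qtype, now, response_size):
        key = (client_ip, qname, qtype)
        window_start, count = self.state.get(key, (now, 0))
        if now - window_start >= 1.0:        # start a fresh one-second window
            window_start, count = now, 0
        count += 1
        self.state[key] = [window_start, count]
        if count <= self.limit:
            return "answer", response_size
        return "truncate", QUERY_SIZE        # TC=1 reply carries only the question

def bytes_to_victim(queries, limiter=None):
    """Response bytes the recursor sends to the spoofed source, with or without RRL.
    `queries` is a list of (time, claimed_src_ip, qname, qtype)."""
    total = 0
    for t, src_ip, qname, qtype in queries:
        if limiter is None:
            total += LARGE_RESPONSE_SIZE
        else:
            _, sent = limiter.decide(src_ip, qname, qtype, t, LARGE_RESPONSE_SIZE)
            total += sent
    return total

# Constructed flood: 100 queries within one second, all carrying the target's
# address (10.0.0.1, from the slide) as their spoofed source.
FLOOD = [(i / 100.0, "10.0.0.1", "example.net.", "ANY") for i in range(100)]

if __name__ == "__main__":
    print(amplification_factor(QUERY_SIZE, LARGE_RESPONSE_SIZE))    # 46.875
    print(bytes_to_victim(FLOOD))                                     # 300000
    print(bytes_to_victim(FLOOD, ResponseRateLimiter(limit=5)))       # 21080
```

Closing the recursor to outside clients (an ACL) removes the reflector entirely; RRL is the complementary control for servers that must answer the world, such as authoritative servers.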

| 13

Basic Cache Poisoning

Attacker

– Launches a spam campaign where spam message contains http://loseweightfastnow.com

– Attacker’s name server will respond to a DNS query for loseweightfastnow.com with malicious data about ebay.com

– Vulnerable resolvers add malicious data to local caches

– The malicious data will send victims to an eBay phishing site for the lifetime of the cached entry

Diagram (My Mac → My local resolver → ecrime nameserver):

Query: What is the IPv4 address for loseweightfastnow.com?

ecrime nameserver: loseweightfastnow.com IPv4 address is 192.168.1.1; ALSO www.ebay.com is at 192.168.1.2

My local resolver: I’ll cache this response… and update www.ebay.com
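Added example, not from the slides: the resolver-side defence against the poisoning shown above is the bailiwick rule, under which a resolver only caches records whose owner name lies inside the zone the responding server is authoritative for. The reply below is constructed from the slide’s values (plus a made-up in-zone glue record); the comparison is done label by label so that a name such as notebay.com is not mistaken for a child of ebay.com.

```python
def labels(name):
    """Split an absolute or relative DNS name into lowercase labels, ignoring the root dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_bailiwick(owner, zone):
    """True when `owner` is `zone` itself or lies beneath it, compared whole label by
    whole label. A plain string-suffix test would accept "notebay.com" for the zone
    "ebay.com"; comparing labels avoids that."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_response(records, zone):
    """Keep only records whose owner name is inside the zone the responding server is
    authoritative for; everything else is discarded before it can reach the cache.
    `records` is a list of (owner, rrtype, rdata) tuples; returns (cached, rejected)."""
    cached, rejected = [], []
    for rec in records:
        (cached if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return cached, rejected

# Constructed reply from the "ecrime nameserver" on the slide: the legitimate answer,
# an in-zone glue record, and an out-of-zone record aimed at www.ebay.com in the cache.
POISONED_REPLY = [
    ("loseweightfastnow.com.", "A", "192.168.1.1"),
    ("ns1.loseweightfastnow.com.", "A", "192.168.1.3"),   # in bailiwick: kept
    ("www.ebay.com.", "A", "192.168.1.2"),                # out of bailiwick: dropped
]

if __name__ == "__main__":
    kept, dropped = filter_response(POISONED_REPLY, "loseweightfastnow.com.")
    print(kept)     # the two loseweightfastnow.com records
    print(dropped)  # [('www.ebay.com.', 'A', '192.168.1.2')]
```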

| 14

Query Interception (DNS Hijacking)

8/17/2017

• A man in the middle (MITM) or spoofing attack forwards DNS queries to a name server that returns forged responses
– Can be done using a DNS proxy, compromised access router or recursor, ARP poisoning, or evil twin Wifi access point

Diagram: Bank Web Site (intended path for online banking transactions) versus FakeBank Web Site (redirected path). An Evil Twin AP or compromised router redirects DNS queries to the attacker’s resolver; the attacker’s name server returns the fake bank web site address.

| 15

Securing DNS

• There are two aspects when considering DNS Security
– Server protection
– Data protection

• Server protection
– Protecting servers
  • Make sure your DNS servers are protected (e.g. physical security, latest DNS server software, proper security policies, server redundancy etc.)
– Protecting server transactions
  • Deployment of TSIG, ACLs etc. (to secure transactions against server impersonation, secure zone transfers, unauthorized updates etc.)

• Data protection
– Authenticity and Integrity of Data
  • Deployment of DNSSEC (protects DNS data against cache poisoning, cache impersonation, spoofing etc.)

| 16

DNS Security Extensions (DNSSEC)

| 17

DNSSEC – simplified

| 18

DNSSEC – simplified

| 19

DNSSEC – simplified

DNSSEC uses digital signatures to assure that information is correct, and came from the right place.

| 20

What is DNSSEC?

¤ DNSSEC = “DNS Security Extensions”

¤ DNSSEC is a protocol that is currently being deployed to secure the Domain Name System (DNS)

¤ DNSSEC adds security to the DNS by incorporating public key cryptography into the DNS hierarchy, resulting in a single, open, global Public Key Infrastructure (PKI) for domain names

¤ Result of over a decade of community-based, open standards development
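Added example, not from the slides. The slides say DNSSEC places public key cryptography into the DNS hierarchy; the link from a parent zone to a child zone’s key is the DS record (RFC 4034), which these slides do not name. The code computes a child key’s DS digest and key tag exactly as RFC 4034 specifies and checks whether a published DS matches it; the zone name and key material are constructed, and verifying the RRSIG signatures themselves is left out.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s.6.2): lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, then key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def ds_digest(owner, rdata, digest_type=2):
    """DS digest (RFC 4034 s.5.1.4): hash(owner name in wire form || DNSKEY RDATA). 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()

def key_tag(rdata):
    """Key tag (RFC 4034 appendix B): 16-bit checksum over the RDATA, used to pick the matching DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_links_to_key(ds_record, owner, rdata):
    """One chain-of-trust step: the parent's DS (tag, algorithm, digest type, digest)
    must match the child's DNSKEY on key tag, algorithm byte and digest."""
    tag, alg, digest_type, digest = ds_record
    return (tag == key_tag(rdata) and alg == rdata[3]
            and ds_digest(owner, rdata, digest_type) == digest)

# Constructed child KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 13
# (ECDSAP256SHA256), and a made-up 64-byte public key; the zone is "example.".
CHILD_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))
CHILD_DS = (key_tag(CHILD_KEY), 13, 2, ds_digest("example.", CHILD_KEY))  # published by the parent
TAMPERED_KEY = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))             # substituted key material

if __name__ == "__main__":
    print(ds_links_to_key(CHILD_DS, "example.", CHILD_KEY))      # True
    print(ds_links_to_key(CHILD_DS, "example.", TAMPERED_KEY))   # False
```

A validating resolver repeats this check at every delegation from the root trust anchor down, which is the "single, open, global PKI" the slide refers to; a key that no parent DS vouches for cannot sign trusted data.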