What We are Learning About DNS Security
DNSSEC and Much More
7/27/2011
1
Edward Lewis
Director, Member of Technical Staff
© Neustar Inc. / Proprietary and Confidential
Joseph is unhappy about my talk
» This is the first day since my son was born that I have not been home
» He's 6 1/2 months old
» When I told him I'd be away July 27, he had this frown
» Still, it is an honor to be invited to speak here today
» This talk is dedicated to little Joe
Agenda
»The significance of DNSSEC
»What you should be doing about DDoS
»What you need to do
In the Wake of DNSSEC
» The protocol and code has been strengthened
» We've improved the state of operations
» Cooperation has become very important
Briefly, What is DNSSEC?
»DNSSEC is an add-on to the DNS protocol
»It adds information to DNS answers that provides proof that the data is genuine
» DNSSEC is like automobile safety belts for DNS
»The greatest benefit is preventing ISP caches from accepting forged answers, misdirecting customers
Protocol Strengthening
» The DNS protocol, as specified, is a very weak base to secure
» One of the benefits of DNSSEC is that it made us take a critical look at the protocol
Why securing DNS is so hard
»DNS goals are
» global scale, fast response, high availability
»It's a crowd, not one person
...and...
»The original specifications are informal, incomplete
» Leading to a wide range of interpretations
» And thus a wide range of different implementations
» Rely on the memories of the "old guys"
Updates to DNS
»Security throughout the DNS
» Data Loading (EPP & WhoIs-related too)
» Data Replication (zone transfers)
» Queries and Responses (e.g., DNSSEC, TSIG, wild card)
»New code, new code everywhere
»And new ways to operate
What DNSSEC got right
»DNSSEC is a technical success
»DNSSEC was designed with adoption by transition in mind
» This is what IPv6 lacks
»But adoption by slow transition is not easy and requires patience; it's a good plan and a lot of execution
» Slow adoption is a beneficial thing, a feature, really!
»And the path to DNSSEC's completion can teach us much about security improvements
Strengthening Cooperation
»When teaching the ISO seven layer protocol model I came across this in an old textbook
» There are times when it is necessary to handle an error in the layer above the one you are designing
»Translating this into DNS and security events
» During times of attack, out-of-band coordination must have already been established
Coordinate?
»Who?: Anyone who teams up in a defense
» Government and Private Industry
» Competitors
» Across borders and oceans
»When?
» Strategic and tactical
» Frequently, openly
» During exercises, events
»Where?
» Conferences, workshops
» In-person meetings at offices
» And don't forget - happy hours!
Government - Industry cooperation
»Government and Industry relationship is important
»Government learns from experts in industry
»Government always maintains legal authority
»Government provides leadership in mandates and funding
»Industry provides innovation and takes the risk
DDoS
»You can be a target of a DDoS
» Solutions include capacity, reserves, and traffic scrubbing
»You can be used to launch a DDoS
» Open recursive servers can reflect and amplify an attack
»(You could also be the attacker...;))
Anti-DDOS
»Expertise is needed to defend against these attacks
» Target owners, ISPs and other security entities have this
»This is why cooperation, set up ahead of time, is critical
»If you need to "click here" ... it is too late for you!
Failure to set up cooperation
»There are two possible outcomes
»"Fail closed" and not respond adequately
» Examples are one person having a password and being on vacation when the attack happens
»"Fail open" and be open to being fooled (socially engineered) by an attacker
» Examples are attackers causing a diversion and then acting as "first responders"/emergency workers to monitor damage and adjust attacks
Securing the DNS system
»The DNS is spread amongst many elements
» Registries, registrars, web hosters, dns operators
» ISPs, open/remote recursive servers
» Policy elements, law enforcement
»Each element can self-secure, but end-to-end security is also needed
»This is one final push to form cooperative groups!
Better DNS & cooperation is not enough
»Attacks will happen
»Defenses will not stop all damage
» If a defense stops all attacks, it is probably too tight!
»This makes logging or tracing activity an important element
What do we learn from logging events
»The information left behind by an attack is valuable
»We learn the techniques
»We learn the level of sophistication
»We learn the weaknesses of the attack
»We learn how the attackers are learning
»We learn who the attackers are
»We might even be able to convict and punish them
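The two slides above (open recursive servers reflecting and amplifying attacks; logging as the evidence an attack leaves behind) come together in a resolver operator's log review. The following is an added example, not part of the talk: it parses constructed BIND-style query log lines and flags the open-resolver symptom, recursion requested from outside the networks you serve, combined with amplification-friendly query types or a source port of 53 that suggests a spoofed victim address. The log lines, the served network range and the thresholds are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed BIND-style query log sample (not from the talk): one outside client
# repeats ANY queries from source port 53, two other clients behave normally.
SAMPLE_LOG = """\
01-Aug-2011 10:00:00.001 client 198.51.100.7#53: query: example.org IN ANY +E (192.0.2.53)
01-Aug-2011 10:00:00.002 client 198.51.100.7#53: query: example.org IN ANY +E (192.0.2.53)
01-Aug-2011 10:00:00.003 client 198.51.100.7#53: query: example.org IN ANY +E (192.0.2.53)
01-Aug-2011 10:00:00.004 client 198.51.100.7#53: query: example.org IN ANY +E (192.0.2.53)
01-Aug-2011 10:00:00.005 client 198.51.100.7#53: query: example.org IN ANY +E (192.0.2.53)
01-Aug-2011 10:00:00.900 client 203.0.113.9#41234: query: www.example.com IN A + (192.0.2.53)
01-Aug-2011 10:00:01.500 client 10.0.0.12#5353: query: mail.example.net IN MX + (192.0.2.53)
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: "
                     r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")
# Networks this resolver is meant to recurse for (assumed; set to your own ranges).
SERVED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Query types whose answers dwarf the request and so make good amplifiers.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_query_log(text):
    """Return one dict per parseable query line; unparseable lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            recs.append({**m.groupdict(), "port": int(m.group("port"))})
    return recs


def find_reflection_suspects(records, min_repeats=5):
    """Flag (client, qname, qtype) seen >= min_repeats times with recursion ('+')
    requested from outside SERVED_NETS and an amplifying qtype or source port 53."""
    counts, ports = Counter(), {}
    for r in records:
        if "+" not in r["flags"]:
            continue  # no recursion requested: not an open-resolver symptom
        if any(ipaddress.ip_address(r["ip"]) in n for n in SERVED_NETS):
            continue  # one of our own clients
        key = (r["ip"], r["name"], r["qtype"])
        counts[key] += 1
        ports.setdefault(key, set()).add(r["port"])
    return [
        {"client": ip, "qname": name, "qtype": qt, "queries": n}
        for (ip, name, qt), n in counts.items()
        if n >= min_repeats and (qt in AMPLIFYING_QTYPES or 53 in ports[(ip, name, qt)])
    ]
```

A hit here is a cue to close recursion to outside clients (or rate-limit responses) and to keep the lines as evidence; the client address in a reflection attack is the victim, not the attacker.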
A stronger system
»DNS is becoming a stronger system
»We know it takes more than a good protocol, because "good" depends on the way you measure
»We know it takes world-wide cooperation and in-depth cooperation to run a network that opens communication without letting it be overrun with abuse
»We want citizens to have access to government services to help their lives, not gangs like ANONYMOUS to disrupt lives
What You Need to Do to Prepare
»Learn about DNSSEC
» It's like getting used to seatbelts
» It's not scary but it takes work
»And begin to get to know others in the Industry & Government
» Help defend the network
Thank you!