protecting privacy: the evolution of dns security · 2018-05-11 · verisign public dns resolution...
TRANSCRIPT
Protecting Privacy: The Evolution of DNS Security Burt Kaliski Senior Vice President and CTO, Verisign
NSF Technology Transfer to Practice in Cyber Security Workshop November 4, 2015
Verisign Public
Agenda
DNS Overview
Privacy Risks
Risk Mitigations
Recommendations
Verisign Public
DNS Overview
3
Verisign Public
Domain Name System (DNS) Overview
• Hierarchical, global name space for Internet names, e.g., www.example.com
• DNS records associate IP addresses, other data with domain names
• Authoritative name servers publish records, delegate to other name servers
• Clients typically query via a recursive name server
Verisign Public
DNS Hierarchy - Example
Root
Top Level .com
2nd Level example.com
3rd Level www.example.com
Top Level .gov
2nd Level nsf.gov
2nd Level dhs.gov
Top Level .edu
2nd Level southalabama.edu
Name server either answers query directly, or refers to another name server to which it has delegated its authority
Verisign Public
DNS Resolution
• Resolution is the process of answering a query by following the hierarchy of name servers
• To resolve www.example.com, query root server, then .com, then example.com
• Each refers to next in hierarchy
• Recursive name server optimizes process by caching recent results
Verisign Public
DNS Resolution - Example
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
HTTP Request 9 10
HTTP Response
www.example.com Web Server
93.184.216.34
Verisign Public
DNS Privacy Risks
• DNS data may be at risk of disclosure: • Between client and recursive • At recursive name server • Between recursive and authoritative • At authoritative name server
• Data may also be at risk of modification: privacy risk if client misdirected
• Important to consider such risks as part of overall privacy strategy
Verisign Public
Privacy Risks
Verisign Public
Risk 1: Between Client and Recursive
• Client effectively reveals browsing history via DNS traffic to recursive name server
• Adversary must be “on path” to see it, but it’s all in one place
• Risk increases when recursive name server deployed outside organization
• How to protect against eavesdropping?
Verisign Public
Risk 1: Between Client and Recursive
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
HTTP Request 9 10
HTTP Response
www.example.com Web Server
93.184.216.34
Eavesdrop
Verisign Public
Risk 2: At Recursive Name Server
• Recursive name server learns client’s browsing history through its DNS traffic
• Adversary may try to compromise server to get this data • Server itself may be “adversary,” misusing data … • How to protect against compromise, misuse?
Verisign Public
Risk 2: At Recursive Name Server
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
HTTP Request 9 10
HTTP Response
www.example.com Web Server
93.184.216.34
Misuse
Verisign Public
Risk 3: Between Recursive and Authoritative
• Recursive name server reveals samples of community’s browsing history via DNS traffic to authoritative name servers
• Adversary again must be “on path” to see traffic, but all in one place
• Authoritative name servers by definition deployed outside organization
• How to protect against eavesdropping?
Verisign Public
Risk 3: Between Recursive and Authoritative
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
HTTP Request 9 10
HTTP Response
www.example.com Web Server
93.184.216.34
Verisign Public
Risk 4: At Authoritative Name Server
• Authoritative name server learns samples of recursive’s community’s browsing history
• Adversary may again try to compromise server to get this data
• Server itself may again be “adversary” • How to protect against compromise, misuse?
Verisign Public
Risk 4: At Authoritative Name Server
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
HTTP Request 9 10
HTTP Response
www.example.com Web Server
93.184.216.34
Misuse
Misuse
Misuse
Verisign Public
Risk 5: Modification
• In addition to risks related to disclosure of DNS traffic, clients’ privacy may also be at risk if DNS responses are modified
• By modifying a DNS response, an adversary can misdirect a client to an incorrect server, facilitating an attack
Verisign Public
Risk 5: Modification
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
93.184.216.34
Modify
Modify
Poison
Attack Server
Misdirected!
12.345.678.90
Modify
Modify
A: 12.345.678.90
A: 12.345.678.90
Verisign Public
Summary of Risks
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
93.184.216.34
Modify
Modify
Poison
Attack Server
Misdirected!
12.345.678.90
Misuse
Misuse
Misuse
Misuse
Eavesdrop
Modify
Modify
Verisign Public
Risk Mitigations
Verisign Public
Mitigating DNS Privacy Risks
• Data handling policies can help mitigate the risks • Technical enhancements to DNS have also been
introduced in recent years to mitigate these risks: • DNS-over-TLS • qname-Minimization • DANE and DNSSEC
Verisign Public
Mitigation 1: Data Handling
• Data handling policies, technologies and audits can mitigate risk of compromise, misuse of data at recursive, authoritative servers
• Root, top-level domain servers generally operate under established agreements
• Other authoritative name servers, recursive name servers may not
Verisign Public
Risks 2 & 4: Misuse
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
HTTP Request 9 10
HTTP Response
www.example.com Web Server
93.184.216.34
Misuse
Misuse
Misuse
Misuse
Verisign Public
Mitigation 1: Data Handling
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
HTTP Request 9 10
HTTP Response
www.example.com Web Server
93.184.216.34
Protect
Protect
Protect
Protect
Verisign Public
Mitigation 2: DNS-Over-TLS
• Like other Internet protocols, DNS can be made more secure and information disclosure can be reduced by running over Transport Layer Security (TLS)
• IETF DPRIVE working group currently developing DNS-over-TLS specification
• Mitigates eavesdropping (risks 1 & 3) • Also mitigates modification in transit
Verisign Public
Risks 1 & 3: Eavesdropping
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
HTTP Request 9 10
HTTP Response
www.example.com Web Server
93.184.216.34
Eavesdrop
Verisign Public
Mitigation 2: DNS-over-TLS
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
HTTP Request 9 10
HTTP Response
www.example.com Web Server
93.184.216.34
Encrypt
Encrypt
Encrypt
Encrypt
Verisign Public
Mitigation 3: qname-Minimization
• DNS information disclosure can be reduced by asking authoritative only enough for referral to next server – not full query name (“qname”) each time
• IETF DNSOP working group currently developing qname-minimization spec
• Partially mitigates eavesdropping (risk 3) w/o encryption or changing authoritative
Verisign Public
Risks 1 & 3: Eavesdropping
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
HTTP Request 9 10
HTTP Response
www.example.com Web Server
93.184.216.34
Verisign Public
Q: www.example.com?
Q: www.example.com? Q: .com?
Q: example.com?
Mitigation 3: qname-Minimization
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
2
A: ask .com name server 3
4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
HTTP Request 9 10
HTTP Response
www.example.com Web Server
93.184.216.34
Minimize
Minimize
Verisign Public
Mitigation 4: DNSSEC and DANE
• DNS Security Extensions (DNSSEC) mitigates modification risk by adding digital signatures to DNS records
• Recursive, client can validate that records are unmodified • DNS-Based Authentication of Named Entities (DANE)
extends validation to include web server keys and certificates
Verisign Public
Risk 5: Modification
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
93.184.216.34
Modify
Modify
Poison
Attack Server
Misdirected!
12.345.678.90
A: 12.345.678.90
A: 12.345.678.90 Modify
Modify
Verisign Public
Mitigation 4: DNSSEC and DANE
Recursive Name Server
Root Name Server
.com Name Server
example.com Name Server
Q: www.example.com? 1
Q: www.example.com?
2
A: ask .com name server 3
Q: www.example.com? 4
A: ask example.com name server
5
6
Q: www.example.com?
A: 93.184.216.34
Internet User (Client)
A: 93.184.216.34
7
8
HTTP Request 9 10
HTTP Response
www.example.com Web Server
93.184.216.34
Sign
Sign
Sign
Validate Validate
Verisign Public
Summary: Risk Mitigation Matrix
Risk
Disclosure or Misuse Modification
Client to Recursive At Recursive
Recursive to Authoritative
At Authoritative
Data Handling Protect Protect + DNS-over-TLS Encrypt Encrypt + qname-minimization Minimize Minimize
DNSSEC and DANE Sign Validate
Mit
igat
ion
Verisign Public
Recommendations
Verisign Public
Recommendations for Privacy Professionals
• If DNS is part of the system you’re protecting ...
• Ask if these risks apply • Ask if existing mitigations are sufficient • Consider how these mitigations can help • Ask your DNS provider about its privacy practices
Verisign Public
Q & A
© 2015 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.