1 / 13

DNSSEC 101

DNSSEC 101. Kevin Miller. DNS Underpins Everything. Email. VoIP. CMS. IM. Enterprise Systems. Web. DNS Underpins Everything. Email. VoIP. Inbound Email Volume. CMS. IM. Enterprise Systems. Web. Received Email Spam, virus filtering using DNS. 10+ DNS Queries Per Message.

kasimir-richards
Download Presentation

DNSSEC 101

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DNSSEC 101 Kevin Miller

  2. DNS Underpins Everything Email VoIP CMS IM Enterprise Systems Web

  3. DNS Underpins Everything Email VoIP Inbound Email Volume CMS IM Enterprise Systems Web Received Email Spam, virus filtering using DNS 10+ DNS Queries Per Message

  4. Risks from DNS Attacks • Impersonate your web site • Redirect your phone calls • Man-in-the-middle (password theft) • Reroute or block your email • Disrupt your network, application services • Attack vectors for malware (data theft) • Denial of service Diagram source: Internet Storm Center

  5. DNS Attack: Cache Poisoning Where is website.com? Answer: 67.11.23.9 Also, www.bank.com – 12.1.2.3

  6. DNS Attack: Forgery Where is educause.edu? Answer: 198.59.61.65 Answer: 12.1.2.3

  7. DNS Attack: Indirection Where is educause.edu? Answer: 12.1.2.3

  8. DNS Attack: Amplification 60 byte request 4000 byte response

  9. Software Defects Buffer overflow Other vectors

  10. Risk Reduction To Date • Improving weaknesses in DNS software • Patching software defects • Limiting cache poisoning opportunities • Improve operational best practices • Restrict access to DNS recursers • Install anti-IP spoofing filters • Improve host security • Anti-virus, anti-malware defenses Photo source: BCP38

  11. DNSSEC • Cryptographically sign DNS records • Also the absence of records • Maintains DNS architecture • Hierarchical, distributed signatures • Significant risk reduction, if used widely • Protects you (www.school.edu) • Protects your users (www.bank.com)

  12. What Can Be Done Now? • Discover local implications • How do you manage DNS? What tools are used? • What impact would DNSSEC have? • Do your vendors support it? • Can you servers handle DNSSEC overhead? • Begin building expertise, experience • Sign a test zone • Deploy a test DNSSEC recurser • Deployment • Sign your zones • Utilize DNSSEC-enabled recurser with DLV

  13. Additional Resources • http://www.dnssec.net • http://www.bind9.net • http://www.dnsreport.com • http://www.dnssec-deployment.org/ • http://www.uoregon.edu/~joe/port53wars/port53wars.pdf • http://www.nanog.org/mtg-0606/damas.html

More Related