Dnssec restoring trust in dns roland van rijswijk roland vanrijswijk at surfnet nl
This presentation is the property of its rightful owner.
Sponsored Links
1 / 51

DNSSEC Restoring trust in DNS Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl PowerPoint PPT Presentation


  • 90 Views
  • Uploaded on
  • Presentation posted in: General

DNSSEC Restoring trust in DNS Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl. In cooperation with:. About us. High quality and high bandwith network for higher education and research Shared ICT innovation centre for academia

Download Presentation

DNSSEC Restoring trust in DNS Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Dnssec restoring trust in dns roland van rijswijk roland vanrijswijk at surfnet nl

DNSSECRestoring trust in DNSRoland van Rijswijkroland.vanrijswijk [at] surfnet.nl

In cooperation with:


About us

About us

High quality and high bandwith network for higher education and research

Shared ICT innovation centre for academia

Over 180 connected institutions (universities, polytechnics, vocational education, hospitals, research institutions) with 1 million end-users

Independent consultancy company

Cryptography expertise

Internet security expertise

SURFnet. We make innovation work


Overview

Overview

  • First half:

    • Attacks on DNS

  • Second half:

    • DNSSEC in detail

  • Questions: please ask!

SURFnet. We make innovation work


Dns roadsigns for the net

DNS: Roadsigns for the net

SURFnet. We make innovation work


Dns insecurity by design

DNS: insecurity by design?

  • DNS was designed in the early Internet era

  • Everybody more or less knew everybody else

  • And everybody trusted everybody else

  • Bottom line: Security was not a design criterion

SURFnet. We make innovation work


Threats to dns

Threats to DNS

  • Availability

    • If DNS is not available, the internet is broken (users think)

    • A typical DNS resolver services 100000+ end users

    • Some authoritative servers host over 8 million zones

  • Exploitation

    • On an exploited server availability and integrity are broken

    • Plus the attacker can gain access to all other software on the same server/client

  • Integrity

    • DNS gives the wrong answer and sends you the wrong way

      Slide content courtesy of Bert Hubert (PowerDNS)

SURFnet. We make innovation work


Why attack dns

Why attack DNS?

DNS is everywhere:

In your phone, in your laptop, in your PC…

But also in your car, in an ATM, in your elevator, …

It is very hard to protect DNS against attacks (currently)

It is very easy to attack a lot of users

6

SURFnet. We make innovation work


Let s start simple

www.piggybank.dom A?

Referral to auth.

www.piggybank.dom A?

www.piggybank.dom

A: 123.45.67.89

www.piggybank.domA: 123.45.67.89

www.piggybank.dom A?

Answer: a man in the middle attack

Let’s start simple

Question: name a general attack model that is applicable to this setup


Beyond m i t m spoofing

Beyond M-i-t-M: spoofing


Cache poisoning

www.piggybank.dom A?

Referral to auth.

www.piggybank.dom A?

www.piggybank.dom

A: 123.57.89.15

www.piggybank.domA: 123.57.89.15

www.piggybank.dom A?

Cache poisoning

Question: how can I target a specific name?

Answer: introduce a rogue client


So where do we go today

So where do we go today? ;-)

SURFnet. We make innovation work


Is it really a threat

Is it really a threat?

Yes because:

Source port randomisation was not common practice before Kaminsky

Query ID randomisation wasn’t common practice either

No because:

You can only attempt to poison a name a few times per day (why?)

11

SURFnet. We make innovation work


Cache poisoning1

Cache poisoning++

  • Dan Kaminsky published an attack at last year’s Black Hat conference

  • No need to wait for a resolver to take initiative, no need to wait for TTL expiry…

SURFnet. We make innovation work


Preparing for kaminsky

Preparing for Kaminsky


Attack in action

QID=1234

12345.piggybank.dom A???

go to piggybank auth.

12345.piggybank.dom A???

12345.piggybank.dom A???

12345.piggybank.domA: 123.45.67.89

QID=1235

Additional: NS piggybank.dom

Attack in action

QID=1234

QID=1233

QID=1235

Success!


Spoofed additional section

Spoofed additional section

;; QUESTION SECTION:

;abcde.piggybank.dom. IN A

;; ANSWER SECTION:

abcde.piggybank.dom. 582 IN A 123.45.67.89

;; AUTHORITY SECTION:

piggybank.dom. 3161 IN NS ns1.piggybank.dom.

piggybank.dom. 3161 IN NS ns2.piggybank.dom.

;; ADDITIONAL SECTION:

ns1.piggybank.dom. 604800 IN A 123.45.67.1

ns2.piggybank.dom. 604800 IN A 123.45.67.2

SURFnet. We make innovation work


Attack in action1

www.piggybank.dom

A: 123.45.67.89

www.piggybank.dom A?

www.piggybank.dom A?

Attack in action

www.piggybank.dom

A: 123.45.67.89


So it s even worse

So it’s even worse!

SURFnet. We make innovation work


Impact on threat level 1

Impact on threat level (1)

  • Kaminsky is happening (we think, but is damn hard to detect):

  • Wide-scale patching has been rolled out

    • But research shows:Poisoning unpatched BIND: ±3 seconds

      Poisoning patched BIND: 1-11 hours (source: NIC.cz)

SURFnet. We make innovation work


Impact on threat level 2

Impact on threat level (2)

  • Kaminsky is happening on our network!

SURFnet. We make innovation work


Impact on threat level 3

Impact on threat level (3)

  • Kaminsky is happening on our network!

SURFnet. We make innovation work


Impact on threat level 4

Impact on threat level (4)

  • Kaminsky is happening on our network!

SURFnet. We make innovation work


The slow attack

The slow attack

  • Brute force attacks are easy to detect

  • But the slow attack is very insidious…

    research by Bert Hubert

    (PowerDNS) shows:

    Graph courtesy of Bert Hubert

SURFnet. We make innovation work


Summary

Summary


Break time

Break time

See you

in

15 minutes


What is dnssec 1

What is DNSSEC?(1)

  • DNSSEC is an extension to DNS specified by the IETF in a number of RFCs

  • Actively developed since 1997

  • According to RFC 4033: “The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System.”

SURFnet. We make innovation work


What is dnssec 2

What is DNSSEC?(2)

  • DNSSEC makes it possible to check the authenticity of DNS records

  • This is accomplished using public key cryptography

  • What DNSSEC does not do:

    • Provide confidentiality

    • Protect against threats to the name server (DDoS, etc.)

    • Guarantee correctness of the DNS data (only authenticity)

    • Protect against phishing, typosquatting, etc.

SURFnet. We make innovation work


Cryptography in dnssec 1

Cryptography in DNSSEC (1)

  • Public key cryptography

    • RSA, DSA, (Elliptic Curve)

  • All based on a common principle: the key-pair

    • Private Key is used to signwell protected, hidden from outsiders

      • Public Key is used to verifymust be widely published

SURFnet. We make innovation work


Cryptography in dnssec 2

Cryptography in DNSSEC (2)

  • Signing takes place at zone level

  • 2-tiered key model:

  • Key Signing Key

    • Large key size (≥ 2048 bits RSA)

    • Long validity (≥ 1 year)

    • Used to sign Zone Signing Key

  • Zone Signing Key

    • Smaller key size (≥ 1024 bits RSA)

    • Short validity (± 1 month)

    • Used to sign the zone (resource records)

SURFnet. We make innovation work


Signing dns zones

Signing DNS zones

  • Additional resource records (RRs)

  • For public keys:

    • DNSKEY, DS

  • For signatures:

    • RRSIG

  • For authenticated denial-of-existence:

    • NSEC, NSEC3

  • Zones become quite a bit larger

SURFnet. We make innovation work


Validating a response

Validating a response

  • Query “www.nist.gov” @ns1.nist.gov

  • INAwww.nist.gov129.6.13.45

  • INRRSIG156 0020502000151804A10623C49E8D53CF7E6046E69737403676F7600...  signature!

  • Validate this signature against the “nist.gov” zone public zone signing key

  • It’s the resolver’s job to do this!

  • How do I find and trust the “nist.gov” key?

SURFnet. We make innovation work


Current deployment

Current deployment

  • Deployed on several TLDs:

    • ccTLD’s: .bg, .br, .cz, .pr, .se

    • generic TLD’s: .org, .gov, .museum

  • Announced for more TLDs:

    • generic TLD’s: .com and .net (2011)(> 65% of all domains!)

  • Good news: root is likely to be signed before end of 2009 (bad news: politics…)

  • Many (cc)TLD’s still to announce strategy

SURFnet. We make innovation work


Trust chain

Trust chain


Islands of trust

Islands of trust

SURFnet. We make innovation work


Finding trust anchors

Finding trust anchors

  • Managing trust anchors by hand is hard work

  • IANA has made the “Interim Trust Anchor Repository” (ITAR) availablehttps://itar.iana.org/

  • ISC has introduced “DNSSEC look-a-side validation” (DLV) and made a repository available

  • No standard way to trust the trust anchors of these repositories

  • These are interim solutions

SURFnet. We make innovation work


Dnssec restoring trust in dns roland van rijswijk roland vanrijswijk at surfnet nl

DLV


Key management 1

Key management(1)

  • Key Signing Key and Zone Signing Key have a limited validity; this requires regular roll-overs:

SURFnet. We make innovation work


Key management 2

Key management (2)

  • Keys need to be stored securely

     off-line, smart card, Hardware Security Module (HSM), ...

  • Administrators need to plan for emergency key roll-over

  • The parent has to be notified of new keys for a domain (this needs to be automated)

SURFnet. We make innovation work


Future

Future

SURFnet. We make innovation work


Criticism on dnssec

Criticism on DNSSEC

The Top-10 Reasons Why DNSSEC Is the String Theory

of the Internet

10. Adds many new dimensions to an already complex problem

9. Hogs all the research funds

8. Has many careers riding on it

7. Widely hailed by expert and layman alike as the next big thing

6. Responds to shortcomings by reinventing itself and doubling its complexity

5. On its third iteration to succes

4. Attracts the brightest minds of the industry

3. Cult-like following among believers

2. Always on the verge of solving a real world problem

1. Will be ready in 6 months!

Bert Hubert (PowerDNS)

  • Even the critics agree that DNSSEC is the only available solution at the moment

  • That doesn’t mean that DNSSEC is perfect… far from it

  • DNSSEC is hard (especially compared to ‘ordinary’ DNS, which is very forgiving)

  • The (un)availability of easy-to-use tools is hindering deployment of signed zones

SURFnet. We make innovation work


Dnssec software

DNSSEC software

  • But there is light on the tool horizon:

    • OpenDNSSEC (www.opendnssec.org)

    • Secure64 DNS Signer

    • Xelerance DNSX Signer

    • ZKT (Zone Key Tool, www.hznet.de/dns/zkt)

    • PowerDNS + DNSSEC = PowerDNSSEC

    • other vendors have announced products

  • For resolvers it’s a different matter, tools are widely available:

    • Unbound (by NLnetLabs)

    • BIND 9.x and up

    • Windows Server announced (2008 R2, Server 7)

SURFnet. We make innovation work


Alternatives 1

Alternatives(1)

  • Continue patching against attacks (keep using traditional DNS)

    • This is an arms race

    • The race is already being lost!(remember the 6 weeks attack that Bert Hubert talked about yesterday)

  • SSL/TLS

    • Too heavyweight to use on connections to DNS servers

    • Does not secure a domain against cache-poisoning; getting an SSL certificate is easy

SURFnet. We make innovation work


Alternatives 2

Alternatives(2)

  • TSIG/SIG(0)

    • TSIG is based on shared secrets (does not scale)

    • SIG(0) secures transactions (no authentication of records!)

  • DNScurve

    • Based on elliptic curve crypto

    • Can do much more than DNSSEC

    • Only proves authenticity online (forwarder based)

    • No widescale deployment/support

SURFnet. We make innovation work


Alternatives 3

Alternatives(3)

  • DNS 0x20

    • Based on using capitalisation to introduce extra entropy into a query

    • Capitalise parts of the query at random and check that the capitalisation in the answer matches the query

    • Should be compatible with existing DNS infrastructure (RFC 4343)

    • But depends on all name server software to implement literal query copying (most do)

    • Criticism: it’s still an arms race

    • And it doesn’t protect ‘.’

SURFnet. We make innovation work


Summary1

Summary

  • What does DNSSEC do for you?

    • You can prove the authenticity of the records in your domain

    • You can check the authenticity of the records of others

    • You effectively protect yourself against attacks like Kaminsky’s

SURFnet. We make innovation work


What have we done

What have we done?

  • SURFnet’s resolvers perform DNSSEC validation:

SURFnet. We make innovation work


What are we going to do

What are we going to do?

  • Extend our managed DNS service with DNSSEC support

  • Testing DNSSEC appliances as they appear on the market

  • Keep supporting OpenDNSSEC

  • Give talks like this one :-)

SURFnet. We make innovation work


What can you do

What can you do?

  • Gather knowledge on DNSSEC

    • SURFnet DNSSEC white paper (www.dnssec.nu)

    • Available at the end of this class

  • Update/reconfigure your resolvers to support DNSSEC validation and experiment with it

  • Work on an open source tool project!

    • Go to the OpenDNSSEC website and test the software

SURFnet. We make innovation work


Questions

Questions?

?

Thank you for your attention!

Roland van Rijswijk

roland.vanrijswijk [at] surfnet.nl

Rick van Rein

rick [at] openfortress.nl

Presentation released under Creative Commons(http://creativecommons.org/licenses/by-nc-sa/3.0/nl/deed.en)

SURFnet. We make innovation work


Lab work

Lab work

  • You are going to perform the Kaminsky attack

  • Install BIND as a resolver

  • Download the code

    IMPORTANT: The code is provided under embargo, please discard it after the lab work is done

  • We’d like you to finish with a short presentation of your findings


Dnssec restoring trust in dns roland van rijswijk roland vanrijswijk at surfnet nl

URL

  • http://dnssec1.students.os3.nl/DNSspoof.tgz


  • Login