
DNSSEC 101

Kevin Miller


DNS Underpins Everything

Email

VoIP

CMS

IM

Enterprise Systems

Web


DNS Underpins Everything

Email

VoIP

Inbound Email Volume

CMS

IM

Enterprise Systems

Web

Received Email

Spam, virus filtering using DNS

10+ DNS Queries Per Message


Risks from DNS Attacks

  • Impersonate your web site

  • Redirect your phone calls

  • Man-in-the-middle (password theft)

  • Reroute or block your email

  • Disrupt your network, application services

  • Attack vectors for malware (data theft)

  • Denial of service

Diagram source: Internet Storm Center


DNS Attack: Cache Poisoning

Where is website.com?

Answer: 67.11.23.9

Also, www.bank.com – 12.1.2.3


DNS Attack: Forgery

Where is educause.edu?

Answer: 198.59.61.65

Answer: 12.1.2.3


DNS Attack: Indirection

Where is educause.edu?

Answer: 12.1.2.3


DNS Attack: Amplification

60 byte request

4000 byte response


Software Defects

Buffer overflow

Other vectors


Risk Reduction To Date

  • Improving weaknesses in DNS software

    • Patching software defects

    • Limiting cache poisoning opportunities

  • Improve operational best practices

    • Restrict access to DNS recursers

    • Install anti-IP spoofing filters

  • Improve host security

    • Anti-virus, anti-malware defenses

Photo source: BCP38


DNSSEC

  • Cryptographically sign DNS records

    • Also the absence of records

  • Maintains DNS architecture

    • Hierarchical, distributed signatures

  • Significant risk reduction, if used widely

    • Protects you (www.school.edu)

    • Protects your users (www.bank.com)
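
An added example, not part of the original slides, of the hierarchical link described above: the parent zone publishes a DS record holding a hash of the child zone's key, and a validator accepts the child's DNSKEY only if it matches. The zone name school.edu comes from the slide; the key bytes and helper names are constructed for illustration, and RRSIG signature checking is outside this example.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical DNS wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum used to select a key."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> dict:
    """What the parent zone publishes: a DS record with a SHA-256 digest (type 2)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def dnskey_matches_ds(owner: str, rdata: bytes, ds: dict) -> bool:
    """Validator side: accept a child DNSKEY only if the parent's DS vouches for it."""
    if ds["digest_type"] != 2 or ds["algorithm"] != rdata[3]:
        return False
    if ds["key_tag"] != key_tag(rdata):
        return False
    expected = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(expected, ds["digest"])

# Constructed sample data: placeholder key bytes, not real keys.
ZONE = "school.edu"
REAL_KSK = dnskey_rdata(257, 8, bytes(range(64)))       # flags 257 = key-signing key
FORGED_KSK = dnskey_rdata(257, 8, bytes(range(1, 65)))  # a key the parent never vouched for
PARENT_DS = make_ds(ZONE, REAL_KSK)                     # would be served by the .edu zone

if __name__ == "__main__":
    print("genuine key accepted:", dnskey_matches_ds(ZONE, REAL_KSK, PARENT_DS))
    print("forged key accepted: ", dnskey_matches_ds(ZONE, FORGED_KSK, PARENT_DS))
```

Because the digest covers the owner name as well as the key, a DS record issued for one zone cannot be reused to vouch for the same key under a different name.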


What Can Be Done Now?

  • Discover local implications

    • How do you manage DNS? What tools are used?

    • What impact would DNSSEC have?

    • Do your vendors support it?

    • Can your servers handle DNSSEC overhead?

  • Begin building expertise, experience

    • Sign a test zone

    • Deploy a test DNSSEC recurser

  • Deployment

    • Sign your zones

    • Utilize DNSSEC-enabled recurser with DLV


Additional Resources

  • http://www.dnssec.net

  • http://www.bind9.net

  • http://www.dnsreport.com

  • http://www.dnssec-deployment.org/

  • http://www.uoregon.edu/~joe/port53wars/port53wars.pdf

  • http://www.nanog.org/mtg-0606/damas.html