
DNS Security Umbrella - DNSSEC



Presentation Transcript


  1. DNS Security Umbrella - DNSSEC Presenter: 劉旭哲

  2. Background • At the 2008 hacker conference, Dan Kaminsky disclosed the major security flaw "DNS Cache Poisoning" • The rise of cloud computing

  3. Normal DNS (diagram: User → Local DNS with cache → Master DNS on the Internet → Website. On a cache miss ("Not found in my cache") the local DNS queries the master DNS, e.g. Query: A.com =? / Res: A.com=1.1.1.1, Query: B.com =? / Res: B.com=2.2.2.2, then updates its cache; on a cache hit ("Found it in my cache") it answers directly and the user connects to the site)

  4. DNS Cache Poisoning (diagram: the user asks the Local DNS "Query: C.com = ?"; the hacker's forged answer "Res: C.com = 4.4.4.4" arrives while the resolver is still looking, so the cache is updated with it and the Master DNS's genuine answer "Res: C.com = 3.3.3.3" is of no use. This user will connect to the fake C.com; if the fake looks the same as the original C.com, it is easy to get information about the user)

  5. Why is DNSSEC needed? • VeriSign's "Domain Name Industry Brief" for Q2 2010 • .com and .net registrations together exceeded 100 million, up 2% from Q1 • VeriSign handles 62.5 billion DNS queries per day on average, with a peak of 83.6 billion per day, both up more than 15% on earlier figures

  6. A Forrester survey of 297 IT decision-makers found • 51% had experienced a DNS-related attack • 38% had experienced a man-in-the-middle attack

  7. DNS Security Extensions • DNSSEC = DNS + digital signatures • RFC 4034 & RFC 4035 • Four new resource record types • DNS Public Key (DNSKEY) • Resource Record Signature (RRSIG) • Next Secure (NSEC) • Delegation Signer (DS) - optional

  8. DNS Public Key (DNSKEY) • The record in which the zone's public key is published; the Protocol field is fixed at 3

  9. For example • example.com. 86400 IN DNSKEY 256 3 5 ( AQP…………….== ) • Fields: Owner name, TTL, Class, RR type, Flags, Protocol, Algorithm, (Public Key)

  10. Resource Record Signature (RRSIG) • The digital signature over an RRset; Labels field for the root = 0

  11. Algorithm • host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 ( 20030220173103 2642 example.com. oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTrPYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3tGNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkGJ5D6fwFm8nN+6pBzeDQfsS3Ap3o= ) • Fields after the type covered: Algorithm, Labels, Original TTL, Signature Expiration, Signature Inception, Key Tag, Signer's Name, Signature (Base64 encoded)
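As an added example (not code from the presentation), the following Python splits the RRSIG shown on this slide into its RDATA fields and performs the two checks a validating resolver makes before it even touches the signature: is the current time inside the inception/expiration window, and does the Labels field agree with the owner name (a smaller Labels value means the record was synthesised from a wildcard). The `SAMPLE_RRSIG` string is the slide's record with the parenthesised continuation joined; the signature text is kept as Base64 rather than decoded, because the transcript may have truncated it and full verification would also need the signer's DNSKEY, which the slide does not show. Function names are this example's own.

```python
from datetime import datetime, timezone

# The RRSIG from the slide (RFC 4034 section 3.3 example), one line, parentheses kept.
SAMPLE_RRSIG = (
    "host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 ( "
    "20030220173103 2642 example.com. "
    "oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTrPYGv07h108dUKGMeDPKijVCHX3DDKdfb"
    "+v6o9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3tGNazPwQKkRN20XPXV6nwwfoXmJQbsL"
    "NrLfkGJ5D6fwFm8nN+6pBzeDQfsS3Ap3o= )"
)

# RDATA field order from RFC 4034 section 3.1 (the signature itself follows).
RRSIG_FIELDS = ("type_covered", "algorithm", "labels", "original_ttl",
                "expiration", "inception", "key_tag", "signer")


def parse_sigtime(text):
    """Signature times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text):
    """Split an RRSIG in presentation format into a dict of typed fields.
    Parentheses are only zone-file line continuation, so they are dropped."""
    tokens = text.replace("(", " ").replace(")", " ").split()
    owner, ttl, klass, rrtype = tokens[0], int(tokens[1]), tokens[2], tokens[3]
    if rrtype != "RRSIG":
        raise ValueError("not an RRSIG record: " + rrtype)
    rec = dict(zip(RRSIG_FIELDS, tokens[4:12]))
    for field in ("algorithm", "labels", "original_ttl", "key_tag"):
        rec[field] = int(rec[field])
    rec["expiration"] = parse_sigtime(rec["expiration"])
    rec["inception"] = parse_sigtime(rec["inception"])
    # Base64 may be split over several tokens in a zone file; keep it as text.
    rec["signature_b64"] = "".join(tokens[12:])
    rec.update(owner=owner, ttl=ttl, klass=klass)
    return rec


def signature_is_current(rec, now_sigtime):
    """True if now (given in the same YYYYMMDDHHmmSS form) lies in the validity window."""
    now = parse_sigtime(now_sigtime)
    return rec["inception"] <= now <= rec["expiration"]


def owner_label_count(name):
    """Labels in an owner name, excluding the root and a leading '*' (RFC 4034 section 3.1.3)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def is_wildcard_expansion(rec):
    """Labels field smaller than the owner's label count means the answer came from a wildcard."""
    return rec["labels"] < owner_label_count(rec["owner"])


if __name__ == "__main__":
    rec = parse_rrsig(SAMPLE_RRSIG)
    print("covers", rec["type_covered"], "signed by", rec["signer"], "key tag", rec["key_tag"])
    print("valid on 2003-03-01:", signature_is_current(rec, "20030301000000"))
    print("wildcard expansion:", is_wildcard_expansion(rec))
```

The Labels check matters because a validator must reconstruct the original owner name (with `*` in place of the extra labels) before hashing the RRset; a mismatch that was not a wildcard is a signature that will never verify.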

  12. Next Secure (NSEC) • Each NSEC names the next owner name in the zone; when there is no next name, the field points back to the first domain name, so the records form a closed chain

  13. alfa.example.com. 86400 IN NSEC host.example.com. ( A MX RRSIG NSEC TYPE1234 )
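The slide's NSEC record says that no owner name exists between alfa.example.com. and host.example.com., and that alfa itself has only the listed types. The following added example (not the presentation's code) implements the canonical ordering of RFC 4034 section 6.1 and uses it to read such a chain the way a validator does: a name that falls strictly between an NSEC owner and its Next Domain Name is proven not to exist, a name equal to an NSEC owner exists and its type bitmap tells whether the queried type is present, and the last record's wrap-around to the apex closes the chain. The alfa record is the slide's own; the apex and host records are constructed to complete a three-name zone, and all function names are this example's.

```python
# Constructed NSEC chain for example.com. The middle record is the one on the slide;
# the first and last are assumed so the chain closes back at the apex.
SAMPLE_NSEC_CHAIN = [
    "example.com. 86400 IN NSEC alfa.example.com. ( NS SOA MX RRSIG NSEC DNSKEY )",
    "alfa.example.com. 86400 IN NSEC host.example.com. ( A MX RRSIG NSEC TYPE1234 )",
    "host.example.com. 86400 IN NSEC example.com. ( A RRSIG NSEC )",
]


def parse_nsec(text):
    """Return (owner, next_name, type_set) from an NSEC in presentation format."""
    tokens = text.replace("(", " ").replace(")", " ").split()
    owner, rrtype, next_name = tokens[0], tokens[3], tokens[4]
    if rrtype != "NSEC":
        raise ValueError("not an NSEC record: " + rrtype)
    return owner.lower(), next_name.lower(), set(tokens[5:])


def canonical_key(name):
    """Sort key for RFC 4034 canonical ordering: labels compared from the
    root leftwards, case-insensitively, as byte strings."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode() for l in reversed(labels))


def nsec_covers(owner, next_name, name):
    """True if name sorts strictly between owner and next_name (name does not exist)."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(name)
    if o < n:
        return o < q < n
    # Last record of the chain: next_name is the apex, so the gap wraps around.
    return q > o or q < n


def prove(chain, qname, qtype):
    """'NXDOMAIN' if the chain proves qname absent, 'NODATA' if qname exists but
    lacks qtype, 'EXISTS' if the RRset is present, None if the chain says nothing."""
    q = canonical_key(qname)
    for owner, next_name, types in chain:
        if canonical_key(owner) == q:
            return "EXISTS" if qtype in types else "NODATA"
        if nsec_covers(owner, next_name, qname):
            return "NXDOMAIN"
    return None


def chain_is_closed(chain, apex):
    """Walk from the apex following Next Domain Name; the chain must visit every
    record exactly once and return to the apex, otherwise the zone's NSEC set is broken."""
    following = {owner: next_name for owner, next_name, _ in chain}
    seen, current = set(), apex.lower()
    while current not in seen:
        seen.add(current)
        if current not in following:
            return False
        current = following[current]
    return current == apex.lower() and len(seen) == len(chain)


if __name__ == "__main__":
    chain = [parse_nsec(line) for line in SAMPLE_NSEC_CHAIN]
    print("chain closed:", chain_is_closed(chain, "example.com."))
    for qname, qtype in [("bravo.example.com.", "A"), ("alfa.example.com.", "MX"),
                         ("alfa.example.com.", "TXT"), ("zulu.example.com.", "A")]:
        print(qname, qtype, "->", prove(chain, qname, qtype))
```

Because the ordering compares labels from the right, a name such as sub.alfa.example.com. also lands in the alfa-to-host gap and is correctly reported as non-existent, while uppercase queries match lowercase owners.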

  14. Delegation Signer (DS) • Ensures the user obtains the correct public key for the child zone • The parent zone's administrator signs a digest of the child's key; digest type 1 (SHA-1)

  15. dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQO……….== ) ; key id = 60485 • dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A98631FAD1A292118 ) SHA-1
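The DS record on this slide is derived from the DNSKEY above it: its key tag (60485) is computed from the DNSKEY RDATA by the algorithm in RFC 4034 Appendix B, and its digest is SHA-1 over the owner name in canonical wire form followed by that RDATA (RFC 4034 section 5.1.4). The following Python is an added example (not the presentation's code) that performs both derivations and then checks a parent's DS against a child's DNSKEY, which is the test a validator applies at every delegation. Because the slide elides the public key, the `SAMPLE_DNSKEY` below uses a made-up four-byte key so the tag can be checked by hand (it comes to 2059, not the slide's 60485); the DNSKEY from the slide would reproduce 60485 and the digest 2BB183AF... if its full key were available. Function names are this example's own.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY in the slide's format with a tiny made-up key (01 02 03 04).
# Flags 256 = zone key without the SEP bit, protocol 3 (always), algorithm 5 = RSA/SHA-1.
SAMPLE_DNSKEY = "dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQIDBA== )"


def parse_dnskey(text):
    """Return the fields of a DNSKEY in presentation format; public key as bytes."""
    tokens = text.replace("(", " ").replace(")", " ").split()
    owner, ttl, rrtype = tokens[0], int(tokens[1]), tokens[3]
    if rrtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: " + rrtype)
    flags, protocol, algorithm = (int(t) for t in tokens[4:7])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 section 2.1.2)")
    key = base64.b64decode("".join(tokens[7:]))
    return {"owner": owner, "ttl": ttl, "flags": flags,
            "protocol": protocol, "algorithm": algorithm, "key": key}


def dnskey_rdata(rec):
    """Wire-format RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"]) + rec["key"]


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum over the RDATA, big-endian word sum with carry folded in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical wire form of an owner name: lowercase length-prefixed labels, root byte last."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def ds_digest(rec, digest_type=1):
    """Digest types 1 = SHA-1 (the slide's), 2 = SHA-256; uppercase hex as in zone files."""
    digest = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return digest(wire_name(rec["owner"]) + dnskey_rdata(rec)).hexdigest().upper()


def ds_record(rec, digest_type=1):
    """Presentation-format DS the parent would publish for this DNSKEY."""
    return "%s %d IN DS %d %d %d %s" % (rec["owner"], rec["ttl"], key_tag(dnskey_rdata(rec)),
                                         rec["algorithm"], digest_type, ds_digest(rec, digest_type))


def ds_matches(ds_line, rec):
    """Validator's delegation check: parent's DS must agree with the child's DNSKEY
    on key tag, algorithm and digest; digest type 1 or 2 is required here."""
    tokens = ds_line.replace("(", " ").replace(")", " ").split()
    if tokens[3] != "DS":
        return False
    tag, algorithm, digest_type = (int(t) for t in tokens[4:7])
    digest = "".join(tokens[7:]).upper()
    if digest_type not in (1, 2):
        return False
    return (tag == key_tag(dnskey_rdata(rec)) and algorithm == rec["algorithm"]
            and digest == ds_digest(rec, digest_type))


if __name__ == "__main__":
    rec = parse_dnskey(SAMPLE_DNSKEY)
    print("key tag:", key_tag(dnskey_rdata(rec)))
    print(ds_record(rec))
    print("DS matches DNSKEY:", ds_matches(ds_record(rec), rec))
```

Two points worth noting from the code: the owner name is lowercased before hashing, so a DS computed from DSKEY.EXAMPLE.COM. is identical to one from dskey.example.com., and the key tag is only a 16-bit checksum, so a validator that finds a tag match must still try the actual digest (and later the signature) rather than trusting the tag alone.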

  16. Current status • VeriSign, working with the US Department of Commerce and ICANN, has deployed DNSSEC in the root zone • Deployment in .net is expected to be complete by the end of the year • DNSSEC in .com in Q1 2011

  17. References • http://tech.hexun.com.tw/2010-09-27/125010169.html • http://www.isc.org/files/DNSSEC_in_6_minutes.pdf • http://www.informationsecurity.com.tw/article/article_detail.aspx?tv=13&aid=5886 • http://phorum.study-area.org/index.php?topic=60268.0 • http://www.ietf.org/rfc/rfc4035.txt • http://www.ietf.org/rfc/rfc4034.txt
