SecuringDNSInfrastructureUsingDNSSECRamMohanExecutiveVicePresident,Afiliasrmohan@afilias.info

February28,2009

Agenda  GettingStarted

  FindingoutwhatDNSdoesforyou  WhatCanGoWrong

  ASurvivalGuidetoDNSSEC  WhyTechiesCreatedDNSSEC  WhatCanHappenWithoutDNSSEC

  WhyShouldAnyoneCare  Consequences  ResponsibilitiesofNetworkOperators(ISPs),Registrars,Registries,

RootOperators,ICANNandothers  TheRoadAhead

  Signingtheroot  Whatdomainnameownerscando

  Q&ASession

mohan_dnssec

WhattheDNSisusedfor Web,Email,StreamingMedia,InstantMessaging–theInternetdependsontheDNS DNSdecidesifyoursitecanbereached DNSdeterminesifyouremailcanbedelivered

  DNSistheInternetdirectoryandphonebook  Providesdirectionsonwherecomputersareforeachdomainname

  DNSPreventsOutagesandProvidesRedundancy DNSmismanagementcanresultin“Internetoutages”evenifyourInternetconnectionisworking

mohan_dnssec

WhatDoesTheDNSDoForYou  Tellsmachineswheretogowhenyou:

  Typeinawebaddress  Sendanemail

Resolver

AmIonline?WhereshouldIgotogetmyanswer?‐MylocalInternetServiceProvider

Cache

DoIalreadyhavetheanswer?‐SendtheanswerbacktoresolverElse,contactDomainNameServer

NameServer

User ISP NameServerOperators

FindtheIPaddressSenditback

mohan_dnssec

WhyA8acktheDNS

 Money Lotofmoneywaitingtobemade(stolen)whenecommerceandbankingiscompromised

 Power  ISPs,NetworkoperatorsandtheDanishInternetusercanbehijackedandforciblyredirected

 Reducescredibilityanderodestrust Control

 Allowsspyingonuserswithouttheirknowledgeorcontrol

mohan_dnssec

WhatCanGoWrong  Forgery

  TheDNSdatabeingreturnedtoyourISPcanbeforged  Especiallyeasyonawirelessnetwork  Result:Youaretransportedwhereyoudidnotmeantogo

  Poisoning  TheDNSdatacanbemodified

  CausesyourISP’scachetohavevalidbutwronginformationonwheretogo

  Eavesdropping  CaninterceptyourDNSdataandjust“listen”beforepassingon

  Otherthingsthatcangowrong:  Alterationofzonedata‐Impersonationofmaster/cache‐Unauthorizedupdates

mohan_dnssec

2005ISPA8ack

  InMarch‐April2005,usersofanISPhadspecificspyware,spamandpay‐per‐clicktrojans,fromredirectionsites

  TheISP’scachehadhundredsofDNSnamesspoofed…  AmericanExpress.com  FedEx.com  CitiCards.com  DHL‐USA.com  Sabre.com

Source:AllisonMankin

mohan_dnssec

  July2008‐researcherDanKaminskydisclosesevidenceofmassiveInternetvulnerability  Easy“cachepoisoning”  ExposesallrecursiveDNSresolverstotakeover

  AllowsallInternettraffictobehijackedoncompromisedDNSresolvers  Lessthanonesecondtocompromiseavulnerableserver  CompletelytransparenttoInternetuser

Worldwidecriticalproblem:DNSvendorsandothercompaniesissuedemergencypatches

mohan_dnssec

1)  Breakpastmostusername/passwordpromptsonwebsites,nomatterhowthesiteisbuilt.

2)  BreaktheCertificateAuthoritysystemusedbySSL,becauseDomainValidationsendsanemailandemailisinsecure.

3)  ExposethetrafficofSSLVPNs,becausethecertificatecheckisnowcircumvented

4)  Forcemaliciousautomaticupdatestobeaccepted5)  Causemillionsoflinesoftotallyuntestednetworkcodetobe

exposedtoattack6)  LeakTCPandUDPconnectivitybehindthefirewall,toany

website,inanattackwethoughtwealreadyfixedtwice7)  Exposethetrafficoftoolsthatdon’tevenpretendtobesecure,

because“it’sbehindthefirewall”or“protectedbyasplit‐tunnelingIPsecVPN”.

mohan_dnssec Source:http://www.doxpara.com/

DNSSECExplained  DNSSECistheInternet’sanswertoDNSIdentityTheft

  ItprotectsusersfromDNSattacks  ItmakessystemsdetectDNSattacks

  AlmosteverythinginDNSSECisdigitallysigned  AllowsauthenticationoftheORIGINoftheDNSdata  EnsuresINTEGRITYoftheDNSdata

  Digitallysigned=“PublicKeyCryptography”  SecretPrivateKey,OpenPublicKey  DNSMessagesarescrambledusingthePrivateKey–thePublicKeyis

neededtounscrambleit[a.k.a.“SIGNING”]  YounowknowWHOsentthemessage(sinceprivatekeyisunique)

  IfdataisMODIFIED,mangled,orotherwisecompromiseden‐route…  Thesignatureisnolongervalid

  DNSSEC=DNSSecurityExtensions

mohan_dnssec

TheChainofTrustIfItrustapublickeyfromsomeone,Icanusethatkeytoverifythesignature…andauthenticatethesource

 Makesuretherootzonekeycanbetrusted  Pointersintherootzonepointtolowerzones(com/org/info/deetc)

  Eachpointerisvalidatedwiththepreviousvalidatedzonekey

 OnlythekeyfortherootzoneisneededtovalidatealltheDNSSECkeysontheInternet

 Howtoupdatethesekeysandpropagatethemarenotdoneyet

mohan_dnssec

TechnicalDetailsbehindDNSSEC

  AUTHENTICATESeverysetofDNSdata–thisiscalledaDNSResourceRecordset,orRRs  (Arecords,MXrecords,DNAMEs,etc,etc)

  AuthenticatesabsenceofDNSdata  xyz.icann.orgdoesnotexist

  CreatesfournewDNSrecordtypes  ValidatesusingChainOfTrust  Eachanswerissigned  DNSSEC:

  ProvidesnoCONFIDENTIALITYofDNSdata  NoprotectionagainstDenialofServiceattacks

  SSL,IPSecarenotenough

mohan_dnssec

RolesandResponsibiliGes

 Registrars,networkoperators,registries,ICANN,rootserveroperators…largenetworkmustcoordinateandinteract

 CreateDNSSECCapableNameServersfortheTLDandlowerlevelzones

 Putpoliciestogether  Zonewalking

 Howtohandlekeyrollover Howcanyouensurethatwhenthekeyhastobechanged,itispropagatedsecurely,safely,andquickly?

mohan_dnssec

DNSSECTrustAnchorRepositories(TAR)

ATrustAnchorRepository(TAR)canbedefinedasarepositoryorsetofrepositoriesthatmaybeusedforstoringSecureEntryPoint(SEP)akazonekeysforoneormoreDNSzones

  InterimapproachtoimplementingDNSSEC

  CompensatesfornosignedrootorTLDs  ProvidessecurelocationstoobtainDNSSECvalidationinformation,

absentasignedrootzone  ProposedtypesofTARs:

  GlobalTARs  CommunityofInterest(CoI)TARs  LocalTARs

mohan_dnssec

Summary  Rootmustbesigned!  6‐7ccTLDsalreadysigned  .ORGhasannouncedplanstosignin1H2009  TrustAnchorRepositoriesallow“look‐aside”mechanismforDNSSEC

keys  EvangelizetheneedforDNSSECatindustry–companies–

organizations  Policiesmustbeestablished  Whattoread:

  Introductions:www.dnssec.net  Tutorials:http://www.ripe‐ncc.org/training/dnssec/material/  Othermaterial:

  http://www.nlnetlabs.nl/dnssec/  http://www.ripe.net/disi/

mohan_dnssec

MaketheDNSimmunetoDNSIdentityTheft

  ImplementDNSSECattherootandTLDzones  ImmunizationagainstDNShijacking

  Proven“ChainofTrust”modelprotection  PublickeycryptographywithstrongencryptionwillprotectDNSsystem

  SecurestorageofkeysinTrustAnchorRepository  Resultsinguaranteedlookupsinasafeenvironment

  Buildastrongfoundationfordomainnameowners  Allowsdomainnameownerstodigitallysigntheirdomains‐‐protectstheirnamesfromhijacking

mohan_dnssec

  Talktoyourwebsitehostproviderortechnicalproviderabout“Signingyourzone”withaDNSSECkey  Thiswillautomaticallyprotectvisitorstoyourwebsitefrombeinghijacked

  Itwillincreasetheperceptionandrealityofsecurityforyourorganization

  SignupwithmailingliststounderstandmoreaboutimplementingDNSSEC  EliminateDNSidentitytheft  Ensuresafetyforyourclients  Improveyourbranding

mohan_dnssec

MailingLists

  dnssec@cafax.se  operatorsanddevelopersworkingondnssec

  namedroppers@ops.ietf.org  DNSEXTIETFworkinggroup(DNSprotocoldevelopment)

  dnsop@cafax.se  DNSOPIETFworkinggroup(operationalDNSissues)

  techsec@ripe.net  RIPETechnicalSecurityworkinggroup

  dns‐wg@ripe.net  RIPEDNSworkinggroup

mohan_dnssec

SecuringDNSInfrastructureUsingDNSSECRamMohanExecutiveVicePresident,Afiliasrmohan@afilias.info

February28,2009