TODAY & TOMORROW DAY 2 - GROUP 5 PRESENTED BY: JAMES SPEIRS CHARLES HIGBY BRADY REDFEARN Domain Name System (DNS)

Upload: anissa-dalton

Post on 02-Jan-2016

TRANSCRIPT

Page 1: TODAY & TOMORROW DAY 2 - GROUP 5 PRESENTED BY: JAMES SPEIRS CHARLES HIGBY BRADY REDFEARN Domain Name System (DNS)

TODAY & TOMORROW
DAY 2 - GROUP 5

PRESENTED BY:
JAMES SPEIRS
CHARLES HIGBY
BRADY REDFEARN

Domain Name System (DNS)

J

Page 2

Overview

• Day 1 Review
• DNS Exploit Types
• DNS SEC
• Public Key Infrastructure (PKI)
• DNS SEC Implementation
• Early DNS Fixes
• DNS SEC Proposals
• Which Is Best?

C

Page 3

Day 1 Review

• DNS
• Bailiwick
• Dan Kaminsky
• DNS Poisoning
• SSL & HTTPS

B

Page 4

DNS Exploit Types

• Cache poisoning
  o Dan Kaminsky
  o HD Moore
    ▪ Metasploit, 10 seconds
• Client flooding
  o No other DNS responses are received
  o Denial-of-Service (DoS)
• Dynamic update
  o Everything freely available - no query required
• Hosts file
  o Malware attacks

J

Page 5

DNS SEC

• Pros:
  o Can distribute public keys
    ▪ email
  o IPs are distributed securely
  o Reliable
  o Robust
• Cons:
  o Rework of DNS infrastructure (UDP)
    ▪ 10x larger packets
    ▪ 100x more resources
  o Easier to run DoS attack
  o Unbroken zone signing all the way to the root

C

Page 6

Public Key Infrastructure (PKI)

1. I ask the Certificate Authority (CA) to issue a certificate in my name
2. The CA validates my identity, then issues me a certificate
3. I present a certificate containing my identity to the user
4. The user doesn't know me, so they ask the CA to verify my identity
5. The CA checks that my certificate is valid: unaltered, unexpired, legitimate
6. The CA tells the user my certificate is valid
7. User now trusts me

B

Page 7

PKI Example

 

Page 8

DNS SEC Implementation

"Report on the ccNSO's DNSSEC Survey 2009," http://ccnso.icann.org/surveys/dnssec-survey-report-2009.pdf

C

Page 9

Early DNS Fixes

• Transaction ID randomization
• Source port randomization

B

Page 10

Evgeniy Polyakov

• Cracked fully patched BIND 9
  o In 10 hrs
  o With gigabit Ethernet
  o Trojan horse could do this within network

J

Page 11

De-Bouncing

Double queries

• Pros
  o Verified DNS queries
  o Easy to implement
• Cons
  o Not enough bandwidth
  o Servers too busy
  o Easy to run DoS

C

Page 12

Abandon UDP

Make all DNS traffic TCP
• 3-way handshake to start
• 2 for question/answer
• 2 to shutdown

• Pros:
  o No information limit
  o Can use PKI
• Cons:
  o 7x more bandwidth
  o Need more hardware
  o Bridge UDP to TCP packeting

B

Page 13

0x20

Case sensitivity
• Case is preserved in DNS query

• Pros:
  o Random case can be sent
  o Reply can be verified
  o Authoritative Name Servers need no update
  o No bandwidth increase
  o Easy to implement
• Cons:
  o Querying servers need update
  o Client update
  o Query servers need hardware

J
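The following Python is an added example written for this transcript, not code from the slides or from any resolver: it turns the "Early DNS Fixes" slide (transaction ID and source port randomization) and the 0x20 slide above into a resolver-side acceptance check, and counts how many bits an off-path forger would have to guess before a forged reply is accepted. The Query class, the function names and the sample name www.example.com are constructed for the demo.

```python
# Added example: resolver-side reply validation with TXID, source-port and
# 0x20 (query-name case) checks. All names and values are constructed for
# the demo; this is not code from BIND or any other resolver.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # UDP source port the resolver sent from
    qname: str       # query name exactly as sent, including the 0x20 case pattern


def randomize_case(qname: str, rng: random.Random) -> str:
    """0x20 encoding: give every ASCII letter a random case. Digits, dots and
    hyphens are left alone, so the name still resolves to the same records
    (DNS name matching is case-insensitive), but the authoritative server
    echoes the exact pattern back in the question section of its answer."""
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower()) if ch.isalpha() else ch
        for ch in qname
    )


def new_query(qname: str, rng: random.Random, use_0x20: bool = True) -> Query:
    """Pick a fresh 16-bit TXID and a random high source port per query.
    A real resolver would draw these from a CSPRNG (random.SystemRandom);
    a seedable Random is used here only so the demo is reproducible."""
    return Query(
        txid=rng.getrandbits(16),
        src_port=rng.randrange(1024, 65536),
        qname=randomize_case(qname, rng) if use_0x20 else qname.lower(),
    )


def accept_reply(q: Query, reply_txid: int, reply_dst_port: int, reply_qname: str) -> bool:
    """A reply is accepted only if every unpredictable field matches exactly.
    The qname comparison is deliberately case-sensitive: that is the point
    of 0x20. Anything else is dropped as a forged or stale reply."""
    return (
        reply_txid == q.txid
        and reply_dst_port == q.src_port
        and reply_qname == q.qname
    )


def guess_space_bits(qname: str, txid_random=True, port_random=True, use_0x20=True) -> int:
    """Bits an off-path forger must guess before a forged reply is accepted."""
    bits = 0
    if txid_random:
        bits += 16
    if port_random:
        bits += 16
    if use_0x20:
        bits += sum(1 for ch in qname if ch.isalpha())   # one bit per letter
    return bits


def expected_forgeries(bits: int) -> float:
    """Average number of forged packets before one is accepted, one guess per packet."""
    return 2.0 ** bits / 2


def demo() -> dict:
    rng = random.Random(20160102)  # seeded for reproducibility only
    q = new_query("www.example.com", rng)
    # A genuine answer echoes TXID, destination port and the exact case pattern.
    genuine = accept_reply(q, q.txid, q.src_port, q.qname)
    # A forger who matched TXID and port but sent a different case pattern.
    forged_case = accept_reply(q, q.txid, q.src_port, q.qname.swapcase())
    # A forger who matched everything except the resolver's source port.
    forged_port = accept_reply(q, q.txid, (q.src_port + 1) % 65536, q.qname)
    return {"genuine": genuine, "forged_case": forged_case, "forged_port": forged_port,
            "bits_txid_only": guess_space_bits("www.example.com", True, False, False),
            "bits_with_port": guess_space_bits("www.example.com", True, True, False),
            "bits_with_0x20": guess_space_bits("www.example.com", True, True, True)}


if __name__ == "__main__":
    print(demo())
```

The numbers line up with the slides: transaction ID randomization alone leaves 16 bits, adding source port randomization gives 32, and 0x20 adds one bit per letter (13 for www.example.com) without any change to the authoritative server or to packet size, which is why the slide lists "no bandwidth increase" and "authoritative name servers need no update" as pros.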

Page 14

Domain Vouching

Look-aside technology
• Pros:
  o Distributed load
  o One party maintains all DNS info
• Cons:
  o Bottleneck at voucher
  o Reliant on third-party service availability
  o DoS on third-party machine
  o URL redirection

example.com -> example.voucher.com

C

Page 15

U.S. Controls All

Department of Homeland Security (DHS) controls DNS activity
• Pros:
  o Can we trust DHS?
  o One authority?
  o U.S. dominance of Internet
• Cons:
  o Politics
    ▪ Any non-US government is opposed
  o Censorship
  o One authority
  o Trust

B

Page 16

PGP Signing Model

Proven example for PKI
• Pros:
  o Multiple non-governmental signers approve all keys
    ▪ Peer approval
    ▪ CA approval
    ▪ Anyone approves
  o Create Root Key Set
  o Distribute Root Key Sets
  o Distributed load
  o No single point of failure
• Cons:
  o Someone has to approve your key
  o Some more hardware
  o Everyone has to do it

J

Page 17

Which Is Best?

Class Discussion

C

Page 18

Summary

• Everything depends on DNS
• DNS SEC 9 yrs old
• Lots of proposals
• No perfect solution
• PGP model seems best right now
• Lots of work to do
• Without DNS SEC, we're in trouble

B

Page 19

Questions

 

?

Page 20

Vocabulary

• KSK - Key Signing Key
• ZSK - Zone Signing Key
• RZM - Root Zone Maintainer
• RKO - Root Key Operator
• RZF - Root Zone File
• RKS - Root Key Set
• ZKS - Zone Key Set
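An added Python example, written for this transcript and not taken from the slides or from any DNSSEC software, ties the DNS SEC con "unbroken zone signing all the way to the root" to the KSK and ZSK vocabulary above. Each zone's KSK is pinned by a DS record in its parent zone, and a validator walks those DS -> DNSKEY links from the root trust anchor down to the leaf; one missing or mismatching link and the leaf's data cannot be proven authentic. The DS digest and key-tag computations follow RFC 4034 and RFC 4509. The RRSIG signature checks that bind the ZSK and the zone's records to the KSK are left out (they need an asymmetric-crypto library), and the zone names, the key bytes (random filler standing in for real public keys) and the function names are constructed.

```python
# Added example: walking the DNSSEC chain of trust through DS -> DNSKEY links.
# Zones, names and key bytes are constructed; the key material is filler, not
# real RSA keys, and RRSIG verification is deliberately omitted.
import hashlib
from dataclasses import dataclass, field

FLAGS_ZSK = 256      # ZONE bit set: Zone Signing Key
FLAGS_KSK = 257      # ZONE + SEP bits: Key Signing Key (secure entry point)
PROTO_DNSSEC = 3
ALG_RSASHA256 = 8
DS_SHA256 = 2


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase labels,
    each length-prefixed, terminated by the root's zero-length label."""
    name = name.lower().rstrip(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l)
    return wire + b"\x00"


def dnskey_rdata(flags: int, public_key: bytes, algorithm: int = ALG_RSASHA256) -> bytes:
    """DNSKEY RDATA layout: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([PROTO_DNSSEC, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum a validator uses to pick the matching DNSKEY."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """RFC 4034 5.1.4 with SHA-256 (RFC 4509): hash(owner name wire | DNSKEY RDATA)."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).digest()


@dataclass
class DS:
    tag: int
    algorithm: int
    digest_type: int
    digest: bytes


@dataclass
class Zone:
    name: str
    ksk: bytes   # DNSKEY RDATA with flags 257
    zsk: bytes   # DNSKEY RDATA with flags 256; would sign the zone's RRsets (RRSIGs not modelled)
    ds_for_child: dict = field(default_factory=dict)   # child name -> DS this zone publishes


def ds_record(owner: str, ksk_rdata: bytes) -> DS:
    return DS(key_tag(ksk_rdata), ksk_rdata[3], DS_SHA256, ds_digest(owner, ksk_rdata))


def publish_ds(parent: Zone, child: Zone) -> None:
    """The parent records a hash of the child's KSK: this is one link of the chain."""
    parent.ds_for_child[child.name] = ds_record(child.name, child.ksk)


def ds_matches(ds: DS, zone: Zone) -> bool:
    return (zone.ksk[:2] == FLAGS_KSK.to_bytes(2, "big")
            and ds.digest_type == DS_SHA256
            and ds.algorithm == zone.ksk[3]
            and ds.tag == key_tag(zone.ksk)
            and ds.digest == ds_digest(zone.name, zone.ksk))


def validate_chain(trust_anchor: DS, chain: list) -> bool:
    """chain is ordered root first. Every zone's KSK must match the DS held by
    the zone above it (the root's by the configured trust anchor)."""
    expected = trust_anchor
    for parent, child in zip(chain, chain[1:] + [None]):
        if expected is None or not ds_matches(expected, parent):
            return False   # missing or mismatching DS: chain is broken here
        expected = parent.ds_for_child.get(child.name) if child else None
    return True


def _fake_key(label: str) -> bytes:
    return hashlib.sha256(label.encode()).digest()   # constructed filler, not a real key


def build_demo():
    zones = [Zone(n, dnskey_rdata(FLAGS_KSK, _fake_key(n + "ksk")), dnskey_rdata(FLAGS_ZSK, _fake_key(n + "zsk")))
             for n in (".", "com.", "example.com.")]
    publish_ds(zones[0], zones[1])
    publish_ds(zones[1], zones[2])
    anchor = ds_record(".", zones[0].ksk)   # what a validator ships with: the root KSK's DS
    return anchor, zones


def demo_valid() -> bool:
    anchor, chain = build_demo()
    return validate_chain(anchor, chain)


def demo_swapped_key() -> bool:
    anchor, chain = build_demo()
    chain[2].ksk = dnskey_rdata(FLAGS_KSK, _fake_key("other-ksk"))   # no longer matches com's DS
    return validate_chain(anchor, chain)


def demo_missing_ds() -> bool:
    anchor, chain = build_demo()
    del chain[1].ds_for_child["example.com."]   # com never published a DS for example.com
    return validate_chain(anchor, chain)
```

The point for the slide's pros and cons: every zone between the root and the leaf must publish a correct DS for its child and keep its own KSK signed, which is the operational burden the "unbroken zone signing all the way to the root" bullet refers to, and the DS records and DNSKEY sets are what make the responses larger than plain DNS replies.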