TODAY & TOMORROW, DAY 2 - GROUP 5
PRESENTED BY: JAMES SPEIRS, CHARLES HIGBY, BRADY REDFEARN
Domain Name System (DNS)
J
Overview
• Day 1 Review
• DNS Exploit Types
• DNSSEC
• Public Key Infrastructure (PKI)
• DNSSEC Implementation
• Early DNS Fixes
• DNSSEC Proposals
• Which Is Best?
C
Day 1 Review
• DNS
• Bailiwick
• Dan Kaminsky
• DNS Poisoning
• SSL & HTTPS
B
DNS Exploit Types
• Cache poisoning
  o Dan Kaminsky
  o HD Moore: Metasploit module, about 10 seconds
• Client flooding
  o No other DNS responses are received
  o Denial-of-Service (DoS)
• Dynamic update
  o Everything freely available - no query required
• Hosts file
  o Malware attacks
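The cache-poisoning bullet above relies on a resolver caching records it was never entitled to trust. The classic defence (the "bailiwick" rule from the Day 1 review) is for the resolver to discard any record whose owner name is not at or below the zone the queried server is authoritative for. The following Python is an added example written for this transcript, not code from the presenters; the zone name, record set and a deliberately out-of-zone record are all constructed for the demonstration.

```python
"""Bailiwick filter for a caching resolver (added example, not from the slides).

A reply from the server authoritative for "example.com" may carry records for
names at or under example.com.  A record for any other name riding along in the
additional section is out of bailiwick and must not be cached.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, e.g. "www.example.com."
    rtype: str  # record type, e.g. "A", "NS"
    rdata: str  # record data as text


def normalize(name: str) -> str:
    """Lower-case and make fully qualified (trailing dot) so comparisons are stable."""
    return name.rstrip(".").lower() + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` equals `zone` or lies under it on a label boundary.

    The label-boundary check matters: "notexample.com." ends with the string
    "example.com." but is not inside that zone.
    """
    owner, zone = normalize(owner), normalize(zone)
    if zone == ".":          # the root: every name is in bailiwick
        return True
    return owner == zone or owner.endswith("." + zone)


def filter_response(records, zone):
    """Split a reply's records into (accepted, rejected) by the bailiwick of
    the server that was queried.  Only `accepted` may enter the cache."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed sample: a reply from the example.com name server.  The last two
# records are not under example.com and must be dropped regardless of section.
SAMPLE_ZONE = "example.com"
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("example.com.", "NS", "ns1.example.com."),
    RR("ns1.example.com.", "A", "192.0.2.1"),       # legitimate glue
    RR("www.bank.example.", "A", "203.0.113.5"),    # out of bailiwick
    RR("notexample.com.", "A", "203.0.113.6"),      # string suffix match, not a subdomain
]


def demo():
    """Run the filter over the constructed reply; returns (accepted, rejected)."""
    return filter_response(SAMPLE_RESPONSE, SAMPLE_ZONE)


if __name__ == "__main__":
    acc, rej = demo()
    for rr in acc:
        print("cache  ", rr.name, rr.rtype, rr.rdata)
    for rr in rej:
        print("discard", rr.name, rr.rtype, rr.rdata)
```

Real resolvers apply the same rule per section (answer, authority, additional) and additionally rank data by its source; the example keeps only the owner-name test, which is the part that stops the glue-injection form of poisoning described on the slide.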
J
DNSSEC
• Pros:
  o Can distribute public keys (e.g. for email)
  o IPs are distributed securely
  o Reliable
  o Robust
• Cons:
  o Rework of DNS infrastructure (UDP): 10x larger packets, 100x more resources
  o Easier to run a DoS attack
  o Unbroken zone signing all the way to the root
C
Public Key Infrastructure (PKI)
1. I ask the Certificate Authority (CA) to issue a certificate in my name
2. The CA validates my identity, then issues me a certificate
3. I present a certificate containing my identity to the user
4. The user doesn't know me, so they ask the CA to verify my identity
5. The CA checks that my certificate is valid: unaltered, unexpired, legitimate
6. The CA tells the user my certificate is valid
7. The user now trusts me
B
PKI Example
DNSSEC Implementation
"Report on the ccNSO's DNSSEC Survey 2009," http://ccnso.icann.org/surveys/dnssec-survey-report-2009.pdf
C
Early DNS Fixes
• Transaction ID randomization
• Source port randomization
B
Evgeniy Polyakov
• Cracked fully patched BIND 9
  o In 10 hrs
  o With Gigabit Ethernet
  o A Trojan horse could do this from within the network
J
De-Bouncing
Double queries
• Pros:
  o Verified DNS queries
  o Easy to implement
• Cons:
  o Not enough bandwidth
  o Servers too busy
  o Easy to run a DoS
C
Abandon UDP
Make all DNS traffic TCP
• 3-way handshake to start
• 2 for question/answer
• 2 to shut down
• Pros:
  o No information limit
  o Can use PKI
• Cons:
  o 7x more bandwidth
  o Need more hardware
  o Bridge UDP to TCP packeting
B
0x20
Case sensitivity
• Case is preserved in the DNS query
• Pros:
  o Random case can be sent
  o Reply can be verified
  o Authoritative name servers need no update
  o No bandwidth increase
  o Easy to implement
• Cons:
  o Querying servers need an update
  o Client update
  o Query servers need hardware
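The three resolver-side fixes the deck has covered so far (transaction ID randomization and source port randomization on the Early DNS Fixes slide, 0x20 case randomization on this one) all work the same way: put entropy the sender controls into the query, then accept a reply only if it echoes every bit of it. The Python below is an added example for this transcript, not the presenters' code. It draws the ID and port from the OS CSPRNG, mixes the case of the query name, builds the wire-format question, and checks a reply against all three before it would be accepted. `make_reply` is a constructed stand-in for a real answer and the names, ports and IDs in the demo are made up.

```python
"""Resolver query hardening (added example, not from the slides): random
transaction ID + random source port + 0x20 case randomization, and the
matching check a resolver applies to each reply before accepting it."""
import secrets
import struct
from dataclasses import dataclass


def random_txid() -> int:
    """16-bit transaction ID from the OS CSPRNG (never a counter or time seed)."""
    return secrets.randbelow(1 << 16)


def random_source_port(low: int = 1024, high: int = 65535) -> int:
    """Ephemeral UDP source port drawn from the whole unprivileged range."""
    return low + secrets.randbelow(high - low + 1)


def randomize_case(qname: str) -> str:
    """0x20 encoding: flip each ASCII letter's case at random.  Bit 0x20 is
    what separates upper from lower case in ASCII, hence the name.  Digits,
    hyphens and dots are left alone."""
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if secrets.randbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def encode_qname(qname: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte; case kept."""
    labels = [p for p in qname.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Header (id, flags=RD, qdcount=1) followed by one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (txid, question name exactly as carried, qtype).  The question
    section of a message is never compressed, so plain labels suffice here."""
    (txid,) = struct.unpack("!H", msg[:2])
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    (qtype,) = struct.unpack("!H", msg[pos:pos + 2])
    return txid, ".".join(labels) + ".", qtype


@dataclass(frozen=True)
class PendingQuery:
    txid: int    # value sent in the header
    port: int    # UDP source port the query left from
    qname: str   # mixed-case name as sent, with trailing dot
    qtype: int


def new_query(qname: str, qtype: int = 1):
    """Apply all three randomizations; returns (state to remember, wire bytes)."""
    mixed = randomize_case(qname.rstrip(".")) + "."
    pq = PendingQuery(random_txid(), random_source_port(), mixed, qtype)
    return pq, build_query(pq.txid, mixed, qtype)


def accept_response(pending: PendingQuery, reply: bytes, reply_dst_port: int) -> bool:
    """A reply is accepted only if it reached the port we sent from AND echoes
    our transaction ID AND repeats the question name byte-for-byte, case included."""
    if reply_dst_port != pending.port:
        return False
    txid, qname, qtype = parse_question(reply)
    return txid == pending.txid and qtype == pending.qtype and qname == pending.qname


def make_reply(query: bytes) -> bytes:
    """Constructed for the demo: a reply echoing the query's question section
    with the QR bit set, as a genuine answer does before its RR sections."""
    (txid,) = struct.unpack("!H", query[:2])
    return struct.pack("!HH", txid, 0x8180) + query[4:]


if __name__ == "__main__":
    pq, wire = new_query("www.example.com")          # constructed name
    print("sent as", pq.qname, "id", pq.txid, "from port", pq.port)
    print("genuine reply accepted:", accept_response(pq, make_reply(wire), pq.port))
    lowercase = make_reply(build_query(pq.txid, "www.example.com"))
    print("reply with wrong case accepted:", accept_response(pq, lowercase, pq.port))
```

Each randomized field adds entropy a sender of unsolicited replies would have to guess: 16 bits from the ID, roughly 16 more from the port, and one bit per letter in the name from 0x20. The last only helps for names with letters in them, which is why the slide lists it as cheap but not sufficient on its own.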
J
Domain Vouching
Look-aside technology
• Pros:
  o Distributed load
  o One party maintains all DNS info
• Cons:
  o Bottleneck at the voucher
  o Reliant on third-party service availability
  o DoS on the third-party machine
  o URL redirection
example.com example.voucher.com
C
U.S. Controls All
Department of Homeland Security (DHS) controls DNS activity
• Pros:
  o Can we trust DHS?
  o One authority?
  o U.S. dominance of the Internet
• Cons:
  o Politics: any non-US government is opposed
  o Censorship
  o One authority
  o Trust
B
PGP Signing Model
Proven example for PKI
• Pros:
  o Multiple non-governmental signers approve all keys: peer approval, CA approval, anyone approves
  o Create Root Key Set
  o Distribute Root Key Sets
  o Distributed load
  o No single point of failure
• Cons:
  o Someone has to approve your key
  o Some more hardware
  o Everyone has to do it
J
Which Is Best?
Class Discussion
C
Summary
• Everything depends on DNS
• DNSSEC is 9 yrs old
• Lots of proposals
• No perfect solution
• PGP model seems best right now
• Lots of work to do
• Without DNSSEC, we're in trouble
B
Questions
?
Vocabulary
• KSK - Key Signing Key
• ZSK - Zone Signing Key
• RZM - Root Zone Maintainer
• RKO - Root Key Operator
• RZF - Root Zone File
• RKS - Root Key Set
• ZKS - Zone Key Set