DNS Security
DNS Security Introduction and Requirements,
RFC 4033, 2005
Fall 2013
Name to IP address
mil
ru
www.darpa.mil = 128.9.176.20
And many other mappings
isi
darpa
af
nge
andrews
mil
www.darpa.mil A?
End-user
www.darpa.mil
A 128.9.128.127
Caching
DNS Server
DNS Vulnerabilities
Original DNS design focused on data availability
DNS zone data is replicated at multiple servers.
A DNS zone works as long as one server is available.
DDoS attacks against the root must take out 13 root servers.
www.darpa.mil
A 192.5.18.19
Joes
Laptop
www.darpa.mil
A 128.9.128.127
Caching
DNS Server
Dans
Laptop
A Response
More Complex Attack
Secure64
Caching Server
www.attacker.com
attacker.com
attacker.com
ns.attacker.com
www.google.com
www.google.com
= 128.9.128.127
A 128.9.128.127
NS ns.attacker.com
NS www.google.com
A 128.9.128.2
A 128.9.128.127
ns.attacker.com
Query
www.attacker.com
Query www.google.com
Secure64 Laptop
Remote attacker
Internet
BGP
monitor
c.gtld-servers.net
192.26.92.30
www.darpa.mil
Authoritative DNS Servers
End-user
www.darpa.mil =
192.5.18.195
Plus (RSA) signature by the
darpa.mil private key
Authentication of DNS
Responses
Each zone signs its data using a private key.
Recommend signing done offline in advance
IN A 192.5.18.195
IN RRSIG A 1 4 86400 20040226023910 (
20040127023910 468 darpa.mil.
Base 64 encoding of signature )
Authenticated Denial of
Existence
What if the requested record doesnt exist?
Query for foo.isi.edu returns No such name
How do you authenticate this?
NSEC Records
Solution:
sign next name after a.isi.edu. is g.isi.edu.
foo.isi.edu. ?
darpa.mil NS records
www.darpa.mil A record
www.darpa.mil RRSIG(A) by key 2
}
}}
Objective: Replace
DNSKEY 1
with new DNSKEY 3
Minimal Requirements
Protocol Complications
Building on an existing system
Objective is to strengthen the system.
But additions also add stress to weak points.
Wild Cards
Authenticated denial further complicated by
wildcards.
Must prove b.darpa.mil does not exist
Must also prove no wildcard would match.
DNSSEC Deployment
Deployment Observations
(Undirected) Crawling DNS Finds Few Secure Zones
Vast DNS + tiny DNSSEC => low (near 0) hit rate for
crawler
User Submissions Drive Current Monitoring
SecSpider is well publicized => high submission rate
Augment secure zones with parent/child and popular sites
Islands of Security
Simple concept of parent private key signs the child public key.
But many complex details
Challenge 3: Lifetimes&Replays
Each cryptographic signature has a fixed lifetime
Ex: Signature for www.colostate.edu edu expires on Oct 31.
Future Directions
Challenge 1: Islands of Security
Monitor can be used to bootstrap public key information
Challenge is to authenticate public keys came from monitor and
limit chance monitor data is subverted by attacer
Challenge 2 and 3: Cryptographic Management
Given an external view of data, zone admins can adapt
Monitoring can verify key management is working
Monitoring can aide in automating DNS key management
Current work is using SecSpider data to identify new challenges and
practically solve existing challenges
http://secspider.cs.ucla.edu
Summary
DNSSEC is useful example.
Protocol evolved when it hit operations.
Lesson highlight flaws
So do we abandon DNSSEC?