Your SlideShare is downloading. ×
Session 4.1 Roy Arends
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Session 4.1 Roy Arends

99
views

Published on

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
99
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. How Crucial is DNS security in securing the Internet Roy Arends Nominet Research Fellow
  • 2. What is the Domain Name System? • DNS is the ‘Phonebook’ of the Internet • All connected devices essentially use the DNS in some form • The DNS is used to lookup the address for a domain name. • www.cto.int is a domain name, a DNS lookup will return its address: 70.33.246.199 • DNS provides much more than just addresses.
  • 3. Original DNS requirements, 1983 • DNS Design Requirements: – Fault Tolerant – Dynamic – Scalable – Redundant where needed – See RFC799 and RFC819 • The solution added a very important feature: – Delegation of authority – RFC 1034/1035 • Security was not considered
  • 4. DNS, how it works • DNS is both a network and a namespace. • Consists of servers that publish a section of the name space, and resolvers that query the servers about the name space • Attributes are stored in records and individually retrievable – Attributes can be anything, but are mostly addresses • No single system contains all the DNS data
  • 5. High level concept of DNS • Your laptop has a DNS resolver configured – The DNS resolver typically resides at an ISP. • A resolver knows where the root-zone is • Each level refers the resolver to the next level • Traverses the DNS hierarchy – Root to INT – INT to CTO.INT – CTO.INT to WWW.CTO.INT • Until the question has been answered • The resolver caches all that information for future use.
  • 6. More detailed • Domains such as www.bbc.co.uk form a path – from the root, through “uk” and other labels, to “www” • Every level has a set of servers that points (delegates) to the servers of the next level • The last level of servers contain the address for the domain name.
  • 7. More detailed • This hierarchy is traversed by a resolver – Typically at an ISP • It knows the addresses of the root servers • Asks the root for the answer, and gets referred to the next level. • Caches whatever it sees for a period of time
  • 8. No Security • DNS uses mostly UDP, not TCP – UDP is much faster than TCP • Thus there is no handshake – Thats why UDP is much faster than TCP • There is no guarantee the answer came from the right source • Or that it hasn’t been tampered with in transit – This is called “spoofing” • Caching amplifies the problem – This is called “Cache-Poisoning”
  • 9. DNSSEC is the solution • DNSSEC uses digital signatures to assure that information is correct and came from the right place. • The keys and signatures to verify the information, is stored in the DNS as well • Since DNS is a lookup system, keys can simply be looked up, like any data.
  • 10. High level concept of DNSSEC • A resolver knows what the root-key is • It builds a Chain of Trust: – Each level signs the key of the next level – Until the chain is complete
  • 11. DNSSEC • DNSSEC is crucial to online safety • DNSSEC Tools, servers and services are available today • Automation of every process is under way. • Eventually, DNSSEC will be mainstream – Just like HTTPS for web-traffic – Just like SSH for Telnet traffic
  • 12. 12 DNSSEC • With DNSSEC, the DNS is: – Fault Tolerant – Dynamic – Scalable – Redundant where needed – Distribution of authority – Very secure 12
  • 13. On the use of Domain Names • Mobile use of the internet changes the use of domain names significantly • Mobile Apps provide a direct interface, instead of a web- interface • Though not obvious, it still requires DNS • DNS traffic growth rate is increasing • Many more devices per household • Many more links per webpage • pre-fetching in browsers • With the rise of DNS traffic, there is a rise of attack vectors.
  • 14. New avenues in DNS • DNS-based Authentication of Named Entities • Expected to replace Certificates eventually • Depends on the deployment of DNSSEC • Depends on the cooperation of application vendors