What We are Learning About DNS Security: DNSSEC and Much More..
Edward Lewis, Director, Member of Technical Staff at Neustar, presented at the “DNS Technology and Security Day”, held on Wednesday, July 27th 2011, in the “Park Saloon” of the Bogota Royal Hotel in Bogota, COLOMBIA. The focus of these slides morphed into "cooperation" among internet elements, featuring government and industry relationships. During security events, when you can't tell friend from foe by looking through a wire, you need to already know who your true friends are.


  1. What We are Learning About DNS Security: DNSSEC and Much More
     7/27/2011
     Edward Lewis, Director, Member of Technical Staff
     © Neustar Inc. / Proprietary and Confidential

  2. Joseph is unhappy about my talk (8/1/2011)
     » This is the first day since my son was born that I have not been home
     » He's 6 1/2 months old
     » When I told him I'd be away July 27, he had this frown
     » This talk is dedicated to little Joe
     » Still, it is an honor to be invited to speak here today

  3. Agenda
     » The significance of DNSSEC
     » What you should be doing about DDoS
     » What you need to do

  4. In the Wake of DNSSEC
     » The protocol and code have been strengthened
     » We've improved the state of operations
     » Cooperation has become very important

  5. Briefly, What is DNSSEC?
     » DNSSEC is an add-on to the DNS protocol
     » It adds information to DNS answers that provides proof that the data is genuine
       » DNSSEC is like automobile safety belts for DNS
     » The greatest benefit is preventing ISP caches from accepting forged answers that misdirect customers

  6. Protocol Strengthening
     » The DNS protocol, as specified, is a very weak base to secure
     » One of the benefits of DNSSEC is that it made us take a critical look at the protocol

  7. Why securing DNS is so hard
     » DNS goals are
       » global scale, fast response, high availability
     » It's a crowd, not one person

  8. ...and...
     » The original specifications are informal, incomplete
       » Leading to a wide range of interpretations
       » And thus a wide range of different implementations
       » Rely on the memories of the "old guys"

  9. Updates to DNS
     » Security throughout the DNS
       » Data loading (EPP & WhoIs-related too)
       » Data replication (zone transfers)
       » Queries and responses (e.g., DNSSEC, TSIG, wild card)
     » New code, new code everywhere
     » And new ways to operate

  10. What DNSSEC got right
     » DNSSEC is a technical success
     » DNSSEC was designed with adoption by transition in mind
       » This is what IPv6 lacks
     » But adoption by slow transition is not easy and requires patience; it's a good plan and a lot of execution
       » Slow adoption is a beneficial thing, a feature, really!
     » And the path to DNSSEC's completion can teach us much about security improvements

  11. Strengthening Cooperation
     » When teaching the ISO seven layer protocol model I came across this in an old textbook
       » There are times when it is necessary to handle an error in the layer above the one you are designing
     » Translating this into DNS and security events
       » During times of attack, out-of-band coordination must have already been established

  12. Coordinate?
     » Who?: Anyone that teams in a defense
       » Government and private industry
       » Competitors
       » Across borders and oceans
     » When?
       » Strategic and tactical
       » Frequently, openly
       » During exercises, events
     » Where?
       » Conferences, workshops
       » In-person meetings at offices
       » And don't forget - happy hours!

  13. Government - Industry cooperation
     » The Government and Industry relationship is important
     » Government learns from experts in industry
     » Government always maintains legal authority
     » Government provides leadership in mandates and funding
     » Industry provides innovation and takes the risk

  14. DDoS
     » You can be a target of a DDoS
       » Solutions include capacity, reserves, and traffic scrubbing
     » You can be used to launch a DDoS
       » Open recursive servers can reflect and amplify an attack
     » (You could also be the attacker... ;))

  15. Anti-DDoS
     » Expertise is needed to defend against these attacks
       » Target owners, ISPs and other security entities have this
     » This is why cooperation, set up ahead of time, is critical
     » If you need to "click here" ... it is too late for you!

  16. Failure to set up cooperation
     » There are two possible outcomes
     » "Fail closed" and not respond adequately
       » Example: one person having the password and being on vacation when the attack happens
     » "Fail open" and be open to being fooled (social engineered) by an attacker
       » Example: attackers causing a diversion and then acting as "first responders"/emergency workers to monitor damage and adjust attacks

  17. Securing the DNS system
     » The DNS is spread amongst many elements
       » Registries, registrars, web hosters, DNS operators
       » ISPs, open/remote recursive servers
       » Policy elements, law enforcement
     » Each element can self-secure, but end-to-end security is also needed
     » This is one final push to form cooperative groups!

  18. Better DNS & cooperation is not enough
     » Attacks will happen
     » Defenses will not stop all damage
       » If a defense stops all attacks, it is probably too tight!
     » This makes logging or tracing activity an important element

  19. What do we learn from logging events
     » The information left behind by an attack is valuable
     » We learn the techniques
     » We learn the level of sophistication
     » We learn the weaknesses of the attack
     » We learn how the attackers are learning
     » We learn who the attackers are
     » We might even be able to convict and punish them

  20. A stronger system
     » DNS is becoming a stronger system
     » We know it takes more than a good protocol, because "good" depends on the way you measure
     » We know it takes world-wide cooperation and in-depth cooperation to run a network that opens communication without letting it be overrun with abuse
     » We want citizens to have access to government services to help their lives, not gangs like ANONYMOUS to disrupt lives

  21. What You Need to Do to Prepare
     » Learn about DNSSEC
       » It's like getting used to seatbelts
       » It's not scary but it takes work
     » And begin to get to know others in Industry & Government
       » Help defend the network

  22. Thank you!
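Slide 5 says DNSSEC adds information to answers that proves the data is genuine. One concrete piece of that proof is the chain of trust: a parent zone publishes a DS record that is a hash of the child's DNSKEY, and a validating resolver checks that the DNSKEY it receives matches the DS it already trusts. The following added example (not from the talk or from Neustar) implements that check from RFC 4034 in plain Python: canonical owner-name encoding, the key tag from Appendix B, and the DS digest over owner name plus DNSKEY RDATA. The owner name, flags and the 4-byte public key are constructed placeholders so the arithmetic stays readable; a real key is hundreds of bytes, and the RRSIG signature check that follows this step needs the key's actual signature algorithm.

```python
import base64
import hashlib

# Constructed sample: a KSK-style DNSKEY (flags 257 = ZONE + SEP, protocol 3,
# algorithm 13 = ECDSAP256SHA256) with a 4-byte placeholder public key.
# Only the DS/key-tag arithmetic is demonstrated; this is not a usable key.
SAMPLE_OWNER = "Example.COM."
SAMPLE_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13, "public_key": "AQIDBA=="}


def name_to_wire(name: str) -> bytes:
    """Encode a domain name in canonical wire format (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, terminated by the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5):
    a 16-bit checksum over the RDATA, used by resolvers to pick the right DNSKEY."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest (RFC 4034 section 5.1.4): hash(canonical owner name || DNSKEY RDATA).
    Digest type 1 is SHA-1, type 2 is SHA-256 (RFC 4509)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, key: dict, digest_type: int = 2) -> dict:
    """What the parent zone publishes for a child's DNSKEY."""
    rdata = dnskey_rdata(key["flags"], key["protocol"], key["algorithm"], key["public_key"])
    return {
        "key_tag": key_tag(rdata),
        "algorithm": key["algorithm"],
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type),
    }


def ds_matches_dnskey(ds: dict, owner: str, key: dict) -> bool:
    """The resolver-side check: does this DNSKEY from the child zone match the
    DS record obtained (and already validated) from the parent? A forged or
    substituted DNSKEY fails here, so data it signs is never trusted."""
    rdata = dnskey_rdata(key["flags"], key["protocol"], key["algorithm"], key["public_key"])
    if ds["algorithm"] != key["algorithm"]:
        return False
    if ds["key_tag"] != key_tag(rdata):
        return False
    return ds["digest"] == ds_digest(owner, rdata, ds["digest_type"])


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print("DS record:", ds)
    print("genuine DNSKEY accepted:", ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_DNSKEY))
    forged = dict(SAMPLE_DNSKEY, public_key="AQIDBQ==")  # one key byte changed
    print("forged DNSKEY accepted:", ds_matches_dnskey(ds, SAMPLE_OWNER, forged))
```

The owner name is lowercased before hashing because DS digests are computed over the canonical form, so a DNSKEY served under `Example.COM.` and one under `example.com` produce the same digest; a resolver that forgot this step would reject legitimate keys. Note that a matching DS only establishes that the key is the one the parent delegated to; the answer data itself is still only trusted after the RRSIG over the RRset verifies under that key.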
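Slides 14 and 18-19 make two operational points: an open recursive server can be turned into a reflector and amplifier for a DDoS against someone else, and logging is what lets you learn from an attack afterwards. The added example below (not from the talk or from Neustar) is a small detector a resolver operator could run over query logs to check both. It parses BIND 9 querylog-style lines, flags recursive queries from outside the networks the resolver is meant to serve (the open-resolver symptom), and counts amplification-friendly query types such as ANY from outside sources. The served networks, the thresholds and every log line are constructed for the example; the line format mirrors the BIND querylog layout but the addresses and names are documentation values.

```python
import ipaddress
import re
from collections import Counter

# Networks this recursive resolver is supposed to serve (constructed values).
# Recursive queries from anywhere else mean the server is an open resolver.
SERVED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Query types whose answers are large relative to the query, so a spoofed
# request yields the most reflected bytes per packet sent.
AMPLIFYING_QTYPES = {"ANY", "DNSKEY", "TXT", "RRSIG"}

# Constructed sample lines in BIND 9 querylog style. 203.0.113.7 repeatedly
# asks for ANY with source port 53, the shape a spoofed reflection victim has.
SAMPLE_LOG = """\
27-Jul-2011 10:00:01.001 client 192.0.2.10#52011: query: www.example.com IN A +E (192.0.2.1)
27-Jul-2011 10:00:01.020 client 203.0.113.7#53: query: example.org IN ANY +E (192.0.2.1)
27-Jul-2011 10:00:01.021 client 203.0.113.7#53: query: example.org IN ANY +E (192.0.2.1)
27-Jul-2011 10:00:01.022 client 203.0.113.7#53: query: example.org IN ANY +E (192.0.2.1)
27-Jul-2011 10:00:01.300 client 198.51.100.4#41000: query: example.net IN A +E (192.0.2.1)
27-Jul-2011 10:00:01.410 client 192.0.2.20#55555: query: example.com IN DNSKEY +ED (192.0.2.1)
27-Jul-2011 10:00:01.500 client 2001:db8::5#40000: query: example.org IN TXT +E (192.0.2.1)
27-Jul-2011 10:00:01.600 client 203.0.113.9#44444: query: example.com IN ANY -E (192.0.2.1)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line: str):
    """Parse one querylog line into a dict, or None if it is not a query line.
    In the BIND flags field '+' means recursion desired and '-' means it was not."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    query = match.groupdict()
    query["ip"] = ipaddress.ip_address(query["ip"])
    query["port"] = int(query["port"])
    query["recursion_desired"] = query["flags"].startswith("+")
    return query


def is_served(ip: ipaddress._BaseAddress) -> bool:
    return any(ip in network for network in SERVED_NETWORKS)


def analyze(log_text: str, amplification_threshold: int = 3):
    """Return (open_resolver_clients, amplification_suspects).

    open_resolver_clients: Counter of outside addresses that were given recursion,
    i.e. evidence the server answers recursive queries for the whole internet.
    amplification_suspects: outside addresses that sent at least
    amplification_threshold amplification-friendly queries; these are most
    likely spoofed victims being reflected at, not real clients."""
    open_resolver_clients = Counter()
    amplification_counts = Counter()
    for line in log_text.splitlines():
        query = parse_line(line)
        if query is None:
            continue
        outside = not is_served(query["ip"])
        if outside and query["recursion_desired"]:
            open_resolver_clients[str(query["ip"])] += 1
        if outside and query["qtype"] in AMPLIFYING_QTYPES:
            amplification_counts[str(query["ip"])] += 1
    suspects = sorted(ip for ip, n in amplification_counts.items() if n >= amplification_threshold)
    return open_resolver_clients, suspects


if __name__ == "__main__":
    clients, suspects = analyze(SAMPLE_LOG)
    print("recursion served to outside addresses:", dict(clients))
    print("likely reflection victims (amplifying queries from outside):", suspects)
```

Two design points follow from the slides. The open-resolver finding is the thing to fix at the server (restrict recursion to the served networks, or rate-limit responses), while the amplification suspects are not attackers but the addresses being attacked, which is exactly where the pre-arranged cooperation from slide 15 comes in: their operator, not yours, needs to hear about it. Keeping the raw lines rather than only the counters preserves the evidence slide 19 talks about.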