A presentation given at APRICOT 2015 during the APCERT (2) session.

1. {
Strengthen DNS
Through
Infrastructure Design
Id-NS Project – The National Secure DNS Initiatives
Muhammad Salahuddien – Deputy of Operation and Network Security

2.  Growth, 90+ M users, 45+ M students, 200+ Gb/s
traffic (transit, IX, CDN), 200% rising local content
 Mobile: 155+ M data users, 30+ M internet banking,
99%+ district coverage, 60+ M gadget/year
 Price War, $5 unlimited/monthly, $200 smartphone
price, $300- tablet/netbook (bundled internet ready)
 Always On, 60+ M social media (4th largest), 15+ M
online media visitors daily, 10+ M online gamers,
500+ M e-commerce transaction yearly
 400% rising reported DNS related incident: malware
domain, phishing sites, SPAM host, DDOS
Recent Profiles

3.  More than 30+ Network Access Provider (NAP)
with multiple fiber optic links in conjunction to
VSAT and wireless terrestrial distribution
 More than 300+ nation wide licensed Internet
Service Provider (ISP) and 15 cellular operators
 5 major internet local exchange (IX) operate by
internet community and Internet Association
 33 Province IX operate by government agency
(not yet operation due to political reason)
Existing Providers

4.  Recent DNS exploitation attack are increasing
 Rare but the impact of actual event are serious
 i.e. DNS amplification and DDOS during the
national election last year, malware domains are also
increasing more than 400% last year
 DNS protection features is not a mandatory
standard, it is difficult to leverage security to
prevent common vulnerabilities
 This project will employ and to combine most
available security features and protection measures
and impose it as single robust infrastructure to
assure DNS security at every level
Background

5.  Provide secure managed DNS shared service
 To improve national DNS traffic efficiency
 To utilize and maximized existing DNS service
 To improve and leverage national internet core
infrastructure, security, robustness, availability
 Integration of all national DNS resources to
simplified management and maintenance
Project Objectives

6.  DNS Hijacking
 DNS Amplification
 DNS Cache Poisoning
 Man in The Middle Attack
 Distributed Denial of Services
 Malware domain, SPAM host, phishing sites
To Prevent Threat/Attack

7.  Distributed Secure DNS Peering
 DNS Security Extension service
 Secure DNS Cache Resolver service
 Secure DNS Secondary free service
 DNS Based Content Filtering service
 DNS Based Anti SPAM Filtering service
 DNS Based Anti Phishing Filtering service
 DNS BL malware/malicious/bot site detection
Managed Shared Services

8. DNSSEC
TSIG, HSM
Content Filter
DNS IP RBL
Dashboard
Interface
ROOT .id
F, I and L
.id Secondary
Authoritative
Cache
Resolver
Anti
SPAM
Anti
Phishing
National
Honey Net
Core System Component

9.  DNS content filtering, mirror from NAWALA
 DNS and Open Relay blacklist (updated)
 Exploits and Malware blacklist (updated)
 RBL, SBL, PBL, Phishing blacklist (updated)
 Malicious sites feed from National Honey Net
 IP’s/domains black list, feed from Id-SPAM
 Public’s reported suspected IP’s/domains
 Optional (upon request) DNS White List
 Optional (upon request) DNS Geo Location
Content/IP Filter

10.  Mandated by Law or Court Order i.e. any kind
of pornography, gambling, fraud, defamation,
threat/extortion, hatred, racism and bigotry
 Any others content violating Indonesian laws
and or forbidden by the authority i.e. illegal
foods and drugs product, investment scheme
 Any others harmful material causing system
and or data interference i.e. malware, SPAM
 Content are beyond Indonesia jurisdiction and
not negotiable to take down suspected host
Content Policy (Filtering)

11.  A leading content filtering initiatives since 2009
 DNS based filter, open to public and free to use
 ANYCAST IP 180.131.144.144 , 180.131.145.145
 Multi host: Singapore, Indonesia at 3 different
sites BATAM, JAKARTA, SURABAYA and co-
hosted by APJII and many others organization
 Widely used by 120+ countries, Asia, Africa and
middle east. More than 4 billion query per day
 NAWALA is an NGO, not for profit foundation
NAWALA in Brief

12.  Provide Transaction Signature (TSIG) service
 Provide Hardware Security Module (HSM) key
 Provide DNS Security (DNSSEC) Extension
 Provide (optional) DNS Curve tunnel service
 Provide secure client AAA and VPN access
 Only connected within pre registered IP’s
 Reference RFC 2845 (TSIG), RFC 3833 (threat)
Security Features

13.  Integrated logs analysis, SIEM’s and NMS
 Interface for DNS Statistics Analysis (web)
 Interface for DNS Managed Services (web)
 Interface for DNS Management System (web)
 Interface for Public Interaction (web portal)
 Others interfaces needed (SSH, console etc.)
Dashboard and NMS

14.  Normally, a DNS request resolved recursively
 Static content will utilize 1/10 DNS query traffic
 User generated, dynamic and rich content will
utilize more, 1/3 DNS query traffic – most of it,
request to the same domain address (recurrent)
 Cache resolver will reduce at least 30% of DNS
query, significantly improve traffic efficiency
 Localize root servers – including .id root and
by hosting all .id secondary NS (authoritative)
will also benefit in reducing international
access
Improve Traffic Efficiency

15. REQUEST
www.xyz.any
ISP DNS
Resolver
Id-NS
Resolver
ROOT .id
L-F-I-ROOT
AUTHORITATIVE
www.xyz.any
DNS Recursive Request
Localize
Localize
Secure
Request

16. VPN to Id-NS
ISP NS Resolver
IP authentication
and DNS Security
TSIG Secure Key
.id cache transfer
VPN to Id-NS
.id Root, Secondary
IP authentication
TSIG Secure Key
.id zone transfer
IP Geo Location
VPN to Id-NS
F and I (L) Root
*IP authentication
*TSIG Secure Key
*Retain Cache NS
*others requirement
NS Resolver Architecture
* by ISC, NETNOD, ICANN permission

17.  Retaining daily TOP 100 requested domain
 Retaining monthly TOP 1000 requested domain
 Retaining others static most requested domain
 All .id record transferred from ns1.id (PANDI)
 Free robust secondary DNS for all .id domains
 DNS White List feed from partners i.e. Trust +
 Others White List feed from others i.e. users
 Peering with others Id-NS members (locals)
NS Cache Peering

18. IIX/Core
Id-NS
NIX’s
Locals IX
Local
Id-NS
Local
Id-NS
ISP’s
Institution
Internal
DNS
Distributed Topology

19.  Provide free – not yet mandatory – fully .id
domains authoritative secondary NS service
 To protect primary NS service – staging design
 To improve .id domains query latency for local
(Indonesia) users and to leverage security
.id Secondary Services

20. NS1
•Authoritative
•Registered
•Published
NS2
•Authoritative
•Registered
•Published
NS3
•Authoritative
•Registered
•Published
NS Authoritative Staging
.any.id domain
NS0 Primary
Not Registered
(Hidden Host)

21. Id-
NS
Id-SIRTII
Core System
Coordination
PANDI
Root .id
L-root
APJII
IIX Peer
F and I root
BP3TI
National IX
Infrastructure
AIR PUTIH
Design and
Operation
NAWALA
Content
Filtering
Multi Stakeholder Project

22.  Stage 1 Q3 2014 – Proposal, Technical FGD and
limited prototyping as Proof of Concept
 Stage 2 Q1 2015 – Limited alpha test with ISP’s
and voluntary institution. Will be fully engaged
with .id-root F-root I-root and L-root. Employ
core features DNSSEC, TSIG, HSM, Content
Filter DNS IP RBL, Black/White Listing
 Stage 3 Q2 2015 – public beta test with ISP’s
and employ all features .id secondary service,
Anti SPAM, Anti Phishing, National Honey Net
 Stage 4 Q3 2015 – public release
Development Stages

23.  Core DNS System (resolver/cache) and Filtering
 Fine tuning core DNSSEC, TSIG, DNS IP RBL –
synchronized to stratum 1 ID-NTP services
 Engage to .id-root (complete), F-root I-root and
L-root (waiting for approval) .id-root secondary
 Developing web management, dashboard, VPN
and AAA services, NMS and user interface (UI)
 Performance test and security assessment with
participating ISP’s and voluntary institution
 Limited operation at IIX APJII data centers
Implementation Progress

24.  Roughly statistic as per end of December 2014
 Participated users experiencing better latency
for .id query and reducing 10% international
domains DNS traffic query – in average
 Common DNS Hijacking, Amplification, Cache
Poisoning attack tools did not succeed
 Problems with NS cache database indexing
and query expiration (flush) and renewing
process
Results and Findings

25. Id-SIRTII/CC
Ravindo Tower 17th Floor
KEBON SIRIH RAYA, KAV. 75
Central Jakarta, 10340
Phone +62 21 3192 5551
Fax +62 21 3193 5556
info@idsirtii.or.id ; www.idsirtii.or.id
Thank You