2. Recent Profiles
Growth: 90+ M users, 45+ M students, 200+ Gb/s traffic (transit, IX, CDN), local content rising 200%
Mobile: 155+ M data users, 30+ M internet banking users, 99%+ district coverage, 60+ M gadgets/year
Price war: $5 unlimited/monthly, $200 smartphone price, $300- tablet/netbook (bundled, internet ready)
Always on: 60+ M social media users (4th largest), 15+ M online media visitors daily, 10+ M online gamers, 500+ M e-commerce transactions yearly
400% rise in reported DNS-related incidents: malware domains, phishing sites, SPAM hosts, DDoS
3. Existing Providers
30+ Network Access Providers (NAP) with multiple fiber optic links, in conjunction with VSAT and wireless terrestrial distribution
300+ nationwide licensed Internet Service Providers (ISP) and 15 cellular operators
5 major local internet exchanges (IX) operated by the internet community and the Internet Association
33 provincial IXs operated by a government agency (not yet operational for political reasons)
4. Background
Recent DNS exploitation attacks are increasing. They are rare, but the impact of an actual event is serious, e.g. DNS amplification and DDoS during last year's national election; malware domains also increased by more than 400% last year
DNS protection features are not a mandatory standard, so it is difficult to leverage security to prevent common vulnerabilities
This project will employ and combine most available security features and protection measures and impose them as a single robust infrastructure to assure DNS security at every level
5. Project Objectives
Provide a secure managed DNS shared service
Improve national DNS traffic efficiency
Utilize and maximize the existing DNS service
Improve and leverage the national internet core infrastructure: security, robustness, availability
Integrate all national DNS resources to simplify management and maintenance
6. Threats/Attacks to Prevent
DNS hijacking
DNS amplification
DNS cache poisoning
Man-in-the-middle attack
Distributed Denial of Service (DDoS)
Malware domains, SPAM hosts, phishing sites
7. Managed Shared Services
Distributed secure DNS peering
DNS Security Extensions (DNSSEC) service
Secure DNS cache resolver service
Free secure DNS secondary service
DNS-based content filtering service
DNS-based anti-SPAM filtering service
DNS-based anti-phishing filtering service
DNSBL-based malware/malicious/bot site detection
8. Core System Component
[Diagram of the core system components; only its labels survive extraction: DNSSEC; TSIG, HSM; Content Filter; DNS IP RBL; Dashboard; Interface; ROOT .id (F, I and L); .id Secondary Authoritative; Cache Resolver; Anti SPAM; Anti Phishing; National Honey Net]
9. Content/IP Filter
DNS content filtering, mirrored from NAWALA
DNS and open relay blacklist (updated)
Exploits and malware blacklist (updated)
RBL, SBL, PBL, phishing blacklist (updated)
Malicious sites feed from the National Honey Net
IP/domain blacklist feed from Id-SPAM
Suspected IPs/domains reported by the public
Optional (upon request) DNS white list
Optional (upon request) DNS geolocation
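As an added example (not code from Id-SIRTII/CC or NAWALA), the decision a filtering resolver could apply with the feeds on this slide: a suffix match against the domain blacklist, a DNSBL-style reversed-address lookup against a local copy of the IP RBL zone, and the optional white list, which is assumed here to take precedence over every blacklist. All feed contents and the query log are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample feeds (not real Id-NS/NAWALA data): a domain blacklist, a
# local copy of an IP RBL zone, and an optional white list (slide 9).
DOMAIN_BLOCKLIST = {"malware.example", "phish.example"}
RBL_ZONE = "rbl.example"
RBL_DATA = {"5.4.3.2.rbl.example": "127.0.0.2"}   # address 2.3.4.5 is listed
WHITELIST = {"partner.example"}

def _name_chain(qname):
    # "cdn.malware.example." -> ["cdn.malware.example", "malware.example", "example"]
    labels = qname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def rbl_lookup_name(ip, zone):
    # DNSBL convention: reverse the address labels (octets or nibbles) under the list zone
    addr = ipaddress.ip_address(ip)
    parts = addr.exploded.split(".") if addr.version == 4 else list(addr.exploded.replace(":", ""))
    return ".".join(reversed(parts)) + "." + zone

def filter_decision(qname, answer_ips, domain_bl=DOMAIN_BLOCKLIST, rbl=RBL_DATA,
                    zone=RBL_ZONE, whitelist=WHITELIST):
    # Returns (verdict, reason). Assumption: the white list wins over every blacklist.
    chain = _name_chain(qname)
    for name in chain:
        if name in whitelist:
            return ("allow", "whitelist:" + name)
    for name in chain:
        if name in domain_bl:
            return ("block", "domain:" + name)
    for ip in answer_ips:
        code = rbl.get(rbl_lookup_name(ip, zone))   # stands in for a query to the RBL zone
        if code:
            return ("block", f"rbl:{ip}={code}")
    return ("allow", "clean")

# Constructed query log: (queried name, answer addresses the resolver obtained)
SAMPLE_LOG = [("www.bank.example.", ["198.51.100.10"]),
              ("cdn.malware.example.", ["198.51.100.20"]),
              ("update.phish.example", ["2.3.4.5"]),
              ("mail.partner.example", ["2.3.4.5"]),
              ("dl.hosting.example", ["2.3.4.5"])]

def summarize(query_log):
    # Counts the reason class (clean/domain/rbl/whitelist) per query, as a dashboard would
    return Counter(filter_decision(q, ips)[1].split(":")[0] for q, ips in query_log)
```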
10. Content Policy (Filtering)
Mandated by law or court order, e.g. any kind of pornography, gambling, fraud, defamation, threat/extortion, hatred, racism and bigotry
Any other content violating Indonesian law and/or forbidden by the authorities, e.g. illegal food and drug products, investment schemes
Any other harmful material causing system and/or data interference, e.g. malware, SPAM
Content beyond Indonesian jurisdiction, where a takedown of the suspected host cannot be negotiated
11. NAWALA in Brief
A leading content filtering initiative since 2009
DNS-based filter, open to the public and free to use
Anycast IPs 180.131.144.144, 180.131.145.145
Multi-host: Singapore and Indonesia at 3 different sites (BATAM, JAKARTA, SURABAYA), co-hosted by APJII and many other organizations
Widely used in 120+ countries across Asia, Africa and the Middle East; more than 4 billion queries per day
NAWALA is an NGO, a not-for-profit foundation
12. Security Features
Provide Transaction Signature (TSIG) service
Provide Hardware Security Module (HSM) keys
Provide DNS Security Extensions (DNSSEC)
Provide (optional) DNSCurve tunnel service
Provide secure client AAA and VPN access
Connections only from pre-registered IPs
References: RFC 2845 (TSIG), RFC 3833 (threat analysis)
13. Dashboard and NMS
Integrated log analysis, SIEMs and NMS
Interface for DNS statistics analysis (web)
Interface for DNS managed services (web)
Interface for the DNS management system (web)
Interface for public interaction (web portal)
Other interfaces as needed (SSH, console, etc.)
14. Improve Traffic Efficiency
Normally, a DNS request is resolved recursively
Static content accounts for about 1/10 of DNS query traffic
User-generated, dynamic and rich content uses more, about 1/3 of DNS query traffic, most of it requests to the same domain address (recurrent)
A cache resolver will reduce DNS queries by at least 30%, significantly improving traffic efficiency
Localizing root servers, including the .id root, and hosting all .id secondary (authoritative) NS will also reduce international access
16. NS Resolver Architecture
[Diagram; labels recovered from extraction. Three peering paths, each over a VPN to Id-NS:
ISP NS Resolver: IP authentication and DNS security, TSIG secure key, .id cache transfer
.id Root, Secondary: IP authentication, TSIG secure key, .id zone transfer, IP geolocation
F and I (L) Root: *IP authentication, *TSIG secure key, *retain cache NS, *other requirements
* by ISC, NETNOD, ICANN permission]
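The TSIG secure key that slide 12 lists as a feature and that every peering path in the architecture diagram above relies on, as an added example rather than Id-NS code: a signer and verifier for the RFC 2845 digest layout (request MAC, DNS message, TSIG variables) using HMAC-SHA256, the algorithm name registered in RFC 4635. The AXFR request, key name and shared secret are constructed; the verifier shows why IP authentication alone is not the check, since the MAC and the fudge window are what bind the transfer to the registered peer.

```python
import hmac
import hashlib
import struct

def _wire_name(name):
    # Canonical wire format (RFC 2845 s3.4.2): lowercase, length-prefixed labels, no compression
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_digest_input(message, key_name, algorithm, time_signed, fudge,
                      error=0, other=b"", request_mac=b""):
    # Bytes that get MACed (RFC 2845 s3.4): [len-prefixed request MAC] + DNS message + TSIG variables
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    tsig_vars = (_wire_name(key_name) + struct.pack("!HI", 255, 0)   # CLASS ANY, TTL 0
                 + _wire_name(algorithm)
                 + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return prefix + message + tsig_vars

def tsig_sign(message, key_name, key, time_signed, fudge=300, request_mac=b""):
    # HMAC-SHA256 (algorithm name from RFC 4635) over the digest input; returns the MAC field
    data = tsig_digest_input(message, key_name, "hmac-sha256", time_signed, fudge,
                             request_mac=request_mac)
    return hmac.new(key, data, hashlib.sha256).digest()

def tsig_verify(message, key_name, key, time_signed, fudge, mac, now, request_mac=b""):
    # The MAC must match and the timestamp must fall inside the fudge window (replay defence);
    # the comparison is constant-time so MAC bytes cannot be guessed one at a time
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_sign(message, key_name, key, time_signed, fudge, request_mac)
    return hmac.compare_digest(expected, mac)

# Constructed AXFR request for the .id zone: header (ID 0x1234, 1 question) + question section
AXFR_ID = (struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0)
           + _wire_name("id") + struct.pack("!HH", 252, 1))   # QTYPE AXFR, QCLASS IN
SHARED_KEY = b"constructed-shared-secret-not-a-real-key"    # placeholder, not a real key
KEY_NAME = "idns-xfer-key.example"                           # hypothetical key name

if __name__ == "__main__":
    t = 1419984000
    mac = tsig_sign(AXFR_ID, KEY_NAME, SHARED_KEY, t)
    print(tsig_verify(AXFR_ID, KEY_NAME, SHARED_KEY, t, 300, mac, now=t + 60))        # True
    print(tsig_verify(AXFR_ID + b"\x00", KEY_NAME, SHARED_KEY, t, 300, mac, now=t))  # False
```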
17. NS Cache Peering
Retaining the daily top 100 requested domains
Retaining the monthly top 1000 requested domains
Retaining other static most-requested domains
All .id records transferred from ns1.id (PANDI)
Free robust secondary DNS for all .id domains
DNS white list feed from partners, e.g. Trust+
Other white list feeds from others, e.g. users
Peering with other Id-NS members (local)
19. .id Secondary Services
Provide a free (not yet mandatory) fully authoritative secondary NS service for .id domains
Protect the primary NS service (staging design)
Improve .id domain query latency for local (Indonesia) users and leverage security
22. Development Stages
Stage 1, Q3 2014: proposal, technical FGD and limited prototyping as proof of concept
Stage 2, Q1 2015: limited alpha test with ISPs and voluntary institutions. Will be fully engaged with .id-root, F-root, I-root and L-root. Employ core features: DNSSEC, TSIG, HSM, content filter, DNS IP RBL, black/white listing
Stage 3, Q2 2015: public beta test with ISPs, employing all features: .id secondary service, anti-SPAM, anti-phishing, National Honey Net
Stage 4, Q3 2015: public release
23. Implementation Progress
Core DNS system (resolver/cache) and filtering
Fine tuning of core DNSSEC, TSIG and DNS IP RBL, synchronized to stratum 1 ID-NTP services
Engagement with .id-root (complete), F-root, I-root and L-root (waiting for approval), .id-root secondary
Developing web management, dashboard, VPN and AAA services, NMS and user interface (UI)
Performance test and security assessment with participating ISPs and voluntary institutions
Limited operation at IIX APJII data centers
24. Results and Findings
Rough statistics as of end of December 2014
Participating users experience better latency for .id queries and, on average, a 10% reduction in DNS query traffic for international domains
Common DNS hijacking, amplification and cache poisoning attack tools did not succeed
Problems with NS cache database indexing and with the query expiration (flush) and renewal process
25. Thank You
Id-SIRTII/CC
Ravindo Tower, 17th Floor
KEBON SIRIH RAYA, KAV. 75
Central Jakarta, 10340
Phone +62 21 3192 5551
Fax +62 21 3193 5556
info@idsirtii.or.id ; www.idsirtii.or.id