Interop - Dyn Inc on DNSSEC for InteropNET
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Interop - Dyn Inc on DNSSEC for InteropNET

on

  • 664 views

Education session

Education session

Statistics

Views

Total Views
664
Views on SlideShare
664
Embed Views
0

Actions

Likes
0
Downloads
3
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Interop - Dyn Inc on DNSSEC for InteropNET Presentation Transcript

  • 1. Securing InteropNET with DNSSEC Cory von Wallenstein VP, Engineering – Dyn Inc.
  • 2. Internet Infrastructure as a Service DynECT Managed DNS & Email Delivery
    • DNS is names to numbers
      • twitter.com -> 199.59.148.82
    • 5+ Million active users/clients
    • 1000+ Enterprise clients
    • 250,000+ Zones managed
    • 100,000+ Domains registered
    • 17 World-wide datacenters
    • Billions of queries per day
    • Billions of messages annually
  • 3. User My Bank Insecure HTTP… end user beware! http – http://www.local.mybank.com
  • 4. User My Bank Add HTTPS… verify domain owner. https – https://www.local.mybank.com Is the domain correct?
  • 5. User My Bank But what verifies the IP in DNS? https – https://www.local.mybank.com Is the domain correct? But what about the IP address 1.2.3.4 that www.local.mybank.com resolved to… What verifies that? www.local.mybank.com A 1.2.3.4
  • 6. Quick DNS Terminology Recap
    • Authoritative DNS
      • The “authority” for DNS records
      • You as a web site owner or operator designate your authoritative DNS servers at your registrar.
      • Trusted information. Keys to the kingdom.
    • Recursive DNS
      • Query authoritative servers on behalf of clients (performing recursion as necessary) and caching answers for faster future lookups by other clients.
  • 7. DNS Recursion – Query the recursive server
  • 8. DNS Recursion – Recursive server queries root...
  • 9. DNS Recursion – Recursive server queries com
  • 10. DNS Recursion – Recursive server queries mybank.com
  • 11. DNS Recursion – Recursive server queries local.mybank.com
  • 12. DNS Recursion – Recursive server responds to original request
  • 13. But I see the lock in the browser window! I see “https” in the URL! Aren’t I safe?
    • Partially!
      • The domain is verified
      • The IP address is not
      • Implicit trust in your recursive DNS servers.
    • Attack vectors
      • Single computer
        • Edit /etc/hosts
      • One or more computers
        • Man in the middle attack
      • Many, many computers
        • Recursive DNS cache poisoning
  • 14. DNS Cache Poisoning
  • 15. You would be securely connected... but to the wrong computer!
  • 16. Need a way to verify the information in DNS. Enter DNSSEC.
    • Recursive resolvers and end users alike can verify the information in DNS.
    • Chain of trust.
      • I trust the root nameservers.
      • The root servers trust .com, and give me the information I need to verify .com hasn’ t been tampered with.
      • The .com servers trust mybank.com, and give me the information I need to verify mybank.com hasn’t been tampered with…
  • 17. DNSSEC Secured
  • 18.  
  • 19. Cisco providing DHCP service through their CNR
  • 20. CNR pushes updates to Dynect show floor hidden master
  • 21. It's good to have redundancy plus redundancy is good to have
  • 22. Sign the update and propagate it to Dynect
  • 23. Need to handle DNS requests too!
  • 24. Handle it by show floor anycast recursive servers.... and here is the complete DNS picture
  • 25. How do you sign a zone?
    • The BIND way (for each and every zone...)
      • Generate the keys using dnssec-keygen twice, once for the ZSK and once for the KSK
      • Store the private keys someplace safe (since anyone with the private keys can sign as you)
      • Include the correct keys in the zone file
      • Actually sign the zone using dnssec-signzone
    • The DynECT way...
  • 26. Click “Add DNSSEC”, publish to registrar!
  • 27. dnsviz.net
    • Great visualization and debugging tool
    • Verify chain of trust
    • There’s a computer on this network called:
      • soloru.ny.enet.interop.net.
  • 28. Get started with DNSSEC.
    • Visit our booth - 236
    • Reach out
      • [email_address]
      • @cvonwallenstein
      • @DynInc
      • Dyn.com