Interop - Dyn Inc on DNSSEC for InteropNET


Published on

Education session

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Interop - Dyn Inc on DNSSEC for InteropNET

  1. 1. Securing InteropNET with DNSSEC Cory von Wallenstein VP, Engineering – Dyn Inc.
  2. 2. Internet Infrastructure as a Service DynECT Managed DNS & Email Delivery <ul><li>DNS is names to numbers </li></ul><ul><ul><li> -> </li></ul></ul><ul><li>5+ Million active users/clients </li></ul><ul><li>1000+ Enterprise clients </li></ul><ul><li>250,000+ Zones managed </li></ul><ul><li>100,000+ Domains registered </li></ul><ul><li>17 World-wide datacenters </li></ul><ul><li>Billions of queries per day </li></ul><ul><li>Billions of messages annually </li></ul>
  3. 3. User My Bank Insecure HTTP… end user beware! http –
  4. 4. User My Bank Add HTTPS… verify domain owner. https – Is the domain correct?
  5. 5. User My Bank But what verifies the IP in DNS? https – Is the domain correct? But what about the IP address that resolved to… What verifies that? A
  6. 6. Quick DNS Terminology Recap <ul><li>Authoritative DNS </li></ul><ul><ul><li>The “authority” for DNS records </li></ul></ul><ul><ul><li>You as a web site owner or operator designate your authoritative DNS servers at your registrar. </li></ul></ul><ul><ul><li>Trusted information. Keys to the kingdom. </li></ul></ul><ul><li>Recursive DNS </li></ul><ul><ul><li>Query authoritative servers on behalf of clients (performing recursion as necessary) and caching answers for faster future lookups by other clients. </li></ul></ul>
  7. 7. DNS Recursion – Query the recursive server
  8. 8. DNS Recursion – Recursive server queries root...
  9. 9. DNS Recursion – Recursive server queries com
  10. 10. DNS Recursion – Recursive server queries
  11. 11. DNS Recursion – Recursive server queries
  12. 12. DNS Recursion – Recursive server responds to original request
  13. 13. But I see the lock in the browser window! I see “https” in the URL! Aren’t I safe? <ul><li>Partially! </li></ul><ul><ul><li>The domain is verified </li></ul></ul><ul><ul><li>The IP address is not </li></ul></ul><ul><ul><li>Implicit trust in your recursive DNS servers. </li></ul></ul><ul><li>Attack vectors </li></ul><ul><ul><li>Single computer </li></ul></ul><ul><ul><ul><li>Edit /etc/hosts </li></ul></ul></ul><ul><ul><li>One or more computers </li></ul></ul><ul><ul><ul><li>Man in the middle attack </li></ul></ul></ul><ul><ul><li>Many, many computers </li></ul></ul><ul><ul><ul><li>Recursive DNS cache poisoning </li></ul></ul></ul>
  14. 14. DNS Cache Poisoning
  15. 15. You would be securely connected... but to the wrong computer!
  16. 16. Need a way to verify the information in DNS. Enter DNSSEC. <ul><li>Recursive resolvers and end users alike can verify the information in DNS. </li></ul><ul><li>Chain of trust. </li></ul><ul><ul><li>I trust the root nameservers. </li></ul></ul><ul><ul><li>The root servers trust .com, and give me the information I need to verify .com hasn’ t been tampered with. </li></ul></ul><ul><ul><li>The .com servers trust, and give me the information I need to verify hasn’t been tampered with… </li></ul></ul>
  17. 17. DNSSEC Secured
  18. 19. Cisco providing DHCP service through their CNR
  19. 20. CNR pushes updates to Dynect show floor hidden master
  20. 21. It's good to have redundancy plus redundancy is good to have
  21. 22. Sign the update and propagate it to Dynect
  22. 23. Need to handle DNS requests too!
  23. 24. Handle it by show floor anycast recursive servers.... and here is the complete DNS picture
  24. 25. How do you sign a zone? <ul><li>The BIND way (for each and every zone...) </li></ul><ul><ul><li>Generate the keys using dnssec-keygen twice, once for the ZSK and once for the KSK </li></ul></ul><ul><ul><li>Store the private keys someplace safe (since anyone with the private keys can sign as you) </li></ul></ul><ul><ul><li>Include the correct keys in the zone file </li></ul></ul><ul><ul><li>Actually sign the zone using dnssec-signzone </li></ul></ul><ul><li>The DynECT way... </li></ul>
  25. 26. Click “Add DNSSEC”, publish to registrar!
  26. 27. <ul><li>Great visualization and debugging tool </li></ul><ul><li>Verify chain of trust </li></ul><ul><li>There’s a computer on this network called: </li></ul><ul><ul><li> </li></ul></ul>
  27. 28. Get started with DNSSEC. <ul><li>Visit our booth - 236 </li></ul><ul><li>Reach out </li></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>@cvonwallenstein </li></ul></ul><ul><ul><li>@DynInc </li></ul></ul><ul><ul><li> </li></ul></ul>