Intro To DNS Security with Cory Von Wallenstein & Chris Brenton

With DNS hijacks happening more frequently, website security has never been more important for your company. However, it can be a daunting task to figure out where you're getting started, and to evaluate if what you are doing is working.

That's why our Director of Security Chris Brenton and Chief Technologist Cory von Wallenstein teamed up for a special webinar on that topic. Enjoy the slides and watch the show: http://dyn.com/webinar-what-you-need-to-know-about-dns-security/

Presentation Transcript

  • Intro To DNS Security October 23, 2013 Cory von Wallenstein Chief Technologist @cvwdyn Chris Brenton Director of Security @chris_brenton
  • Your Presenters Cory von Wallenstein Chief Technologist @cvwdyn Chris Brenton Director of Security @Chris_Brenton Pg. 2 Intro To DNS Security @cvwdyn @chris_brenton
  • What We Will Cover
    • DNS security state of the union: 2013
    • Why DNS security is important
    • Securing the architecture
    • Securing the deployment
    • Securing your zone info
    • Securing your registration info
  • Is DNS Still Sexy?
    • It’s old tech, so we must have it secured by now…right?
  • Is DNS Still Sexy?
    • DNS is effectively our root of trust:
      • You “ass-u-me” typing in www.google.com will always bring you to a Google server
      • If sent to the wrong IP address, would you even notice?
  • Is DNS Still Sexy?
    • If DNS is compromised, everything else falls apart.
  • Architecture
    • Run split DNS:
  • Architecture
    • Two separate sets of name server records:
      • One for use by internal clients
      • One for use by the rest of the world
  • Architecture
    • Helps protect internal systems from cache poisoning and other various nastiness
  • Internal Name Servers
    • Accessed by internal systems only
    • Contains a full list of host records
    • Usually identifies your hosts by private IP
    • Will act recursively
    • Will hand back upward referrals
  • External Name Servers
    • Accessed by the rest of the Internet
    • Contains only records you want the world to see
    • Usually identifies your hosts by legal IP
    • Will not act recursively
    • Will not hand back upward referrals
  • Recursive Answers
    • DNS is a distributed system
    • Not all servers know every answer
    • “Recursion” identifies what to do when an answer is not in cache
  • Recursive Answers
    • Recursive = Do the lookup work for the client
    • Non-Recursive = Don't be so friendly
  • Non-Recursive Possibilities
    • Hand back the list of root name servers
      • Referred to as an “upward referral”
    • Hand back the error code “Refused”
      • Let the client figure out what to do next
  • Why Recursion Can Be Bad
    • Can be leveraged for cache poisoning attacks:
      • Redirect your employees to an IP owned by the attacker
  • Why Recursion Can Be Bad
    • Can be leveraged for DDoS attacks:
      • Most DNS is UDP based
      • Connectionless, so it's easy to spoof the source IP
      • Small questions that result in big answers = amplification
      • A savvy attacker can get 30X amplification
  • Why Upward Referrals Are Bad
    • Non-recursive servers have historically handed back a list of root name servers
    • Considered the polite thing to do
  • Why Upward Referrals Are Bad
    • Every name server should already maintain a current list of root name servers
    • That “polite” answer still provides a 10X amplification in a DDoS attack
  • Configuring Bind
    • Disabling recursion and upward referrals
    • In /etc/named.conf:

          options {
              recursion no;              // do not resolve names on behalf of clients
              additional-from-cache no;  // do not answer from cached data (stops upward referrals)
          };
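
To check what an external name server actually hands back after this change, the Python below (an added example, not part of the original slides) classifies the reply to a query for a zone the server does not host as recursive, an upward referral or Refused, and reports the response-to-query size ratio that drives amplification. The messages are constructed inline without name compression, so the ratios are illustrative; all function and variable names are this example's own.

```python
import struct

def encode_name(name):
    """Encode a domain name in DNS wire format (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(flags, qname, answers=(), authority=()):
    """Build a DNS message; each record is (owner, rtype, rdata_bytes)."""
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    for owner, rtype, rdata in list(answers) + list(authority):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def classify(query, response):
    """Label how a server answered a query for a zone it does not host."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", response[:12])
    rcode, ra = flags & 0x000F, bool(flags & 0x0080)
    pos = 12
    for _ in range(qd):                       # skip the question section
        while response[pos] != 0:
            pos += response[pos] + 1
        pos += 5                              # root label + QTYPE + QCLASS
    if rcode == 5:
        verdict = "refused"
    elif an > 0 and ra:
        verdict = "open recursion"
    elif an == 0 and ns > 0 and response[pos] == 0 and response[pos + 1:pos + 3] == b"\x00\x02":
        verdict = "upward referral"           # authority section holds NS records owned by "."
    else:
        verdict = "other"
    return verdict, round(len(response) / len(query), 1)

# Constructed sample messages (not captured traffic).
QUERY = build_message(0x0100, "example.com")                       # RD=1
ROOT_NS = [(".", 2, encode_name(f"{c}.root-servers.net")) for c in "abcdefghijklm"]
REFERRAL = build_message(0x8100, "example.com", authority=ROOT_NS) # QR=1, RA=0, NOERROR
REFUSED = build_message(0x8105, "example.com")                     # RCODE=5
RECURSIVE = build_message(0x8180, "example.com",                   # QR=1, RA=1
                          answers=[("example.com", 1, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for label, resp in (("referral", REFERRAL), ("refused", REFUSED), ("recursive", RECURSIVE)):
        print(label, classify(QUERY, resp))
```
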
  • DNSSEC
    • Spec to secure DNS
    • Provides authentication but not data privacy
    • Trust anchor to create a chain of trust
    • Designed to create “trusted” responses
    • Protect against cache poisoning
    • Can protect additional info via TXT records
  • DNSSEC Pitfalls
    • Large responses make DDoS issues even worse
    • Can be problematic with split zone deployment
    • Can be a problem when handing back bogus answers is “a feature”
    • Still no data privacy
    • Crawling zones mitigated but not resolved
  • Should I Use DNSSEC?
    • Case-by-case judgment call
    • Useful when IP filtering is problematic for protecting zone transfers
    • May be mandated in some situations
    • Will probably be a requirement
      • Someday...maybe
  • Dyn Makes DNSSEC Easier To Enable
  • Protecting Your Registration
    • The easiest way to compromise all of your servers is to compromise your zone
    • Popular attack pattern
    • Rapid7 owned by attackers with a…
  • Bit.ly/DynSec1
  • Domain Status Codes
    • Many registrars support codes to protect your domain
    • Permits you to limit zone management
  • Domain Status Codes
    • Predefine authentication process for changes:
      • Requires call back to a specified phone number
      • Only certain individuals can make changes
  • Status Code Examples
    • Transfer prohibited
    • Delete prohibited
    • Update prohibited
    • Renew prohibited
    • Bit.ly/DynSec2
  • Protected Zone

        foo$ whois dyn.com
        [whois.dyndns.com]
        Registrant:
        Hostmaster, Dyn-Inc hostmaster@dyn-inc.com
        …
        Domain status: clientDeleteProhibited clientTransferProhibited clientUpdateProhibited
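
The status codes in WHOIS output like the above can be checked on a schedule so that a dropped lock is noticed. The Python below is an added example, not part of the original slides: it parses status lines and reports which of the four lock kinds from the slide are set and by whom. The `client*`/`server*` names are the standard EPP status codes, the first sample is the slide's output with its line layout assumed, the second sample is constructed, and the function names are this example's own.

```python
import re

LOCKS = ("Transfer", "Delete", "Update", "Renew")   # the four slide examples

def domain_statuses(whois_text):
    """Collect status codes from 'Domain status:' or 'Status:' lines."""
    found = set()
    for line in whois_text.splitlines():
        m = re.match(r"\s*(?:domain\s+)?status\s*:\s*(.*)", line, re.IGNORECASE)
        if not m:
            continue
        for token in re.split(r"[\s,]+", m.group(1)):
            # Keep bare code names; this drops URLs such as https://icann.org/epp#ok
            if re.fullmatch(r"[A-Za-z]+", token):
                found.add(token)
    return found

def audit_locks(whois_text):
    """Map each lock kind to who set it ('client' = registrar, 'server' = registry)."""
    found = domain_statuses(whois_text)
    report = {kind: [side for side in ("client", "server")
                     if f"{side}{kind}Prohibited" in found]
              for kind in LOCKS}
    missing = [kind for kind, sides in report.items() if not sides]
    return report, missing

# Sample 1: the slide's WHOIS output (line breaks assumed).
SLIDE_SAMPLE = """Registrant:
Hostmaster, Dyn-Inc hostmaster@dyn-inc.com
Domain status: clientDeleteProhibited clientTransferProhibited clientUpdateProhibited
"""

# Sample 2: constructed output for a hypothetical unlocked domain, one code per line.
UNLOCKED_SAMPLE = """Domain Name: EXAMPLE.TEST
Domain Status: ok https://icann.org/epp#ok
"""

if __name__ == "__main__":
    for name, text in (("slide", SLIDE_SAMPLE), ("unlocked", UNLOCKED_SAMPLE)):
        report, missing = audit_locks(text)
        print(name, report, "missing:", missing)
```
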
  • Questions to Ask Your Registrar
    • What are my authentication options?
    • How will authorized changes be verified?
    • Can I lock changes to a call back number?
    • Backup plan when primary auth goes FUBAR?
    • Can auth be circumvented via API or portal?
  • Questions? Cory von Wallenstein Chief Technologist @cvwdyn Chris Brenton Director of Security @Chris_Brenton
  • Next Webinar: Wed., Nov. 20th DNS Security: PCI in The Public Cloud Cory von Wallenstein Chief Technologist @cvwdyn Chris Brenton Director of Security @Chris_Brenton