Intro To DNS Security
October 23, 2013

Cory von Wallenstein, Chief Technologist, @cvwdyn
Chris Brenton, Director of Security, @Chris_Brenton

Intro To DNS Security with Cory Von Wallenstein & Chris Brenton

With DNS hijacks happening more frequently, website security has never been more important for your company. However, it can be a daunting task to figure out where to get started, and to evaluate whether what you are doing is working.

That's why our Director of Security Chris Brenton and Chief Technologist Cory von Wallenstein teamed up for a special webinar on that topic. Enjoy the slides and watch the show: http://dyn.com/webinar-what-you-need-to-know-about-dns-security/

Published in: Technology
Transcript of "Intro To DNS Security with Cory Von Wallenstein & Chris Brenton"

  1. Intro To DNS Security
     October 23, 2013
     Cory von Wallenstein, Chief Technologist, @cvwdyn
     Chris Brenton, Director of Security, @chris_brenton
  2. Your Presenters
     Cory von Wallenstein, Chief Technologist, @cvwdyn
     Chris Brenton, Director of Security, @Chris_Brenton
     Pg. 2 Intro To DNS Security @cvwdyn @chris_brenton
  3. What We Will Cover
     • DNS security state of the union: 2013
     • Why DNS security is important
     • Securing the architecture
     • Securing the deployment
     • Securing your zone info
     • Securing your registration info
  4-8. [Image slides; no text captured]
  9. Is DNS Still Sexy?
     It’s old tech, so we must have it secured by now…right?
  10. Is DNS Still Sexy?
     DNS is effectively our root of trust:
     • You “ass-u-me” typing in www.google.com will always bring you to a Google server
     • If sent to the wrong IP address, would you even notice?
  11. Is DNS Still Sexy?
     If DNS is compromised, everything else falls apart.
  12. Architecture
     Run split DNS:
  13. Architecture
     Two separate sets of name server records:
     • One for use by internal clients
     • One for use by the rest of the world
  14. Architecture
     Helps protect internal systems from cache poisoning and other various nastiness
  15. Internal Name Servers
     • Accessed by internal systems only
     • Contains a full list of host records
     • Usually identifies your hosts by private IP
     • Will act recursively
     • Will hand back upward referrals
  16. External Name Servers
     • Accessed by the rest of the Internet
     • Contains only records you want the world to see
     • Usually identifies your hosts by legal IP
     • Will not act recursively
     • Will not hand back upward referrals
  17. Recursive Answers
     • DNS is a distributed system
     • Not all servers know every answer
     • “Recursion” identifies what to do when an answer is not in cache
  18. Recursive Answers
     • Recursive = Do the lookup work for the client
     • Non-Recursive = Don't be so friendly
  19. Non-Recursive Possibilities
     • Hand back the list of root name servers (referred to as an “upward referral”)
     • Hand back the error code “Refused” and let the client figure out what to do next
  20. Why Recursion Can Be Bad
     Can be leveraged for cache poisoning attacks: redirect your employees to an IP owned by the attacker
  21. Why Recursion Can Be Bad
     Can be leveraged for DDoS attacks:
     • Most DNS is UDP based
     • Connectionless, so it's easy to spoof the source IP
     • Small questions that result in big answers = amplification
     • A savvy attacker can get 30X amplification
  22. Why Upward Referrals Are Bad
     Non-recursive servers have historically handed back a list of root name servers; considered the polite thing to do
  23. Why Upward Referrals Are Bad
     • Every name server should already maintain a current list of root name servers
     • That “polite” answer still provides a 10X amplification in a DDoS attack
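Slides 21 to 23 describe the abuse; the following is an added detection example, not from the webinar, that scans constructed BIND-style query log lines for clients pushing a non-recursive external server with recursion-desired queries for foreign names or with ANY queries. The log line format, the authoritative zone list and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed BIND-style query log lines (not from the webinar). A leading "+"
# in the flags field means the client asked for recursion; "E" means EDNS0.
SAMPLE_LOG = """\
client 203.0.113.7#4321: query: example.com IN A + (192.0.2.53)
client 203.0.113.7#4321: query: isc.org IN ANY +E (192.0.2.53)
client 203.0.113.7#4321: query: isc.org IN ANY +E (192.0.2.53)
client 203.0.113.7#4321: query: isc.org IN ANY +E (192.0.2.53)
client 203.0.113.7#4321: query: ripe.net IN ANY +E (192.0.2.53)
client 198.51.100.9#5353: query: www.example.com IN A - (192.0.2.53)
client 198.51.100.9#5353: query: mail.example.com IN MX - (192.0.2.53)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Zones this external server is authoritative for (assumption).
AUTHORITATIVE_ZONES = ("example.com",)


def in_authoritative_zone(qname, zones=AUTHORITATIVE_ZONES):
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def find_amplification_abuse(log_text, threshold=3):
    """Return {client_ip: count} for clients at or above the threshold.

    On an external, non-recursive server a query is suspicious when it asks
    for a name outside our zones with recursion desired, or uses qtype ANY,
    the "small question, big answer" shape that amplification relies on.
    Because DNS is UDP, the logged client IP may be a spoofed victim, so the
    fix is refusing recursion and rate limiting, not blocklisting that IP."""
    suspicious = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        wants_recursion = m["flags"].startswith("+")
        foreign = not in_authoritative_zone(m["qname"])
        if (foreign and wants_recursion) or m["qtype"] == "ANY":
            suspicious[m["ip"]] += 1
    return {ip: n for ip, n in suspicious.items() if n >= threshold}
```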
  24. Configuring Bind
     Disabling recursion and upward referrals. In /etc/named.conf:
       recursion no;
       additional-from-cache no;
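As an added example, not from the webinar or from Dyn, a small Python lint that parses the options block of a named.conf fragment and reports whether the two directives above are present on a server meant to be the external half of a split DNS deployment. The fragments are constructed, and the parser assumes flat `name value;` statements with no nested sub-blocks.

```python
import re

# Constructed named.conf fragments (not from the webinar): the weak default
# beside the version carrying the slide's two directives.
WEAK_CONF = """\
options {
    directory "/var/named";
    recursion yes;   // external server left recursive
};
"""

HARDENED_CONF = """\
options {
    directory "/var/named";
    recursion no;
    additional-from-cache no;
};
"""


def parse_options(conf_text):
    """Return {directive: value} from the options { ... } block.

    '#' and '//' comments are stripped. Only flat 'name value;' statements
    are parsed; nested sub-blocks such as allow-query { ... } are not handled."""
    text = re.sub(r"(#|//).*", "", conf_text)
    m = re.search(r"options\s*\{(.*?)\};", text, re.S)
    if not m:
        return {}
    opts = {}
    for stmt in m.group(1).split(";"):
        parts = stmt.split()
        if len(parts) == 2:
            opts[parts[0]] = parts[1].strip('"')
    return opts


def lint_external_server(conf_text):
    """Findings for an external, non-recursive name server; [] means both
    of the slide's directives are set. BIND defaults both directives to yes,
    so an absent directive counts as the weak setting."""
    opts = parse_options(conf_text)
    findings = []
    if opts.get("recursion", "yes") != "no":
        findings.append("recursion is enabled: set 'recursion no;'")
    if opts.get("additional-from-cache", "yes") != "no":
        findings.append("upward referrals possible: set 'additional-from-cache no;'")
    return findings
```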
  25-29. DNSSEC
     • Spec to secure DNS
     • Provides authentication but not data privacy
     • Trust anchor to create a chain of trust
     • Designed to create “trusted” responses
     • Protect against cache poisoning
     • Can protect additional info via TXT records
  30-35. DNSSEC Pitfalls
     • Large responses make DDoS issues even worse
     • Can be problematic with split zone deployment
     • Can be a problem when handing back bogus answers is “a feature”
     • Still no data privacy
     • Crawling zones mitigated but not resolved
  36-39. Should I Use DNSSEC?
     • Case-by-case judgment call
     • Useful when IP filtering is problematic for protecting zone transfers
     • May be mandated in some situations
     • Will probably be a requirement (someday... maybe)
  40. Dyn Makes DNSSEC Easier To Enable
  41. Protecting Your Registration
     • The easiest way to compromise all of your servers is to compromise your zone
     • Popular attack pattern
     • Rapid7 owned by attackers with a…
  42. Bit.ly/DynSec1
  43. Domain Status Codes
     • Many registrars support codes to protect your domain
     • Permits you to limit zone management
  44. Domain Status Codes
     Predefine authentication process for changes:
     • Requires call back to a specified phone number
     • Only certain individuals can make changes
  45. Status Code Examples
     • Transfer prohibited
     • Delete prohibited
     • Update prohibited
     • Renew prohibited
     Bit.ly/DynSec2
  46. Protected Zone
     foo$ whois dyn.com
     [whois.dyndns.com]
     Registrant:
     Hostmaster, Dyn-Inc
     hostmaster@dyn-inc.com
     …
     Domain status: clientDeleteProhibited
                    clientTransferProhibited
                    clientUpdateProhibited
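An added Python check, not from the webinar, that parses whois output shaped like the Protected Zone slide and reports which of the three lock codes shown there are missing. The whois text is constructed; the required set follows the slide's example rather than any registrar's policy.

```python
import re

# Constructed whois output modelled on the Protected Zone slide (not a real lookup).
WHOIS_PROTECTED = """\
Registrant:
Hostmaster, Dyn-Inc
hostmaster@dyn-inc.com
Domain status: clientDeleteProhibited
               clientTransferProhibited
               clientUpdateProhibited
"""

WHOIS_UNPROTECTED = """\
Registrant:
Hostmaster, Example
Domain status: ok
"""

# The locks visible on the slide's protected zone (EPP status codes).
REQUIRED_LOCKS = {
    "clientTransferProhibited",
    "clientDeleteProhibited",
    "clientUpdateProhibited",
}

STATUS_RE = re.compile(r"\b(client|server)(Transfer|Delete|Update|Renew)Prohibited\b")


def extract_status_codes(whois_text):
    """Return the set of EPP status codes found anywhere in the whois text."""
    return {m.group(0) for m in STATUS_RE.finditer(whois_text)}


def missing_locks(whois_text, required=REQUIRED_LOCKS):
    """Return the required locks the domain lacks; an empty set means protected.

    A registry-level serverXProhibited lock satisfies a clientXProhibited
    requirement, since the registrar cannot lift it on its own."""
    present = extract_status_codes(whois_text)
    missing = set()
    for lock in required:
        kind = lock[len("client"):]
        if lock not in present and "server" + kind not in present:
            missing.add(lock)
    return missing
```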
  47-51. Questions to Ask Your Registrar
     • What are my authentication options?
     • How will authorized changes be verified?
     • Can I lock changes to a call back number?
     • Backup plan when primary auth goes FUBAR?
     • Can auth be circumvented via API or portal?
  52. Questions?
     Cory von Wallenstein, Chief Technologist, @cvwdyn
     Chris Brenton, Director of Security, @Chris_Brenton
  53. Next Webinar: Wed., Nov. 20th
     DNS Security: PCI in The Public Cloud
     Cory von Wallenstein, Chief Technologist, @cvwdyn
     Chris Brenton, Director of Security, @Chris_Brenton