The History of DNS
How it works
Why it needs to be secured
June 13th 2016
By Michael McLean
Why did I choose this subject?
I’m a history buff
DNS defined
• DNS stands for Domain Name System
• Maps user-friendly domain names to IP addresses
• DNS is organized in a hierarchical structure
• Used on TCP/IP networks to locate resources
A brief history of DNS
• The first form of name resolution was done using a hosts file.
• A centrally managed hosts file (HOSTS.TXT) was used by ARPANET from 1973 to 1984.
• Today the hosts file can still be found on client machines: on Windows at %SystemRoot%\System32\drivers\etc\hosts and on Unix-like systems at /etc/hosts. It is consulted before DNS, so an attacker who can write to it can redirect names without touching DNS at all.
History continued
• Before DNS, email between UUCP sites used “source routing”: the sender spelled out the whole path to the destination.
• Below is an actual communication path from that system. Note that a bang, “!”, separates the individual sites (hops) along the path to the destination; the “grg” at the end is the destination user name:
  utzoo!decvax!harpo!eagle!mhtsa!ihnss!ihuxp!grg
• DNS was invented in 1983 by Paul Mockapetris at USC’s Information Sciences Institute (RFC 882 and RFC 883).
• DNS was not implemented until 1984.
Domain Name System Hierarchy
A properly written fully qualified domain name in a DNS zone file has a terminating dot (period) on the end, such as:
www.lwtech.edu.
The trailing dot stands for the root zone. A name written without it is relative and has the zone’s $ORIGIN appended, so “www.lwtech.edu” inside the lwtech.edu. zone silently becomes “www.lwtech.edu.lwtech.edu.”.
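The rule above is easy to get wrong, so here is an added example (not from the presentation) of a small zone-file loader that applies it and flags the tell-tale doubled origin. The zone text, the lwtech.edu. origin and the 198.51.100.0/24 addresses are constructed for illustration, and the parser handles only the `owner IN TYPE rdata` line form plus the $ORIGIN and $TTL directives:

```python
# Added example, not from the slides: how a zone-file loader applies the trailing-dot rule.
# The zone text is constructed for illustration (lwtech.edu. as the origin, addresses from
# the 198.51.100.0/24 documentation range); it is not LWTech's real zone.

SAMPLE_ZONE = """\
$ORIGIN lwtech.edu.
$TTL 3600
@              IN SOA   ns1.lwtech.edu. hostmaster.lwtech.edu. 2016061301 7200 900 1209600 3600
@              IN NS    ns1.lwtech.edu.
@              IN NS    ns2.lwtech.edu        ; missing dot: rdata is relative to $ORIGIN
www            IN A     198.51.100.10
www.lwtech.edu IN A     198.51.100.11         ; missing dot: owner gets the origin twice
ftp            IN CNAME www.lwtech.edu.
"""

def absolute(name: str, origin: str) -> str:
    """RFC 1035 origin rule: '@' is the origin itself, a name ending in '.' is already
    fully qualified, and any other name gets '.' + origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text: str):
    """Return (origin, records); each record is (owner, type, rdata) with every domain
    name, in owners and in NS/CNAME/SOA rdata, made fully qualified."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        owner, _cls, rtype, *fields = line.split()    # simplified: owner IN TYPE rdata...
        if rtype in ("NS", "CNAME"):                  # rdata is a name: same dot rule
            fields = [absolute(fields[0], origin)]
        elif rtype == "SOA":                          # MNAME and RNAME are names too
            fields[0], fields[1] = absolute(fields[0], origin), absolute(fields[1], origin)
        records.append((absolute(owner, origin), rtype, " ".join(fields)))
    return origin, records

def doubled_origin(records, origin: str):
    """Names in which the origin appears twice in a row: the symptom of a forgotten dot."""
    def doubled(name: str) -> bool:
        return name.endswith(origin) and name[:-len(origin)].endswith(origin)
    out = []
    for owner, rtype, rdata in records:
        names = [owner] + ([rdata] if rtype in ("NS", "CNAME") else [])
        out += [n for n in names if doubled(n)]
    return out

if __name__ == "__main__":
    origin, records = parse_zone(SAMPLE_ZONE)
    for rec in records:
        print(rec)
    print("suspicious:", doubled_origin(records, origin))
```

Run against the sample, the loader produces an NS record pointing at `ns2.lwtech.edu.lwtech.edu.` and an A record owned by `www.lwtech.edu.lwtech.edu.`; both are syntactically valid, so the server loads them without complaint and the real names simply stop resolving.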
Why does DNS need to be secure?
• If authoritative DNS servers are compromised there can be global consequences: every resolver that asks them gets the attacker’s answers.
• Attackers also try to compromise the registration of a domain (the registrar account) to change the name servers assigned to that domain.
• A resolver’s cache can be altered maliciously to provide fraudulent responses. This cache poisoning (DNS spoofing) attack places an incorrect IP address into a DNS resolver’s cache, where it is served to every client of that resolver until the TTL expires.
DNS Security Extensions (DNSSEC)
• DNSSEC guards against cache poisoning attacks such as the Kaminsky bug (2008), which forged responses by brute-forcing the 16-bit transaction ID.
• DNSSEC lets a validating resolver check that a DNS response came from the zone owner, using the digital signatures (RRSIG records) generated by zone signing.
• The digital signature returned with the DNS response validates data integrity and origin; it does not hide the data.
• Digital signatures are generated on the DNS servers that hold the private keys of zones that have had DNSSEC applied to them.
DNSSEC Defined
• DNSSEC builds a chain of trust from the top down, starting at the root zone (the dot, “.”).
• The root zone vouches for the top-level domains by publishing a DS record for each signed TLD.
• The top-level domains vouch for the second-level domains in the same way.
• Each zone has a key signing key (KSK) and a zone signing key (ZSK). The private ZSK signs the zone’s records; the private KSK signs the zone’s DNSKEY RRset, which publishes both public keys; the parent zone publishes a DS record (a hash of the child’s public KSK) signed with the parent’s ZSK.
• To authenticate and validate a DNS response, DNSSEC uses asymmetric (public/private key) cryptography and digital signatures; a validating resolver only needs the root KSK as its trust anchor.
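To make the chain of trust on this slide and the cache-poisoning scenario on the previous one concrete, here is an added example that is not part of the presentation: a toy validator that walks root → edu. → lwtech.edu. and rejects a poisoned A record. Textbook RSA over small deterministically derived primes stands in for the RSA/SHA-256 keys real zones use, the DNSKEY/DS/RRSIG formats are simplified to strings and dicts, and the zone names, keys and 198.51.100.x / 203.0.113.x addresses are all constructed. The keys are insecure by design (anyone can rederive them from the labels); the point is the structure of the checks, not the cryptography.

```python
# Added example, not from the slides: a toy DNSSEC chain-of-trust walk. Textbook RSA over
# small deterministic primes stands in for the RSA/SHA-256 keys real zones use; the zone
# names, keys and 198.51.100.x / 203.0.113.x addresses are constructed. Insecure by design.
import hashlib
import math

def is_prime(n: int) -> bool:   # trial division; adequate for the ~32-bit toy primes here
    return n > 1 and all(n % i for i in range(2, math.isqrt(n) + 1))

def next_prime(n: int) -> int:
    n |= 1
    while not is_prime(n):
        n += 2
    return n

def toy_keygen(label: str, e: int = 65537):
    """Toy RSA pair derived from a label: returns public (n, e) and private (n, d)."""
    p = next_prime(int.from_bytes(hashlib.sha256(label.encode()).digest()[:4], "big") | 1 << 30)
    q = next_prime(p + 2)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 2)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data: bytes) -> int:      # RRSIG: hash of the RRset signed with a private key
    return pow(h(data) % priv[0], priv[1], priv[0])
def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == h(data) % pub[0]

def canonical(owner: str, rtype: str, rdata) -> bytes:
    """What gets signed: the whole RRset in canonical order, never a single record."""
    return "|".join([owner.lower(), rtype] + sorted(rdata)).encode()

def dnskey_rdata(pub, is_ksk: bool) -> str:   # flags 257 = KSK (SEP bit set), 256 = ZSK
    return f"{257 if is_ksk else 256} 3 8 {pub[1]}:{pub[0]}"
def parse_pub(dnskey_rr: str):
    e, n = dnskey_rr.split()[3].split(":")
    return int(n), int(e)
def ds_digest(owner: str, dnskey_rr: str) -> str:
    """DS = SHA-256 over owner name + the child's KSK; the parent publishes and signs it."""
    return hashlib.sha256(owner.lower().encode() + dnskey_rr.encode()).hexdigest()

class Zone:
    def __init__(self, name: str):
        self.name = name
        self.ksk_pub, self.ksk_priv = toy_keygen(name + "/ksk")
        self.zsk_pub, self.zsk_priv = toy_keygen(name + "/zsk")
        self.rrsets, self.rrsigs = {}, {}   # (owner, type) -> rdata list / signature
        keys = [dnskey_rdata(self.ksk_pub, True), dnskey_rdata(self.zsk_pub, False)]
        self.add("DNSKEY", keys, priv=self.ksk_priv)   # only the DNSKEY RRset is KSK-signed

    def add(self, rtype, rdata, owner=None, priv=None):
        owner, priv = owner or self.name, priv or self.zsk_priv   # everything else: ZSK
        self.rrsets[(owner, rtype)] = list(rdata)
        self.rrsigs[(owner, rtype)] = sign(priv, canonical(owner, rtype, rdata))

    def delegate(self, child):   # the parent vouches for the child's KSK with a DS record
        self.add("DS", [ds_digest(child.name, dnskey_rdata(child.ksk_pub, True))], owner=child.name)

def validate(zones, trust_anchor_ds: str, owner: str, rtype: str):
    """Walk root -> TLD -> zone. At each cut the KSK must match the DS from above, the
    DNSKEY RRset must be KSK-signed, and the ZSK must sign the next DS or the final answer."""
    labels = owner.rstrip(".").split(".")
    cuts = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    path = [c for c in cuts if c in zones]
    expected_ds = trust_anchor_ds
    for i, zname in enumerate(path):
        z = zones[zname]
        keys = z.rrsets[(zname, "DNSKEY")]
        ksk = next(k for k in keys if k.startswith("257 "))
        if ds_digest(zname, ksk) != expected_ds:
            return False, f"DS mismatch at {zname}"
        if not verify(parse_pub(ksk), canonical(zname, "DNSKEY", keys), z.rrsigs[(zname, "DNSKEY")]):
            return False, f"bad DNSKEY RRSIG at {zname}"
        zsk = parse_pub(next(k for k in keys if k.startswith("256 ")))
        target = (path[i + 1], "DS") if i + 1 < len(path) else (owner, rtype)
        rdata = z.rrsets.get(target)
        if rdata is None or not verify(zsk, canonical(*target, rdata), z.rrsigs[target]):
            return False, f"bad or missing RRSIG for {target}"
        expected_ds = rdata[0] if target[1] == "DS" else None
    return True, "chain verified from the root trust anchor"

def build_zones():
    root, edu, lwtech = Zone("."), Zone("edu."), Zone("lwtech.edu.")
    root.delegate(edu)
    edu.delegate(lwtech)
    lwtech.add("A", ["198.51.100.10"], owner="www.lwtech.edu.")
    return {z.name: z for z in (root, edu, lwtech)}

def demo():
    zones = build_zones()
    anchor = ds_digest(".", dnskey_rdata(zones["."].ksk_pub, True))   # resolver's trust anchor
    ok, _ = validate(zones, anchor, "www.lwtech.edu.", "A")
    # A poisoned cache entry: the A record changed but nobody re-signed it with the ZSK.
    zones["lwtech.edu."].rrsets[("www.lwtech.edu.", "A")] = ["203.0.113.66"]
    bad, why = validate(zones, anchor, "www.lwtech.edu.", "A")
    return ok, bad, why
```

`demo()` returns `(True, False, "bad or missing RRSIG for ('www.lwtech.edu.', 'A')")`: the same walk that accepts the genuine record rejects the forged one, because the forger has no ZSK. Swapping in a different KSK for edu. fails one level higher with a DS mismatch, which is what stops an attacker from simply publishing their own keys.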
Protocols of DNSSEC
• Classic DNS uses UDP port 53 with a 512-byte message limit.
• DNSSEC responses carry signatures and keys and are much larger, so DNSSEC-aware resolvers use EDNS(0) to advertise a bigger UDP buffer (commonly 4096 bytes) and fall back to TCP, with its 3-way handshake, when a response comes back truncated (TC bit set).
• Both UDP and TCP therefore need to be allowed on port 53; firewalls that block TCP/53 or drop large UDP packets break DNSSEC.
• DNSSEC does not provide encryption or privacy. DNSSEC provides a chain of trust (authentication and integrity).
• DNSCrypt provides encryption between a client and its resolver and can work together with DNSSEC. DNSCrypt does not use SSL/TLS.
• DNSCrypt uses elliptic-curve cryptography (a Curve25519 key exchange).
• Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.
Sources
• Image for Dwight D. Eisenhower: http://content.time.com/time/covers/0,16641,19600104,00.html
• http://searchnetworking.techtarget.com/definition/ARPA
• https://dnscrypt.org/
• https://en.wikipedia.org/wiki/Hosts_(file)
• http://www.livinginternet.com/i/iw_dns_history.htm
• https://en.wikipedia.org/wiki/Paul_Mockapetris
• http://www.itgeared.com/articles/1354-domain-name-system-dns-tutorial-overview/
• http://www.securityweek.com/five-dns-threats-you-should-protect-against
• https://www.cloudflare.com/dnssec/how-dnssec-works/
• https://en.wikipedia.org/wiki/Elliptic_curve_cryptography
• https://technet.microsoft.com/en-us/library/cc787920(v=ws.10).aspx
• https://technet.microsoft.com/en-us/library/cc775637(v=ws.10).aspx


Editor's Notes

  1. Dwight D. Eisenhower, 34th president; Sputnik; 1958: the Advanced Research Projects Agency (ARPA) is created.
  2. ARPANET, MIT. The hosts file was managed by the Network Information Center (NIC) at the Stanford Research Institute from 1973 to 1983. By the early 1980s the hosts file had become very large and error prone: it was maintained by hand at the NIC, errors crept in, and the corrupted file was then propagated out to the whole network.
  3. DNS was originally invented as a way to route email more efficiently. In 1983 Jon Postel of USC’s ISI asked Paul Mockapetris to sort through five different DNS proposals. Paul proceeded to ignore all five and instead invented the DNS design that is still used to this day. Jon Postel was in charge of RFCs (Requests for Comments) for the Internet, the documents that define how the Internet was built and how it works.
  4. The DNS root zone is served by thirteen root server identities (a through m), each of them an anycast cluster with many instances at publicly listed locations around the globe. These 13 clusters serve the entire needs of the Internet. Every DNS resolution starts with a query to a root server or uses information cached from an earlier root response. The root name servers delegate to the top-level domains like .com, .edu and .org. The root zone is represented by the single trailing period [.] at the end of a fully qualified domain name as written in the zone files stored on DNS servers.
  5. If attackers gain access to the zone files of authoritative DNS servers they can point DNS records at IP addresses of servers they control. DNS caching improves response time by answering from previously stored replies, so a resolver need not query another DNS server again for the same information. The problem is that, without DNSSEC, the cache is a system of blind trust: whatever answer arrives first with the right transaction ID is stored and served to every client.
  6. When you make a DNS request you are really asking: “Is the DNS record I’m getting in the response coming from the owner of the domain name I’m asking about, or has it been tampered with?” DNSSEC provides data integrity by digitally signing resource record sets. This process is called zone signing and lets a resource record set be accompanied by its signature (an RRSIG record) in the response. To create a digital signature, a hash function computes a fixed-size digest of the record set and the zone’s private key signs that digest. A validator recomputes the digest, checks the signature with the public key from the zone’s DNSKEY record and compares: if the data was modified the digests differ and the record is rejected.
  7. The top-level domains like .com, .edu, .org, .biz etc. Recall that public-key cryptography uses two separate but mathematically linked keys, one public key and one private key. In RSA either key can encrypt data but only the other key can decrypt it; signing uses the private key and verification the public key.
  8. Classic UDP DNS messages are limited to 512 bytes. UDP is a stateless, connectionless protocol that does not guarantee packet delivery. DNSSEC responses can reach 4096 bytes and more; EDNS(0) lets them travel over UDP, but a response that does not fit is truncated and the resolver retries over TCP, which guarantees delivery. DNSCrypt is like SSL/TLS in that it wraps all DNS traffic between a client and its resolver in encryption, the same way TLS wraps HTTP traffic.