Intro To DNS Security with Cory Von Wallenstein & Chris Brenton

With DNS hijacks happening more frequently, website security has never been more important for your company. However, it can be a daunting task to figure out where to get started, and to evaluate whether what you are doing is working.

That's why our Director of Security Chris Brenton and Chief Technologist Cory von Wallenstein teamed up for a special webinar on that topic. Enjoy the slides and watch the show: http://dyn.com/webinar-what-you-need-to-know-about-dns-security/

Published in: Technology

  1. Intro To DNS Security, October 23, 2013
      • Cory von Wallenstein, Chief Technologist, @cvwdyn
      • Chris Brenton, Director of Security, @chris_brenton
  2. Your Presenters
      • Cory von Wallenstein, Chief Technologist, @cvwdyn
      • Chris Brenton, Director of Security, @Chris_Brenton
      Pg. 2 Intro To DNS Security @cvwdyn @chris_brenton
  3. What We Will Cover
      • DNS security state of the union: 2013
      • Why DNS security is important
      • Securing the architecture
      • Securing the deployment
      • Securing your zone info
      • Securing your registration info
  9. Is DNS Still Sexy?
      • It’s old tech, so we must have it secured by now…right?
  10. Is DNS Still Sexy?
      • DNS is effectively our root of trust:
          • You “ass-u-me” typing in www.google.com will always bring you to a Google server
          • If sent to the wrong IP address, would you even notice?
  11. Is DNS Still Sexy?
      • If DNS is compromised, everything else falls apart.
  12. Architecture
      • Run split DNS:
  13. Architecture
      • Two separate sets of name server records:
          • One for use by internal clients
          • One for use by the rest of the world
  14. Architecture
      • Helps protect internal systems from cache poisoning and other various nastiness
  15. Internal Name Servers
      • Accessed by internal systems only
      • Contains a full list of host records
      • Usually identifies your hosts by private IP
      • Will act recursively
      • Will hand back upward referrals
  16. External Name Servers
      • Accessed by the rest of the Internet
      • Contains only records you want the world to see
      • Usually identifies your hosts by legal IP
      • Will not act recursively
      • Will not hand back upward referrals
  17. Recursive Answers
      • DNS is a distributed system
      • Not all servers know every answer
      • “Recursion” identifies what to do when an answer is not in cache
  18. Recursive Answers
      • Recursive = Do the lookup work for the client
      • Non-Recursive = Don't be so friendly
  19. Non-Recursive Possibilities
      • Hand back the list of root name servers
          • Referred to as an “upward referral”
      • Hand back the error code “Refused”
          • Let the client figure out what to do next
  20. Why Recursion Can Be Bad
      • Can be leveraged for cache poisoning attacks:
          • Redirect your employees to an IP owned by the attacker
  21. Why Recursion Can Be Bad
      • Can be leveraged for DDoS attacks:
          • Most DNS is UDP based
          • Connectionless, so it's easy to spoof the source IP
          • Small questions that result in big answers = amplification
          • A savvy attacker can get 30X amplification
  22. Why Upward Referrals Are Bad
      • Non-recursive servers have historically handed back a list of root name servers
      • Considered the polite thing to do
  23. Why Upward Referrals Are Bad
      • Every name server should already maintain a current list of root name servers
      • That “polite” answer still provides a 10X amplification in a DDoS attack
  24. Configuring BIND
      • Disabling recursion and upward referrals
      • In /etc/named.conf:

            options {
                recursion no;              // do not resolve names on behalf of clients
                additional-from-cache no;  // do not fill responses from the cache (no upward referrals)
            };
  29. DNSSEC
      • Spec to secure DNS
      • Provides authentication but not data privacy
      • Trust anchor to create a chain of trust
      • Designed to create “trusted” responses
      • Protect against cache poisoning
      • Can protect additional info via TXT records
  35. DNSSEC Pitfalls
      • Large responses make DDoS issues even worse
      • Can be problematic with split zone deployment
      • Can be a problem when handing back bogus answers is “a feature”
      • Still no data privacy
      • Crawling zones mitigated but not resolved
  39. Should I Use DNSSEC?
      • Case-by-case judgment call
      • Useful when IP filtering is problematic for protecting zone transfers
      • May be mandated in some situations
      • Will probably be a requirement
          • Someday...maybe
  40. Dyn Makes DNSSEC Easier To Enable
  41. Protecting Your Registration
      • The easiest way to compromise all of your servers is to compromise your zone
      • Popular attack pattern
      • Rapid7 owned by attackers with a…
  42. Bit.ly/DynSec1
  43. Domain Status Codes
      • Many registrars support codes to protect your domain
      • Permits you to limit zone management
  44. Domain Status Codes
      • Predefine authentication process for changes:
          • Requires call back to a specified phone number
          • Only certain individuals can make changes
  45. Status Code Examples
      • Transfer prohibited
      • Delete prohibited
      • Update prohibited
      • Renew prohibited
      Bit.ly/DynSec2
  46. Protected Zone

            foo$ whois dyn.com
            [whois.dyndns.com]
            Registrant: Hostmaster, Dyn-Inc hostmaster@dyn-inc.com
            …
            Domain status: clientDeleteProhibited clientTransferProhibited clientUpdateProhibited
  51. Questions to Ask Your Registrar
      • What are my authentication options?
      • How will authorized changes be verified?
      • Can I lock changes to a call back number?
      • Backup plan when primary auth goes FUBAR?
      • Can auth be circumvented via API or portal?
  52. Questions?
      • Cory von Wallenstein, Chief Technologist, @cvwdyn
      • Chris Brenton, Director of Security, @Chris_Brenton
  53. Next Webinar: Wed., Nov. 20th
      • DNS Security: PCI in The Public Cloud
      • Cory von Wallenstein, Chief Technologist, @cvwdyn
      • Chris Brenton, Director of Security, @Chris_Brenton
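
Added example, not part of the original slides: a Python sketch that parses a DNS response and labels it the way the slides on recursion and upward referrals describe (recursive answer, upward referral to the root servers, or Refused) and reports the response-to-query size ratio. The messages are constructed in the block with uncompressed records, so the ratios are illustrative only; all function names are hypothetical.

```python
import struct

def encode_name(name):
    """DNS wire-format name; '.' encodes as the single root byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def record(owner, rtype, rdata):
    """One resource record, class IN, TTL 3600, no name compression."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

def message(flags, name, an=(), ns=()):
    """Header, one A/IN question, then answer and authority records."""
    head = struct.pack("!6H", 0x1234, flags, 1, len(an), len(ns), 0)
    return head + encode_name(name) + struct.pack("!2H", 1, 1) + b"".join(an) + b"".join(ns)

def skip_name(msg, off):
    """Offset just past a name, honouring compression pointers."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify(query, response):
    """Label the reply to a query for a zone the server does not host."""
    _, flags, qd, an, ns, _ = struct.unpack("!6H", response[:12])
    off, root_ns = 12, 0
    for _ in range(qd):
        off = skip_name(response, off) + 4        # name, qtype, qclass
    for i in range(an + ns):
        owner_is_root = response[off] == 0
        off = skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10 + rdlen
        root_ns += i >= an and rtype == 2 and owner_is_root   # NS for "." in authority
    if (flags & 0xF) == 5:
        verdict = "refused"
    elif flags & 0x0080 and an:                   # RA bit set and an answer returned
        verdict = "recursive-answer"
    elif root_ns:
        verdict = "upward-referral"
    else:
        verdict = "other"
    return verdict, round(len(response) / len(query), 1)

# Constructed messages (not captured traffic).
QUERY = message(0x0100, "example.com")                                    # RD
REFUSED = message(0x8105, "example.com")                                  # QR RD RCODE=5
RECURSED = message(0x8180, "example.com", an=[record("example.com", 1, bytes([192, 0, 2, 1]))])
REFERRAL = message(0x8100, "example.com",
                   ns=[record(".", 2, encode_name(c + ".root-servers.net")) for c in "abcdefghijklm"])
```

An external name server configured as on the "Configuring BIND" slide should only ever produce the `refused` verdict for names outside its zones.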
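
Added example, not part of the original slides: a Python check that reads whois text, extracts the domain status codes shown on the "Protected Zone" slide, and reports any registrar lock that is missing or that has disappeared since the previous snapshot. The second sample is constructed, and the function names are hypothetical.

```python
import re

# Lock codes shown in the whois output on the "Protected Zone" slide.
REQUIRED = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}
CODE = re.compile(r"\b(?:client|server)(?:Delete|Transfer|Update|Renew)Prohibited\b")

def status_codes(whois_text):
    """Collect lock codes from every status line, whatever the registrar's layout."""
    codes = set()
    for line in whois_text.splitlines():
        label, _, value = line.partition(":")
        if "status" in label.lower():
            codes.update(CODE.findall(value))
    return codes

def missing_locks(whois_text, required=REQUIRED):
    """Required locks that the whois output does not list."""
    return sorted(required - status_codes(whois_text))

def dropped_locks(previous, current):
    """Locks present in the last snapshot but gone now: alert on any."""
    return sorted(status_codes(previous) - status_codes(current))

# Status line as shown on the slide (several codes on one line).
SLIDE_SAMPLE = "Domain status: clientDeleteProhibited clientTransferProhibited clientUpdateProhibited\n"
# Constructed sample: one code per line with a URL suffix, update lock absent.
LATER_SAMPLE = (
    "Domain Name: EXAMPLE.COM\n"
    "Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\n"
    "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n"
)
```

Running `dropped_locks` against a stored snapshot on a schedule turns an unexpected lock removal into an alert before a transfer or update can follow.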
