Understanding the DNS & DNS Security

The World’s Network – the Domain Name System
+ An Internet Protocol (IP) address uniquely identifies laptops, phones or other devices
+ The Domain Name System matches IP addresses with a name
+ IP routing and DNS are the underpinning of a unified Internet

A sample DNS query
[Diagram: a client asks "Where is www.iana.org?" and receives the answer 192.0.2.1.]

Making the DNS Secure
+ A computer sends a question to a DNS server, like “where is IANA.org?”
+ It receives an answer and assumes that it is correct.
+ There are multiple ways that traffic on the Internet can be intercepted and modified, so that the answer given is false.

Receiving the Wrong Answer
[Diagram: the query "Where is www.iana.org?" receives the wrong answer.]

Poisoning a Cache
+ Attacker knows iterative resolvers may cache
+ Attacker:
  + Composes a DNS response with malicious data about a targeted domain
  + Tricks a resolver into adding this malicious data to its local cache
+ Later queries processed by server will return malicious data for the life of the cached entry
+ Example: user at My Mac clicks on a URL in an email message from try@loseweightfastnow.com

[Diagram]
My Mac: "What is the IPv4 address for loseweightfastnow.com?"
ecrime name server: "loseweightfastnow.com IPv4 address is 192.168.1.1 ALSO www.ebay.com is at 192.168.1.2"
My local resolver: "I’ll cache this response… and update www.ebay.com"

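
The response in the slide above carries a record for www.ebay.com, a name the queried server has no authority over. As an added example (not part of the original slides), this Python code contrasts a resolver cache that stores every record it receives with one that applies a bailiwick check; the function names, the TTL values and the treatment of loseweightfastnow.com as the queried zone are assumptions.

```python
"""Added example: bailiwick check before caching DNS response records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name of the record
    rtype: str  # record type, e.g. "A"
    value: str  # record data (an IPv4 address here)
    ttl: int    # seconds the record may stay in the cache


def normalize(name: str) -> str:
    """Lower-case a domain name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a subdomain of it.

    The match is made on whole labels, so "notexample.com" is not
    treated as being inside "example.com".
    """
    name, zone = normalize(name), normalize(zone)
    if zone == "":  # the root zone contains every name
        return True
    return name == zone or name.endswith("." + zone)


def cache_naively(cache: dict, records: list, now: int) -> None:
    """Store every record in the response, whatever name it is about."""
    for r in records:
        cache[(normalize(r.name), r.rtype)] = (r.value, now + r.ttl)


def cache_with_bailiwick_check(cache: dict, zone: str, records: list, now: int) -> list:
    """Store only records inside `zone`; return the records that were refused."""
    rejected = []
    for r in records:
        if in_bailiwick(r.name, zone):
            cache[(normalize(r.name), r.rtype)] = (r.value, now + r.ttl)
        else:
            rejected.append(r)
    return rejected


def lookup(cache: dict, name: str, rtype: str, now: int):
    """Return the cached value, or None if absent or past its TTL."""
    key = (normalize(name), rtype)
    entry = cache.get(key)
    if entry is None:
        return None
    value, expires = entry
    if now >= expires:  # the entry has outlived its TTL: evict it
        del cache[key]
        return None
    return value


# Constructed sample: the two records from the slide's diagram.
# The TTLs are invented for illustration; the slide gives none.
QUERIED_ZONE = "loseweightfastnow.com"
SAMPLE_RESPONSE = [
    Record("loseweightfastnow.com.", "A", "192.168.1.1", 3600),
    Record("www.ebay.com.", "A", "192.168.1.2", 86400),
]

if __name__ == "__main__":
    naive, checked = {}, {}
    cache_naively(naive, SAMPLE_RESPONSE, now=0)
    refused = cache_with_bailiwick_check(checked, QUERIED_ZONE, SAMPLE_RESPONSE, now=0)
    print("naive cache, www.ebay.com   ->", lookup(naive, "www.ebay.com", "A", now=10))
    print("checked cache, www.ebay.com ->", lookup(checked, "www.ebay.com", "A", now=10))
    print("refused records:", [r.name for r in refused])
```

A bailiwick check only filters records about names outside the queried zone; a forged answer for a name inside the zone is what the DNSSEC signatures described next are meant to catch.
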
DNS Security (DNSSEC)
+ Protects DNS data against forgery
+ Uses public key cryptography to sign authoritative zone data
+ Assures that the data origin is authentic
+ Assures that the data are what the authenticated data originator published

+ Trust model also uses public key cryptography
+ Parent zones sign public keys of child zone (root signs TLDs, TLDs sign registered domains…)

Public Key Cryptography in DNSSEC
Authority signs zone data with private key
Authorities must keep private keys secret!

[Diagram: DNS data is signed with the private key; the signed DNS data plus digital signatures are published on the authoritative server.]

Public Key Cryptography in DNSSEC
Authority publishes public key so that any recipient can decrypt to verify that “the data are correct and came from the right place”

[Diagram: the authoritative server serves signed zone data; the validating recursive server validates it with the public key.]

ICANN’s Role in DNSSEC Deployment
+ Manages root key with VeriSign and trusted international representatives of Internet community
+ Processes requests for changes of public key and other records from registries at top of DNS
+ Educates and assists Internet community with DNSSEC
+ Implements DNSSEC on its own domains

Obstacles to Broader DNSSEC Adoption
+ Browser and/or Operating System support
+ DNSSEC support from domain name registration service providers (registrars, resellers)
+ Misconceptions regarding key management, performance, software/hardware availability and reliability

DNSSEC Deployment
+ Fast pace of deployment at the TLD level
+ Deployed at root
+ Supported by software
+ Growing support by ISPs
+ Required by new gTLDs

→ Inevitable widespread deployment across core Internet infrastructure

Thank You & Questions?
