5. DNS Vulnerabilities
● Three important questions
○ How do attackers target DNS in general?
○ How do attackers spy on your DNS queries?
○ How do attackers forge DNS responses?
Image Credit: [5]
6. DNSSEC
● Limitations
○ Provides neither availability nor confidentiality
○ Responses are authenticated (signed) but not encrypted, so queries and answers remain visible to an eavesdropper
○ DNSSEC only signs RRsets; it does not protect the DNS packet or the channel, so forged packets still reach the resolver and must be validated there
○ Does not protect against DoS attacks directly (large signed responses can even be abused for amplification)
○ Cannot protect against false assumptions: a valid signature proves the data came from the zone, not that the data is correct
7. Introduction to DNSCurve
● Uses elliptic-curve cryptography [1], not RSA
● Designed by Daniel J. Bernstein
● Uses a particular elliptic curve, Curve25519
○ An attacker has 1 chance in 1000000000000000000000000000 (10^27) of breaking a key!
○ Comparable security to 3000-bit RSA, with far shorter (255-bit) keys
● What does DNSCurve do for me?
○ Confidentiality: queries and responses are encrypted, so an eavesdropper cannot read them
○ Integrity: forged or modified responses are detected and discarded
○ Availability: forged packets are recognised and dropped, which limits forgery-based denial of service
○ Other aspects (see [1])
13. DNSCurve Protocol
● Speedups
○ The server: computes the Curve25519 shared secret once per client public key and caches it
○ The cache: computes the shared secret once per server public key and caches it; every further packet only needs a fast symmetric operation on the cached secret
● Computing Curve25519 shared secrets for ten million servers: about 10 minutes
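Added example (not from the slides or the DNSCurve project): a pure-Python X25519, i.e. the Curve25519 Diffie-Hellman function from RFC 7748, plus a per-peer shared-secret cache of the kind the slide describes. The two key pairs are the Alice/Bob test vectors from RFC 7748 section 6.1, used here as constructed input rather than real DNSCurve keys; `SharedSecretCache` and `resolver_server_exchange` are hypothetical names. Real DNSCurve then feeds the shared secret into crypto_box (XSalsa20-Poly1305) to encrypt each packet; that step is not shown.

```python
"""X25519 shared secrets and per-peer caching (added example; curve math per RFC 7748)."""

P = 2**255 - 19                     # field prime for Curve25519
A24 = 121665                        # (486662 - 2) / 4, curve constant used by the ladder
X25519_BASEPOINT = bytes([9]) + bytes(31)   # u = 9, the generator's u-coordinate


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 section 5 requires."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """Decode a 32-byte little-endian u-coordinate, ignoring the top bit."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def _cswap(swap: int, a: int, b: int):
    """Swap a and b when swap == 1 (arithmetic form from the RFC; not constant-time in Python)."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder: return the u-coordinate of k*u as 32 bytes (RFC 7748 section 5)."""
    k = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow((da + cb) % P, 2, P)
        z3 = x1 * pow((da - cb) % P, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


class SharedSecretCache:
    """Hypothetical helper: one Curve25519 operation per peer, reused for every later packet.

    A DNSCurve cache keys this table by server public key; a DNSCurve server keys it by
    client public key (the client key travels in every query packet).
    """

    def __init__(self, own_private_key: bytes):
        self._sk = own_private_key
        self._secrets = {}
        self.curve_ops = 0          # number of X25519 computations that actually ran

    def shared_secret(self, peer_public_key: bytes) -> bytes:
        secret = self._secrets.get(peer_public_key)
        if secret is None:          # cache miss: pay for the curve operation once
            secret = x25519(self._sk, peer_public_key)
            self._secrets[peer_public_key] = secret
            self.curve_ops += 1
        return secret


# Constructed keys: Alice/Bob test vectors from RFC 7748 section 6.1 (not real DNSCurve keys).
RESOLVER_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SERVER_SK = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
RFC7748_SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def resolver_server_exchange(n_queries: int = 5):
    """Resolver sends n_queries to one server; returns (secrets_agree, resolver_ops, server_ops)."""
    resolver = SharedSecretCache(RESOLVER_SK)
    server = SharedSecretCache(SERVER_SK)
    resolver_pk = x25519(RESOLVER_SK, X25519_BASEPOINT)
    server_pk = x25519(SERVER_SK, X25519_BASEPOINT)     # DNSCurve publishes this in the server's NS name
    agree = True
    for _ in range(n_queries):
        s_client = resolver.shared_secret(server_pk)     # would key the box around the query
        s_server = server.shared_secret(resolver_pk)     # server derives the same secret from the client key
        agree = agree and s_client == s_server
    return agree, resolver.curve_ops, server.curve_ops


if __name__ == "__main__":
    print(resolver_server_exchange(5))      # both sides agree; one curve op each for five queries
```

Five queries cost each side exactly one X25519 computation; the remaining work per packet is the symmetric box, which is why the slide can quote ten million servers in minutes.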
14. DNSCurve: How to get it
● Simply upgrade your DNS cache to a DNSCurve-capable version; the popular caches:
○ dnscache, BIND
○ PowerDNS Recursor, Nominum
○ MaraDNS, Unbound
● No extra cache configuration is required: the cache recognises DNSCurve servers by their public keys
● No extra firewall configuration is required: DNSCurve packets use the same UDP port 53 as ordinary DNS
● Network bandwidth remains essentially unchanged (no extra round trips, only a small per-packet overhead)
● Side benefit: running your own cache instead of relying on the ISP's DNS
● Side benefit: daily copies of the root zone
15. Implementations
● CurveDNS
○ a DNSCurve forwarder placed in front of an existing authoritative server, so DNS administrators can protect existing installations without patching them
● DNSCrypt from OpenDNS
○ a DNSCurve-derived protocol that protects the channel between OpenDNS and its users
● Curve-Protect
○ protection for common services like DNS, SSH, HTTP, and SMTP
16. References and bibliography
1. DNSCurve, http://dnscurve.org/index.html
2. Daniel J. Bernstein, "Curve25519: new Diffie-Hellman speed records", 2006
3. NSA, "The Case for Elliptic Curve Cryptography"
4. Adam Langley, "What a difference a prime makes"
5. CurveProtect software (experimental)
6. "DNS Cache Poisoning: Definition and Prevention"