Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F18.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Website: https://samsclass.info/40/40_F16.shtml
Updated 8-21-17
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
Used in this "DNS Security" course:
https://samsclass.info/40/40_F17.shtml
Based on "DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
The document discusses various methods for securing DNS, including restricting zone transfers to prevent enumeration of internal hosts, restricting dynamic updates to authorized sources, protecting against spoofing by disabling recursion and restricting queries, and implementing a split DNS configuration to control external visibility of internal domains. It provides configuration examples for BIND and Microsoft DNS servers to implement these security remedies.
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F18.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Website: https://samsclass.info/40/40_F16.shtml
Updated 8-21-17
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
Used in this "DNS Security" course:
https://samsclass.info/40/40_F17.shtml
Based on "DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
The document discusses various methods for securing DNS, including restricting zone transfers to prevent enumeration of internal hosts, restricting dynamic updates to authorized sources, protecting against spoofing by disabling recursion and restricting queries, and implementing a split DNS configuration to control external visibility of internal domains. It provides configuration examples for BIND and Microsoft DNS servers to implement these security remedies.
This document provides an overview of DNS security and DNSSEC. It begins with explanations of what DNS is, how it works, and how DNS responses can be corrupted. It then discusses the problems that occur when DNS goes bad, such as being directed to the wrong site or downloading malware. The document introduces DNSSEC as a solution and explains why it was created and why it is important, particularly for government agencies. It addresses why more organizations don't use DNSSEC and the challenges of deploying and maintaining it. Finally, it describes options for implementing DNSSEC, including the GSA DNSSEC Cloud Signing Service, which handles the complexities for .gov domains.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The document discusses various DNS security threats such as DNS hijacking, cache poisoning, and tunneling. It provides examples of how DNS tunneling works by encoding data in domain names and using subdomains for communication. The document also outlines some mitigation techniques for DNS tunneling, including payload analysis, traffic analysis, and restricting unusual DNS behaviors and record types.
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
Encryption is coming to mainstream DNS. This briefing discusses the history, protocols and architecture of encrypted DNS, specifically DNS over TLS and DNS over HTTPS. It also describes the impact of DoT and DoH on various operational models.
This briefing was given during DNSheads Vienna #5 at the nic.at office in Vienna on Jan 30 2018.
A presentation on DNS concepts. It covers the topics DNS Introduction, DNS Hierarchy, DNS Resolution Process,
DNS Components, DNS Types, DNSSEC, DNS over TLS (DoT) & HTTPS (DoH), Oblivious DNS (ODoH).
The document discusses DNS attacks and how to prevent them. It begins by explaining what DNS is and how it works to translate domain names to IP addresses. It then outlines several common attacks against DNS like cache poisoning, amplification attacks, and DDoS attacks. The document recommends approaches to secure DNS like DNSSEC, which adds digital signatures to authenticate DNS data and prevent spoofing. It provides details on how DNSSEC works through cryptographic signing of DNS records and validation of signatures up the DNS hierarchy.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The document discusses the importance of DNS security for the internet. It provides background on the Domain Name System (DNS), explaining that DNS acts as the "phonebook" of the internet by translating domain names to IP addresses. While DNS was originally designed to be fault tolerant, dynamic, scalable, and redundant, security was not initially considered. The document outlines how DNS works and its hierarchical structure. It notes that traditional DNS uses UDP and lacks security features like authentication, making it vulnerable to spoofing and cache poisoning attacks. Finally, the document argues that DNSSEC is crucial for online safety as it uses digital signatures to authenticate DNS data and verify responses came from authorized servers.
23rd PITA AGM and Conference: DNS Security - A holistic view APNIC
Security Specialist Jamie Gillespie presents on DNS Security, examining the complex interactions of this system, from domain registration to name resolution, the security risks of each component, and the mitigation options currently available at 23rd PITA AGM and Annual Conference in Nadi, Fiji from 8 to 12 April 2019.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The document discusses the history and evolution of the Domain Name System (DNS). It describes how early computer networks like ARPANET used hosts.txt files to map hostnames to IP addresses, but this approach did not scale well. DNS was developed in the 1980s to provide a distributed, hierarchical database to resolve hostname lookups. DNS uses a client-server model with nameservers to store records and respond to queries. The 13 root servers delegate authority to top-level domains which in turn delegate to authoritative nameservers for each domain.
This document provides an overview of key concepts in DNSSEC including public/private keys, message digests or hashes, and digital signatures. It explains that public/private key pairs are used, where the private key is kept secret and the public key can be freely distributed. It also describes how one-way hashing functions work to generate fixed-length hashes from variable-length data, and how digital signatures are created by encrypting a message hash with a private key. These three concepts of public/private keys, hashes, and digital signatures form the basis of cryptographic techniques used in DNSSEC.
This document discusses DNS cache poisoning vulnerabilities, including:
- Explanations of how cache poisoning works by entering non-authoritative records into a resolver's cache.
- A timeline of vulnerabilities discovered from 1993-2008 related to implementation issues that allowed cache poisoning.
- Countermeasures like DNSSEC that add authentication and integrity to DNS to prevent cache poisoning attacks.
Yacin Nadji, Georgia Institute of Technology
Any individual that re-registers an expired domain implicitly inherits the residual trust associated with the domain’s prior use. We find that adversaries can, and do, use malicious re- registration to exploit domain ownership changes—undermining the security of both users and systems. In fact, we find that many seemingly disparate security problems share a root cause in residual domain trust abuse. With this study we shed light on the seemingly unnoticed problem of residual domain trust by measuring the scope and growth of this abuse over the past six years. During this time, we identified 27,758 domains from public blacklists and 238,279 domains resolved by malware that expired and then were maliciously re-registered. To help address this problem, we propose a technical remedy and discuss several policy remedies. For the former, we develop Alembic, a lightweight algorithm that uses only passive observations from the Domain Name System (DNS) to flag potential domain ownership changes. We identify several instances of residual trust abuse using this algorithm, including an expired APT domain that could be used to revive existing infections.
This document discusses IPv6 threats to government networks. It provides an overview of IPv6 including its large address space and advantages over IPv4. It notes that while the US government is required to transition to IPv6, progress has been slow. Specific IPv6 threats are examined such as NDP spoofing, SLAAC attacks, and Teredo tunneling. It is concluded that most organizations are not fully prepared to detect and mitigate IPv6 threats due to limitations in tools, analyst expertise, and threat intelligence focusing primarily on IPv4.
The document discusses DNS over HTTPS (DoH), DNS over TLS (DoT), and Encrypted Server Name Indication (ESNI). It explains that DoH and DoT encrypt DNS queries and responses for increased privacy and security compared to traditional DNS. However, ESNI is also discussed as a solution to further improve privacy by encrypting the server name in the TLS handshake. Concerns about the potential use of these protocols by malware for command and control are also raised.
Securing dns records from subdomain takeoverOWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://www.youtube.com/watch?v=C0LQJTXFosI
The speaker will be speaking upon the following abstract -
Basics of DNS records
Introduction to DNS record takeovers
Different types of DNS takeovers
Its impact
How to protect DNS records from takeover
Demo
Q&A
This talk will be for product security folks/ people on defending side. The speaker will also be covering the concept behind subdomain takeovers and its impact.
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
In this talk to the IEPG session at IETF 93 in Prague on 19 July 2015, I outlined some of the challenges associated with deploying new crypto algorithms within DNSSEC and what we potentially need to do to address these challenges.
DNSSEC: What a Registrar Needs to Knowlaurenrprice
The document summarizes an upcoming webinar on DNSSEC hosted by .ORG, The Public Interest Registry and Afilias. The webinar will provide an introduction to DNSSEC including how it adds security and authentication to the Domain Name System to prevent forged DNS data. It will also discuss PIR's implementation timeline and test program for DNSSEC in the .ORG top-level domain.
This document provides an overview of DNS security and DNSSEC. It begins with explanations of what DNS is, how it works, and how DNS responses can be corrupted. It then discusses the problems that occur when DNS goes bad, such as being directed to the wrong site or downloading malware. The document introduces DNSSEC as a solution and explains why it was created and why it is important, particularly for government agencies. It addresses why more organizations don't use DNSSEC and the challenges of deploying and maintaining it. Finally, it describes options for implementing DNSSEC, including the GSA DNSSEC Cloud Signing Service, which handles the complexities for .gov domains.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The document discusses various DNS security threats such as DNS hijacking, cache poisoning, and tunneling. It provides examples of how DNS tunneling works by encoding data in domain names and using subdomains for communication. The document also outlines some mitigation techniques for DNS tunneling, including payload analysis, traffic analysis, and restricting unusual DNS behaviors and record types.
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
Encryption is coming to mainstream DNS. This briefing discusses the history, protocols and architecture of encrypted DNS, specifically DNS over TLS and DNS over HTTPS. It also describes the impact of DoT and DoH on various operational models.
This briefing was given during DNSheads Vienna #5 at the nic.at office in Vienna on Jan 30 2018.
A presentation on DNS concepts. It covers the topics DNS Introduction, DNS Hierarchy, DNS Resolution Process,
DNS Components, DNS Types, DNSSEC, DNS over TLS (DoT) & HTTPS (DoH), Oblivious DNS (ODoH).
The document discusses DNS attacks and how to prevent them. It begins by explaining what DNS is and how it works to translate domain names to IP addresses. It then outlines several common attacks against DNS like cache poisoning, amplification attacks, and DDoS attacks. The document recommends approaches to secure DNS like DNSSEC, which adds digital signatures to authenticate DNS data and prevent spoofing. It provides details on how DNSSEC works through cryptographic signing of DNS records and validation of signatures up the DNS hierarchy.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The document discusses the importance of DNS security for the internet. It provides background on the Domain Name System (DNS), explaining that DNS acts as the "phonebook" of the internet by translating domain names to IP addresses. While DNS was originally designed to be fault tolerant, dynamic, scalable, and redundant, security was not initially considered. The document outlines how DNS works and its hierarchical structure. It notes that traditional DNS uses UDP and lacks security features like authentication, making it vulnerable to spoofing and cache poisoning attacks. Finally, the document argues that DNSSEC is crucial for online safety as it uses digital signatures to authenticate DNS data and verify responses came from authorized servers.
23rd PITA AGM and Conference: DNS Security - A holistic view APNIC
Security Specialist Jamie Gillespie presents on DNS Security, examining the complex interactions of this system, from domain registration to name resolution, the security risks of each component, and the mitigation options currently available at 23rd PITA AGM and Annual Conference in Nadi, Fiji from 8 to 12 April 2019.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The document discusses the history and evolution of the Domain Name System (DNS). It describes how early computer networks like ARPANET used hosts.txt files to map hostnames to IP addresses, but this approach did not scale well. DNS was developed in the 1980s to provide a distributed, hierarchical database to resolve hostname lookups. DNS uses a client-server model with nameservers to store records and respond to queries. The 13 root servers delegate authority to top-level domains which in turn delegate to authoritative nameservers for each domain.
This document provides an overview of key concepts in DNSSEC including public/private keys, message digests or hashes, and digital signatures. It explains that public/private key pairs are used, where the private key is kept secret and the public key can be freely distributed. It also describes how one-way hashing functions work to generate fixed-length hashes from variable-length data, and how digital signatures are created by encrypting a message hash with a private key. These three concepts of public/private keys, hashes, and digital signatures form the basis of cryptographic techniques used in DNSSEC.
This document discusses DNS cache poisoning vulnerabilities, including:
- Explanations of how cache poisoning works by entering non-authoritative records into a resolver's cache.
- A timeline of vulnerabilities discovered from 1993-2008 related to implementation issues that allowed cache poisoning.
- Countermeasures like DNSSEC that add authentication and integrity to DNS to prevent cache poisoning attacks.
Yacin Nadji, Georgia Institute of Technology
Any individual that re-registers an expired domain implicitly inherits the residual trust associated with the domain’s prior use. We find that adversaries can, and do, use malicious re- registration to exploit domain ownership changes—undermining the security of both users and systems. In fact, we find that many seemingly disparate security problems share a root cause in residual domain trust abuse. With this study we shed light on the seemingly unnoticed problem of residual domain trust by measuring the scope and growth of this abuse over the past six years. During this time, we identified 27,758 domains from public blacklists and 238,279 domains resolved by malware that expired and then were maliciously re-registered. To help address this problem, we propose a technical remedy and discuss several policy remedies. For the former, we develop Alembic, a lightweight algorithm that uses only passive observations from the Domain Name System (DNS) to flag potential domain ownership changes. We identify several instances of residual trust abuse using this algorithm, including an expired APT domain that could be used to revive existing infections.
This document discusses IPv6 threats to government networks. It provides an overview of IPv6 including its large address space and advantages over IPv4. It notes that while the US government is required to transition to IPv6, progress has been slow. Specific IPv6 threats are examined such as NDP spoofing, SLAAC attacks, and Teredo tunneling. It is concluded that most organizations are not fully prepared to detect and mitigate IPv6 threats due to limitations in tools, analyst expertise, and threat intelligence focusing primarily on IPv4.
The document discusses DNS over HTTPS (DoH), DNS over TLS (DoT), and Encrypted Server Name Indication (ESNI). It explains that DoH and DoT encrypt DNS queries and responses for increased privacy and security compared to traditional DNS. However, ESNI is also discussed as a solution to further improve privacy by encrypting the server name in the TLS handshake. Concerns about the potential use of these protocols by malware for command and control are also raised.
Securing dns records from subdomain takeoverOWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://www.youtube.com/watch?v=C0LQJTXFosI
The speaker will be speaking upon the following abstract -
Basics of DNS records
Introduction to DNS record takeovers
Different types of DNS takeovers
Its impact
How to protect DNS records from takeover
Demo
Q&A
This talk will be for product security folks/ people on defending side. The speaker will also be covering the concept behind subdomain takeovers and its impact.
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
In this talk to the IEPG session at IETF 93 in Prague on 19 July 2015, I outlined some of the challenges associated with deploying new crypto algorithms within DNSSEC and what we potentially need to do to address these challenges.
DNSSEC: What a Registrar Needs to Knowlaurenrprice
The document summarizes an upcoming webinar on DNSSEC hosted by .ORG, The Public Interest Registry and Afilias. The webinar will provide an introduction to DNSSEC including how it adds security and authentication to the Domain Name System to prevent forged DNS data. It will also discuss PIR's implementation timeline and test program for DNSSEC in the .ORG top-level domain.
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
This document introduces DNS Security Extensions (DNSSEC) which aims to secure DNS queries and information by adding digital signatures to DNS response records. It discusses security problems with the current DNS system like cache poisoning and spoofing attacks. DNSSEC uses cryptographic keys and signatures to authenticate DNS responses and establish a chain of trust. While DNSSEC adds security, its deployment has been gradual due to complexity and the need for widespread implementation to provide full benefits.
The document describes an Internet2 pilot project to deploy DNSSEC (Domain Name System Security Extensions) across several universities and organizations. The goals are to gain operational experience implementing DNSSEC, test DNSSEC-aware applications, and help address obstacles to wider adoption. Participants will sign at least one of their DNS zones and exchange trust anchors to validate DNS data. Several groups including MAGPI and Merit have already started deploying DNSSEC. Challenges include key distribution, operational stability, and encouraging application support.
The document provides an overview of modules for implementing advanced network services, with a focus on lessons for configuring advanced DHCP and DNS features, and implementing IP Address Management (IPAM). The lessons cover topics such as DHCP components and failover, advanced DNS settings including DNSSEC, and using IPAM to manage IP addressing, address spaces, and monitor network resources.
DNSSEC at Penn aims to deploy DNSSEC across Penn's DNS infrastructure to authenticate DNS data and secure delegations. The summary tests DNSSEC records and signatures for the jabber.upenn.edu domain, showing authenticated data. Penn has developed homegrown tools to manage secure zone transitions and key rollovers. Initial results from Penn's DNSSEC testbed show a 3-4x increase in zone size and server resource usage after enabling DNSSEC.
Why Implement DNSSEC?
Champika Wijayatunga from ICANN discusses the importance of implementing DNSSEC. DNSSEC introduces digital signatures to cryptographically secure DNS data and protect against threats like cache poisoning, spoofing, and man-in-the-middle attacks. While DNSSEC does not protect server threats or ensure data correctness, it does establish the authenticity and integrity of DNS data retrieved. Fully implementing DNSSEC allows businesses and users to be confident they are receiving unmodified DNS information. However, more needs to be done to increase awareness and provide turnkey solutions in order for widespread DNSSEC adoption.
ION Toronto, 11 November 2013: What is DNSSEC and why is it so important? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet.
AEP Netwrorks Keyper HSM & ICANN DNSSECChin Wan Lim
1) ICANN implemented DNSSEC at the root zone using AEP Keyper HSMs to securely generate and store cryptographic keys.
2) The AEP Keyper HSMs provide the highest level of security certification (FIPS 140-2 Level 4) and have never been compromised.
3) ICANN uses a split key signing scheme, with the KSK stored offline on an encrypted smartcard for additional protection.
DNSSEC aims to secure the Domain Name System (DNS) by introducing digital signatures to guarantee the authenticity and integrity of DNS data and protect against vulnerabilities like cache poisoning, as it uses cryptographic keys to validate that DNS responses have not been tampered with and that the data originates from the authoritative name server.
This document provides an overview of application uses of DNSSEC and the DANE protocol. It discusses how DNSSEC allows cryptographic keys to be stored and verified in the DNS using records like SSHFP, IPSECKEY and TLSA. It describes issues with the current public CA model for TLS certificates and how DANE addresses these by binding certificates to domain names using DNSSEC. The document also provides background on DNSSEC deployment status and examples of application uses like validating SSH host keys.
This document provides an introduction to DNSSEC (Domain Name System Security Extensions) in 3 parts:
1. It explains the purpose of DNSSEC is to address vulnerabilities in the DNS like cache poisoning and lack of data integrity by cryptographically signing DNS records.
2. It discusses some of the operational implications of DNSSEC like increased response sizes requiring EDNS0, using multiple keys (KSK and ZSK), and developing a DNSSEC Policy and Practice Statement.
3. It provides resources for further learning including open source DNSSEC software, mailing lists, and examples of deployed DNSSEC at the root zone and in some top-level domains.
The document discusses DNS security and various DNS attacks. It begins with an overview of the DNS protocol and infrastructure, then describes common DNS attacks like spoofing, cache poisoning, and reflection attacks. It also covers mitigation techniques like DNSSEC and discusses fast flux networks used by malware to evade detection. The document provides technical details on securing DNS servers and domains through configurations, software updates, and cryptographic protocols.
This document provides an overview of DNSSEC (Domain Name System Security Extensions). It discusses cryptography concepts used in DNSSEC like public-key cryptography, hashing algorithms, and digital signatures. It explains how DNSSEC uses these concepts to provide data integrity and authentication for DNS responses through the use of new resource records like RRSIG, DNSKEY, DS, and NSEC. It also discusses how DNSSEC establishes trust chains to validate signatures up to the root zone, and how "denial of existence" responses are signed using NSEC records.
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
Signing DNSSEC answers on the fly at the edge: challenges and solutions, by Jono Bergquist.
A presentation given at the APNIC 40 APOPS 2 session on Tue, 8 Sep 2015.
11 April 2016 - ION Bangladesh - Jan Zorz set up DNSSEC, DANE, and TLS in his go6lab and then tested the implementations in the top one million Alexa domains. Jan will share his experiences deploying, testing, and evaluating DNSSEC, DANE, and TLS in his own lab and explain the process he used.
The document provides an overview of DNS (Domain Name System) security. It begins with introductions and defines DNS as the core internet protocol that converts domain names to IP addresses. It then discusses some security issues with DNS like hijacking and cache poisoning since DNS data is not encrypted or authenticated. It provides examples of how DNS works through a system of delegation from the root zone down. It explains how DNSSEC aims to address security but has limitations. The document demonstrates DNSSEC in action by showing signed responses from the root zone down to an example domain.
This document discusses DNSSEC configuration in Windows DNS servers. It covers choosing a key master to generate and manage keys, configuring key signing keys (KSK) and zone signing keys (ZSK), setting denial of existence such as NSEC, importing and exporting trust anchors, and verifying DNSSEC through demonstration of the query and response process between DNS clients, servers, and zones. Powershell commands are provided for automating DNSSEC signing and key management.
FOSE 2011: DNSSEC and the Government, Lessons LearnedNeustar, Inc.
At FOSE 2011, the panel discussion on the deployment of domain name system security extensions (DNSSEC) within government included Neustar VP and Senior Technologist, Rodney Joffe, who sat side-by-side with some of the industry’s best and discussed how federal IT managers can leverage private sector best practices to meet OMB and FISMA mandated DNSSEC requirements. Entitled “DNS-3: Private Sector Deployment in .com, .net, .org and Beyond,” the panel discussed lessons learned and how federal agencies that have yet to deploy DNSSEC can do so successfully. Visit http://www.ultradns.com for more information.
- DNSSEC and RPKI are protocols that aim to secure the core of the Internet by adding authentication and integrity to DNS and routing data.
- DNSSEC works by digitally signing DNS records with private keys, and publishing the signatures and corresponding public keys. It builds a chain of trust from the root zone down by including fingerprints of child keys in parent zones.
- RPKI uses a similar approach to secure routing by digitally signing routing announcements and filtering invalid routes. It establishes a framework for routers to validate the authenticity and authorization of routing information.
The document is a slide deck for a DNSSEC tutorial presented at the USENIX LISA conference in 2013. It provides an overview of DNSSEC, including how it uses public key cryptography and digital signatures to authenticate DNS data and establish a chain of trust. It also covers topics like configuring DNSSEC in BIND, using the dig tool to perform queries, and prospects for new applications of DNSSEC. The presentation was given by Shumon Huque, an IT director at the University of Pennsylvania.
The document discusses using an experimental system that can perform thousands of DNS and HTTP measurements per day on random internet users to test DNSSEC implementation. It proposes configuring five domains - one validly signed, one invalidly signed, one with IPv6-only NS, one with large IPv6 responses, and one without DNSSEC - to test clients' DNSSEC support, validation, IPv6 capability, and response handling. Initial results from testing 1.8 million clients worldwide found 4.4% of resolvers and 14.15% of clients appear to support DNSSEC. Further analysis of 7,500 New Zealand experiments identified variability between internet providers in estimated DNSSEC support rates. Future work to improve DNSSEC activity detection is proposed
ION Islamabad, 25 January 2017
By Champika Wijayatunga, ICANN
DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.
1. The DNS is widely used but lacks security measures like encryption, making it easy to monitor users' activities and inject false responses.
2. Efforts to add authenticity through DNSSEC have had limited success due to technical challenges and lack of adoption.
3. The DNS is increasingly being used for application-level functions through extensions, but this increases the privacy risks as DNS queries reveal more user intentions.
4. Solutions exist like DNS over TLS and DNS over HTTPS to provide encryption, but full deployment faces economic and technical barriers, risking further fragmentation of the DNS.
This document summarizes Dan York's presentation on deploying DNSSEC. It discusses how DNSSEC helps ensure the integrity of DNS data by using digital signatures to authenticate DNS responses, preventing cache poisoning and man-in-the-middle attacks. It provides examples of normal DNS interactions versus attacks, and how DNSSEC establishes a chain of trust. The presentation also covers the current state of DNSSEC deployment, how it works in combination with TLS/SSL through DANE, and business reasons for organizations to deploy DNSSEC.
APNIC Chief Scientist, Geoff Huston, gives a presentation on DOH and the changing nature of the DNS as infrastructure at NZNOG 2020 in Christchurch, New Zealand, from 28 to 31 January 2020.
The document discusses various topics related to cyberwar including Mastodon, Lockheed-Martin's kill chain model, and Mitre's ATT&CK framework. It notes that China, Russia, Iran, and North Korea pose major cyber threats according to the FBI and CISA. China is described as the broadest cyber espionage threat. Russia conducts destructive malware and ransomware operations. Iran's growing cyber expertise makes it a threat. North Korea's program poses an espionage, cybercrime, and attack threat and continues cryptocurrency heists.
- DNS vulnerabilities can arise from configuration errors, architecture mistakes, vulnerable software implementations, protocol weaknesses, and failure to use security extensions.
- Common mistakes include single points of failure, exposure of internal information, leakage of internal queries, unnecessary recursiveness, failure to restrict access, and unprotected zone transfers.
- Software vulnerabilities have included buffer overflows and flaws in randomization of source ports, transaction IDs, and domain name ordering that enable cache poisoning and man-in-the-middle attacks.
This chapter discusses software development security. It covers topics like programming concepts, compilers and interpreters, procedural vs object-oriented languages, application development methods like waterfall vs agile models, databases, object-oriented design, assessing software vulnerabilities, and artificial intelligence techniques. The key aspects are securing the entire software development lifecycle from initial planning through operation and disposal, using secure coding practices, testing for vulnerabilities, and continually improving processes.
This document discusses attacking iOS applications by exploiting vulnerabilities in the iOS runtime, interprocess communication, and through injection attacks. Specifically, it covers instrumenting the iOS runtime using method swizzling, attacking applications using interprocess communication techniques like application extensions, and exploiting entry points like UIWebViews, client-side data stores, and file handling routines to perform injection attacks on iOS apps.
This document provides an overview of elliptic curve cryptography including what an elliptic curve is, the elliptic curve discrete logarithm problem (ECDLP), Diffie-Hellman key agreement and digital signatures using elliptic curves. It discusses NIST standard curves like P-256 and Curve25519 as well as choosing appropriate curves and potential issues like attacks if randomness is not properly implemented or an invalid curve is used.
The document discusses the Diffie-Hellman key exchange protocol. It describes how Diffie-Hellman works by having two parties agree on a shared secret over an insecure channel without transmitting the secret itself. It also covers potential issues like using proper cryptographic techniques to derive keys from the shared secret and using safe prime numbers to prevent attacks.
This document provides an overview of analyzing iOS apps, including jailbreaking mobile devices. It discusses iOS security features like code signing and sandboxing. It explains how to set up a test environment for analyzing apps by jailbreaking a device and using Unix tools. Key files like property lists and databases that can be explored are also outlined.
This document discusses various techniques for writing secure Android apps, including minimizing unnecessary permissions and exposure, securing data storage and communication, and making apps difficult to reverse engineer. It provides examples of implementing essential security mechanisms like permission protection and securing activities, content providers, and web views. It also covers more advanced techniques such as protection level downgrades, obfuscation, and tamper detection.
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
The document discusses investigating Windows systems by analyzing the Windows Registry. It describes the purpose and structure of the Registry, including the main hive files and user-specific hives. It provides an overview of important Registry keys that can contain forensic artifacts, such as system configuration keys, network information keys, user and security information keys, and auto-run keys that can indicate malware persistence. Specific Registry keys and values are highlighted that are most useful for analyzing evidence on a compromised system, including ShellBags, UserAssist, MRU lists, and Internet Explorer TypedURLs and TypedPaths. Tools for Registry analysis like RegRipper, AutoRuns, and Nirsoft utilities are also mentioned.
This document provides an overview of the RSA cryptosystem. It begins with the mathematical foundations of RSA, including the group ZN* and Euler's totient function. It then covers the RSA trapdoor permutation using modular exponentiation and key generation. The document discusses encrypting and signing with RSA, as well as implementations using libraries and algorithms like square-and-multiply. It concludes with topics like side-channel attacks, optimizations for speed, and ways implementations can fail like the Bellcore attack on RSA-CRT.
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
This document provides an overview of analyzing the Windows file system, NTFS metadata, and logs to investigate security incidents and recover deleted files. It discusses the Master File Table (MFT) structure, timestamps, alternate data streams, prefetch files, event logs, and scheduled tasks. The MFT stores file metadata including attributes, timestamps, and data runs. File deletion only marks the MFT entry inactive, allowing recovery of deleted file contents and metadata. Event and security logs can reveal lateral movement and suspicious processes. Prefetch files indicate program execution history. Scheduled tasks configure automated programs through .job files logged by Task Scheduler.
This document discusses computational hardness and complexity classes related to cryptography. It covers the computational complexity of problems like factoring large numbers and the discrete logarithm problem. These problems are assumed to be hard, even for quantum computers, and form the basis for cryptographic techniques. The document also discusses how cryptography could be broken if faster algorithms were found for these problems or if the key sizes used were too small.
This document discusses exploiting vulnerabilities in Android devices. It covers identifying pre-installed apps that could provide access, techniques for remotely or locally exploiting devices, and the different privilege levels an attacker may obtain including non-system app access, installed package access, ADB shell access, system user access, and root user access. Specific exploitation techniques mentioned include exploiting update mechanisms, remote code loading, webviews, listening services, and messaging apps. Tools discussed include Drozer, Ettercap, and Burp.
This document provides an overview of the incident response analysis methodology process. It discusses defining objectives, understanding the situation and available resources, identifying leadership, avoiding impossible tasks like proving a negative, asking why to define scope, knowing where data is stored, accessing raw data, selecting analysis methods like searching for malware or using tools like VirusTotal, manual review, filtering data, statistical analysis using tools like Sawmill, string searching, analyzing unallocated space, and file carving. It stresses periodically evaluating results to ensure progress and only making definitive statements if supported by evidence.
This document discusses authenticated encryption, which both encrypts messages and authenticates them with a tag. It covers several authenticated encryption schemes:
1. Authenticated Encryption with Associated Data (AEAD) which encrypts a plaintext and authenticates additional associated data with a tag.
2. AES-GCM, the standard authenticated cipher, which uses AES in Galois/Counter Mode. It has two layers - encryption then authentication.
3. OCB, faster than GCM but limited by licensing. It blends encryption and authentication into one layer.
4. SIV, considered the safest as it is secure even if nonces are reused, but it is not streamable.
This document summarizes part 2 of a course on attacking Android applications. It discusses how application components like activities and services can be exploited if not properly protected. Specific vulnerabilities in the Sieve password manager application are demonstrated, including insecure content providers, SQL injection, and an insecure file-backed content provider. The document also covers how services and broadcast receivers can be abused if not protected correctly.
This document discusses attacking Android applications through their components. It covers exploiting vulnerabilities in an app's security model, intercepting communications, and compromising application containers or internet servers that apps rely on. Specific attacks examined include bypassing the lock screen, tapjacking, accessing private app data through recently used screenshots, and changing a PIN without knowing the old one using fragment injection. The document provides examples of how to interact with an app's activities, services, content providers and permissions through intents and other techniques.
The document discusses stream ciphers and how they can be implemented in either hardware or software. It describes how stream ciphers work by generating a pseudorandom bitstream from a key and nonce that is XOR'd with the plaintext. Hardware-oriented stream ciphers were initially more efficient to implement than block ciphers using dedicated circuits like LFSRs. However, LFSR-based designs are insecure and modern software-oriented stream ciphers like Salsa20 are more efficient on CPUs. The document cautions that stream ciphers can be broken if the key and nonce are reused or if there are flaws in the implementation.
Live data collection on Windows systems can be done using prebuilt kits like Mandiant Redline or Velociraptor, by creating your own scripted toolkit using built-in and free tools to collect processes, network connections, system logs and other volatile data, while following best practices like testing your methods first and being cautious of malware on investigated systems.
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxEduSkills OECD
Iván Bornacelly, Policy Analyst at the OECD Centre for Skills, OECD, presents at the webinar 'Tackling job market gaps with a skills-first approach' on 12 June 2024
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...Diana Rendina
Librarians are leading the way in creating future-ready citizens – now we need to update our spaces to match. In this session, attendees will get inspiration for transforming their library spaces. You’ll learn how to survey students and patrons, create a focus group, and use design thinking to brainstorm ideas for your space. We’ll discuss budget friendly ways to change your space as well as how to find funding. No matter where you’re at, you’ll find ideas for reimagining your space in this session.
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...PECB
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
This document provides an overview of wound healing, its functions, stages, mechanisms, factors affecting it, and complications.
A wound is a break in the integrity of the skin or tissues, which may be associated with disruption of the structure and function.
Healing is the body’s response to injury in an attempt to restore normal structure and functions.
Healing can occur in two ways: Regeneration and Repair
There are 4 phases of wound healing: hemostasis, inflammation, proliferation, and remodeling. This document also describes the mechanism of wound healing. Factors that affect healing include infection, uncontrolled diabetes, poor nutrition, age, anemia, the presence of foreign bodies, etc.
Complications of wound healing like infection, hyperpigmentation of scar, contractures, and keloid formation.
it describes the bony anatomy including the femoral head , acetabulum, labrum . also discusses the capsule , ligaments . muscle that act on the hip joint and the range of motion are outlined. factors affecting hip joint stability and weight transmission through the joint are summarized.
A workshop hosted by the South African Journal of Science aimed at postgraduate students and early career researchers with little or no experience in writing and publishing journal articles.
How to Manage Your Lost Opportunities in Odoo 17 CRMCeline George
Odoo 17 CRM allows us to track why we lose sales opportunities with "Lost Reasons." This helps analyze our sales process and identify areas for improvement. Here's how to configure lost reasons in Odoo 17 CRM
How to Make a Field Mandatory in Odoo 17Celine George
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
3. Objectives of DNSSEC
• Data origin authentication
– Assurance that the requested data came from
the genuine source
• Data integrity
– Assurance that the data have not been
altered
4. Development of DNSSEC
• Record signatures use public-key
cryptography to verify authenticity of DNS
records
• RFC 2065 (1997): SIG and KEY records
• RFC 2535 (1999): NXT record – denial of
existence of a record
• 2003: DS (Delegation Signer) record
– Allows secure delegation to child zones
– SIG, KEY, NXT evolved to RRSIG, DNSKEY, NSEC
5. Development of DNSSEC
• RFC 3757 (2004)
– Zone-Signing Key (ZSK)
– Key-Signing-Key (KSK)
– Secure Entry Point (SEP)
• A flag used to identify a KSK
• 2005
– NSEC replaced by NSEC3
6.
7. 7
Man-in-the-Middle Attack
– Attacker generates two “false” key pairs
– Attacker intercepts the genuine keys and send
false keys out
– Client trusts the Attacker's data
• Trusted third party prevents this attack
– The root of DNS
Victim Attacker Server
9. The Delegation Signer (DS) Record
• Links in the chain of trust
• DS record contains a hash of a zone's
public key
• To make performance better, the zone key
may be separated into
– Zone Signing Key (ZSK) and
– Key Signing Key (KSK)
10.
11. Authenticated Denial of Existence
NSEC and NSEC3 Records
• Sort all domain names in zone in alphabetical
order
– a.example.com with A, AAAA, RRSIG
– c.example.com
• NSEC Record
– a.example.com TTL IN NSEC c.example.com A AAAA
RRSIG
– Nothing between a.example.com and c.example.com
• This record proves there is no b.example.com
13. NSEC Information Disclosure
• Easy to find all domains in a zone
• Like a zone transfer
• dig *.se +dnssec
– Reveals first valid hostname
• Dig for valid hostname* to find next one
• NSEC3 fixes this problem
19. Lack of Protection Between User
Devices and Resolvers
• Attacker in the middle has enough info to
perfectly forge responses
– Unless DNSSEC is enforced in the client's
browser
Protected
by DNSSEC
DNS ResolverUser DNS SOA
Not
protected
20. Lack of Protection of Glue Records
• DNSSEC only protects Resource Records if
they are authoritative in the zone
• Glue records are resource records that
facilitate a resolution that is delegated
from a parent zone to a child zone
• They are owned by the child zone but
appear in the parent zone
• So they are non-authoritative
• Not protected by DNSSEC
21. Key Changes Don't Propagate
• Keys can
– Roll over
– Be Revoked
– Signatures can expire
• These events do not propagate down the
DNS tree
22. NSEC3 Denial of Service
• If a zone is insecurely delegated to
another zone
• And it includes NSEC3 records
• A MITM can block resolution of a domain
• Or delegate the resolution to another
server and change the A record
• Enabling spoofing, cookie-stealing, etc.
23. Re-Addressing Replay Attack
• If a server moves to a new hosting
provider
• The old IP address can be used until the
signatures expire
• Because there's no way to push signature
expiration from authoritative servers to
resolvers
24. NSEC3 Still Allows Zone Walking
• An offline dictionary attack can be used
to guess the hashes
• It's the same as cracking password hashes
25. No Protection of DNS or Lower Layer
Header Data
• The AD flag is part of the DNS header
– Authenticated Data flag, indicating that the
response data was verified by DNSSEC
– Can't be trusted, because
• Can be changed by a MITM
• DNSSEC won't detect that
26. DNSSEC Data Inflate Zone Files and DNS
Packet Sizes
• Small requests lead to large responses
• UDP allows spoofing the source IP address
AttackerOpen DNS ResolverTarget
29. Encrypted Packets
• Operates at layer 2 (Data Link)
• Uses Elliptic Curve Cryptography
• Each request and response packet is
encrypted in its entirety
– DNSSEC doesn't encrypt any data, it just signs
it
• ECC keys are 256 bits long
• Calculation is much faster than RSA
30. DNSCurve Limitations
• Not yet an IETF standard
• Does not provide end-to-end security
– Just from endpoint to resolver
• Name-server names need to be longer to
include a Base-32 encoded 53-byte public key
– Makes responses even larger
• DNS Queries may exceed 255 bytes, which will
be dropped by old middleware
• Key compromise requires renaming the server
– And manual update of NS record in the parent zone