DNS Cache Spoofing
"Fragmentation Considered Poisonous"
May 2012-August 2013

© Men & Mice http://menandmice.com

Monday 9 December 13

DNS cache poisoning through fragmentation
• A new attack presented at IETF 87 in Berlin, August 2013
• works with any large DNS responses that might be fragmented on the transport path (large TXT record sets - SPF etc)
• works especially well in situations where DNSSEC validation is partially or incorrectly deployed:
• works on permissive DNSSEC resolvers, clients that "fall-back" to non-DNSSEC resolvers
• according to research from Geoff Huston (APNIC), these situations are fairly common

Fragmentation attack (1)
[Diagram. Components: evil web-server, evil resolver, "mybank.com" authoritative DNS servers, resolving DNS server with cache, unsuspecting resolver on the local network behind firewall and NAT. Labels for this step: HTTP request; web page that triggers DNS requests with large DNS answers.]

Fragmentation attack (2)
[Diagram. Components: evil web-server, evil resolver, "mybank.com" authoritative DNS servers, resolving DNS server with cache, unsuspecting resolver on the local network behind firewall and NAT. Labels for this step: DNS lookup for the domain name; DNS lookups will be sent to the authoritative DNS servers.]

Fragmentation attack (3)
[Diagram. Components: evil web-server, evil resolver, "mybank.com" authoritative DNS servers, resolving DNS server with cache, unsuspecting resolver on the local network behind firewall and NAT. Label for this step: answer with fragment part 1.]

Fragmentation attack (4)
[Diagram. Components: evil web-server, evil resolver, "mybank.com" authoritative DNS servers, resolving DNS server with cache, unsuspecting resolver on the local network behind firewall and NAT. Labels for this step: attacker will swamp the caching DNS server with fake fragment No. 2 packets; answer with good fragment part 2; fake response will be cached.]

Fragmentation attack (5)
[Diagram. Components: evil web-server, evil resolver, "mybank.com" authoritative DNS servers, resolving DNS server with cache, unsuspecting resolver on the local network behind firewall and NAT. Labels for this step: request for www.mybank.com./A RR; false answer from poisoned cache; HTTP request; client is connecting to a "pharming" website.]

Fragmentation attack
• Attackers try to overwrite or place a NS record in the cache

;; ANSWER SECTION:
mybank.com.       120     IN  SPF  "v=spf1, a:192.0.2.10, 192.0.2.22 ..."

;; AUTHORITY SECTION:
mybank.com.       86400   IN  NS   ns1.mybank.com.
mybank.com.       86400   IN  NS   ns2.mybank.com.

;; ADDITIONAL SECTION:
ns1.mybank.com.   604800  IN  A    192.0.2.20
ns2.mybank.com.   604800  IN  A    192.0.2.30

Callouts on the slide: large RRset causing fragmentation; high TTL for maximum damage; Here is the fake data; Fragment 1; Fragment 2.

Fragmentation attack
• some operating systems (Windows, FreeBSD) use sequential Fragment-IDs
• next Fragment ID to be used can be inferred by the attacker

Fragmentation attack
• How to guard against fragmentation attacks:
• deploy DNSSEC in a non-permissive mode (full validation)
• deploy IPv6 (UDP Fragmentation works differently in IPv6 than in IPv4, the same fragmentation attack is not possible in IPv6 networks)

DNSSEC to the rescue ...

References
• IETF 87 - DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come
http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf
• DNS-OARC Presentation Oct 2013:
https://indico.dns-oarc.net//getFile.py/access?contribId=18&resId=1&materialId=slides&confId=1

DNSSEC validation

DNSSEC in DNS Messages
[Diagram of the DNS message format, bits 00-31. Header fields: Identification (ID); QR, Opcode, AA, TC, RD, RA, Z, AD, CD, RCode; Total Number of Question Resource Records; Total Number of Answer Resource Records; Total Number of Authority Resource Records; Total Number of Additional Resource Records. Sections: Question Resource Records, Answer Resource Records, Authority Resource Records, Additional Resource Records.]
Callouts on the slide:
• AD = Authenticated Data
• CD = Checking disabled
• EDNS: version: 0, flags: do; udp: 4096

DNSSEC in DNS Messages
• DO Flag in EDNS pseudo record: DNSSEC OK
• this client can handle DNSSEC records
• in addition, each client signaling "DNSSEC OK" also signals that it can handle UDP DNS responses larger than 512 bytes

DNSSEC in DNS Messages
• AD Flag:
• a validating resolver signaling to the client
• that it has successfully validated the DNSSEC data
• invalid DNSSEC data will not be sent to a downstream resolver (client), instead the resolver will send a SERVFAIL error condition

DNSSEC in DNS Messages
• CD Flag:
• an application can signal to the resolving DNS Server that it will validate the DNSSEC information
• the resolving DNS Server does not need to validate itself, but is free to do so

dig ripe.net +dnssec

; <<>> DiG 9.7.1-P2 <<>> ripe.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62183
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ripe.net.                      IN      A

;; ANSWER SECTION:
ripe.net.               172800  IN      A       193.0.6.139
ripe.net.               172800  IN      RRSIG   A 5 2 172800 20101108100147 20101009090147 42006 ripe.net. Jzyeu9MUjNbk[...]5eY=

;; AUTHORITY SECTION:
ripe.net.               172800  IN      NS      sns-pb.isc.org.
ripe.net.               172800  IN      NS      sunic.sunet.se.
ripe.net.               172800  IN      NS      ns-pri.ripe.net.
ripe.net.               172800  IN      NS      ns3.nic.fr.
ripe.net.               172800  IN      RRSIG   NS 5 2 172800 20101108100147 20101009090147 42006 ripe.net. I7+d5+U3683o[...]r4U=

;; ADDITIONAL SECTION:
ns-pri.ripe.net.        172800  IN      A       193.0.0.195
ns-pri.ripe.net.        172800  IN      AAAA    2001:610:240:0:53::3
ns-pri.ripe.net.        172800  IN      RRSIG   A 5 3 172800 20101108100147 20101009090147 42006 ripe.net. VVZ[...]jwg=
ns-pri.ripe.net.        172800  IN      RRSIG   AAAA 5 3 172800 20101108100147 20101009090147 42006 ripe.net. UP/t1m[...]k3k=

;; Query time: 454 msec
;; SERVER: 192.0.2.10#53(192.0.2.10)
;; WHEN: Sat Oct 9 22:39:45 2010
;; MSG SIZE rcvd: 870

Callouts on the slide:
• AD flag: secure answer (the "ad" in the flags line)
• EDNS0 information including the DO flag (the OPT pseudosection)

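The header flags and EDNS fields described on the preceding slides, as an added example that is not part of the original slides: a small Python parser that reads QR, AD, CD, RCODE and the OPT pseudo-record (DO bit, advertised UDP size) from a DNS message on the wire. The sample messages are constructed to mirror the dig output above; the function names and the 1500-byte path MTU used for the fragmentation hint are assumptions.

```python
import struct

# Header flag masks (RFC 1035; AD and CD as defined for DNSSEC in RFC 4035)
QR, TC, AD, CD, RCODE_MASK = 0x8000, 0x0200, 0x0020, 0x0010, 0x000F
TYPE_OPT = 41      # EDNS0 pseudo record
SERVFAIL = 2
# Assumption: IPv4 path with a 1500-byte MTU -> 1500 - 20 (IP) - 8 (UDP)
MAX_UNFRAGMENTED_PAYLOAD = 1472


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_dnssec_signals(msg):
    """Extract the DNSSEC-related header flags and EDNS0 fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {
        "id": ident,
        "qr": bool(flags & QR),
        "tc": bool(flags & TC),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "do": False,
        "udp_size": None,
        "may_fragment": False,
    }
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            # OPT reuses CLASS as the UDP payload size and TTL as
            # extended-RCODE (8 bits) | version (8 bits) | DO (1 bit) | Z
            info["udp_size"] = rclass
            info["do"] = bool(ttl & 0x8000)
            info["may_fragment"] = rclass > MAX_UNFRAGMENTED_PAYLOAD
    return info


def validation_status(info):
    """How a stub client should read a response from a validating resolver."""
    if not info["qr"]:
        return "query"
    if info["rcode"] == SERVFAIL:
        return "servfail"       # what the resolver sends instead of invalid data
    return "validated" if info["ad"] else "unvalidated"


def build_sample(flags, do=True, udp_size=4096):
    """Constructed message: header, question ripe.net/A, one OPT record."""
    header = struct.pack("!6H", 62183, flags, 1, 0, 0, 1)
    question = b"\x04ripe\x03net\x00" + struct.pack("!HH", 1, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size,
                                0x8000 if do else 0, 0)
    return header + question + opt


if __name__ == "__main__":
    # 0x81A0 = qr rd ra ad, the flags line of the dig output above
    for flags in (0x81A0, 0x8180, 0x8182):
        info = parse_dnssec_signals(build_sample(flags))
        print(hex(flags), validation_status(info), info)
```

A response without the AD flag from a resolver that is expected to validate is the case to alert on: it means the answer was accepted without DNSSEC protection.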
DNSSEC capable DNS resolver / caching server
• BIND 9 (starting with BIND 9.6-ESV): http://www.isc.org
• unbound: http://unbound.net
• PowerDNS recursor: http://www.powerdns.com
• Windows 2012 DNS: http://technet.microsoft.com/en-us/library/hh831667.aspx

http://dnssec-or-not.org

http://dnssectest.sidn.nl

dnssec-tools.org
• A collection of useful tools for DNSSEC deployment ( http://dnssec-tools.org )
• DNSSEC-check - tests if the local resolvers are DNSSEC enabled

DNSSEC-check

DNSSEC validation in WebBrowser
• DNSSEC Add-On for Firefox, Google Chrome and Microsoft Internet Explorer (http://www.dnssec-validator.cz/)
• go to http://www.root-dnssec.org or http://www.ripe.net and you should see a nice green key icon in the URL bar telling you that this DNS information was DNSSEC validated.

DNSSEC validation in Windows 2012

DNSSEC validation in Microsoft DNS Server 2012
• The DNS Server in Windows 2012 now supports all bits and pieces necessary to validate DNSSEC signatures and keys in the Internet (including SHA256 and NSEC3).
• Windows 2008 only supports SHA1 and NSEC, and was not able to validate the Internet root zone

DNSSEC validation
• DNSSEC validation can be enabled in the DNS Servers global properties (Advanced - enable DNSSEC validation for remote responses)

enabling DNSSEC using 'dnscmd'
• it is possible to enable DNSSEC validation from the command line using the command

dnscmd /RetrieveRootTrustAnchors

• This command will first fetch the delegation signer (DS-record) using https from IANA (https://data.iana.org/root-anchors/root-anchors.xml).
• The server will then fetch the public key signing key from the root zone during an active refresh cycle (RFC 5011) and validate the KSK using the delegation signer record.

enabling DNSSEC using 'dnscmd'

A DNSSEC validating caching only configuration for BIND 9

DNSSEC validation with BIND 9
• built-in support for DNSSEC validation in BIND 9 DNS server:
• BIND 9.6 - no built-in trust-anchor, no support for RFC 5011
• BIND 9.7 - support for RFC 5011 (automatic update of trust-anchors)
• BIND 9.8 - includes built-in trust-anchor for the Internet Root-Zone, but validation is disabled by default
• BIND 9.9 - built-in trust-anchor for the Internet Root-Zone, DNSSEC validation enabled by default

getting the root-anchor
• for BIND 9, the public KSK of the root zone is used as the root-anchor
• the DNSKEY record can be retrieved using dig:

dig . dnskey @a.root-servers.net. +norec | grep 257 > root.key

Callouts on the slide, by part of the command:
• dig: dig command
• .: "." is the domain name of the root zone
• dnskey: we want the DNSKEY record
• @a.root-servers.net.: we send the query to one of the root servers
• +norec: we send an iterative query (polite)
• grep 257: we only want the KSK (Flag 257)
• > root.key: we write the result in this file

Verifying the root zone's key
• We should never blindly trust cryptographic keys published on websites or slides
• nor should we trust a DNSKEY fetched from an insecure channel (plain DNS)
• we need to verify the key material
• IANA published the DS (delegation signer fingerprint) on an HTTPS secured website

http://data.iana.org/root-anchors/

Callout on the slide: root DS fingerprint

Verifying the root zone key
• we use the command "dnssec-dsfromkey" to create a SHA256 hash-fingerprint from the downloaded root-zone DNSKEY

dnssec-dsfromkey -2 root.key
. IN DS 19036 8 2 (
        49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32
        F24E8FB5 )

• if we compare the computed hash with the one from the website, they both match
• the downloaded DNSKEY record is valid

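What `dnssec-dsfromkey -2` computes, as an added example that is not part of the original slides: the RFC 4034 key tag and the SHA-256 DS digest of a DNSKEY, compared against a published DS value. The root KSK and the DS digest are copied from this page; the function names are illustrative.

```python
import base64
import hashlib
import struct

# Root zone KSK (flags 257, protocol 3, algorithm 8) as printed on this page
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)

# DS record from the dnssec-dsfromkey output on this page:
# (key tag, algorithm, digest type, digest)
PAGE_DS = (19036, 8, 2,
           "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32"
           "F24E8FB5")


def name_to_wire(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    if name == ".":
        return b"\x00"
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.lower().encode("ascii")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + \
        base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name | DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def matches_published_ds(owner, flags, protocol, algorithm, key_b64,
                         published):
    """True only if key tag, algorithm and digest all match the DS."""
    tag, ds_alg, digest_type, digest = published
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is handled here")
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return (key_tag(rdata) == tag
            and algorithm == ds_alg
            and ds_sha256(owner, rdata) == digest.replace(" ", "").upper())


if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 8, ROOT_KSK_B64)
    print(". IN DS", key_tag(rdata), 8, 2, ds_sha256(".", rdata))
    print("matches published DS:",
          matches_published_ds(".", 257, 3, 8, ROOT_KSK_B64, PAGE_DS))
```

The published DS value must come from the HTTPS-secured IANA page, not from the same plain-DNS channel the DNSKEY was fetched over; otherwise the comparison proves nothing.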
DNSSEC setup (BIND 9.6-ESV)
• In BIND 9.6-ESV, we configure a static trust anchor using the "trusted-keys" statement in the "named.conf" file:

trusted-keys {
"." 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};

DNSSEC setup (BIND 9.7.0+)
• Starting with BIND 9.7.0, the trusted keys can be updated automatically via RFC 5011 (RFC 5011 - Automated Updates of DNS Security (DNSSEC) Trust Anchors)

managed-keys {
   "." initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
}; 

general setup
options {
recursion yes;
allow-recursion { mynetworks; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
querylog no;
recursive-clients 2000;
tcp-clients 200;
max-cache-size 2147483648; // 2GB
};

DNSSEC maintenance with BIND 9 "rndc"
• rndc secroots: dump information about the current active DNSSEC trust anchors into the file "named.secroots".

bash-3.2# rndc secroots
bash-3.2# more named.secroots
22-Nov-2013 07:48:31.775

Start view _default
./RSASHA256/19036 ; managed

.       168851 IN DNSKEY 257 3 8 (
                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                ) ; KSK; alg = RSASHA256; key id = 19036

Callouts on the slide:
• KEY ID 19036: current KSK of the root zone
• root zone trust anchor key ID
• trust anchor will be updated according to RFC 5011

BIND 9 controlling DNSSEC validation
• validation on: enable DNSSEC validation on a caching BIND 9 DNS Server (globally):

bash# rndc validation on

• validation off: disable DNSSEC validation on a caching BIND 9 DNS Server

bash# rndc validation off

References
• Deploying DNSSEC (whitepaper by SurfNet):
http://www.surf.nl/en/knowledge-and-innovation/knowledge-base/2012/white-paper-deploying-dnssec.html
• A BIND 9 configuration template for a validating, caching-only DNS Server:
https://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQZoom;ItemID=98;
• Free BIND 9.9.4 installation packages for Linux, MacOS X, Solaris:
http://support.menandmice.com/download/bind/
• Windows 2012 Server: Enabling DNSSEC validation:
http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation

Thank you
E-Mail: training@menandmice.com

More Related Content

Similar to DNS fragmentation attacks - the dangers of not validating DNSSEC

RIPE 70 Report Webinar
RIPE 70 Report WebinarRIPE 70 Report Webinar
RIPE 70 Report Webinar
Men and Mice
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
Shumon Huque
 
PowerDNS Webinar
PowerDNS Webinar PowerDNS Webinar
PowerDNS Webinar
Men and Mice
 
Porque VIM?
Porque VIM?Porque VIM?
Porque VIM?
Augusto Pascutti
 
Context-Aware Access Control for RDF Graph Stores
Context-Aware Access Control for RDF Graph StoresContext-Aware Access Control for RDF Graph Stores
Context-Aware Access Control for RDF Graph Stores
Serena Villata
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
Francois Marier
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
Francois Marier
 
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
Men and Mice
 
The KNOT DNS Server
The KNOT DNS ServerThe KNOT DNS Server
The KNOT DNS Server
Men and Mice
 
Dns reflection attacks webinar slides
Dns reflection attacks webinar slidesDns reflection attacks webinar slides
Dns reflection attacks webinar slides
Men and Mice
 
IETF 90 Report – DNS, DHCP, IPv6 and DANE
IETF 90 Report – DNS, DHCP, IPv6 and DANEIETF 90 Report – DNS, DHCP, IPv6 and DANE
IETF 90 Report – DNS, DHCP, IPv6 and DANE
Men and Mice
 
Grade 10 hardware& net working
Grade 10 hardware& net workingGrade 10 hardware& net working
Grade 10 hardware& net working
Krishan Madushanka
 
IETF 93 Review Webinar
IETF 93 Review WebinarIETF 93 Review Webinar
IETF 93 Review Webinar
Men and Mice
 
A Robust Open-source GEDCOM Parser
A Robust Open-source GEDCOM ParserA Robust Open-source GEDCOM Parser
A Robust Open-source GEDCOM Parser
Dallan Quass
 
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit
 
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit
 
Script for the geomeetup presentation
Script for the geomeetup presentationScript for the geomeetup presentation
Script for the geomeetup presentation
Steven Pousty
 
IETF 92 Webinar
IETF 92 WebinarIETF 92 Webinar
IETF 92 Webinar
Men and Mice
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones Hijacking
Priyanka Aash
 
PyLadies Talk: Learn to love the command line!
PyLadies Talk: Learn to love the command line!PyLadies Talk: Learn to love the command line!
PyLadies Talk: Learn to love the command line!
Blanca Mancilla
 

Similar to DNS fragmentation attacks - the dangers of not validating DNSSEC (20)

RIPE 70 Report Webinar
RIPE 70 Report WebinarRIPE 70 Report Webinar
RIPE 70 Report Webinar
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
PowerDNS Webinar
PowerDNS Webinar PowerDNS Webinar
PowerDNS Webinar
 
Porque VIM?
Porque VIM?Porque VIM?
Porque VIM?
 
Context-Aware Access Control for RDF Graph Stores
Context-Aware Access Control for RDF Graph StoresContext-Aware Access Control for RDF Graph Stores
Context-Aware Access Control for RDF Graph Stores
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
RIPE 69 & IETF 91 Webinar - DNS-Privacy, IPv6, DANE and DHCP(v6)
 
The KNOT DNS Server
The KNOT DNS ServerThe KNOT DNS Server
The KNOT DNS Server
 
Dns reflection attacks webinar slides
Dns reflection attacks webinar slidesDns reflection attacks webinar slides
Dns reflection attacks webinar slides
 
IETF 90 Report – DNS, DHCP, IPv6 and DANE
IETF 90 Report – DNS, DHCP, IPv6 and DANEIETF 90 Report – DNS, DHCP, IPv6 and DANE
IETF 90 Report – DNS, DHCP, IPv6 and DANE
 
Grade 10 hardware& net working
Grade 10 hardware& net workingGrade 10 hardware& net working
Grade 10 hardware& net working
 
IETF 93 Review Webinar
IETF 93 Review WebinarIETF 93 Review Webinar
IETF 93 Review Webinar
 
A Robust Open-source GEDCOM Parser
A Robust Open-source GEDCOM ParserA Robust Open-source GEDCOM Parser
A Robust Open-source GEDCOM Parser
 
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod Narasimha
 
Spark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod NarasimhaSpark Summit EU talk by Debasish Das and Pramod Narasimha
Spark Summit EU talk by Debasish Das and Pramod Narasimha
 
Script for the geomeetup presentation
Script for the geomeetup presentationScript for the geomeetup presentation
Script for the geomeetup presentation
 
IETF 92 Webinar
IETF 92 WebinarIETF 92 Webinar
IETF 92 Webinar
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones Hijacking
 
PyLadies Talk: Learn to love the command line!
PyLadies Talk: Learn to love the command line!PyLadies Talk: Learn to love the command line!
PyLadies Talk: Learn to love the command line!
 

More from Men and Mice

Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network StrategiesCisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Men and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
Men and Mice
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
Men and Mice
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
Men and Mice
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption security
Men and Mice
 
SMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANESMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANE
Men and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
Men and Mice
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
Men and Mice
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice
 
Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNS
Men and Mice
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?
Men and Mice
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
Men and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
Men and Mice
 
Kea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISCKea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISC
Men and Mice
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
Men and Mice
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
Men and Mice
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
Men and Mice
 
PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2
Men and Mice
 

More from Men and Mice (20)

Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network StrategiesCisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
Cisco Live 2019: New Best Practices for Hybrid and Multicloud Network Strategies
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption security
 
SMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANESMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANE
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
 
Fighting Abuse with DNS
Fighting Abuse with DNSFighting Abuse with DNS
Fighting Abuse with DNS
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
Kea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISCKea DHCP – the new open source DHCP server from ISC
Kea DHCP – the new open source DHCP server from ISC
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
 
PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2PowerDNS Webinar - Part 2
PowerDNS Webinar - Part 2
 

Recently uploaded

DealBook of Ukraine: 2024 edition
DealBook of Ukraine: 2024 editionDealBook of Ukraine: 2024 edition
DealBook of Ukraine: 2024 edition
Yevgen Sysoyev
 
ARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdf
ARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdfARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdf
ARTIFICIAL INTELLIGENCE (AI) IN MUSIC.pdf
Inglês no Mundo Digital
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
Bert Blevins
 
How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
SynapseIndia
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Neo4j
 
7 Most Powerful Solar Storms in the History of Earth.pdf
7 Most Powerful Solar Storms in the History of Earth.pdf7 Most Powerful Solar Storms in the History of Earth.pdf
7 Most Powerful Solar Storms in the History of Earth.pdf
Enterprise Wired
 
ScrumGathering New Orleans 2024 Catherine Louis.pdf
ScrumGathering New Orleans 2024  Catherine Louis.pdfScrumGathering New Orleans 2024  Catherine Louis.pdf
ScrumGathering New Orleans 2024 Catherine Louis.pdf
Global Agile Consulting- CLL-Group, LLC
 
Pigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdfPigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdf
DNS fragmentation attacks - the dangers of not validating DNSSEC