2. DNS Security
Topics
• What is DNS?
• Why is DNS important?
• How does DNS work?
• Corrupting DNS responses
• What happens when DNS goes bad?
• Introduction to DNSSEC
• Why doesn’t everyone use DNSSEC?
• Deploying and maintaining DNSSEC
• Using the GSA DNSSEC Cloud Signing Service
• Questions & Answers
4. DNS Security
How does DNS work?
[Diagram: the user asking for 123.example.com, the ISP resolver, the root (.), .com, and dns.example.com, with arrows numbered 1 to 8 matching the steps below.]
1. A user types in 123.example.com (this information isn’t in a local host file).
2. The ISP doesn’t have the answer so asks root (.) for the answer.
3. Root doesn’t have the answer but knows who owns .com.
4. The ISP now knows to ask .com for the answer.
5. .com doesn’t know the answer but knows who has name services for example.com.
6. The ISP now knows to ask dns.example.com for the answer.
7. dns.example.com responds with the answer to the ISP.
8. The ISP delivers the IP address to the user, who can now go to the website.
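The eight steps above as a runnable model. This is an added example with constructed data, not part of the presentation: the three dictionaries stand in for the root, .com and dns.example.com servers (the .com server name a.gtld-servers.net. and the 192.0.2.10 answer are stand-ins), and nothing is sent on the network. The resolver starts at the root, follows each NS referral down, caches the final answer, and returns the list of zones it had to ask.

```python
"""Toy model of iterative DNS resolution (constructed data; added example,
not the presentation's own material).  Nothing here touches the network."""

# Constructed authoritative data.  Each zone either knows the final answer
# (an A record) or a referral (the NS record of the zone one level down).
SERVERS = {
    ".":            {"com.": ("NS", "a.gtld-servers.net.")},       # root: refers to .com
    "com.":         {"example.com.": ("NS", "dns.example.com.")},  # .com: refers to example.com
    "example.com.": {"123.example.com.": ("A", "192.0.2.10")},     # authoritative answer (TEST-NET-1 address)
}
# Which zone each name server is authoritative for (constructed).
NS_TO_ZONE = {"a.gtld-servers.net.": "com.", "dns.example.com.": "example.com."}


def closest_match(qname, records):
    """Pick the record whose owner name is the longest suffix of qname,
    i.e. the most specific thing this server knows about the query."""
    best = None
    for owner, rr in records.items():
        if qname == owner or qname.endswith("." + owner):
            if best is None or len(owner) > len(best[0]):
                best = (owner, rr)
    return best


def resolve(qname, cache=None, max_referrals=10):
    """Act as the ISP's recursive resolver.
    Returns (answer, trail): answer is the A record data or None; trail lists
    the zones queried in order, or ["cache"] when no query was needed."""
    cache = {} if cache is None else cache
    if qname in cache:                          # step 2: answer already cached
        return cache[qname], ["cache"]
    zone, trail = ".", []                       # a cold lookup always starts at the root
    for _ in range(max_referrals):
        trail.append(zone)
        match = closest_match(qname, SERVERS[zone])
        if match is None:                       # nobody along the path knows the name
            return None, trail
        owner, (rtype, rdata) = match
        if rtype == "A" and owner == qname:     # step 7: authoritative answer
            cache[qname] = rdata                # step 8: cache it and hand it to the user
            return rdata, trail
        if rtype == "NS":                       # steps 3-6: referral, ask the next zone
            zone = NS_TO_ZONE[rdata]
            continue
        return None, trail
    raise RuntimeError(f"too many referrals resolving {qname}")


if __name__ == "__main__":
    ip, trail = resolve("123.example.com.")
    print(ip, "via", " -> ".join(trail))        # 192.0.2.10 via . -> com. -> example.com.
```

Passing the same `cache` dictionary to a second call shows why the ISP usually never repeats the whole walk: the answer comes straight from the cache, which is also why a poisoned cache entry (next slide) keeps hurting until it expires.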
5. DNS Security
Corrupting DNS responses
[Diagram: the same resolution path (user, ISP, root, .com, dns.example.com, arrows 1 to 8), with several hops marked "Corruption" and several marked "Impersonation".]
There are A LOT of places to corrupt a DNS response to a user. DNS response corruption can occur through data corruption or impersonation.
6. DNS Security
What happens when DNS goes bad?
• A user may not be able to browse/view network locations.
  • Facebook, Twitter, Cloud services, etc.
  • Business applications, calendars, email, time card system, etc.
• A user may be directed to an unintended location.
  • Possible transmission of sensitive data or PII
  • Inability to conduct business operations
• A user may be intentionally directed to a malicious site.
  • Possible infection of malicious software/virus
  • Possible transmission of sensitive data or PII
  • Inability to conduct business operations
7. DNS Security
Introduction to DNSSEC
• DNSSEC was introduced to address security challenges of traditional DNS
  • DNS was built to be open with little concern for security
  • DNS did not have mechanisms to detect forged information
  • DNS did not have the ability to digitally sign information
  • DNS announces extensive information about your architecture
• DNSSEC
  • Addresses all of the above and…
  • Provides authentication that your DNS information came from who it should have
  • Provides upstream protection
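How signing lets a resolver detect both failure modes from the "Corrupting DNS responses" slide (data corruption and impersonation) is easiest to see in code. The following is an added example with constructed data, not the presentation's material and not a real DNSSEC implementation: it uses a toy textbook RSA in place of the real algorithms, a text form of each record in place of DNS wire format, and a three-zone chain (root, com., example.com.) whose keys are generated on the fly. The validator holds only the root public key as its trust anchor; each child zone's DNSKEY is accepted only if the parent signed a DS record (a hash of that key) for it, and the final A record is accepted only if its RRSIG verifies under the zone key reached that way.

```python
"""Toy DNSSEC chain of trust (added example, constructed data; not a real validator).
Each zone signs its records with a private key, the parent publishes a hash of the
child's public key (the DS record), and the validator trusts only the root key."""
import copy, hashlib, random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (toy key generation only)."""
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_key(bits=256):
    """Textbook RSA: returns (public, private) as ((n, e), (n, d)). Toy sizes, unpadded."""
    def prime():
        while True:
            c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        try:
            return (n, e), (n, pow(e, -1, phi))
        except ValueError:          # e not invertible mod phi (rare): draw new primes
            continue


def digest(owner, rtype, rdata):
    """Hash of the RRset in a canonical text form (stands in for DNS wire format)."""
    return int.from_bytes(hashlib.sha256(f"{owner} {rtype} {rdata}".encode()).digest(), "big")

def sign(private, owner, rtype, rdata):            # produces the RRSIG
    return pow(digest(owner, rtype, rdata), private[1], private[0])

def verify(public, owner, rtype, rdata, sig):      # checks an RRSIG against a DNSKEY
    return pow(sig, public[1], public[0]) == digest(owner, rtype, rdata)

def ds_of(public):
    """DS record: a hash of the child's DNSKEY, published and signed in the parent zone."""
    return hashlib.sha256(f"{public[0]}:{public[1]}".encode()).hexdigest()

def build_zone(name, private, public, records):
    """Sign every RRset in `records` ({(owner, type): rdata}) plus the zone's own DNSKEY."""
    rrsets = {k: (v, sign(private, k[0], k[1], v)) for k, v in records.items()}
    rrsets[(name, "DNSKEY")] = (public, sign(private, name, "DNSKEY", public))
    return {"rrsets": rrsets}


def validate(zones, trust_anchor, owner, rtype):
    """Walk root -> ... -> the zone holding `owner`, checking each DNSKEY against the
    DS its parent signed, then verify the RRSIG on the requested record.
    Returns (rdata, "secure") or (None, reason)."""
    labels = owner.rstrip(".").split(".")
    chain = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, 0, -1)]
    trusted = trust_anchor
    for i, zname in enumerate(chain):
        if zname not in zones:
            return None, f"bogus: no data for zone {zname}"
        dnskey, ksig = zones[zname]["rrsets"][(zname, "DNSKEY")]
        if i == 0 and dnskey != trusted:
            return None, "bogus: root DNSKEY does not match the trust anchor"
        if i > 0:                                   # the parent must vouch for this key via DS
            ds, dsig = zones[chain[i - 1]]["rrsets"].get((zname, "DS"), (None, None))
            if ds is None or not verify(trusted, zname, "DS", ds, dsig):
                return None, f"bogus: DS for {zname} missing or badly signed"
            if ds_of(dnskey) != ds:
                return None, f"bogus: DNSKEY of {zname} does not match the parent's DS"
        if not verify(dnskey, zname, "DNSKEY", dnskey, ksig):
            return None, f"bogus: DNSKEY RRset of {zname} fails its own signature"
        trusted = dnskey
    rdata, sig = zones[chain[-1]]["rrsets"].get((owner, rtype), (None, None))
    if rdata is None:
        return None, "no such record"
    if not verify(trusted, owner, rtype, rdata, sig):
        return None, "bogus: RRSIG does not verify (corrupted or forged answer)"
    return rdata, "secure"


def build_example():
    """Constructed chain root -> com. -> example.com.; returns (zones, trust anchor)."""
    keys = {z: make_key() for z in (".", "com.", "example.com.")}   # (public, private) per zone
    records = {
        "example.com.": {("123.example.com.", "A"): "192.0.2.10"},
        "com.": {("example.com.", "DS"): ds_of(keys["example.com."][0])},
        ".": {("com.", "DS"): ds_of(keys["com."][0])},
    }
    return {z: build_zone(z, keys[z][1], keys[z][0], records[z]) for z in records}, keys["."][0]


def tamper(zones, kind):
    """The slide's two failure modes, applied to the example.com. answer:
    'corruption' alters the IP but carries the old RRSIG; 'impersonation' serves a
    zone signed by a key the parent never published a DS for."""
    z = copy.deepcopy(zones)
    if kind == "corruption":
        _, sig = z["example.com."]["rrsets"][("123.example.com.", "A")]
        z["example.com."]["rrsets"][("123.example.com.", "A")] = ("198.51.100.99", sig)
    elif kind == "impersonation":
        pub, priv = make_key()
        z["example.com."] = build_zone("example.com.", priv, pub, {("123.example.com.", "A"): "198.51.100.99"})
    return z


if __name__ == "__main__":
    zones, anchor = build_example()
    for label in ("genuine", "corruption", "impersonation"):
        z = zones if label == "genuine" else tamper(zones, label)
        print(f"{label:14s} -> {validate(z, anchor, '123.example.com.', 'A')}")
```

The genuine chain validates as "secure"; the corrupted answer fails because the old RRSIG no longer matches the altered data, and the impersonated zone fails one level higher because its DNSKEY does not match the DS that .com signed. That second check is the "upstream protection" on the slide: an attacker who controls only the last hop cannot produce a key the parent vouches for.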
8. DNS Security
Why is DNSSEC important?
• DNSSEC addresses real world cyber-threats to US Government data and networks.
• DNSSEC is mandated by OMB Memo 08-23. All Government agencies were mandated to deploy DNSSEC by December 2009.
• DNSSEC addresses numerous FISMA security controls.
• DNSSEC makes you more compliant and secure!
9. DNS Security
Why doesn’t everyone use DNSSEC?
• Why doesn’t everyone use DNSSEC?
  • Organizations don’t understand DNS vulnerabilities and threats.
  • Organizations don’t understand the benefits of DNSSEC.
  • Deploying and maintaining DNSSEC is more complex than traditional DNS.
  • DNSSEC requires actions every time a zone is changed (e.g. a new website name is added).
  • Failure to deploy and maintain DNSSEC properly can lead to inaccessibility of a domain.
10. DNS Security
Deploying and maintaining DNSSEC
• There are a number of options for deploying and maintaining a DNSSEC solution
  • Run DNSSEC within your own infrastructure and utilizing your own staff (high resource requirement)
  • Complete outsourcing of DNS services, to include DNSSEC, to a commercial provider (high cost)
  • Outsource DNSSEC services to the GSA (in the case of USG)
11. DNS Security
Using the GSA DNSSEC CSS
• The GSA offers a DNSSEC Cloud Signing Service (CSS) to all domains in .gov
  • This service is provided at no charge to .gov domains.
  • You can subscribe to the service when registering a domain name (dotgov.gov).
• The DNSSEC CSS takes the complexities out of DNSSEC
  • You still control your DNS
  • CSS handles zone signing
  • CSS handles ZSK and KSK roll-overs
  • CSS detects changes in your zone files and resigns zones
• Additional information, FAQs, and contact information are available at www.dotgov.gov.
• Using this service makes you more compliant and secure.
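The two maintenance duties behind "DNSSEC requires actions every time a zone is changed" and "failure to maintain DNSSEC properly can lead to inaccessibility of a domain" (previous slides), and behind "CSS detects changes in your zone files and resigns zones" here, are checkable. The following is an added example with constructed data, not the CSS's code and not from the presentation: it parses RRSIG records in standard presentation format (field order per RFC 4034), flags signatures that are expired or about to expire, and flags a zone whose SOA serial has moved since it was last signed. The sample RRSIG lines, key tags, serials and the "current time" are all constructed.

```python
"""Maintenance checks for a signed zone (added example, constructed data; not the
CSS's code).  Two things a signer or a monitoring job must watch: RRSIG expiration,
because an expired signature makes validating resolvers reject the data and the
name goes dark; and SOA serial changes, because every zone edit needs re-signing."""
from datetime import datetime, timedelta, timezone


def parse_rrsig(line):
    """Parse one RRSIG in presentation format.  Fields after 'RRSIG' (RFC 4034):
    type-covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    stamp = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"owner": f[0], "type": f[4], "expiration": stamp(f[8]),
            "inception": stamp(f[9]), "keytag": int(f[10]), "signer": f[11]}


def signature_status(rrsig, now, warn=timedelta(days=3)):
    """'expired', 'not-yet-valid', 'expiring' (within `warn` of expiry) or 'ok'."""
    if now < rrsig["inception"]:
        return "not-yet-valid"
    if now >= rrsig["expiration"]:
        return "expired"
    return "expiring" if rrsig["expiration"] - now <= warn else "ok"


def zone_report(rrsig_lines, now, soa_serial, last_signed_serial):
    """Return per-signature status, the actions the signer must take, and whether
    every signature is currently valid (an expired DNSKEY RRSIG breaks the whole zone)."""
    sigs = [parse_rrsig(line) for line in rrsig_lines]
    statuses = {(s["owner"], s["type"]): signature_status(s, now) for s in sigs}
    actions = []
    if soa_serial != last_signed_serial:        # what the CSS change detection looks for
        actions.append(f"zone changed (serial {last_signed_serial} -> {soa_serial}): re-sign")
    for (owner, rtype), st in statuses.items():
        if st in ("expired", "expiring"):
            actions.append(f"RRSIG over {owner} {rtype} is {st}: re-sign")
    return {"signatures": statuses, "actions": actions,
            "all_valid": all(st == "ok" or st == "expiring" for st in statuses.values())}


SAMPLE_RRSIGS = [  # constructed lines; the base64 signature field is a stand-in
    "example.com. 3600 IN RRSIG SOA 8 2 3600 20240120000000 20231221000000 12345 example.com. c2lnMQ==",
    "www.example.com. 3600 IN RRSIG A 8 3 3600 20240102000000 20231203000000 12345 example.com. c2lnMg==",
    "example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20231230000000 20231130000000 54321 example.com. c2lnMw==",
]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed "current time"

if __name__ == "__main__":
    report = zone_report(SAMPLE_RRSIGS, NOW, 2024010101, 2023122101)
    for action in report["actions"]:
        print(action)
    print("zone validates:", report["all_valid"])
```

With the constructed input the SOA signature is fine, the A record's signature expires the next day, and the DNSKEY signature (made with the KSK, key tag 54321) has already expired, which is exactly the "domain becomes inaccessible" case: nothing in the zone validates until it is re-signed. A signing service runs this kind of check continuously; an organization running DNSSEC in-house has to schedule it itself.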