Secure Your Domain with DNSSEC
DNS Security
DNS SECURITY
John F. McClure, KimberSystems, LLC
john@kimbersystems.com
Topics
• What is DNS?
• Why is DNS important?
• How does DNS work?
• Corrupting DNS responses
• What happens when DNS goes bad?
• Introduction to DNSSEC
• Why doesn’t everyone use DNSSEC?
• Deploying and maintaining DNSSEC
• Using the GSA DNSSEC Cloud Signing Service
• Questions & Answers
What is DNS?
• Provides www address to IP translation. Sample:
How does DNS work?
[Diagram: User (123.example.com), ISP, ROOT (.), .com, and dns.example.com (123.example.com), connected by arrows numbered 1 to 8.]
1. A user types in 123.example.com (this information isn’t in a local host file).
2. The ISP doesn’t have the answer, so it asks root (.) for the answer.
3. Root doesn’t have the answer but knows who owns .com.
4. The ISP now knows to ask .com for the answer.
5. .com doesn’t know the answer but knows who has name services for example.
6. The ISP now knows to ask dns.example.com for the answer.
7. dns.example.com responds with the answer to the ISP.
8. The ISP delivers the IP address to the user, who can now go to the website.
Corrupting DNS responses
[Diagram: the same resolution path (User, ISP, ROOT ., .com, dns.example.com; arrows 1 to 8), with points along it labeled "Corruption" and "Impersonation".]
There are A LOT of places to corrupt a DNS response to a user. DNS response corruption can occur through data corruption or impersonation.
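The lookup in steps 1 to 8 and the corruption points on this slide, modeled as an added example (not part of the original slides): a toy iterative resolver over an in-memory namespace shows that plain DNS accepts an altered answer or referral without error, and that comparing against a known-good trace locates the hop where the change entered. Server labels, IP addresses and function names are constructed for illustration.

```python
import copy

# Constructed sample namespace (not real data): each server either answers
# a name itself or refers the resolver to the server for a delegated suffix.
SERVERS = {
    "root": {"referrals": {"com.": "com-tld"}},
    "com-tld": {"referrals": {"example.com.": "dns.example.com"}},
    "dns.example.com": {"answers": {"123.example.com.": "192.0.2.10"}},
}


def ask(servers, server, qname):
    """One query to one server: returns (kind, value)."""
    zone = servers.get(server, {})
    if qname in zone.get("answers", {}):
        return "answer", zone["answers"][qname]
    # Pick the most specific delegation that covers the query name.
    for suffix in sorted(zone.get("referrals", {}), key=len, reverse=True):
        if qname == suffix or qname.endswith("." + suffix):
            return "referral", zone["referrals"][suffix]
    return "nxdomain", None


def resolve(servers, qname, max_hops=8):
    """What the ISP resolver does in steps 2-7: start at root, follow referrals."""
    trace, server = [], "root"
    for _ in range(max_hops):
        kind, value = ask(servers, server, qname)
        trace.append((server, kind, value))
        if kind != "referral":
            return value, trace
        server = value
    raise RuntimeError("too many referrals for " + qname)


def first_divergence(good_trace, seen_trace):
    """Return the first hop where a resolution differs from a known-good one."""
    for hop, (good, seen) in enumerate(zip(good_trace, seen_trace), start=1):
        if good != seen:
            return hop, good, seen
    if len(good_trace) != len(seen_trace):
        return min(len(good_trace), len(seen_trace)) + 1, None, None
    return None


def corrupted_answer(servers):
    """Copy of the namespace with the final answer altered (data corruption)."""
    bad = copy.deepcopy(servers)
    bad["dns.example.com"]["answers"]["123.example.com."] = "203.0.113.66"
    return bad


def impersonated_delegation(servers):
    """Copy where the .com referral points at a server posing as the real one."""
    bad = copy.deepcopy(servers)
    bad["com-tld"]["referrals"]["example.com."] = "lookalike-ns"
    bad["lookalike-ns"] = {"answers": {"123.example.com.": "203.0.113.66"}}
    return bad


if __name__ == "__main__":
    good_ip, good = resolve(SERVERS, "123.example.com.")
    print("baseline:", good_ip)
    for label, build in (("corruption", corrupted_answer),
                         ("impersonation", impersonated_delegation)):
        ip, trace = resolve(build(SERVERS), "123.example.com.")
        # The resolver raised no error: nothing in the reply proves its origin.
        print(label, "->", ip, "first differs at hop", first_divergence(good, trace))
```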
What happens when DNS goes bad?
• A user may not be able to browse/view network locations.
  • Facebook, Twitter, Cloud services, etc.
  • Business applications, calendars, email, time card system, etc.
• A user may be directed to an unintended location.
  • Possible transmission of sensitive data or PII
  • Inability to conduct business operations
• A user may be intentionally directed to a malicious site.
  • Possible infection by malicious software/virus
  • Possible transmission of sensitive data or PII
  • Inability to conduct business operations
Introduction to DNSSEC
• DNSSEC was introduced to address security challenges of traditional DNS
  • DNS was built to be open with little concern for security
  • DNS did not have mechanisms to detect forged information
  • DNS did not have the ability to digitally sign information
  • DNS announces extensive information about your architecture
• DNSSEC
  • Addresses all of the above and…
  • Provides authentication that your DNS information came from who it should have
  • Provides upstream protection
Why is DNSSEC important?
• DNSSEC addresses real world cyber-threats to US Government data and networks.
• DNSSEC is mandated by OMB Memo 08-23. All Government agencies were mandated to deploy DNSSEC by December 2009.
• DNSSEC addresses numerous FISMA security controls.
• DNSSEC makes you more compliant and secure!
Why doesn’t everyone use DNSSEC?
• Why doesn’t everyone use DNSSEC?
  • Organizations don’t understand DNS vulnerabilities and threats.
  • Organizations don’t understand the benefits of DNSSEC.
  • Deploying and maintaining DNSSEC is more complex than traditional DNS.
  • DNSSEC requires actions every time a zone is changed (e.g. a new website name is added).
  • Failure to deploy and maintain DNSSEC properly can lead to inaccessibility of a domain.
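One maintenance check that follows from the last two points, as an added example (not part of the original slides): DNSSEC signatures (RRSIG records) carry inception and expiration times, and validating resolvers reject answers whose signatures have expired, which is one way a poorly maintained zone becomes unreachable. The sample records, the fixed clock and the 7-day warning window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `dig +dnssec` prints RRSIG records (RFC 4034):
# owner TTL class RRSIG covered alg labels orig-ttl expiration inception keytag signer signature
SAMPLE_RRSIGS = """\
example.com.     3600 IN RRSIG SOA 8 2 3600 20240401000000 20240302000000 11111 example.com. c2FtcGxl
123.example.com. 3600 IN RRSIG A 8 3 3600 20240312000000 20240211000000 11111 example.com. c2FtcGxl
old.example.com. 3600 IN RRSIG A 8 3 3600 20240301000000 20240201000000 11111 example.com. c2FtcGxl
new.example.com. 3600 IN RRSIG A 8 3 3600 1712000000 1710000000 11111 example.com. c2FtcGxl
example.com.     3600 IN A 192.0.2.10
"""


def parse_sig_time(field):
    """RFC 4034 allows YYYYMMDDHHmmSS (always 14 digits) or epoch seconds."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(text):
    """Yield one dict per RRSIG line; other record types are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        yield {
            "owner": f[0], "covered": f[4], "key_tag": int(f[10]), "signer": f[11],
            "expiration": parse_sig_time(f[8]), "inception": parse_sig_time(f[9]),
        }


def check_signatures(text, now, warn=timedelta(days=7)):
    """Classify each signature as a validating resolver would see it at `now`."""
    report = []
    for sig in parse_rrsigs(text):
        if now > sig["expiration"]:
            status = "EXPIRED"            # validation fails from here on
        elif now < sig["inception"]:
            status = "NOT_YET_VALID"      # signer or checker clock is off
        elif sig["expiration"] - now <= warn:
            status = "EXPIRING_SOON"      # re-sign before this lapses
        else:
            status = "OK"
        report.append((sig["owner"], sig["covered"], status, sig["expiration"] - now))
    return report


if __name__ == "__main__":
    now = datetime(2024, 3, 8, tzinfo=timezone.utc)  # fixed clock for the sample
    for owner, covered, status, left in check_signatures(SAMPLE_RRSIGS, now):
        print(f"{status:14} {owner:18} {covered:4} days left: {left.days}")
```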
Deploying and maintaining DNSSEC
• There are a number of options for deploying and maintaining a DNSSEC solution
  • Run DNSSEC within your own infrastructure, utilizing your own staff (high resource requirement)
  • Complete outsourcing of DNS services, to include DNSSEC, to a commercial provider (high cost)
  • Outsource DNSSEC services to the GSA (in the case of USG)
Using the GSA DNSSEC CSS
• The GSA offers a DNSSEC Cloud Signing Service (CSS) offering to all domains in .gov
  • This service is provided at no charge to .gov domains.
  • You can subscribe to the service when registering a domain name (dotgov.gov).
• The DNSSEC CSS takes the complexities out of DNSSEC
  • You still control your DNS
  • CSS handles zone signing
  • CSS handles ZSK and KSK roll-overs
  • CSS detects changes in your zone files and re-signs zones
• Additional information, FAQs, and contact information are available at www.dotgov.gov.
• Using this service makes you more compliant and secure.
Questions & Answers
John F. McClure
john@kimbersystems.com
(202) 630-0726