DNS Security Strategy
N3K Expert Webinar Series
Andreas Taudte
Principal DDI Consultant
Last updated April 2023
www.n3k.com 2
Housekeeping
• Timing, Schedule, Q&A Session
• Online Etiquette (microphones, distracting activities)
• Recording and Privacy
DNS Building Blocks
• Platform (hardware, operating system) of the Name Server or Resolver
• Software of the Name Server or Resolver
• Transactions (query/response, transfers, dynamic updates, notifications)
• Database (zone files, journal files)
• Configuration (named.conf, include files)
Disaster and Human Error Defences
• Geographic Provisioning of Services against natural & unnatural Disasters
(earthquakes, hurricanes, floods, terrorist attacks, acts of war)
• Periodic User Trainings & Communication
• Roles & Responsibilities clearly enumerated and understood
• Change Control Meetings among relevant Stakeholders
• IP Address Management System to identify & correct potential Config. Errors
• Audit Logging to enable Review
Hardware and Operating System
• Physical Access (unplug, disconnect, console access)
• Updates & Patches for known Vulnerabilities (OS & service)
• Protect Control Channel from unauthorized Access
• Permissions to Servers, Directories & Files containing Service Configuration
• Monitoring of Logs (OS & service)
DNS Monitoring
• Monitoring of the Service itself
(status, version, patch level, connectivity, probe, transfer, etc.)
• Query Logging on caching Layers into SIEM1 System incl. ECS2
(further investigation of single and groups of DNS queries)
• Monitoring of critical internal Records and Systems
(databases, call servers or internal certificate authority, etc.)
• Monitoring of critical public Records and Systems
(web servers, mail exchange servers, delegations in parent zone, etc.)
1 Security Information and Event Management
2 EDNS Client Subnet
Reducing the Attack Surface
• Different DNS Roles can be attacked differently
(authoritative DNS, caching DNS, internal or public-facing DNS)
• Authoritative Servers perform resource-consuming Tasks like dynamic Updates or Zone Transfers
• Caching Servers handle Queries from Clients and get other Servers involved for Recursion
• Multiple Roles provided by the same Server means bigger Attack Surface
• Systems with separated Roles can be installed and managed in isolated Security Areas
• Role-specific Updates and Patches address different Behaviours
Internal and public-facing Caching Layer
• Internal Caching DNS
  • Configured as Stealth Secondary for faster Resolution
  • Subscription to Security Feed (known as DNS firewall)
  • Dedicated caching Layer “close” to Clients in remote Locations
• External Caching DNS
  • Performs Internet Name Resolution
  • Only accept Queries from internal Caching Servers
Public DNS Diversity
• Provisioning multiple Servers in different geographic Locations
• Running a Variety of Server Vendor Implementations
• Using multiple external Hosting Providers
DNS Role-specific Defences: Stub Resolver
• Host Controls incl. physical, Operating Systems and Resolver Software
• DHCP Server Audits
• Connection Encryption (DoT1, DoH2, DoQ3, etc.)
1 DNS-over-TLS
2 DNS-over-HTTPS
3 DNS-over-QUIC
DNS Role-specific Defences: Recursive Server
• Planned Deployment (size, number & capacity of servers)
• Host Controls incl. physical, Operating Systems and Resolver Software
• Anycast Addressing
• Network Interface and DNS Software ACLs1
• Randomization (source port, transaction ID, query case)
• Limit Queries per Client (rate limiting)
• DNS Firewall (RPZ), DNSSEC Validation, Query Log Auditing (tunnel & malware detection)
• Connection Encryption (DoT, DoH, DoQ, etc.)
1 Access Control List
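The query-log auditing called for on the DNS Monitoring slide (query logging into a SIEM) and the Recursive Server slide (tunnel and malware detection), as an added example that is not part of the deck: it parses constructed BIND-style query log lines and scores each name for tunnelling indicators (overlong labels, high-entropy payloads, data-carrying query types, many distinct subdomains per client). The log lines, client addresses and the tunnel-demo.test domain are constructed for this illustration, and the thresholds are assumptions to be tuned against a real baseline.

```python
"""Query-log audit for DNS tunnelling indicators (added example, not N3K's code)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the BIND 9 "queries" log channel.
# 10.1.2.3 is a normal client; 10.1.2.7 queries hex-encoded labels under a
# hypothetical domain, the pattern a DNS tunnel produces. Not real traffic.
SAMPLE_LOG = """\
12-Apr-2023 09:00:01.101 queries: info: client @0x7f1a 10.1.2.3#53422 (www.example.com): query: www.example.com IN A +E(0) (10.1.2.1)
12-Apr-2023 09:00:01.233 queries: info: client @0x7f1a 10.1.2.3#53423 (mail.example.com): query: mail.example.com IN MX +E(0) (10.1.2.1)
12-Apr-2023 09:00:01.380 queries: info: client @0x7f1a 10.1.2.3#53424 (_dmarc.example.com): query: _dmarc.example.com IN TXT +E(0) (10.1.2.1)
12-Apr-2023 09:00:02.004 queries: info: client @0x7f1b 10.1.2.7#40001 (ab3f9c2e7d1a5b8f0c4e6d2a9f1b3c5d.t.tunnel-demo.test): query: ab3f9c2e7d1a5b8f0c4e6d2a9f1b3c5d.t.tunnel-demo.test IN TXT +E(0) (10.1.2.1)
12-Apr-2023 09:00:02.051 queries: info: client @0x7f1b 10.1.2.7#40002 (9e1d4c7b2a5f8e0d3c6b9a2f5e8d1c4b.t.tunnel-demo.test): query: 9e1d4c7b2a5f8e0d3c6b9a2f5e8d1c4b.t.tunnel-demo.test IN TXT +E(0) (10.1.2.1)
12-Apr-2023 09:00:02.098 queries: info: client @0x7f1b 10.1.2.7#40003 (5c8b2e9f1d4a7c0e3b6d9f2a5c8e1b4d.t.tunnel-demo.test): query: 5c8b2e9f1d4a7c0e3b6d9f2a5c8e1b4d.t.tunnel-demo.test IN TXT +E(0) (10.1.2.1)
"""

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query_log(text):
    """Return (client, qname, qtype) triples; lines that do not match are skipped."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            queries.append((m["client"], m["qname"].rstrip(".").lower(), m["qtype"]))
    return queries


def shannon_entropy(s):
    """Bits per character; hex or base32 payloads score close to their maximum."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Split into (subdomain part, base domain). The two-label base is a
    simplification; production code would consult the Public Suffix List."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qname, qtype, max_label=30, min_entropy=3.5, min_len=16):
    """Per-query indicators; the thresholds are assumed starting points."""
    sub, _ = split_name(qname)
    reasons = []
    if any(len(label) > max_label for label in sub.split(".")):
        reasons.append("long-label")
    payload = sub.replace(".", "")
    if len(payload) >= min_len and shannon_entropy(payload) >= min_entropy:
        reasons.append("high-entropy")
    # TXT and NULL answers carry arbitrary data, but TXT is also normal for
    # SPF/DMARC, so the type only counts alongside another indicator.
    if reasons and qtype in ("TXT", "NULL"):
        reasons.append("data-carrying-qtype")
    return reasons


def audit(text, min_unique_subdomains=50):
    """Aggregate per (client, base domain); many distinct subdomains from one
    client is the volume signature of a tunnel even when single names look benign."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "reasons": set()})
    for client, qname, qtype in parse_query_log(text):
        sub, base = split_name(qname)
        entry = stats[(client, base)]
        entry["queries"] += 1
        entry["subdomains"].add(sub)
        entry["reasons"].update(score_query(qname, qtype))
    report = {}
    for key, entry in stats.items():
        reasons = sorted(entry["reasons"])
        if len(entry["subdomains"]) >= min_unique_subdomains:
            reasons.append("many-unique-subdomains")
        report[key] = {
            "queries": entry["queries"],
            "unique_subdomains": len(entry["subdomains"]),
            "reasons": reasons,
            "flagged": bool(reasons),
        }
    return report


if __name__ == "__main__":
    for (client, base), row in audit(SAMPLE_LOG).items():
        if row["flagged"]:
            print(f"{client} -> {base}: {row['queries']} queries, {', '.join(row['reasons'])}")
```

Feeding the flagged (client, base domain) pairs into the SIEM as an alert, with the ECS-derived client subnet when the caching layer forwards it, gives the "further investigation of single and groups of DNS queries" the monitoring slide asks for.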
DNS Role-specific Defences: Authoritative Server
• Planned Deployment (size, number & capacity of servers)
• External DNS Service Provider (Backup or Diversity)
• Host Controls incl. physical, Operating Systems and Resolver Software
• Anycast Addressing
• Disable Recursion
• Restricted Zone Updates and Zone Transfers
• Deployment-based Network Interface and DNS Software ACLs (internal, external, public-facing)
• Signing of mission-critical Zones (DNSSEC)
DNS Role-specific Defences: Hosting Provider
• Encrypted and unique User Access with Multi-Factor Authentication
• Integrity of every DNS Record (change history)
• DNSSEC Signing with planned and Emergency Key Rollover
• Support for other Security Features (ACLs, GeoDNS, Rate Limiting, DMARC1 policy etc.)
• Service-Level Agreement (SLA)
• Denial of Service (DoS) Mitigation
• Parent Domain Security Controls
1 Domain-based Message Authentication, Reporting and Conformance
Securing each Layer of DNS

Transit Path      | Transit Endpoints                                     | Key Security Mechanisms
Recursive Query   | Stub Resolver, Recursive Server                       | ACLs, DoT, DoH, DoQ, DNSSEC
Iterative Query   | Recursive Server, Authoritative Server                | DNSSEC
Dynamic Update    | IPAM System, DHCP Server/Client, Authoritative Server | ACLs, Transaction Signatures (TSIG)
Zone Transfer     | Primary Server, Secondary Server                      | ACLs, TSIG
DNS Configuration | IPAM System, File Editor, Transfer to/from Server     | SSH, SCP, SFTP, TLS
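A configuration check for the Authoritative Server controls above (disable recursion, restrict zone transfers and dynamic updates with ACLs and TSIG, as the Zone Transfer and Dynamic Update rows of the table list), added here as an example rather than N3K's or ISC's code: it reads a weak and a hardened named.conf fragment and reports which controls are missing. Both fragments are constructed for this illustration, with a hypothetical zone, hypothetical key names and placeholder secrets.

```python
"""Audit of named.conf statements on an authoritative server (added example, not N3K's or ISC's code)."""
import re

# Constructed configurations for the demonstration; the zone and key names are
# hypothetical and the TSIG secrets are placeholders, not real key material.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;                 // open resolver on an authoritative host
    allow-transfer { any; };       // every zone can be pulled by anyone
};
zone "example.test" IN {
    type primary;
    file "example.test.zone";
    allow-update { 10.1.2.0/24; }; // a source address alone is not authentication
};
"""

HARDENED_CONF = """
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64-SECRET"; };
key "ddns-key" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64-SECRET"; };
options {
    directory "/var/named";
    recursion no;
    allow-transfer { none; };      // deny by default, open per zone
};
zone "example.test" IN {
    type primary;
    file "example.test.zone";
    allow-transfer { key xfer-key; };
    allow-update { key ddns-key; };
};
"""


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _blocks(text, header_re):
    """Yield (header match, body) for every `header { body };`, honouring nesting."""
    for m in re.finditer(header_re, text, flags=re.M):
        start = text.find("{", m.end())
        depth = 0
        for i in range(start, len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield m, text[start + 1:i]
                    break


def _statement(body, name):
    """Value of `name value;` or `name { list };` in a block body, or None if absent."""
    m = re.search(rf"(?<![\w-]){name}\s+(\{{[^}}]*\}}|[^;{{]+);", body)
    return " ".join(m.group(1).split()) if m else None


def _has(value, word):
    return re.search(rf"\b{word}\b", value) is not None


def audit_named_conf(text):
    """Return (scope, finding) pairs for the controls on the Authoritative Server slide."""
    text = _strip_comments(text)
    findings = []
    options = ""
    for _, body in _blocks(text, r"^\s*options\s*(?=\{)"):
        options = body
    if _statement(options, "recursion") != "no":
        findings.append(("options", "recursion is not disabled (BIND defaults to recursion yes)"))
    for m, body in _blocks(text, r'^\s*zone\s+"([^"]+)"(?:\s+IN)?\s*(?=\{)'):
        zone = m.group(1)
        # a zone-level statement overrides the one in options
        xfer = _statement(body, "allow-transfer") or _statement(options, "allow-transfer")
        if xfer is None:
            findings.append((zone, "allow-transfer not set; the server default applies"))
        else:
            if _has(xfer, "any"):
                findings.append((zone, "zone transfers allowed from any address"))
            if not _has(xfer, "key") and not _has(xfer, "none"):
                findings.append((zone, "allow-transfer is not bound to a TSIG key"))
        update = _statement(body, "allow-update")
        if update is not None:
            if _has(update, "any"):
                findings.append((zone, "dynamic updates accepted from any address"))
            elif not _has(update, "key"):
                findings.append((zone, "allow-update is address-based only; bind it to a TSIG key"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_named_conf(conf) or "no findings")
```

The check covers allow-transfer and allow-update only; a zone using update-policy instead of allow-update, or a view-scoped options override, needs the corresponding statements added to the audit.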
What’s next?
Greedy for more?
https://www.n3k.com/aktuelles/webinare/schulungen
https://www.wiley.com/en-us/DNS+Security+Management-p-9781119331407
N3K Network Systems
Ferdinand-Braun-Straße 2/1 | 74074 Heilbronn
+49 7131 594 95 0
info@n3k.de
Thank you for your Time.