Domain Name System (DNS) provides one of the most basic but critical functions on the Internet. If DNS isn't working, then your business likely isn't either. Secure your business and web presence with Domain Name System Security Extensions (DNSSEC).
A presentation on DNS concepts. It covers the topics DNS Introduction, DNS Hierarchy, DNS Resolution Process,
DNS Components, DNS Types, DNSSEC, DNS over TLS (DoT) & HTTPS (DoH), Oblivious DNS (ODoH).
A presentation on DNS concepts. It covers the topics DNS Introduction, DNS Hierarchy, DNS Resolution Process,
DNS Components, DNS Types, DNSSEC, DNS over TLS (DoT) & HTTPS (DoH), Oblivious DNS (ODoH).
DNS, which stands for domain name system, controls your domain name's website and email settings. When visitors go to your domain name, its DNS settings control which company's server it reaches out to.
This presentation gives an overview of the Domain Name System (DNS) and what goes into making the DNS secure. This deck also answers the question what is ICANN's role in Domain Name System Security (DNSSEC) deployment?
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
In this talk to the IEPG session at IETF 93 in Prague on 19 July 2015, I outlined some of the challenges associated with deploying new crypto algorithms within DNSSEC and what we potentially need to do to address these challenges.
Build Dynamic DNS server from scratch in C (Part1)Yen-Kuan Wu
This is my final project. The purpose is that I don't get any course about Network, so I try to implement DNS server and learn from practicing.
In this slide, it would cover brief introduction of ddns server, prerequisite for building protocol, aims of my project and all of pitfalls I have met.
Demo resolver.
I would finish this project and provide the part2 of slide.
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
Encryption is coming to mainstream DNS. This briefing discusses the history, protocols and architecture of encrypted DNS, specifically DNS over TLS and DNS over HTTPS. It also describes the impact of DoT and DoH on various operational models.
This briefing was given during DNSheads Vienna #5 at the nic.at office in Vienna on Jan 30 2018.
Talk by Jonathan Oxer at Linux Users Victoria in April 2007 about how DNS works. Covers authoritative and recursive DNS, delegation, and attack vectors including cache poisoning and DNS forgery. More information at http://jon.oxer.com.au/talks/id/66
Install and Understand DNSSEC in Linux Server running BIND 9 with CHROOT JAIL system and Service.
By Utah Networxs
Follow - @fabioandpires
Follow - @utah_networxs
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
Overview of DNSSEC protocol.
DNS is a pivotal infrastructure in TCP/IP based networks. An outage of the DNS system would bring entire networks to a grinding halt.
When DNS was devised in the early days of the Internet, security had no importance. Therefore, DNS is entirely unsecured which means it offers countless attack vectors to hack and crack a network.
Common attacks are DNS cache poisoning, i.e. adding false entries in DNS databases thus diverting the unsuspecting user to a malicious server and man in the middle attacks.
To secure DNS, an extension was defined in the form of DNSSEC. It uses state-of-the-art security algorithms to authenticate and digitally sign requests and responses so that a DNS resolver is able to verify legitimate DNS responses.
The adoption rate of DNSSEC is still slow, but is gradually picking up speed.
DNS, which stands for domain name system, controls your domain name's website and email settings. When visitors go to your domain name, its DNS settings control which company's server it reaches out to.
This presentation gives an overview of the Domain Name System (DNS) and what goes into making the DNS secure. This deck also answers the question what is ICANN's role in Domain Name System Security (DNSSEC) deployment?
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
In this talk to the IEPG session at IETF 93 in Prague on 19 July 2015, I outlined some of the challenges associated with deploying new crypto algorithms within DNSSEC and what we potentially need to do to address these challenges.
Build Dynamic DNS server from scratch in C (Part1)Yen-Kuan Wu
This is my final project. The purpose is that I don't get any course about Network, so I try to implement DNS server and learn from practicing.
In this slide, it would cover brief introduction of ddns server, prerequisite for building protocol, aims of my project and all of pitfalls I have met.
Demo resolver.
I would finish this project and provide the part2 of slide.
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
Encryption is coming to mainstream DNS. This briefing discusses the history, protocols and architecture of encrypted DNS, specifically DNS over TLS and DNS over HTTPS. It also describes the impact of DoT and DoH on various operational models.
This briefing was given during DNSheads Vienna #5 at the nic.at office in Vienna on Jan 30 2018.
Talk by Jonathan Oxer at Linux Users Victoria in April 2007 about how DNS works. Covers authoritative and recursive DNS, delegation, and attack vectors including cache poisoning and DNS forgery. More information at http://jon.oxer.com.au/talks/id/66
Install and Understand DNSSEC in Linux Server running BIND 9 with CHROOT JAIL system and Service.
By Utah Networxs
Follow - @fabioandpires
Follow - @utah_networxs
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
Overview of DNSSEC protocol.
DNS is a pivotal infrastructure in TCP/IP based networks. An outage of the DNS system would bring entire networks to a grinding halt.
When DNS was devised in the early days of the Internet, security had no importance. Therefore, DNS is entirely unsecured which means it offers countless attack vectors to hack and crack a network.
Common attacks are DNS cache poisoning, i.e. adding false entries in DNS databases thus diverting the unsuspecting user to a malicious server and man in the middle attacks.
To secure DNS, an extension was defined in the form of DNSSEC. It uses state-of-the-art security algorithms to authenticate and digitally sign requests and responses so that a DNS resolver is able to verify legitimate DNS responses.
The adoption rate of DNSSEC is still slow, but is gradually picking up speed.
Primer on DNS tunneling used as a vector for data theft via malware and insider threats with mitigation techniques and pointers on improving outbound DNS security architecture.
BSidesLondon 20Th April 2011 - Arron "finux" Finnon
---------------------------------------------------------------------
The presentations aim is to talk about how simple it is to deploy DNS Tunnelling infrastructure at little or no cost. Also shows how to establish a ssh connection from target to attacker, and act as a taster for peoples further research.
----- for more about @F1nux go to www.finux.co.uk
Get an overview of the Domain Name System (DNS) one of the pillars of the Internet and understand the internal security issues of the DNS as well as the crucial role it plays in cybersecurity.
ION Tokyo slides for "The Business Case for Implementing DNSSEC" by Dan York (Internet Society).
DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.
Learn to recognize the many ways in which attackers can tamper with DNS servers and records, and the measures you can take to prevent this.
See the full webinar and the rest of the series at https://www.thousandeyes.com/resources/monitoring-for-dns-security-webinar
This is a presentation about DNS Cache Poisoning which was presented to the Grey H@t club at Georgia Tech. It covers the basics of DNS, how DNS is vulnerable, the effect of exploiting DNS, and the Kaminsky attack.
ION Bucharest, 12 October 2016 - DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.
ION Islamabad, 25 January 2017
By Champika Wijayatunga, ICANN
DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.
The state of privacy and data security complianceFindWhitePapers
With new privacy and data security regulations increasing, organizations are asking questions. Do the new regulations help or hinder the ability to protect sensitive and confidential information? With these new regulations on the march, how can you remain competitive in the global marketplace? This report provides answers and examines how compliance efforts can impact a company's bottom line.
Is your data at risk? Why physical security is insufficient for laptop computersFindWhitePapers
Evaluating the various data security options to protect your PCs can be challenging. This paper examines the options, discusses why passwords alone are not sufficient and makes the case for strong data encryption.
Closing the gaps in enterprise data security: A model for 360 degrees protectionFindWhitePapers
This paper examines the primary data threats that currently concern chief security officers (CSOs) and IT security management within enterprises, and recommends best-practice techniques to minimize and overcome risks to data security. These best practices have been successfully implemented and deployed in organizations worldwide as components of a holistic data security strategy.
Buyers Guide to Endpoint Protection PlatformsFindWhitePapers
Traditional markets for dedicated endpoint security products have been eclipsed by endpoint protection platforms. The Evolution of Endpoint Security featuring the Buyers Guide to Endpoint Protection Platforms explores how the traditional methods for endpoint security should evolve. In it, you'll learn how the lack of data protection can affect your bottom line and gain insight into the true costs involved in migrating and managing an endpoint security product. Finally, learn how Sophos's acquisition of Utimaco affects the security and data protection market.
VMware DRS: Why You Still Need Assured Application Delivery and Application D...FindWhitePapers
VMware Infrastructure products provide the next generation virtual platform for the new data center, but they don't virtualize the network or application delivery. F5 BIG-IP LTM works with VMware to provide truly virtualized Application Delivery Networking.
The ROI of Application Delivery Controllers in Traditional and Virtualized En...FindWhitePapers
How modern offload technologies in Application Delivery Controllers can drastically reduce expenses in traditional and virtualized architectures, with a fast ROI. In the following pages we won't show you how to determine if there is a compelling ROI case for Application Delivery Controllers, but how to determine how much of a compelling case there really is.
The continued expansion of file-based, business-critical information within extended enterprises is changing the storage dynamic in a wide range of industries and organizations. In a series of interviews with U.S. and European enterprises, IDC found that companies are increasing their file-based storage by 40% to 120% a year and place a high priority on boosting the efficiency and reliability of their management processes for file-based information. IDC research indicates that unstructured, filebased data drove a majority of new storage capacity in all organizations' datacenters in 2008 and projects this growth to accelerate, in spite of current economic conditions. By 2012, over 75% of new storage capacity shipped will be dedicated to the storage, organization, and protection of files.
Both business and technical stakeholders will find value and a broad range of uses for the highly accurate data available from a trusted third-party geolocation provider, especially when the data is integrated into a Unified Application and Data Delivery platform.
Lean Business Intelligence - How and Why Organizations Are Moving to Self-Ser...FindWhitePapers
Learn why and how enterprises are moving to self-service business intelligence (BI). Find out how to get the right data now, while maintaining information quality and operational security. By reviewing requirements and specific use cases for a controlled self-service BI application, Forrester identifies five key findings that can transform your business.
Inventory Optimization: A Technique for Improving Operational-Inventory TargetsFindWhitePapers
This white paper will help SAP customers understand how to gain better visibility into demand, enabling planners to modify inventory to reduce carrying costs without negatively impacting customer-service levels and sacrificing product availability.
Improving Organizational Performance Through Pervasive Business IntelligenceFindWhitePapers
Explore the growing body of evidence suggesting a direct link between investment in business analytics solutions and organizational performance. This white paper highlights market trends that point toward more pervasive use of BI solutions. The recommendations presented are based on ongoing IDC coverage of the BI and analytics solutions market.
IDC Energy Insights - Enterprise Risk ManagementFindWhitePapers
Operational risk management is a rising priority for companies in asset-intensive industry segments. Disparate and disconnected efforts in safety, environmental compliance, and asset utilization at the individual facility are converging to provide better enterprise-wide control and management accountability. Companies that make substantial efforts today will not only improve risk mitigation but create an enduring competitive advantage.
How to Use Technology to Support the Lean EnterpriseFindWhitePapers
This SAP Executive Insight addresses the following questions: . What is the Lean enterprise? . What impact do Lean initiatives have on profitability? . What role does IT play in enabling Lean initiatives? . How is technology connected to the success of Lean initiatives?
Learn what is driving manufacturers to focus on creating more efficient manufacturing operations and which manufacturers are most successful in achieving these efficiency gains.
Enterprise Knowledge Workers: Understanding Risks and OpportunitiesFindWhitePapers
Examine the nature of collaboration-intensive knowledge work, challenges posed by IT, and related costs. Enterprise workers need easier access to information across disciplines and functions, better contextual information, collaboration tools, and automated provisions to protect data integrity and security.
Enterprise Information Management: In Support of Operational, Analytic, and G...FindWhitePapers
Your information can be one of your greatest assets - helping you stay on top of regulatory requirements, close to customers, and ahead of the competition. Organizations that pay attention to their data will be the ones to survive and thrive. So how do you obtain a complete view of your information when it is scattered across silos? Or integrate data from structured and unstructured data sources? Or help reduce the risk of inaccurate reporting? And how do you manage your information more effectively to help keep costs from spiraling out of control?
Enabling Strategy and Innovation: Achieving Optimized Outcomes from Planning ...FindWhitePapers
Read this study of Calearo Antennae Spa and Royal DSM, N.V., two companies that demonstrate how excellence in operations and a clear use of information technology can lead to sustained competitive advantage. (Louisiana State University)
Data Quality Strategy: A Step-by-Step ApproachFindWhitePapers
Learn about the importance of having a data quality strategy and setting the overall goals. The six factors of data are also explained in detail and how to tie it together for implementation.
Data Migration: A White Paper by Bloor ResearchFindWhitePapers
This paper is about using information management software from Business Objects, an SAP company, for SAP data migration projects, either for upgrades from one version of SAP to a newer one, or from other environments to SAP. In practice, many of the considerations that apply to SAP data migrations are no different from those that pertain generally to non-SAP environments.
Automating Stimulus Fund Reporting: How New Technologies Simplify Federal Rep...FindWhitePapers
Read about how U.S. government agencies and organizations spending economic stimulus funds are dealing with reporting and analysis requirements - that not only require tracking spending but measuring its economic impact. Find out what to look for in the technology available today to support this data management.
Affordable Stationery Printing Services in Jaipur | Navpack n PrintNavpack & Print
Looking for professional printing services in Jaipur? Navpack n Print offers high-quality and affordable stationery printing for all your business needs. Stand out with custom stationery designs and fast turnaround times. Contact us today for a quote!
Cracking the Workplace Discipline Code Main.pptxWorkforce Group
Cultivating and maintaining discipline within teams is a critical differentiator for successful organisations.
Forward-thinking leaders and business managers understand the impact that discipline has on organisational success. A disciplined workforce operates with clarity, focus, and a shared understanding of expectations, ultimately driving better results, optimising productivity, and facilitating seamless collaboration.
Although discipline is not a one-size-fits-all approach, it can help create a work environment that encourages personal growth and accountability rather than solely relying on punitive measures.
In this deck, you will learn the significance of workplace discipline for organisational success. You’ll also learn
• Four (4) workplace discipline methods you should consider
• The best and most practical approach to implementing workplace discipline.
• Three (3) key tips to maintain a disciplined workplace.
Improving profitability for small businessBen Wann
In this comprehensive presentation, we will explore strategies and practical tips for enhancing profitability in small businesses. Tailored to meet the unique challenges faced by small enterprises, this session covers various aspects that directly impact the bottom line. Attendees will learn how to optimize operational efficiency, manage expenses, and increase revenue through innovative marketing and customer engagement techniques.
Personal Brand Statement:
As an Army veteran dedicated to lifelong learning, I bring a disciplined, strategic mindset to my pursuits. I am constantly expanding my knowledge to innovate and lead effectively. My journey is driven by a commitment to excellence, and to make a meaningful impact in the world.
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...BBPMedia1
Marvin neemt je in deze presentatie mee in de voordelen van non-endemic advertising op retail media netwerken. Hij brengt ook de uitdagingen in beeld die de markt op dit moment heeft op het gebied van retail media voor niet-leveranciers.
Retail media wordt gezien als het nieuwe advertising-medium en ook mediabureaus richten massaal retail media-afdelingen op. Merken die niet in de betreffende winkel liggen staan ook nog niet in de rij om op de retail media netwerken te adverteren. Marvin belicht de uitdagingen die er zijn om echt aansluiting te vinden op die markt van non-endemic advertising.
Skye Residences | Extended Stay Residences Near Toronto Airportmarketingjdass
Experience unparalleled EXTENDED STAY and comfort at Skye Residences located just minutes from Toronto Airport. Discover sophisticated accommodations tailored for discerning travelers.
Website Link :
https://skyeresidences.com/
https://skyeresidences.com/about-us/
https://skyeresidences.com/gallery/
https://skyeresidences.com/rooms/
https://skyeresidences.com/near-by-attractions/
https://skyeresidences.com/commute/
https://skyeresidences.com/contact/
https://skyeresidences.com/queen-suite-with-sofa-bed/
https://skyeresidences.com/queen-suite-with-sofa-bed-and-balcony/
https://skyeresidences.com/queen-suite-with-sofa-bed-accessible/
https://skyeresidences.com/2-bedroom-deluxe-queen-suite-with-sofa-bed/
https://skyeresidences.com/2-bedroom-deluxe-king-queen-suite-with-sofa-bed/
https://skyeresidences.com/2-bedroom-deluxe-queen-suite-with-sofa-bed-accessible/
#Skye Residences Etobicoke, #Skye Residences Near Toronto Airport, #Skye Residences Toronto, #Skye Hotel Toronto, #Skye Hotel Near Toronto Airport, #Hotel Near Toronto Airport, #Near Toronto Airport Accommodation, #Suites Near Toronto Airport, #Etobicoke Suites Near Airport, #Hotel Near Toronto Pearson International Airport, #Toronto Airport Suite Rentals, #Pearson Airport Hotel Suites
Falcon stands out as a top-tier P2P Invoice Discounting platform in India, bridging esteemed blue-chip companies and eager investors. Our goal is to transform the investment landscape in India by establishing a comprehensive destination for borrowers and investors with diverse profiles and needs, all while minimizing risk. What sets Falcon apart is the elimination of intermediaries such as commercial banks and depository institutions, allowing investors to enjoy higher yields.
Premium MEAN Stack Development Solutions for Modern BusinessesSynapseIndia
Stay ahead of the curve with our premium MEAN Stack Development Solutions. Our expert developers utilize MongoDB, Express.js, AngularJS, and Node.js to create modern and responsive web applications. Trust us for cutting-edge solutions that drive your business growth and success.
Know more: https://www.synapseindia.com/technology/mean-stack-development-company.html
What are the main advantages of using HR recruiter services.pdfHumanResourceDimensi1
HR recruiter services offer top talents to companies according to their specific needs. They handle all recruitment tasks from job posting to onboarding and help companies concentrate on their business growth. With their expertise and years of experience, they streamline the hiring process and save time and resources for the company.
What is the TDS Return Filing Due Date for FY 2024-25.pdfseoforlegalpillers
It is crucial for the taxpayers to understand about the TDS Return Filing Due Date, so that they can fulfill your TDS obligations efficiently. Taxpayers can avoid penalties by sticking to the deadlines and by accurate filing of TDS. Timely filing of TDS will make sure about the availability of tax credits. You can also seek the professional guidance of experts like Legal Pillers for timely filing of the TDS Return.
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
1. F5 Technical Brief
DNSSEC: The Antidote to DNS
Cache Poisoning and Other
DNS Attacks
Domain Name System (DNS) provides one of the most basic
but critical functions on the Internet. If DNS isn’t working,
then your business likely isn’t either. Secure your business
and web presence with Domain Name System Security
Extensions (DNSSEC).
by Peter Silva
Technical Marketing Manager
With contributions from
Nathan Meyer, Product Manager
Michael Falkenrath, Senior Field Systems Engineer
2. Technical Brief
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
Contents
Introduction 3
Challenges 4
DNS in the Wild: Bad Things Can Happen 4
Taming the Wild 5
Solutions 6
BIG‑IP v10.1 and DNSSEC: The Keys to Success 6
Conclusion 9
Resources 10
2
3. Technical Brief
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
Introduction
Humans have always had difficulty remembering number sequences. Back in 1956,
George Miller did some research on digit span recall tasks and found that humans
are only able to hold seven plus or minus two items in memory.1 He concluded that
even when more information is offered, the human memory system has the capacity
to remember between five and nine chunks of information. Most people have a
vocabulary of 10,000 to 30,000 words and some suggest that 500 to 1,000 of
those are names. We’ve experienced words in place of numbers for years with the
telephone system, especially 800 numbers, when a company spells out its product,
name, or industry—like 1-800-EAT-SOUP.
It should come as no surprise that when the Internet was invented with all its
numbered Internet Protocol addresses, humans needed a way to translate those
numbers into understandable names. The Domain Name System (DNS) was created
in 1983 to enable humans to identify all the computers, services, and resources
connected to the Internet by name. DNS translates human readable names into the
unique binary information of devices so Internet users are able to find the machines
they need. Think of it as the Internet’s phone book.
Now what would happen if someone changed your business name and matching
phone book entry to his or her own? The phone book now lists “A. Crook,” an
imposter who receives all of your calls and controls your number. Or, what if
someone completely deleted your entry and no one could find you? That would
really hurt business. What if that same situation happened to the domain name tied
to your public website? An e-commerce site, at that! Either your customers won’t
be able to find you at all or they will be redirected to another site that might look
exactly like yours, but it is really A. Crook’s site. A. Crook happily takes their orders
and money, leaving you with lost revenue, downtime, or any of the other myriad of
issues organizations face when their web property is hijacked.
Security was not included in the original DNS design since at the time scalability—
rather than malicious behavior—was the primary concern. Many feel that securing
DNS would go a long way to securing the Internet at large. Domain Name System
Security Extensions (DNSSEC) attempts to add security to DNS while maintaining the
backward compatibility needed to scale with the Internet as a whole. In essence,
DNSSEC adds a digital signature to ensure the authenticity of certain types of DNS
transactions and, therefore, the integrity of the information.
3
4. Technical Brief
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC provides:
• Origin authentication of DNS data.
• Data integrity.
• Authenticated denial of existence.
Challenges
DNS in the Wild: Bad Things Can Happen
DNS has worked just great since its inception, but as with almost everything
Internet-related, the bad guys have found ways to exploit the protocol. One such
way is called DNS cache poisoning. When you type a URL into your browser, a DNS
resolver checks the Internet for the proper name/number translation and location.
Typically, DNS will accept the first response or answer without question and send
you to that site. It will also cache that information for a period of time until it
expires, so upon the next request for that name/number, the site is immediately
delivered. DNS won’t need to query the Internet again and uses that address until
that entry expires. Since users assume they are getting the correct information,
it can get ugly when a malicious system responds to the DNS query first with
modified, false information, as it does with DNS cache poisoning. The DNS servers
first send the user to the bad link but also cache that fake address until it expires.
Not only does that single computer get sent to the wrong place, but if the malicious
server is answering for a service provider, then thousands of users can get sent to
a rogue system. This can last for hours to days, depending on how long the server
stores the information, and all the other DNS servers that propagate the information
can also be affected. The imminent dangers posed by a rogue site include delivering
malware, committing fraud, and stealing personal or sensitive information.
In 2009, the main DNS registrar in Puerto Rico was hacked by a DNS attack.2 Local
versions of the websites for Google, Microsoft, Coca-Cola, Yahoo, and others
such as PayPal, Nike, and Dell were redirected to defaced sites or blank pages
that told users that the requested site had been hacked. In this instance, the users
were aware that they were not visiting the real site since the group who claimed
responsibility gave notice. In a more sinister incident, one of Brazil’s largest banks
suffered an attack that redirected users to a malicious site that attempted to install
malware and steal passwords.3 In this situation, the users were not aware that they
were on a fake site since the delivered page looked just like the original. These types
of attacks are very hard to detect since the users had actually typed the correct
domain name in their browsers.
4
5. Technical Brief
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
Taming the Wild
DNSSEC is a series of DNS protocol extensions, defined in Request for Comments
(RFCs) 4033, 4034, and 4035, that ensures the integrity of data returned by domain
name lookups by incorporating a chain of trust into the DNS hierarchy. The chain is
built using public key infrastructure (PKI), with each link in the chain consisting of a
public/private key pair. DNSSEC does not encrypt or provide confidentiality of the
data, but it does authenticate that data.
DNSSEC provides the following:
• Origin authentication of DNS data: Resolvers can verify that data has
originated from authoritative sources.
• Data integrity: Resolvers can verify that responses are not modified in flight.
• Authenticated denial of existence: When there is no data for a query,
authoritative servers can provide a response that proves no data exists.
Deploying DNSSEC involves signing zones with public/private key encryption and
returning DNS responses with signatures. (See Figure 1.) A client’s trust in those signatures
is based on a chain of trust established across administrative boundaries, from parent
to child zone, using a new DNSKEY and delegation signer (DS) resource records. Any
DNSSEC deployment must manage cryptographic keys: multiple key generation, zone
signing, key swapping, key rollover and timing, and recovery from compromised keys.
What IP address is I don’t know, let me ask Who owns the records
www.example.com? someone who does. for example.com?
End user example.com is 1.1.1.2 example.com is 1.1.1.2 Ask .com DNS Server
Local DNS ISP DNS Root DNS
server server server
Who owns the records
Figure 1: How DNSSEC works Ask 1.1.1.1 for example.com?
Top Level Domains
Chain of trust
What IP address
is example.com?
example.com .com DNS .org DNS .net DNS
is 1.1.1.2 server server server
DNS server for
example.com
(1.1.1.1)
5
6. Technical Brief
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
To accomplish DNSSEC:
1. Each DNSSEC zone creates one or more pairs of public/private key(s) with the
public portion put in DNSSEC record type DNSKEY.
2. The zones sign all resource record sets (RRsets) and define the order in which
multiple records of the same type are returned with private key(s).
3. Resolvers use DNSKEY(s) to verify RRsets; each RRset also has a signature
attached to it that is called RRSIG.
If a resolver has a zone’s DNSKEY(s), it can verify that RRsets are intact by verifying
their RRSIGs. The chain of trust is important to DNSSEC since an unbroken chain of
trust needs to be established from the root at the top through the top-level domain
(TLD) and down to individual registrants. All zones need to be authenticated by
“signing,” in that the publisher of a zone signs that zone prior to publication, and
the parent of that zone publishes the keys of that zone. With many zones, it is likely
that the signatures will expire before the DNS records are updated. Zone operators
therefore require a means to automatically re-sign DNS records before these
signatures expire. This functionality is called “continuous signing” or “automated key
rollover” and is not yet a feature of common name server implementations.
Solutions
BIG‑IP v10.1 and DNSSEC: The Keys to Success
F5® BIG-IP® v10.1 supports DNSSEC as an add-on feature to BIG-IP® Global Traffic
Manager™ (available as a standalone device or as a module on BIG-IP® Local Traffic
Manager™). BIG-IP Global Traffic Manager (GTM) is a global load balancer that
provides high availability, maximum performance, and centralized management
for applications running across multiple and globally dispersed data centers.
BIG-IP GTM distributes end-user application requests according to business policies
and data center and network conditions to ensure the highest possible availability.
The BIG-IP GTM DNSSEC feature signs DNS responses in real time and provides the
means to deploy DNSSEC quickly and easily in an existing environment.
If client requests a website that sits behind a BIG-IP device but does not request an
authenticated answer, the BIG-IP GTM DNSSEC feature does nothing and BIG-IP
GTM responds normally—passing through the BIG-IP device’s virtual IP address to
the DNS server pool and returning directly to the client. When authentication is
6
7. Technical Brief
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
requested, the BIG-IP GTM DNSSEC feature intercepts the response and signs the
response before sending it to the client computer. (See Figure 2.) In this instance, the
DNSSEC request passes through BIG-IP GTM to the DNS servers. When the response
is returned, BIG-IP GTM signs the response in real time to ensure continuous signing.
The potential attacker cannot forge this response without the corresponding private
key. The internal communication between BIG-IP GTM and the DNS server is normal
and the external client communication is secure.
example.com
example.com example.com
Client 123.123.123.123 LDNS 123.123.123.123 BIG-IP GTM +
+ public key + public key DNSSEC feature DNS servers
Hacker
Figure 2: BIG‑IP GTM DNSSEC feature interaction
This real-time signing is critical in dynamic content environments where both objects
and users might be coming from various locations around the globe. There are
other devices claiming DNSSEC for static DNS and DNSSEC compliance in general,
but none of them has good solutions for dynamic content and none, so far, has
any solutions for global server load balancing (GSLB)-type DNS responses in which
the IP answer can change depending on the requesting client. Since GSLB can
provide different answers to different clients for the same fully qualified domain
name (FQDN), GSLB and DNSSEC are fundamentally at odds in the original design
specifications. DNSSEC, as originally conceived, was focused solely on traditional
static DNS and never considered the requirements of GSLB, or intelligent DNS. It’s
relatively easy to use BIND to provide DNSSEC for static DNS. It’s more difficult
to provide DNSSEC for dynamic DNS, and it’s very difficult to provide DNSSEC for
GSLB-type DNS responses, especially in cloud deployments. F5’s general purpose
DNSSEC feature provides DNSSEC covering all three scenarios and is simple to
implement and maintain while keeping management costs low.
F5’s unique, patent-pending solution to the GSLB DNSSEC problem addresses this
by signing answers at the time the GSLB device decides what the answer should be.
7
8. Technical Brief
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
This is a real-time DNSSEC solution, and, with it, F5 is the only GSLB provider to
have a true DNSSEC solution that works. While others have proposed a system in
which every possible response is pre-signed, most have concluded that this isn’t a
feasible approach.
Assuming BIG-IP GTM is already up, configured, and functioning—including DCs, The BIG‑IP GTM DNSSEC
feature’s default settings
servers, listeners, WIPS, and so on—the DNSSEC key list (see Figure 3) is where the
are modeled on the National
administrator configures zone signing keys (ZSKs) and key signing keys (KSKs). KSKs Institute of Standards and
are used to sign other DNSKEY records and the DS records, while ZSKs are used to Technology (NIST) guidelines,
offering an easy, turnkey
sign RRSIG. It is best practice to name the keys with the zone name and either zsk means to deploy this powerful
or ksk at the end in order to easily identify them. The KSK can be made stronger by solution.
using more bits in the key material. It has little operational impact since it is only used
to sign a small fraction of the zone data and to verify the zone’s key set, not for other
RRsets in the zone. The KSK should be rotated every 12 months and the ZSK every
one to two months. No parent/child interaction is required when ZSKs are updated.
Required options include:
Name
Algorithm
Bit width
FIPS
Type (zone signing keys)
Optional items include:
Rollover period
Expiration period
Note: The default is no
automatic rollover
Figure 3: The GUI on the F5 BIG‑IP system makes it simple to quickly configure and
secure your DNS infrastructure.
Since the KSK is only used to sign a key set, which is most probably updated less
frequently than other data in the zone, it can be stored separately from and in a
safer location than the ZSK. A KSK can have a longer key effectivity period. For
almost any method of key management and zone signing, the KSK is used less
frequently than the ZSK. Once a key set is signed with the KSK, all the keys in the
key set can be used as ZSKs. If a ZSK is compromised, it can be simply dropped from
the key set and the new key set is then re-signed with the KSK.
8
9. Technical Brief
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
If a KSK is to be rolled over, there will be interactions with parties other than
the zone administrator. These can include the registry of the parent zone or
administrators of verifying resolvers that have the particular key configured as
secure entry points. Hence, the key effectivity period of these keys can and should
be made much longer.
1
The public key enables a client to validate the integrity of something signed with
the private key and the hashing enables the client to validate that the content was
not tampered with. Since the private key of the public/private key pair could be 2
used to impersonate a valid signer, it is critical to keep those keys secure. F5
employs two industry-leading techniques to accomplish this security task. First, 3
for non-FIPS requirements, F5 employs Secure Vault, a super-secure SSL-encrypted
storage system used by BIG-IP devices. Even if the hard disk was removed from
the system and painstakingly searched, it would be nearly impossible to recover
When creating DNSSEC zones, use
the contents of Secure Vault.
the most specific FQDN as its name.
BIG‑IP GTM will search the set of
For military-level security, F5 supports FIPS storage of the private keys, and this DNSSEC zones to find the most
is a unique differentiator from many of the DNSSEC providers on the market. specific one to use when signing,
Also unique to F5 is the ability to securely synchronize the keys between multiple even if multiple candidates exist.
FIPS devices. Additionally, multiple models of F5 hardware (BIG-IP 1500, 3400, (1) Name the DNSSEC zone.
(2) Choose the signing key.
6400, 6800, 8400, and 8800) take a further step by using the crypto storage chip
(3) Choose the key signing key.
on the motherboard to secure a unique hardware key as part of the multi-layer
encryption process.
Conclusion
DNSSEC ensures that the answer you receive when asking for name resolution
comes from a trusted name server. Since DNSSEC is still far from being globally
deployed and many resolvers either haven’t been updated or don’t support DNSSEC,
implementing the BIG-IP GTM DNSSEC feature can greatly enhance your DNS
security right away. It can help you comply with federal DNSSEC mandates and help
protect your valuable domain name and web properties from rogue servers sending
invalid responses.
F5 BIG-IP v10.1 now provides DNSSEC signing for DNS records and real-time DNSSEC
signing as requested by clients. The combination of BIG-IP Local Traffic Manager
+ BIG-IP GTM + DNSSEC on one box provides a drop-in DNSSEC solution for any
existing DNS deployment, instantly giving you greater control and security over your
DNS infrastructure while meeting U.S. Government mandates for DNSSEC compliance.
9