Monica Salas & Raul Siles - Hype Potter and the Chamber of DNSSECrets [rooted2019]
1.
2019 © Dino Security S.L. All rights reserved. www.dinosec.com
Hype Potter and the Chamber of DNSSECrets
www.dinosec.com @dinosec
Raúl Siles, Founder & Senior Security Analyst, raul@dinosec.com
Mónica Salas, Founder & Security Analyst, monica@dinosec.com
March 29, 2019
2.
About Us
Raúl Siles (raul@dinosec.com)
Mónica Salas (monica@dinosec.com)
3.
DiNoSEC 2019
RootedCON 10th Anniversary
4.
Outline
• DNSSEC zone signing
  – DNSSEC: Authenticity and integrity
  – Stats from the “.es” zone
  – ICANN and DNSpionage
  – DNS flag day
• DNSSEC practical zone signing
  – Four DNSSEC cases
• DNSSEC validation
  – DNSSEC bits (or flags)
• DNSSEC responses
  – The last mile…
• Conclusions
5.
DNSSEC Zone Signing
6.
DNS Authenticity & Integrity
Security threats: DNS spoofing (MitM attacks), DNS cache poisoning
[Diagram labels: DNS resolver, INTEGRITY, AUTHENTICITY]
'To SEC or not to SEC: DNS question': https://youtu.be/HmiK51kA1QY
7.
Where Did We Leave Off Last Year?
DNSSEC is the solution for DNS spoofing and DNS cache poisoning attacks
[Diagram labels: DNS ZONE, DNS parent ZONE, DNS RESOLVER, “.” KSK (Public Key)]
8.
Harry Potter - Hogwarts Admission Letter
Integrity!! Authenticity?
Why should Harry trust his Hogwarts admission letter?
9.
Harry Potter – Rubeus Hagrid
The Trust Anchor
2,75 meters in height
400 kilograms in weight
Anyone not convinced??
10.
DNSSEC Roles Taxonomy
[2x2 matrix: “I use DNSSEC in my authoritative server” (YES / NO) against “I use a DNSSEC capable resolver” (YES / NO)]
And we convinced everybody…
11.
DNSSEC for ccTLD “.es”
DNSSEC validation from Spain
…or NOT?
[Chart: TOTAL “.es” DOMAINS with DNSSEC, x-axis 1/12/14 to 1/2/19]
[Chart: TOTAL “.es” DOMAINS, x-axis 1/12/14 to 1/2/19]
1’022%, 0’948%
+1,361 (+7.8%) SIGNED DOMAINS (from Nov 2019)
31% VALIDATION INCREMENT (DEC 2018, MAR 2019)
https://stats.labs.apnic.net/dnssec
Thanks to: José Eleuterio López (Red.es)
12.
Yes, We Did It… But It Was Not Only You…!
ICANN Calls for Full DNSSEC Deployment, Promotes Community Collaboration to Protect the Internet
LOS ANGELES – 22 February 2019 – The Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems…
https://www.icann.org/news/announcement-2019-02-22-en
7.8 %, 31 %
Not really, it was not us convincing ICANN… :)
13.
DNSpionage
• “A Deep Dive on the Recent Widespread DNS Hijacking Attacks” Krebs on Security. February 18, 2019.
• Attacks hijacked DNS infrastructure of a registrar which also operates one of the 13 “root” name servers (Netnod)
• Access to administrative DNS resources with the goal of capturing credentials for other services via unauthorized changes to registries
• Attackers gained control of registrar’s administrative systems…
  – Netnod, PCH…
• But DNSSEC became the unexpected ally…
https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
14.
[Diagram: DNSpionage flow around mail.netnod.tld. Labels: “.” with DS (.tld); .tld with DS (.netnod); .netnod with DNSSEC; A (mail); Netnod employees; (evil) mail.netnod.tld; Registrar; COMODO; DNS recursive resolver, DNSSEC capable; DoT; DoH]
Numbered labels in the diagram:
• NS (.netnod) (1)
• DISABLE DNSSEC .netnod.tld. (2)
• Get new cert. for (evil) mail.netnod.tld. (3)
• ENABLE DNSSEC .netnod.tld. (4)
• DNS mail.netnod.tld IP is evil IP x.x.x.x (5)
• (6), (7) next to the DNSSEC capable DNS recursive resolver
No mail… & no credentials stealing!!
15.
DNSpionage Conclusions
• DNSSEC is not enough…
  – Secure the administration of DNS zones (registries and registrars): 2FA
  – DNS zone transfer operations are not secured through DNSSEC
    • TSIG (Transaction SIGnature protocol - RFC 3645) is used to authenticate both endpoints of a DNS operation and add integrity
• EPP (Extensible Provisioning Protocol - RFC 5730)
  – Originally designed for allocating objects from registrars to registries over the Internet with the goal to prevent DNS hijacking
    • Can be layered over multiple transport protocols
    • Provides session management through “<login>” (client identifier and plain text password)
    • Session persists until a “<logout>” is sent
    • “.es” supports EPP through HTTPS
16.
February 1st, 2019: DNS Flag Day
• Slow DNS infrastructure performance due to systems non-compliant with original DNS RFC 1035 (1987)
• DNS authoritative servers requirements:
  – Avoid implementations or firewalls that drop DNS packets with EDNS extensions (1999)
• DNS resolver: major open source DNS vendors released updates to stop accommodating non-standard responses (Bind, Knot, PowerDNS, Unbound)
https://dnsflagday.net
17.
DNS Flag Day
Diagram labels:
• DNS client (Stub resolver)
• DNS forwarder
• DNS resolver (DNS recursive server)
• [private] DNS (authoritative) server
• [public] DNS authoritative servers (Root, TLD, Zone):
  – Root DNS server
  – gTLD or ccTLD DNS server
  – Zone DNS server
18.
DNSSEC Practical Zone Signing
19.
Signing a DNS Zone - Multiple Examples
Zone | Registrar / Operator | Signing time (DS) | DNSSEC Algorithm | DNSKEYs | DS Addition
raulsil.es | A/A (Spain) | 8 hours | Established by registrar: RSASHA1-NSEC3-SHA1 (7) | ZSK + KSK | Not tried
dinosec.info | B/B (World Wide) | 15 mins | Established by registrar: ECDSA-P256/SHA256 (13) | KSK | Not tried
siles.info | B/B → B/C (Cloud) | 15 mins | Established by registrar: ECDSA-P256/SHA256 (13) | KSK → ZSK + KSK | Very easy
dinosec.es | D/D (Spain/WW) | - | NO WAY! | - | NO WAY!
• Activation process:
  • Simple: One button
  • Timing: A few minutes (5-15 mins) or hours (e.g. 8-12 hours)
  • Impossible
• Lack of customization or detailed DNSSEC parameters or options
20.
ICANN Encourages Complaining…
DNSSEC support required by ICANN for registrars with all available DS algorithm types (2014): 2013 RAA (Registrar Accreditation Agreement)
https://www.icann.org/resources/pages/support-dnssec-ipv6-2014-01-29-en
https://www.icann.org/registrar-reports/accredited-list.html
Complain to ICANN: https://forms.icann.org/en/resources/compliance/complaints/registrars/standards-complaint-form
21.
Supported DNSSEC Signing Algorithms (RFC 6944)
https://www.incibe-cert.es/guias-y-estudios/guias/guia-implantacion-y-buenas-practicas-dnssec
22.
DNSSEC Records and Signatures
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net www.raulsil.es +dnssec
…
www.raulsil.es. 3600 IN A 87.98.231.5
www.raulsil.es. 3600 IN RRSIG A 7 2 3600 20190319175117 20190217175117 33299 www.raulsil.es. 00I5xmLgMuxaaH/AX6y/KCNAE7x+iNUYcEa9hLIdnfj3KSKyeMa/puU9zqL81x jR5uI0DwIWjMBfUU1Egm8Wyx047jPQ+ANP2Ssdf7NwTpsVI9VOZrEMRmcxpjxi l1birMQm/M8ZJmgi+poZRnNwvTxCC7bjewmd56cSXyzJfAY=
[Slide callouts on the RRSIG record: signature validity period (start date & expiration date); algorithm used; key ID]
23.
Enabling DNSSEC (1/2)
[Screenshots: REGISTRAR “A”, REGISTRAR “B”]
24.
Enabling DNSSEC (2/2)
[Screenshot: REGISTRAR “C”]
25.
DNSKEYs: 3 DNS Operators, 3 Signing Models
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY raulsil.es
raulsil.es. 2835 IN DNSKEY 256 3 7 AwEAAeBQ29zEisimlv+ybOPYCTin4hrl1pCBDtz6nVFO/r2BY1Y7LAnuX3doSBZi9Z6OliMJ5NWqhvNUoUi1n3U4g hxGRf5i1P5qWfNZ5gLuwT2M5Yd4NoOAZnKlmdkGGLrqEiw45riNdB+/MbQwYozGr6tBE/4Kx1+M/UWkNnEi2HdZ
raulsil.es. 2835 IN DNSKEY 257 3 7 AwEAAaX0kus7MxJGgo5zuTmflEPH2dJkgDGbvepfG8tBH8y8gw036eTBbJDPf9DoOBdV2MMRa9QLptpwHQtYssKtZ ooIFZxHv70UeQSKmSyz/1OCoUJXI5ahm7VU0AqfPcWC4B568gLv3LR7O47Syh+AJXvWUEE/uvK+chgEHqIE9j7v
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY dinosec.info
;; ANSWER SECTION:
dinosec.info. 3601 IN DNSKEY 257 3 13 Ei8CWVmqMGXW/fpfihKoJl7xF70RZLhp3FspO0DGycb49sBZocMJMcixB6dx+WbvwPZak7QY78ytOjnkHdB22g==
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY siles.info
siles.info. 3601 IN DNSKEY 257 3 13 h6RG7m0QEsIlpvpFpPNS+mlSOirDS+NQC41S/yG0wFd1WAT/mc2zEDtT8lJCC9aHgy6i8Bj01+cFwBQ05ke2IA==
siles.info. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
siles.info. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
[Slide callouts (operators): A, B, B, C]
26.
DS Records
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY es +dnssec +multiline
es. 65022 IN DNSKEY 256 3 8 (
    AwEAAbdNeJQOckpcbVVTEHgKmHogfgezh6s6OrwZ
    m6uMgzC9KhrqAwIX6PDfd2MDflwSlmfRPsVm/dq5
    BzzbXQFZINCb2fzCer9S1e9gQiRX6/L/xDGH9gYP
    rfU3eA1xB3RPgcfNRcvzAeAd3z3yylSBmWco2oHN
    QWNLQqGs6jpI27cZ
    ) ; ZSK, RSASHA256 (1024b), id = 489
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS raulsil.es +dnssec
raulsil.es. 43200 IN DS 34464 7 2 97880FA96BCF744FAC85F073FFBCA679F053393C834F7837F44D1BD0A0A9C686
raulsil.es. 86400 IN RRSIG DS 8 2 86400 20190329081541 20190315005946 489 es. qIYoNmkznp9gg53PNvoVkfGB3ytG+zFNAvrZVGDPvoc/Tx8z9D/3xWaK/p5l+yAbSB25UzPRlMXQ3TdmEzCUDAJz5LYTy 2Ly66xEsGjFi9yUGai4okSrIJdty6atlKpe78Qy6MGubKPUewDMOd7jhfKlIl2mP/UE8VZfbmp1tno=
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS dinosec.info +dnssec
dinosec.info. 86170. IN DS 16285 13 1 74FFB23176C36384D454A5CB87E78D228094667E
dinosec.info. 86170. IN RRSIG DS 7 2 86400 20190407153004 20190317143004 24332 info. foiwm18puMTPY610HxluGehc20ES1iClXToh7GzVGyO4EjzP5wmHhvgPLeD9fb0xcyi0QxX14Zc64fgSt9cqSw6eAwsQt gjAN4Djdz/nLMwp50T7cnQ1JHjpjxai5PdJqJ6j7069BVg46wWFlSsNyhsICTgXsJo0ljnofr5mKz8=
[Slide callouts: A, B, TLD]
27.
Case 3: “siles.info” DNS Operator Transfer (1/2)
• Domain registered and operated by B
• Zone operation transferred from operator B to operator C
  – Zone registration was not transferable initially from B to C since a minimum of 60 days is needed before a domain transfer request can be undertaken by a new registrar
  – DNSSEC was previously enabled in B with just a KSK and ECDSA P256/SHA256
  – DNSSEC was enabled in C with KSK and ZSK and ECDSA P256/SHA256
28.
Case 3: “siles.info” DNS Operator Transfer (2/2)
Steps performed by zone owner at DNS provider’s management console
[Two-column diagram: Registrar / Operator B | Operator C. Steps as numbered on the slide:]
0) B is registrar and operator for zone
1) Zone operation requested by owner
2) NS provided by C
3) NS servers pointed to C’s: it takes hours for the change to be applied
4) DNSSEC disabled by B: DS(zone) removed from TLD
3) Owner requests enabling DNSSEC for the zone
4) C signs the zone: Since C knows the zone registrar is a third party, C provides the DS record for the zone
5) Zone owner manually adds DS record generated by C
6) B transfers DS record to TLD (.info)
DNSSEC zone is now signed and operational again at C
29.
Case 3: siles.info (Steps 4 & 5)
[Screenshots: DS generation at C; DS addition at B. Callouts: KSK, SEP, Hash(KSK) = DS]
30.
CDS and CDNSKEY: Simplifying DS Updates
• RFC 8078 (March 2017)
• KSK renewal through standard DNS mechanisms
• New DS (and/or new DNSKEY) records are added to the child zone upon KSK renewal
• The parent zone learns of the child zone’s KSK renewal intention through:
  – Polling: parent zone polls child zones periodically
  – Pushing: child zone notifies parent zone of CDS/CDNSKEY availability
• Pros:
  – KSK renewal independent of registrars
• Cons:
  – Not “de facto” standards yet & Not mandatory (yet)
31.
Case 3: DNSSEC Records After Transfer to C
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS siles.info +dnssec
siles.info. 43200 IN DS 2371 13 2 4101DF3DCCE5291E11C450BBEBB16009378A11D0CF20C4B2E8842273025DC305
siles.info. 85653 IN RRSIG DS 7 2 86400 20190415152146 20190325142146 24332 info. cSM+n8J6gy0A5q5RgU7hdifJEtU1ZPsfPx89lEH1GCZ3EG7Wkymx3drkdGJ5uBEzXJfwue8CG0fQveSvVL3MheC/jz8 5KCCwXwyHtCmdJHjXcPrwFKyHWHNsSznLcn0zugeAYWJwxN0DDOmHmM15+rBbvdNZ8Q3b535c7PtdDes=
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY siles.info +dnssec +multiline
siles.info. 2949 IN DNSKEY 256 3 13 (
    oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
    ) ; ZSK, ECDSAP256SHA256 (256b), id = 34505
siles.info. 2949 IN DNSKEY 257 3 13 (
    mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
    ) ; KSK, ECDSAP256SHA256 (256b), id = 2371
siles.info. 2949 IN RRSIG DNSKEY 13 2 3600 20190409082227 (
    20190208082227 2371 siles.info.
    3QjU1QlBeQrhsJssRUJ3cBojHPon1hXJ80GT79gHYR3fMXLAE6f8vjLgTKBHb7PIyXvCU2LqgwqPYYbJHlJvog==)
[Slide callouts: B, TLD, C]
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS siles.info +dnssec
siles.info. 43115 IN DS 53189 13 1 419700DF0777F6839E2E368A1BAEF9044E8B30B7
[Slide callout: C]
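The “Hash(KSK) = DS” relation from the operator-transfer slides can be checked offline before a DS record is pasted into the registrar’s console. The following Python is an added example, not part of the original slides or of any DinoSec tool; it uses the siles.info DNSKEY and DS values quoted in the kdig output, and the function names are illustrative.

```python
import base64
import hashlib
import struct

# Records copied from the kdig output on the slides (siles.info at operator C).
OWNER = "siles.info."
ZSK = (256, 3, 13, "oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8"
                   "KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==")
KSK = (257, 3, 13, "mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+"
                   "KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==")
PARENT_DS = (2371, 13, 2,
             "4101DF3DCCE5291E11C450BBEBB16009378A11D0CF20C4B2E8842273025DC305")

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY, SEP = 0x0100, 0x0001   # DNSKEY flags: 256 = zone key, +1 = SEP (KSK)


def name_to_wire(name):
    """Canonical wire form of an owner name: lower case, no compression."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(key):
    """DNSKEY RDATA: flags (2 octets), protocol, algorithm, public key."""
    flags, protocol, algorithm, pubkey_b64 = key
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag (the 'id' that kdig prints), as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet << 8 if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, key, digest_type=2):
    """DS = (key tag, algorithm, digest type, digest(owner name | DNSKEY RDATA))."""
    rdata = dnskey_rdata(key)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key[2], digest_type, digest)


def match_ds(owner, ds, dnskeys):
    """Return the DNSKEY that a parent-side DS record commits to, or None."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        raise ValueError("unsupported digest type %d" % digest_type)
    for key in dnskeys:
        if not key[0] & ZONE_KEY or key[2] != algorithm:
            continue
        if make_ds(owner, key, digest_type) == (tag, algorithm, digest_type, digest.upper()):
            return key
    return None


def report(owner, ds, dnskeys):
    """One-line verdict for a DS record checked against the child's DNSKEY RRset."""
    key = match_ds(owner, ds, dnskeys)
    if key is None:
        return "DS %d matches no DNSKEY (bogus chain unless another DS matches)" % ds[0]
    role = "KSK (SEP set)" if key[0] & SEP else "key without SEP bit"
    weak = ", SHA-1 digest" if ds[2] == 1 else ""
    return "DS %d -> %s, algorithm %d%s" % (ds[0], role, key[2], weak)


if __name__ == "__main__":
    # Check the DS published in .info against the DNSKEYs served by operator C.
    print(report(OWNER, PARENT_DS, [ZSK, KSK]))
    print("DS to hand to the registrar:", make_ds(OWNER, KSK))
```

Running the same check against the new operator's DNSKEY set before the NS change shows whether the DS held by the registrar still points at a key the zone will actually serve.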
32.
Tracking The Trust Chain (https://dnsviz.net)
[DNSViz trust chain graphs: dinosec.info, siles.info]
33.
Root Zone TLD Database
http://www.internic.net/domain/root.zone
• Very interesting information through the “curl” command
  – All NS in the root zone:
    curl -s http://www.internic.net/domain/root.zone | awk '$4 == "NS" { print $1 " " $4 " " $5 }' | uniq -c
  – All DS in the root zone:
    curl -s http://www.internic.net/domain/root.zone | awk '$4 == "DS" { print $1 " " $6 }' | uniq -c
34.
Signing Algorithms Comparison
• DNSSEC key types
  – RSA: Larger key length needed - Longer signatures
    • (5) RSA/SHA1 - not recommended (weak)
    • (7) RSASHA1-NSEC3-SHA1 - if NSEC3 is required to avoid zone enumeration
    • (8) RSA/SHA-256
  – ECC: not currently supported by all TLDs - Small signatures and robust
    • (13) ECDSA Curve P-256 / SHA-256
    • (14) ECDSA Curve P-384 / SHA-384

Algorithm | Number of TLDs
5 (RSA/SHA-1) | 163
7 (RSA/SHA1-NSEC3) | 551
8 (RSA/SHA-256) | 2206
10 (RSA/SHA-512) | 37
13 (ECC P-256) | 6

TLDs using ECC | ccTLD
Brazil | .br
Switzerland | .ch
Czech Republic | .cz
Liechtenstein | .li
Moldova | .ld
Niue (*New Zealand) | .nu

TLDs using ECC over time: 0 in May ’18, 1 in July ’18, 2 in Dec ’18, 6 in Mar ’19
35.
DANE: DNSSEC Beyond DNS
• Most TLS-based services rely on an external CA
• Problem: if that CA gets compromised and a new certificate is generated for a domain, all the services will be in danger
• DNSSEC key signing schema advantages:
  – The key is associated to a domain (not to an entity identified by a chain of characters)
  – The keys are signed by the zone owner and the zone parent (not a single point of failure)
• The trust anchor is defined in the resolver’s side for a single domain (“.”), not for hundreds of distinct CAs
36.
DANE: RFC 7673
DNS-Based Authentication of Named Entities
• TLS certificates stored and signed within a specific DNS domain server
  – Minimum privilege: if keys are compromised, only services under that DNS hierarchy will be in danger
  – Certificates are tied to domain names through DNSSEC trust relationships
• New DNS records to link TLS certificates with the domain
  – TLSA (Transport Layer Security Authentication)
• Upon connection establishment, a TLS certificate is requested at the same time a DNSSEC query is launched to check the received certificate matches the received TLSA record
TLSA FORMAT: port._tcp_protocol.domain
  _443._tcp.www.zone1.com (HTTPS)
  _25._tcp.mail.zone1.com (SMTPS)
37.
DNSSEC Validation
38.
DNSSEC Bits (or Flags)
39.
DNSSEC Bits (or Flags): Acronyms
DO, CD, AD
[Slide graphic (wordplay on the acronyms): DOCDAD, DOC DAD 2019; labels: DNSSEC, DNS]
40.
DNSSEC Bits (or Flags): Traffic
• Wireshark
41.
DNSSEC Bits (or Flags): Meaning
• DO: DNSSEC OK
  – “I do support DNSSEC, so I want to receive the DNSSEC records…” (RRSIGs)
  – https://tools.ietf.org/html/rfc4035#section-3.2.1
• CD: Checking Disabled
  – “Do not take care of validating the response through DNSSEC, as I will validate it… Simply, send me the DNSSEC records.”
  – https://tools.ietf.org/html/rfc4035#section-3.2.2
• AD: Authentic Data (or “Validated Data”)
  – “All DNS records in this response are authentic, as I have already validated them…”
  – https://tools.ietf.org/html/rfc4035#section-3.2.3
42.
The DO bit in DNSSEC
• DO: “DNSSEC OK”
  – The resolver requests the DNSSEC records to be included in the response
  – If the DO bit is not set in the request, the DNSSEC records must be removed from the response
    • Unless explicitly requested
https://tools.ietf.org/html/rfc3225#section-3
https://tools.ietf.org/html/rfc4035#section-3.2.1
43.
The CD bit in DNSSEC
• CD: Checking Disabled
  – The resolver can disable the DNSSEC validation (RRSIGs) in its own upstream “DNS server” (another resolver)
  – The CD bit in the query is reflected back in the response
  – The CD bit in the query is reflected in the associated upstream queries (recursive DNS resolution)
  – As a result, the response includes the non-validated DNSSEC records (to be validated locally)
  – Flexibility to establish who will validate the records and the criteria to apply (different time references, security islands, etc.)
https://tools.ietf.org/html/rfc4035#section-3.2.2
44.
The AD bit in DNSSEC
• AD: Authentic (or Authenticated) Data
  – All the DNS records (RRSets) included in the Answer and Authority sections of the response are authentic (from the DNSSEC perspective)
  – If so, set the AD bit in the response
  – They have been validated by an upstream DNS resolver
  – Originally the AD bit was not set in requests, but…
https://tools.ietf.org/html/rfc4035#section-3.2.3
45.
Managing the DNSSEC bits: DO, CD & AD (1/2)
• RFC 4035: Protocol Modifications for the DNS Security Extensions
  – DO bit set in requests, to indicate the availability of DNSSEC support
  – CD bit set in requests between DNS clients and recursive servers
    • Who will take care of validating the responses?
  – The DO and CD bits are reflected back in the DNS responses based on their values in the associated DNS requests
  – AD bit set in responses between DNS clients and recursive servers
    • Is the response data (DNS records) authentic?
    • AD bit removed from requests: https://tools.ietf.org/html/rfc4035#section-4.6
  – But later, in RFC 3655 and RFC 6840…
https://tools.ietf.org/html/rfc4035
46.
Managing the DNSSEC bits: DO, CD & AD (2/2)
• RFC 6840: Clarifications and Implementation Notes for DNS Security (DNSSEC)
  – DO bit must be ignored by DNS recursive servers in responses
  – AD bit set in requests to indicate interest in receiving the AD bit set in the associated response (meaning, “I want you to validate the response”)
    • Additionally to the DO bit already indicating DNSSEC support
  – “The AD bit MUST only be set if DNSSEC records have been requested via the DO bit…”
• RFC 3655: Redefinition of DNS Authenticated Data (AD) bit
  – https://tools.ietf.org/html/rfc3655
  – E.g. Bind 9.11.x does not set the AD bit in the requests (still following the previous RFC 4035)
https://tools.ietf.org/html/rfc6840
47.
DNSSEC Responses
48.
DNSSEC Responses
DNS Flags section: Reply Code (RCODE) - 4 bits
• Valid (or correct) response
  – RCODE 0 (No Error: NOERROR)
• DNSSEC validation error (by the resolver)
  – RCODE 2 (Server Failure: SERVFAIL)
    • dig: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
• Domain does not exist
  – RCODE 3 (Non-eXistent Domain: NXDOMAIN)
• The DNS server refuses to answer the request
  – RCODE 5 (Refused: REFUSED)
DNSSEC is backwards compatible with DNS: Both worlds running simultaneously…
49.
Imagine you are already convinced and we all have deployed DNSSEC…
50.
51.
April 1st, 2018
52.
CPE (Customer Premises Equipment)
53.
Testing 1.1.1.1 (or one.one.one.one) with the Local DNS Resolver… What about DNSSEC?
Connecting to 1.1.1.1 through HTTP(S) you get the CPE (router) admin web interface, but it can resolve all DNS queries properly…
54.
Local Web and DNS Server at 1.1.1.1
$ nmap -sS -sU -p 53 -n --reason -A 1.1.1.1
Starting Nmap 7.60 ( https://nmap.org )...
Nmap scan report for 1.1.1.1
Host is up, received echo-reply ttl 63 (0.0019s latency).
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 63 dnsmasq 2.78
53/udp open domain udp-response ttl 63 dnsmasq 2.78
| dns-nsid:
|_ bind.version: dnsmasq-2.78
|_dns-recursion: Recursion appears to be enabled
...
Aggressive OS guesses: Linux 2.6.32 - 3.0 (96%), ...
Network Distance: 2 hops
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 1.28 ms 172.16.8.1
2 2.62 ms 1.1.1.1
$
55.
1.0.0.0/8 Conflicts
• Trying to reach 1.1.1.1
  – https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/
  – https://community.cloudflare.com/t/have-problems-with-1-1-1-1-read-me-first/15902
• The 1.0.0.0/8 range was assigned to APNIC in 2010
  – Previously it was not assigned, but that didn’t mean it was available (or reserved) for private usage (RFC 1918)
    • https://seclists.org/nanog/2010/Jan/776
• Multiple CPEs are using that IP address internally…
• Multiple ISPs are using that IP address in their internal network…
• Testing DNS Resolution in Spanish ISPs…
  – Thanks to some collaborators, we could test the DNS resolution for a few Spanish ISPs…: Thanks RootedCON, Román, José, Pedro, Jorge…!!!!
56.
Using Other DNS Public Resolvers with DNSSEC Support
• Can you find the differences? :)

$ dig @8.8.8.8 +dnssec www.isoc.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48091
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.isoc.org. IN A
;; ANSWER SECTION:
www.isoc.org. 9985 IN A 212.110.167.157
www.isoc.org. 9985 IN RRSIG A 7 3 86400 20180723085001 20180709085001 36614 isoc.org. BkflOYwNc6SOfTIs+miL2gxfYADI9JAf... pytdHBTQEzYs=
;; Query time: 1833 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 10 10:08:40 CEST 2018
;; MSG SIZE rcvd: 225

$ dig @8.8.8.8 +dnssec www.isoc.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31624
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.isoc.org. IN A
;; ANSWER SECTION:
www.isoc.org. 13790 IN A 212.110.167.157
;; Query time: 92 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jul 06 20:14:33 CEST 2018
;; MSG SIZE rcvd: 57
57.
www.example.com (& .org)
58.
Basic Mode
• No DNS settings
59.
Expert Mode (1/2)
• Internet – DNS & DDNS:
  • Secure DNS – OFF, because I want you to intercept all my traffic
60.
Expert Mode (2/2)
• You cannot change the DNS servers!!
• You can only see them… if you’re lucky :)
61.
Getting Admin Mode and Researching
62.
Admin Mode (1/2)
• Internet – DNS & DDNS:
  • EDNS0 – OFF
  • Secure DNS – OFF
No significant changes
63.
Admin Mode (2/2)
• Settings – LAN – IPv4:
  • DNS Proxy – ON (Setting not available in Expert Mode)
No significant changes
64.
CPE Internals (SSH)
• Who is Disabling DNSSEC: CPE or ISP or …?
• References to 1.1.1.1 or 1.0.0.1?
# ps
630 admin 1412 S /usr/sbin/dnsmasq -u admin
# ifconfig -a
br0 Link encap:Ethernet HWaddr 00:01:02:03:04:05
    inet addr:192.168.1.1 Bcast:192.168.1.255...
br0:0 Link encap:Ethernet HWaddr 00:01:02:03:04:05
    inet addr:1.1.1.1 Bcast:1.255.255.255...
# iptables -t nat -L
... (no DNS or special IP addresses references)
65.
Who is Disabling DNSSEC: CPE or ISP? (1/3)
Request: [packet capture screenshot]
66.
Who is Disabling DNSSEC: CPE or ISP? (2/3)
Response: [packet capture screenshot]
67.
Who is Disabling DNSSEC: CPE or ISP? (3/3)
• They are compatible with EDNS0
• They are selectively removing all DNSSEC flags!!!!
• Let’s call it “Client-side DNSSEC Flag Day”!!!!
  – Selectively removing DNSSEC support from the client side!
  – If AD or DO flags are set in the query, they are removed from the response :(
  – If CD flag is set in the query, it is removed from the response too, breaking RFC 4035 :)
• When using the CPE DNS resolvers (or 1.1.1.1)
• Same scenario if ISP transparently intercepts all DNS traffic
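A client can detect this kind of flag stripping by comparing the DO, CD and AD bits it sent with the ones that come back. The following Python is an added example (not from the slides and not dnssecchef code); the sample responses are constructed bytes rather than captures, the helper names are illustrative, and the AD check assumes the queried zone is signed.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035) and the EDNS0 DO bit (RFC 3225).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000                      # carried in the flags half of the OPT record's TTL field
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46

FINDINGS = {
    "CD_STRIPPED": "CD set in the query but cleared in the response",
    "DO_STRIPPED": "DO set in the query but not echoed in the response OPT record",
    "NO_RRSIG": "DNSSEC records requested (DO) but no RRSIG came back",
    "AD_MISSING": "AD requested for a signed zone but the answer is not marked authentic",
}


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def opt_rr(do, udp_size=4096):
    # Root owner name, TYPE=OPT, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO if do else 0, 0)


def build_query(name, qid=0x1234, ad=True, cd=False, do=True):
    """A query for an A record with the chosen DNSSEC bits and an EDNS0 OPT record."""
    flags = RD | (AD if ad else 0) | (CD if cd else 0)
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, 1) + opt_rr(do)


def skip_name(msg, off):
    """Offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_flags(msg):
    """Header AD/CD bits, RCODE, EDNS DO bit and RRSIG count of a DNS message."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    info = {"ad": bool(flags & AD), "cd": bool(flags & CD), "rcode": flags & 0xF,
            "edns": False, "do": False, "rrsigs": 0}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns"], info["do"] = True, bool(ttl & DO)
        elif rtype == TYPE_RRSIG:
            info["rrsigs"] += 1
    return info


def audit(query, response):
    """Return the FINDINGS keys that apply to this query/response pair."""
    q, r = parse_flags(query), parse_flags(response)
    found = []
    if q["cd"] and not r["cd"]:
        found.append("CD_STRIPPED")
    if q["do"] and not r["do"]:
        found.append("DO_STRIPPED")
    if q["do"] and r["rrsigs"] == 0:
        found.append("NO_RRSIG")
    if q["ad"] and not q["cd"] and not r["ad"]:
        found.append("AD_MISSING")
    return found


def build_response(query, ad, cd, do, rrsig):
    """Constructed sample reply to a build_query() message (illustrative, not a capture)."""
    qid, qflags = struct.unpack("!HH", query[:4])
    question = query[12:-11]                 # strip the header and the 11-byte OPT record
    flags = QR | RA | (qflags & RD) | (AD if ad else 0) | (CD if cd else 0)
    ptr = b"\xc0\x0c"                        # compression pointer to the question name
    answers = [ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])]
    if rrsig:
        rdata = b"\x00" * 24                 # placeholder RDATA, the content is not parsed
        answers.append(ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata)
    header = struct.pack("!6H", qid, flags, 1, len(answers), 0, 1)
    return header + question + b"".join(answers) + opt_rr(do)


if __name__ == "__main__":
    q = build_query("www.dinosec.info")
    stripped = build_response(q, ad=False, cd=False, do=False, rrsig=False)
    for code in audit(q, stripped):
        print(code, "-", FINDINGS[code])
```

To probe a real path, send the bytes from build_query() to the resolver over UDP or TCP port 53 and pass the reply to audit().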
68.
Client-Side DNSSEC Flag Day
[Diagram of the DNS resolution chain: DNS client (stub resolver); DNS forwarder; DNS resolver (DNS recursive server); [private] DNS (authoritative) server; [public] DNS authoritative servers: Root DNS server, gTLD or ccTLD DNS server, Zone DNS server (Root, TLD, Zone)]
69.
Final Conclusions (1/2)
• “Secure DNS” enables a single iptables rule for DNS traffic
• How to bypass it client-side and be able to use DNSSEC, at least with the public DNS resolvers (e.g. Quads)?
  – Use TCP (look at the iptables rule) :)… or DoH or DoT
  – The traffic goes via TCP to the public DNS resolver
# iptables -t nat -L
...
DNAT udp -- 192.168.1.0/24 !www.evil.isp udp dpt:domain to:192.168.1.1:53
$ dig -t A www.dinosec.info +dnssec @9.9.9.9 +tcp
DNSSEC response :)
70.
Final Conclusions (2/2)
• This UDP vs TCP difference does not apply to the ISP DNS resolvers (e.g. when “Secure DNS” is turned off)
  – They remove the DNSSEC flags for both UDP and TCP
• The only solution, if the transparent DNS proxies are not in the middle, is to force all clients to use a custom DNS resolver (public, or private, different from the CPE)
  – If the transparent DNS proxies are in the middle…
$ dig -t A www.dinosec.info +dnssec +tcp
No DNSSEC response :(
71.
Wright’s Principle
"Security won't get better until tools for practical exploration of the attack surface are made available."
– Joshua Wright, 2011
72.
Tool
73.
dnssecchef
• DNS/DNSSEC proxy tool by DinoSec (Python)
  – Fake DNS/DNSSEC responses (file or command line options)
  – TCP and UDP support
• Based on dnschef (v0.3): https://github.com/iphelix/dnschef/
  – Peter Kacherginsky (iPhelix)
• Requires dnslib v0.9.10+: https://bitbucket.org/paulc/dnslib/
  – Paul Chakravarti
  – Added support for DNSSEC flag getters/setters in v0.9.9
• Use it as a direct DNS server or as a transparent DNS proxy
74.
DNSSEC Manipulation
[Diagram of the DNS resolution chain: DNS client (stub resolver); DNS forwarder; DNS resolver (DNS recursive server); [private] DNS (authoritative) server; [public] DNS authoritative servers: Root DNS server, gTLD or ccTLD DNS server, Zone DNS server (Root, TLD, Zone)]
75.
dnssecchef Options
• Multiple DNSSEC related options…
$ sudo ./dnssecchef --nodnssec
[ASCII-art banner: dnssecchef, version 0.5]
(c) 2019 DinoSec
monica@dinosec.com & raul@dinosec.com
[*] DNSSECChef started on interface: 127.0.0.1
[*] Using the following nameservers: 8.8.8.8
[>] Disabling DNSSEC support completely...
[*] No parameters were specified. Running in full proxy mode
[*] DNSSECChef is running in both UDP and TCP modes (default)
[*] ...
By default, no DNSSEC changes (standard).
--dnssec: Enable DNSSEC flags manipulation.
--nodnssec: Disable DNSSEC support.
--file=dnssecchef.ini Fake DNS responses.
https://github.com/dinosec/dnssecchef
76.
Conclusions
77.
Nobody Said It Was Going To Be Easy or Costless…
DNSSEC environment does not differ from real life: There are few people in the “right side”… And many more in the “wrong side”
[Slide labels: DNS Operators; ISPs; Obsolete network devices; REGISTRARs; Non-RFC compliant resolvers; Security unaware DNS domain holders; Security aware DNS zone holders & responsible resolver administrators; Great admin complexity]
78.
The One that Appears to Be Bad… Turns out to be good!!
And the wise people are on our side…
79.
So We Know in the End…
• Good will triumph and terror will be vanquished!!!!
80.
Who Do You Trust in the DNS World?
• Preferred DNS resolver for privacy reasons:
  – Your ISP
  – “The Quads” (large public servers)
    • 8.8.8.8
    • DNS Cloud providers
  – Small public servers
  – Your own
https://twitter.com/raulsiles/status/1090003636510429185
81.
Thanks!
• Implementing DNSSEC
• “Next-generation threat intelligence capabilities for red teams and purple teams, focused on defending against APTs and hybrid threats, through big-data solutions of IoT sensors in the cloud based on deep and machine learning, using blockchain and quantum computing.”
82.
Spanish Collection of Proverbs
“Whoever draws close to DNSSEC is sheltered by a good signature…”
“Whoever goes to bed without DNSSEC wakes up impersonated…”
83.
References
84.
References
• “To SEC or Not to SEC: DNS Question” – CCN-CERT. Dec 2018
  – https://www.dinosec.com/en/lab.html#JornadasCCN-CERT2018
  – https://www.youtube.com/watch?v=HmiK51kA1QY
• Estudio del estado de DNSSEC en España – Oct 2018
  – https://www.incibe-cert.es/guias-y-estudios/estudios/estudio-del-estado-dnssec-espana
• Guía de implantación y buenas prácticas de DNSSEC – Oct 2018
  – https://www.incibe-cert.es/guias-y-estudios/guias/guia-implantacion-y-buenas-practicas-dnssec
• DNS over TLS (DoT) – RFC7858
  – https://tools.ietf.org/html/rfc7858
  – https://developers.cloudflare.com/1.1.1.1/dns-over-tls/
• DNS (Queries) over HTTPS (DoH) – RFC8484
  – https://tools.ietf.org/html/rfc8484
  – https://developers.cloudflare.com/1.1.1.1/dns-over-https/
  – https://blog.apnic.net/2018/10/12/doh-dns-over-https-explained/
• "Sunrise DNS over TLS, sunset DNSSEC?" & "DNSSEC and DNS over TLS" (Aug 2018)
  – https://blog.apnic.net/2018/08/17/sunrise-dns-over-tls-sunset-dnssec/
  – https://blog.apnic.net/2018/08/20/dnssec-and-dns-over-tls/
85.
www.dinosec.com
@dinosec
Mónica Salas - monica@dinosec.com
Raúl Siles - raul@dinosec.com
86.
Questions?
www.dinosec.com
@dinosec