Post on 24-Mar-2019
transcript
9/7/16
Securing DNS and TLS Using DNSSEC and DANE
Dan York, CISSP, Internet Society york@isoc.org
About the Internet Society (ISOC)
» Founded in 1992 as the organizational home of the Internet Engineering Task Force (IETF)
» Works in the areas of technology, policy and development to promote an open, accessible Internet for everyone.
» 90,000 individual members, 141 organizational members, 122 chapters, 87 staff, active in 103 countries.
» 2016 focus: connecting the unconnected and promoting and restoring trust in the Internet.
» www.internetsociety.org
Trusted Internet
» Trust in privacy of information (ex. encryption)
» Trust in online identity systems (ex. Kantara)
» Trust in network communication (ex. TLS, DANE)
» Trust in Internet identifiers (ex. DNSSEC)
» Trust in the Internet's core infrastructure (ex. MANRS)
» Trust in cryptography (ex. Cryptech)
Photo: https://www.flickr.com/photos/powerbooktrance/466709245/ (CC BY)
Email Hijacking – A Current Threat
» CERT-CC researchers have identified that someone is hijacking email by using DNS cache poisoning of MX records
» Could be prevented by DNSSEC deployment
» CERT-CC (Sept 10, 2014):
  - https://www.cert.org/blogs/certcc/post.cfm?EntryID=206
» Deploy360 blog post (Sept 12, 2014):
  - http://wp.me/p4eijv-5jI
What Problem Is DNSSEC Trying To Solve?
» DNSSEC = "DNS Security Extensions"
  • Defined in RFCs 4033, 4034, 4035
  • Operational Practices: RFC 4641
» Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user.
» Let's walk through an example to explain…
A Normal DNS Interaction
[Diagram: Web Browser, DNS Resolver, Web Server]
1. The Web Browser asks the DNS Resolver: example.com?
2. The Resolver checks its local cache. If it has the answer, it sends it back: example.com 10.1.1.123
3. The Web Browser requests https://example.com/ from the Web Server at 10.1.1.123
4. The Web Server returns the web page
If not…

A Normal DNS Interaction
[Diagram: Web Browser, DNS Resolver, DNS Svr root, DNS Svr .com, DNS Svr example.com, Web Server]
The Web Browser asks the Resolver: example.com? The Resolver asks the root DNS Svr, which refers it to the .com NS; the .com DNS Svr refers it to the example.com NS; the example.com DNS Svr answers 10.1.1.123. The Resolver returns 10.1.1.123 to the Web Browser, which requests https://example.com/ from the Web Server and receives the web page.
DNS Works On Speed
» First result received by a DNS resolver is treated as the correct answer.
» Opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by:
  • Getting to the correct point in the network to provide faster responses;
  • Blocking the responses from the legitimate servers (ex. executing a Denial of Service attack against the legitimate servers to slow their responses)
Attacking DNS
[Diagram: as in the normal interaction, with an Attacking DNS Svr for example.com added]
The Resolver walks root → .com NS → example.com NS as before, but the Attacking DNS Svr for example.com gets its answer, 192.168.2.2, to the Resolver first. The Resolver passes 192.168.2.2 back to the Web Browser, which sends its https://example.com/ request there instead of to the real Web Server at 10.1.1.123.

A Poisoned Cache
[Diagram: Web Browser, DNS Resolver, Web Server]
1. The Web Browser asks the DNS Resolver: example.com?
2. The Resolver answers from its cache, which now has wrong data: example.com 192.168.2.2
3./4. The Web Browser sends its https://example.com/ request to 192.168.2.2 and receives the attacker's web page
This stays in the cache until the Time-To-Live (TTL) expires!
How Does DNSSEC Help?
» DNSSEC introduces new DNS records for a domain:
  • RRSIG – a signature ("hash") of a set of DNS records
  • DNSKEY – a public key that a resolver can use to validate RRSIG
» A DNSSEC-validating DNS resolver:
  • Uses DNSKEY to perform a hash calculation on received DNS records
  • Compares result with RRSIG records. If results match, records are the same as those transmitted. If the results do NOT match, they were potentially changed during the travel from the DNS server.
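The validation step on the slide above, as an added worked example written for this transcript (it is not code from the presentation or from the Internet Society): the zone operator signs an A RRset with an Ed25519 key (DNSSEC algorithm 15, RFC 8080), and a validating resolver rebuilds the same canonical wire bytes from the records it actually received and checks the RRSIG against the zone's DNSKEY public key, as RFC 4034 lays out. The 10.1.1.123 and 192.168.2.2 addresses follow the slides; the key pair, timestamps and key tag are constructed placeholder values, and the RRset handling is limited to A records to keep the example short.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
	"sort"
	"strings"
)

const typeA, classIN uint16 = 1, 1 // RR type A, class IN
const algEd25519 uint8 = 15        // DNSSEC algorithm 15 = Ed25519 (RFC 8080)

// wireName encodes a domain name in canonical (lower-case, uncompressed) wire form.
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0) // the root label terminates the name
}

// canonicalRRset serialises an A RRset in canonical form and sorts the RRs (RFC 4034
// section 6), so signer and validator hash identical bytes whatever order the records arrived in.
func canonicalRRset(owner string, ttl uint32, ips []string) []byte {
	var wires [][]byte
	for _, ip := range ips {
		var b bytes.Buffer
		b.Write(wireName(owner))
		binary.Write(&b, binary.BigEndian, typeA)
		binary.Write(&b, binary.BigEndian, classIN)
		binary.Write(&b, binary.BigEndian, ttl)
		rdata := net.ParseIP(ip).To4()
		binary.Write(&b, binary.BigEndian, uint16(len(rdata)))
		b.Write(rdata)
		wires = append(wires, b.Bytes())
	}
	sort.Slice(wires, func(i, j int) bool { return bytes.Compare(wires[i], wires[j]) < 0 })
	return bytes.Join(wires, nil)
}

// RRSIG holds the RDATA fields of an RRSIG record (RFC 4034 section 3.1).
type RRSIG struct {
	TypeCovered                    uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	KeyTag                         uint16
	SignerName                     string
	Signature                      []byte
}

// signedData is what is actually signed: the RRSIG RDATA minus the Signature
// field, followed by the canonical RRset (RFC 4034 section 3.1.8.1).
func signedData(sig RRSIG, owner string, ips []string) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, sig.TypeCovered)
	b.WriteByte(sig.Algorithm)
	b.WriteByte(sig.Labels)
	binary.Write(&b, binary.BigEndian, sig.OrigTTL)
	binary.Write(&b, binary.BigEndian, sig.Expiration)
	binary.Write(&b, binary.BigEndian, sig.Inception)
	binary.Write(&b, binary.BigEndian, sig.KeyTag)
	b.Write(wireName(sig.SignerName))
	b.Write(canonicalRRset(owner, sig.OrigTTL, ips))
	return b.Bytes()
}

// SignRRset is the zone operator's side: fill in the RRSIG's Signature field.
func SignRRset(priv ed25519.PrivateKey, sig RRSIG, owner string, ips []string) RRSIG {
	sig.Signature = ed25519.Sign(priv, signedData(sig, owner, ips))
	return sig
}

// ValidateRRset is the validating resolver's side: rebuild the signed data from the
// records it received and check the RRSIG with the zone's DNSKEY public key.
func ValidateRRset(pub ed25519.PublicKey, sig RRSIG, owner string, ips []string) bool {
	return ed25519.Verify(pub, signedData(sig, owner, ips), sig.Signature)
}

// Demo signs a constructed example.com A RRset (10.1.1.123, as in the slides) and validates
// both the genuine answer and a forged one (192.168.2.2) against the same RRSIG.
// The key pair, timestamps and key tag are placeholder values for this example.
func Demo() (genuineOK, forgedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := RRSIG{TypeCovered: typeA, Algorithm: algEd25519, Labels: 2, OrigTTL: 3600,
		Expiration: 1475000000, Inception: 1472000000, KeyTag: 12345, SignerName: "example.com."}
	genuine, forged := []string{"10.1.1.123"}, []string{"192.168.2.2"}
	sig = SignRRset(priv, sig, "example.com.", genuine)
	return ValidateRRset(pub, sig, "example.com.", genuine), ValidateRRset(pub, sig, "example.com.", forged)
}

func main() {
	g, f := Demo()
	fmt.Printf("genuine RRset validates: %v, forged RRset validates: %v\n", g, f)
}
```

The point a resolver operator should take from this is that the validator never trusts the bytes of the answer as such: it re-serialises what it received into canonical form and checks that the signature covers exactly those bytes, so an answer altered anywhere between the authoritative server and the resolver fails the check. A real validator additionally checks the RRSIG's inception and expiration times and resolves the DNSKEY itself through the chain of trust.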
A DNSSEC Interaction
[Diagram: Web Browser, DNS Resolver, DNS Svr root, DNS Svr .com, DNS Svr example.com, Web Server]
The Resolver walks root → .com → example.com as before. The example.com DNS Svr now returns 10.1.1.123 together with its DNSKEY and RRSIGs, and the Resolver validates the answer before returning 10.1.1.123 to the Web Browser, which then fetches https://example.com/ and receives the web page.

A DNSSEC Interaction
[Diagram: as above, with DS records added to the referrals]
The referrals now carry DS records alongside the NS records: the root answers ".com NS DS" and the .com DNS Svr answers "example.com NS DS". A DS record is the parent zone's signed pointer to the child zone's DNSKEY.
The Global Chain of Trust
[Diagram: same as the previous slide]
The DS record in each referral (root → .com, .com → example.com) lets the Resolver check each zone's DNSKEY against its parent, so the example.com answer (10.1.1.123 with DNSKEY and RRSIGs) is trusted through an unbroken chain from the root.

Attempting to Spoof DNS
[Diagram: as above, with an Attacking DNS Svr for example.com added]
The Attacking DNS Svr for example.com answers first with 192.168.2.2, accompanied by its own DNSKEY and RRSIGs.

Attempting to Spoof DNS
[Diagram: as above]
The attacker's DNSKEY is not the one the DS record in the .com referral vouches for, so the forged RRSIGs fail validation. The Resolver returns SERVFAIL to the Web Browser (step 4) instead of 192.168.2.2.
What DNSSEC Proves
• "These ARE the IP addresses you are looking for." (or they are not)
• Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user.
The Two Parts of DNSSEC
Signing: Registries, Registrars, DNS Hosting
Validating: ISPs, Enterprises, Applications
DNSSEC Signing - The Individual Steps
Registry:
  • Signs TLD
  • Accepts DS records
  • Publishes/signs records
Registrar:
  • Accepts DS records
  • Sends DS to registry
  • Provides UI for mgmt
DNS Operator (or "DNS Hosting Provider"):
  • Signs zones
  • Publishes all records
  • Provides UI for mgmt
Domain Name Registrant:
  • Enables DNSSEC (unless automatic)
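The DS records that appear in the referrals on the chain-of-trust slides, and the "Accepts DS records / Sends DS to registry" steps in the table above, come together in the following added example (written for this transcript, not the presenter's or ISOC's code). The DNS operator computes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4, digest type 2 per RFC 4509) over the zone's KSK; the registrar passes that DS up and the parent publishes it; a validator then checks the DNSKEY it receives from the child against the parent's DS. The DNSKEY public-key bytes are constructed placeholders, not a real key, and the owner name for example.com is written out inline in wire form.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// DNSKEY holds the RDATA of a DNSKEY record (RFC 4034 section 2.1).
type DNSKEY struct {
	Flags     uint16 // 257 = zone key + Secure Entry Point, i.e. a KSK
	Protocol  uint8  // always 3
	Algorithm uint8  // e.g. 15 = Ed25519
	PublicKey []byte
}

// rdata serialises the DNSKEY RDATA in wire form: flags, protocol, algorithm, key.
func (k DNSKEY) rdata() []byte {
	out := []byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}
	return append(out, k.PublicKey...)
}

// KeyTag computes the 16-bit key tag of RFC 4034 Appendix B; a validator uses it
// to pick the right DNSKEY when a zone publishes several.
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.rdata() {
		if i&1 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// DS holds the RDATA of a DS record published in the parent zone (RFC 4034 section 5.1).
type DS struct {
	KeyTag     uint16
	Algorithm  uint8
	DigestType uint8 // 2 = SHA-256 (RFC 4509)
	Digest     []byte
}

// MakeDS is what the DNS operator hands to the registrar: a SHA-256 digest over the
// owner name (wire form) followed by the DNSKEY RDATA, with digest type 2.
func MakeDS(ownerWire []byte, k DNSKEY) DS {
	h := sha256.New()
	h.Write(ownerWire)
	h.Write(k.rdata())
	return DS{KeyTag: k.KeyTag(), Algorithm: k.Algorithm, DigestType: 2, Digest: h.Sum(nil)}
}

// Matches is the validator's check at a delegation: does any DS published by the
// parent vouch for the DNSKEY the child zone actually served?
func Matches(parentDS []DS, ownerWire []byte, k DNSKEY) bool {
	for _, ds := range parentDS {
		if ds.DigestType != 2 || ds.KeyTag != k.KeyTag() || ds.Algorithm != k.Algorithm {
			continue
		}
		if bytes.Equal(MakeDS(ownerWire, k).Digest, ds.Digest) {
			return true
		}
	}
	return false
}

// Demo builds the delegation for a constructed example.com KSK and shows that an
// attacker's self-made DNSKEY fails against the DS the parent (.com) holds.
// Both key byte strings are placeholders, not real keys.
func Demo() (genuineOK, attackerOK bool) {
	owner := []byte("\x07example\x03com\x00") // example.com. in wire form
	genuine := DNSKEY{Flags: 257, Protocol: 3, Algorithm: 15, PublicKey: bytes.Repeat([]byte{0xA5}, 32)}
	attacker := DNSKEY{Flags: 257, Protocol: 3, Algorithm: 15, PublicKey: bytes.Repeat([]byte{0x5A}, 32)}
	parentDS := []DS{MakeDS(owner, genuine)} // what .com publishes once the registrar sends the DS up
	return Matches(parentDS, owner, genuine), Matches(parentDS, owner, attacker)
}

func main() {
	owner := []byte("\x07example\x03com\x00")
	k := DNSKEY{Flags: 257, Protocol: 3, Algorithm: 15, PublicKey: bytes.Repeat([]byte{0xA5}, 32)}
	ds := MakeDS(owner, k)
	fmt.Printf("example.com. IN DS %d %d %d %s\n", ds.KeyTag, ds.Algorithm, ds.DigestType, hex.EncodeToString(ds.Digest))
	g, a := Demo()
	fmt.Printf("genuine key matches parent DS: %v, attacker key matches parent DS: %v\n", g, a)
}
```

The check in Matches is why the registrar and registry steps in the table matter operationally: if the DS at the parent is stale (for example after a KSK rollover where the new DS was never sent up), validators see exactly the same failure as in the spoofing case and answer SERVFAIL for the whole zone.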
DNSSEC and TLS/SSL
Why Do I Need DNSSEC If I Have TLS?
• A common question: why do I need DNSSEC if I already have a SSL certificate? (or an "EV-SSL" certificate?)
• Transport Layer Security (TLS), sometimes called by its older name of "SSL", solves a different issue – it provides encryption and protection of the communication between the browser and the web server
The Typical TLS Web Interaction
[Diagram: Web Browser, DNS Resolver, DNS Svr root, DNS Svr .com, DNS Svr example.com, Web Server]
The Web Browser asks the Resolver: example.com? The Resolver walks root → .com → example.com, gets 10.1.1.123 and returns it to the Web Browser, which then fetches https://example.com/ from the Web Server and receives a TLS-encrypted web page.
The Typical TLS Web Interaction
[Diagram: same as the previous slide]
Same flow: the Web Browser resolves example.com to 10.1.1.123 and receives a TLS-encrypted web page from the Web Server. But: is this encrypted with the CORRECT certificate?
What About This?
[Diagram: Web Browser, DNS Server, Firewall (or attacker), Web Server]
1. The Web Browser asks the DNS Server: www.example.com?
2. The DNS Server answers 1.2.3.4
The Web Browser sends https://www.example.com/ towards 1.2.3.4, but a Firewall (or attacker) sits in the path. The Web Server returns a TLS-encrypted web page with the CORRECT certificate; the Firewall re-signs it and passes on a TLS-encrypted web page with a NEW certificate (re-signed by firewall).

Problems?
[Diagram: same as the previous slide, with the middlebox labelled simply Firewall]
Problems?
[Diagram: as above, with the Firewall also feeding "Log files or other servers"]
Having re-signed the session, the Firewall can also pass the traffic to log files or other servers, potentially including personal information.
Issues
» A Certificate Authority (CA) can sign ANY domain.
» Now over 1,500 CAs – there have been compromises where valid certs were issued for domains.
» Middle-boxes such as firewalls can re-sign sessions.
DNS-Based Authentication of Named Entities (DANE)
» Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use?
» A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC.
» An application that understands DNSSEC and DANE will then know when the required certificate is NOT being used.
» Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA – or a self-signed certificate.
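The TLSA comparison this slide describes, as an added example written for this transcript (not code from the presentation): the domain holder publishes a "3 1 1" TLSA record (usage 3 DANE-EE, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256, per RFC 6698) for the certificate it wants clients to accept, and the DANE-aware client compares the certificate presented in the TLS handshake against that record. Both certificates are throw-away self-signed certificates generated at run time to stand in for the genuine server certificate and for the one a re-signing firewall would present; neither is a real example.com certificate, and the DNSSEC validation of the TLSA record itself is assumed to have already happened before Matches is called.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RDATA of a TLSA record (RFC 6698 section 2.1).
type TLSA struct {
	Usage    uint8  // 3 = DANE-EE: the record pins the end-entity certificate itself
	Selector uint8  // 0 = full certificate, 1 = SubjectPublicKeyInfo
	Matching uint8  // 0 = exact data, 1 = SHA-256, 2 = SHA-512
	Data     []byte // certificate association data
}

// selected returns the part of the certificate the Selector field refers to.
func selected(cert *x509.Certificate, selector uint8) []byte {
	if selector == 1 {
		return cert.RawSubjectPublicKeyInfo
	}
	return cert.Raw
}

// MakeTLSA is the domain holder's side: build the "3 1 1" record (DANE-EE, SPKI,
// SHA-256) for the certificate the site wants clients to accept; the record is
// then published in DNS and signed with DNSSEC.
func MakeTLSA(cert *x509.Certificate) TLSA {
	sum := sha256.Sum256(selected(cert, 1))
	return TLSA{Usage: 3, Selector: 1, Matching: 1, Data: sum[:]}
}

// Matches is the DANE-aware client's side: compare the certificate presented in
// the TLS handshake with what the DNSSEC-validated TLSA record says it should be.
func Matches(record TLSA, presented *x509.Certificate) bool {
	data := selected(presented, record.Selector)
	switch record.Matching {
	case 0:
		return bytes.Equal(data, record.Data)
	case 1:
		sum := sha256.Sum256(data)
		return bytes.Equal(sum[:], record.Data)
	}
	return false // SHA-512 and unknown matching types are left out of this example
}

// selfSigned issues a throw-away self-signed certificate for example.com. It stands in
// both for the real server certificate and for the one a re-signing middlebox would
// present; neither is a real example.com certificate.
func selfSigned() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.com"},
		DNSNames:     []string{"example.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo publishes a TLSA record for the genuine certificate, then checks both that
// certificate and a middlebox's substitute (necessarily a different key) against it.
func Demo() (genuineOK, resignedOK bool) {
	genuine, err := selfSigned()
	if err != nil {
		panic(err)
	}
	resigned, err := selfSigned() // the firewall does not hold the server's private key
	if err != nil {
		panic(err)
	}
	record := MakeTLSA(genuine)
	return Matches(record, genuine), Matches(record, resigned)
}

func main() {
	cert, err := selfSigned()
	if err != nil {
		panic(err)
	}
	r := MakeTLSA(cert)
	fmt.Printf("_443._tcp.example.com. IN TLSA %d %d %d %s\n", r.Usage, r.Selector, r.Matching, hex.EncodeToString(r.Data))
	g, f := Demo()
	fmt.Printf("genuine certificate matches: %v, re-signed certificate matches: %v\n", g, f)
}
```

Selector 1 (SPKI) rather than selector 0 (full certificate) is the usual operational choice, since a certificate can be renewed with the same key pair without the TLSA record changing; a middlebox re-signing the session cannot reproduce the server's public key, so either selector catches the substitution shown on the firewall slides.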
A Powerful Combination
• TLS = encryption + limited integrity protection
• DNSSEC = strong integrity protection
• How to get encryption + strong integrity protection?
• TLS + DNSSEC = DANE
DANE
[Diagram: Web Browser w/DANE, DNS Server, Firewall (or attacker), Web Server]
1. The Web Browser w/DANE asks the DNS Server: example.com?
2. The DNS Server answers 10.1.1.123 together with DNSKEY, RRSIGs and a TLSA record
The Web Server returns https://example.com/ as a TLS-encrypted web page with the CORRECT certificate; the Firewall (or attacker) in the path re-signs it with a NEW certificate and may pass traffic to log files or other servers. The DANE-equipped browser compares the TLS certificate with what DNS / DNSSEC says it should be.
DANE Success – Not Just For The Web
» SMTP
  • 1000+ SMTP servers with TLSA records
  • http://dane.sys4.de/ - testing service
» XMPP (Jabber)
  • 400+ servers
  • client-to-server & server-to-server
  • https://xmpp.net/reports.php#dnssecdane
DANE Resources
» DANE Overview and Resources:
  • http://www.internetsociety.org/deploy360/resources/dane/
» IETF Journal article explaining DANE:
  • http://bit.ly/dane-dnssec
» RFC 6394 - DANE Use Cases:
  • http://tools.ietf.org/html/rfc6394
» RFC 6698 – DANE Protocol:
  • http://tools.ietf.org/html/rfc6698
Business Reasons For Deploying DNSSEC
» TRUST – You can be sure your customers are reaching your sites – and that you are communicating with their servers.
» SECURITY – You can be sure you are communicating with the correct sites and not sharing business information with attackers, ex. email hijacking.
» INNOVATION – Services such as DANE built on top of DNSSEC enable innovative uses of TLS certificates.
» CONFIDENTIALITY – DANE enables easier use of encryption for applications and services that communicate across the Internet.
Three Requests For Participants
1. Deploy DNSSEC validation (or ask your IT team / network operator)
2. Sign your domains
  • Work with your registrar and/or DNS hosting provider to make this happen.
3. Help promote support of DANE protocol
  • Let browser vendors and others know you want to use DANE. If you use SSL, deploy a TLSA record if you are able to do so. Help raise awareness of how DANE and DNSSEC can make the Internet more secure.
Internet Society Deploy360 Programme
» Providing real-world deployment info for IPv6, DNSSEC and other Internet technologies:
  • Case Studies
  • Tutorials
  • Videos
  • Whitepapers
  • News, information
» www.internetsociety.org/deploy360/
Thank you
» www.internetsociety.org/deploy360/dnssec/
» Dan York york@isoc.org @danyork