Date posted: 17-Jan-2018
By Team Trojans-1: Arjun Ashok, Priyank Mohan, Balaji Thirunavukkarasu
Agenda
- DNS & its structure
- DNS threats
- DNSSEC
- Trust models for key validation
- DNSSEC vulnerabilities
- DNSSEC roadblocks
- Alternatives to DNS security
- The road ahead
Domain Name System (DNS)
- Hierarchical distributed database which provides the service of translating domain names to IP addresses.
- Follows a hierarchical tree structure, analogous to the Unix file system.
DNS Threats
- Packet interception
- Name chaining
DNS Communication
- Denial of service
- Brute force
DNSSEC
- First introduced in RFC 2535, "Domain Name System Security Extensions", in 1999.
- Provides authentication and integrity of DNS data.
- Authentication of Name Server (NS) data by the resolver.
- Integrity of data is checked through a signed hash of the data, verified with the zone's public key; the resolver is configured with the public keys of the NSs.
- A resolver that knows the zone's public key can verify the signature and authenticate the DNS response.
- Can be visualized as a sealed transparent envelope: the sender applies the seal to the envelope, not to the message.
Trust Models for Key Validation: a tree-based approach
- Follows a strict chain/hierarchy of trust.
- A zone's public key is considered valid only if it is signed by its parent.
- Disadvantages: creates a single point of failure, and places all the peer zones under the same umbrella of security.

Trust Models for Key Validation: a web-of-trust approach
- Allows servers to choose their own trust relationships.
- A public key is considered valid as long as it has been signed by another server.
- No single point of failure; robust and scalable.
- Disadvantage: an impersonated malicious zone can create its own set of keys and establish a trust relationship.
DNSSEC Vulnerabilities
- Zone private/public key compromise: key compromise can lead to an entire sub-domain being marked as bogus.
- A server's current time could be changed in order to validate expired signatures, hence there should be some means to sync the time between primary and secondary servers.
- An attacker can spoof an entire zone server by querying the NSEC RRs, which store an ordered list of all the existing domain names.
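The tree-based trust model from the previous slides, together with the key-compromise and clock points above, can be tried out in the following Go program. It is an added example and not part of the original deck: the Zone and RRSig types, the NewZone, Delegate and ValidateChain helpers and the byte layout they sign are simplified stand-ins, not DNS wire format, although Ed25519 itself is a real DNSSEC signing algorithm (number 15). A resolver holding the root key as its trust anchor walks root -> org. -> example.org.; a child key the parent's DS does not vouch for, a signature outside its validity window, or a DS left stale after a key change all leave that zone and everything below it bogus.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// RRSig is a simplified signature record: validity window plus signature bytes.
type RRSig struct {
	Inception, Expiration time.Time
	Sig                   []byte
}

// Zone holds what one zone publishes in this model (not DNS wire format).
type Zone struct {
	Name  string
	Pub   ed25519.PublicKey  // the zone's DNSKEY (Ed25519 is DNSSEC algorithm 15)
	priv  ed25519.PrivateKey // kept by the zone operator, never sent to resolvers
	DS    map[string][]byte  // child name -> digest of the child's DNSKEY
	DSSig map[string]*RRSig  // child name -> this zone's signature over that DS entry
}

// NewZone generates a fresh key pair for a zone (hypothetical helper).
func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv, DS: map[string][]byte{}, DSSig: map[string]*RRSig{}}
}

// dsDigest mirrors a DS record: a hash over the child's name and DNSKEY.
func dsDigest(childName string, pub ed25519.PublicKey) []byte {
	sum := sha256.Sum256(append([]byte(childName), pub...))
	return sum[:]
}

// signedBytes is what the parent signs for one DS entry: name, digest, validity window.
func signedBytes(childName string, digest []byte, inc, exp time.Time) []byte {
	b := append([]byte(childName), 0)
	b = append(b, digest...)
	b = append(b, inc.UTC().Format(time.RFC3339)...)
	b = append(b, 0)
	return append(b, exp.UTC().Format(time.RFC3339)...)
}

// Delegate publishes a signed DS entry for child in parent zone p.
func (p *Zone) Delegate(child *Zone, inception, expiration time.Time) {
	ds := dsDigest(child.Name, child.Pub)
	p.DS[child.Name] = ds
	sig := ed25519.Sign(p.priv, signedBytes(child.Name, ds, inception, expiration))
	p.DSSig[child.Name] = &RRSig{Inception: inception, Expiration: expiration, Sig: sig}
}

// ValidateChain applies the tree-based trust model: chain[0] must match the resolver's
// configured trust anchor, and each child key is accepted only because its parent
// published and signed a DS for it that is valid at time now.
func ValidateChain(anchor ed25519.PublicKey, chain []*Zone, now time.Time) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	if !chain[0].Pub.Equal(anchor) {
		return fmt.Errorf("%s: DNSKEY does not match the configured trust anchor", chain[0].Name)
	}
	for i := 0; i+1 < len(chain); i++ {
		parent, child := chain[i], chain[i+1]
		ds, ok := parent.DS[child.Name]
		if !ok {
			return fmt.Errorf("%s: no DS for %s (unsigned delegation)", parent.Name, child.Name)
		}
		sig := parent.DSSig[child.Name]
		if now.Before(sig.Inception) || now.After(sig.Expiration) {
			return fmt.Errorf("%s: DS signature for %s outside its validity window", parent.Name, child.Name)
		}
		if !ed25519.Verify(parent.Pub, signedBytes(child.Name, ds, sig.Inception, sig.Expiration), sig.Sig) {
			return fmt.Errorf("%s: DS signature for %s does not verify: bogus", parent.Name, child.Name)
		}
		if !bytes.Equal(dsDigest(child.Name, child.Pub), ds) {
			return fmt.Errorf("%s: DNSKEY of %s does not match parent's DS: bogus", parent.Name, child.Name)
		}
	}
	return nil
}

func main() {
	now := time.Date(2018, 1, 17, 12, 0, 0, 0, time.UTC)
	root, org, example := NewZone("."), NewZone("org."), NewZone("example.org.")
	root.Delegate(org, now.Add(-time.Hour), now.Add(24*time.Hour))
	org.Delegate(example, now.Add(-time.Hour), now.Add(24*time.Hour))
	fmt.Println("honest chain:", ValidateChain(root.Pub, []*Zone{root, org, example}, now))
	// org. regenerates its key but the root's DS still names the old one: org. and
	// everything beneath it become bogus (the single point of failure of the tree model).
	rolled := NewZone("org.")
	rolled.Delegate(example, now.Add(-time.Hour), now.Add(24*time.Hour))
	fmt.Println("stale DS:", ValidateChain(root.Pub, []*Zone{root, rolled, example}, now))
}
```

The validity-window check is why the deck insists on synchronized clocks: a resolver whose clock is moved forward or back will accept or reject signatures it should not, and the check is only as trustworthy as the time it is compared against.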
Roadblocks and Challenges
- It is infeasible to implement a PKI infrastructure: no third-party authority of trust (CA) exists in DNSSEC, which is highly dependent on private key usage.
- Trade-off between performance and security.
- It is difficult to ensure all the servers have the updated keys: servers high up in the hierarchy are unaware of the state of the child nodes, and all servers need to be online within a specified time frame in order to receive the updated keys.
Alternatives to DNSSEC: name server software
- Configuration and maintenance of the name server to avoid DoS and attacks such as zone transfer, packet flooding and ARP spoofing.
- To counter these attacks, the following steps are implemented: using a secure OS, using software to check the integrity of zone files, and restricting access privileges on the name server.
Contd.: TSIG (Transaction Signature)
- Involves mutual authentication of servers based on a shared secret key; on the sender's side it employs an HMAC.
- Threats avoided by TSIG
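The shared-secret mechanism on this slide, as an added Go example that is not part of the original deck: the sender computes an HMAC-SHA256 over the message plus the key name and time fields, and the receiver recomputes it with the same secret, compares in constant time, and rejects anything signed too far from its own clock. The TSIGRecord type, the macInput byte layout and the SignMessage/VerifyMessage helpers are simplified stand-ins for the real record (RFC 2845 also carries the algorithm name, original message ID, error and other data); the error names BADKEY, BADSIG and BADTIME are the real TSIG error codes. The message bytes are constructed sample data, not a real wire-format query.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// TSIGRecord holds the fields this model takes from a TSIG record: key name,
// time signed, fudge and the MAC (real records carry more, omitted here).
type TSIGRecord struct {
	KeyName    string
	TimeSigned uint64 // seconds since the Unix epoch, taken from the signer's clock
	Fudge      uint16 // seconds of clock difference the verifier tolerates
	MAC        []byte
}

// macInput is the data covered by the MAC: the DNS message followed by the key
// name and time fields, so a change to any of them invalidates the MAC.
func macInput(msg []byte, keyName string, timeSigned uint64, fudge uint16) []byte {
	var ts [8]byte
	var fd [2]byte
	binary.BigEndian.PutUint64(ts[:], timeSigned)
	binary.BigEndian.PutUint16(fd[:], fudge)
	b := append([]byte{}, msg...)
	b = append(b, keyName...)
	b = append(b, ts[:]...)
	return append(b, fd[:]...)
}

// SignMessage is the sender's side: HMAC-SHA256 over the message with the shared secret.
func SignMessage(msg []byte, keyName string, secret []byte, now time.Time, fudge uint16) TSIGRecord {
	ts := uint64(now.Unix())
	m := hmac.New(sha256.New, secret)
	m.Write(macInput(msg, keyName, ts, fudge))
	return TSIGRecord{KeyName: keyName, TimeSigned: ts, Fudge: fudge, MAC: m.Sum(nil)}
}

// VerifyMessage is the receiver's side; keys maps key names to shared secrets.
// The MAC is compared in constant time, then a TimeSigned further from the
// receiver's clock than Fudge allows is rejected, which limits replay of old messages.
func VerifyMessage(msg []byte, rec TSIGRecord, keys map[string][]byte, now time.Time) error {
	secret, ok := keys[rec.KeyName]
	if !ok {
		return errors.New("BADKEY: unknown key name")
	}
	m := hmac.New(sha256.New, secret)
	m.Write(macInput(msg, rec.KeyName, rec.TimeSigned, rec.Fudge))
	if !hmac.Equal(m.Sum(nil), rec.MAC) {
		return errors.New("BADSIG: MAC does not verify")
	}
	skew := now.Unix() - int64(rec.TimeSigned)
	if skew < 0 {
		skew = -skew
	}
	if skew > int64(rec.Fudge) {
		return fmt.Errorf("BADTIME: signed %d s away from local clock, fudge is %d s", skew, rec.Fudge)
	}
	return nil
}

func main() {
	// Constructed sample standing in for a zone transfer request from a secondary server.
	msg := []byte("AXFR example.org.")
	secret := []byte("constructed-shared-secret")
	keys := map[string][]byte{"xfer-key.example.org.": secret}
	now := time.Date(2018, 1, 17, 12, 0, 0, 0, time.UTC)
	rec := SignMessage(msg, "xfer-key.example.org.", secret, now, 300)
	fmt.Println("genuine:", VerifyMessage(msg, rec, keys, now.Add(30*time.Second)))
	fmt.Println("modified:", VerifyMessage([]byte("AXFR other.org."), rec, keys, now))
	fmt.Println("replayed later:", VerifyMessage(msg, rec, keys, now.Add(20*time.Minute)))
}
```

Because the fudge window is measured against the receiver's clock, TSIG between a primary and its secondaries depends on the same time synchronization the vulnerabilities slide calls for: a skewed clock turns valid transfers into BADTIME failures or widens the replay window.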
Road Ahead
- The main hindrance in adopting DNSSEC: implementation complexity and scalability.
- To overcome this, the Software64 DNS signer is used to automate processes like key generation, backup, restoration, rollover and zone signing in the configuration file.
- Higher scalability is achieved using high-speed crypto algorithms: 6,000 RSA operations/sec with a 1024-bit key.
- Another improvement is the implementation of DNSSEC down to the client stub resolver level (user level).
QUESTIONS