Posted: 14-Apr-2017 | Category: Business | Uploaded by: cybera-inc
DOMAINS (and the Domain Name System)
Why are we looking at this
The DNS is as old as WWW so why do we need to learn about it?
Because of this… and because of this (slide images). Source: Arbor Networks Digital Attack Map (digitalattackmap.com)
First, a stark reality
94% of higher education websites are exposed to DNS outages
100% are candidates for DNS hijacking
WHO IS CIRA?
• The Canadian Internet Registration Authority (CIRA) manages a 100% up time service - the .CA domain name registry for over 2.4 million domains
• Provide DNS for .CA, answering 3 billion DNS queries per month
• CIRA is a non-profit member-driven organization of 75 employees and an elected 12-person board
• CIRA supports the growth of a strong and reliable Internet for all Canadians by investing in Internet projects, and helping to represent Canadian Internet interests around the world
The organization responsible for a critical part of the Internet infrastructure is expanding its services to help organizations secure their DNS systems in Canada
In short
Manage the .CA domain
Provide infrastructure and services
Do good things for the Internet
Agenda
• Best practices for protecting your domain name
• Best practices for protecting your domain’s DNS
• What is happening with new gTLDs (and why it matters to your domain)
Domain Name Protection
Owning a domain requires good parenting skills
Domain Hijacking
• Domain hijacking could be the act of a hacker using social engineering to trick the technical support workers at a registrar (like GoDaddy, Webnames, Domains at Cost, etc.) into making critical changes to the DNS.
• Or it can be the malicious act of someone within your organization
It looks like this…
…or this
Recent Domain Name Hijackings
• The dancing banana appeared on the City of Ottawa website (apparently) in response to the arrest of a person for SWATting and other nuisance cyber crimes
• The smoking lizard appeared on Air Malaysia’s website just as it was trying to recover from two high profile crashes.
What is common with these? They are not traditional targets. They aren’t Microsoft, they aren’t e-commerce sites and they aren’t banks.
The responsibility for locking the domain rests with the IT Administrator
• Domain locking is a manual process in a cloud world because it provides the highest level of protection
– Not an application – Not a vendor
• Highest security Lock Flag placed on your domain that prevents any changes. Turned on and off by CIRA (or other Registries).
Registry Lock
• When Registry Lock is applied to a domain name, no attributes of the domain are changeable and no transfer or deletion transactions can be processed against the domain name, with the exception of renewals. .CA, .com, and others all offer this service.
• If the Registrant wishes to make any changes to their domain, the Registrant must first work with their Registrar, who will in turn work with the .CA Registry.
• The .CA Registry will respond to any lock and unlock requests in under one hour (typically under 5 mins), on a 24x7 basis, so accessing your .CA domain name is not an administrative burden.
Unlock workflow:
1. Registrant requests unlocking
2. Registrar: key contacts use admin protocols to authenticate with CIRA
3. CIRA unlocks the domain for the prescribed period of time
Four top tips for managing your domain
1. Conduct a good domain name audit
2. Know your Registrar(s)
3. Keep your .CA contact information current
4. Don't lose control: Renew your domain name
We learn a lot by managing a technical support desk. These tips are based on the hundreds of calls we field every day.
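Two of the checks above (is Registry Lock actually applied, and is the domain close to expiry) can be audited from a domain's RDAP record. This is an added example, not CIRA's code: the RDAP document, the domain name and the dates are constructed sample data, and the status names are the RDAP spellings of the EPP server*Prohibited / clientTransferProhibited codes.

```python
"""Domain hygiene audit over an RDAP lookup result (added example)."""
from datetime import datetime, timedelta

# RDAP status values that correspond to a registry-applied lock.
REGISTRY_LOCK = {"server update prohibited",
                 "server transfer prohibited",
                 "server delete prohibited"}
# Registrar-applied transfer lock ("security tools provided by your Registrar").
REGISTRAR_LOCK = {"client transfer prohibited"}

# Constructed sample RDAP response for a fictional domain (not real data).
SAMPLE_RDAP = {
    "ldhName": "example-university.ca",
    "status": ["client transfer prohibited", "active"],
    "events": [
        {"eventAction": "registration", "eventDate": "2010-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2017-05-10T00:00:00Z"},
    ],
}

def parse_time(iso_z):
    """Parse an RDAP timestamp such as 2017-05-10T00:00:00Z."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))

def expiry(rdap):
    """Return the expiration datetime from the RDAP events, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            return parse_time(ev["eventDate"])
    return None

def audit(rdap, now, warn_days=60):
    """Return a list of findings; an empty list means the domain passes."""
    findings = []
    status = set(rdap.get("status", []))
    missing = REGISTRY_LOCK - status
    if missing:
        findings.append("no Registry Lock: missing " + ", ".join(sorted(missing)))
    if not REGISTRAR_LOCK & status:
        findings.append("registrar transfer lock not set")
    exp = expiry(rdap)
    if exp is None:
        findings.append("no expiration event in RDAP record")
    elif exp - now <= timedelta(days=warn_days):
        findings.append(f"expires in {(exp - now).days} days ({exp.date()})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RDAP, parse_time("2017-04-14T00:00:00Z")):
        print("WARN:", finding)
```

Run it against the JSON returned by your registry's RDAP endpoint to turn the talk's "lock it and renew it" advice into a repeatable check.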
Good domain hygiene Oops!
Other Tips and Tricks
1. Don’t let a supplier register your domains
2. Select the right Registrant and Administrative Contacts
3. Avoid free email services
4. Password selection and storage
5. Use security tools provided by your Registrar
6. Whitelist the domain names for your service providers (eg GoDaddy)
These sound simple, they are important, and they cause problems to somebody every single day
BEST PRACTICES FOR THE DNS (the Achilles heel of the Internet)
What does the DNS mean to an Education IT Administrator
Everything that depends on DNS: website, email, courses, schedules, accounting, maintenance, e-learning, assignment submissions, conferences, researcher profiles, co-op programs, faculty microsites, satellite campuses
EXTERNAL DNS IS VULNERABLE
• Failures – equipment, network, power etc.
• DDoS attacks
– 10% of all attacks are directed at the DNS
– DNS resources can be flooded in any type of attack
• High latency – global lookups, local DNS servers
Authoritative external DNS infrastructure is vulnerable to failures, attack and performance issues
DNS IS MISSION CRITICAL
• During a DNS outage websites, web applications, and email are down
• DNS outages result in brand damage and/or lost revenue
– Losses range from hundreds to millions of dollars per hour
– Damage to reputation is another cost
• DNS lookups contribute to website performance
– 40% of people abandon a website after only 3 seconds
– Amazon calculated that a 1 second increase in page load time would result in $1.6 billion in lost revenue per year
– Google calculated a 400ms delay in returning search results would result in 8 million fewer searches per day
DNS is a mission critical service that requires 100% uptime and low latency
STRENGTHEN DNS WITH ANYCAST
Unicast – Traditional DNS deployments
• Nameservers are implemented on single nodes, each with a unique IP address
Anycast – Adding resiliency to your DNS
• Nameservers are implemented on multiple geographically distributed nodes that share a single IP address
• Layer 3 routing sends packets to the geographically nearest nameserver
• Built in redundancy, failover and load distribution
(diagram: UNICAST vs ANYCAST)
CHALLENGES WITH ANYCAST
Anycast is expensive to setup and operate
• High capital expense, high operating expense, complex to manage
• Commercial offerings are available as a service
• CIRA saw that no commercial organizations were providing a solution for Canada’s Internet
A GLOBAL ANYCAST DNS SERVICE THAT PUTS CANADA AND CANADIAN TRAFFIC FIRST
Location – Cloud
Miami, FL – 1
Los Angeles, CA – 1
London, UK – 1
Hong Kong, CN – 1
Calgary, AB – 1
Montreal, QC – 1
Toronto, ON – 1
Winnipeg, MB – 1
Vancouver, BC – 2
Montreal, QC – 2
Toronto, ON – 2
Halifax – 2
University Customer Example
1000 queries per minute, 40M queries per month
60% Canadian, 20% US, 20% Europe
Summary on Anycast DNS
• If you aren’t currently using anycast, then it is worth an investigation
• CIRA delivers an anycast solution called D-Zone that several Canadian universities have added to their infrastructure
• We are on the show floor and interested in getting every institution in this room on board – it takes less than ten minutes to set up and if it saves one outage, “the service pays for itself many times over”
In summary
• Follow the tips and tricks to avoid administrative headaches and mitigate the risk of bad actors bringing down your applications or embarrassing your institution
• Unicast is old. Get an anycast DNS solution to improve the performance, resilience, and DDoS protection for your site
Protecting your domains and websites requires the consistent application of best practices – like parenting
D-ZONE Anycast DNS
• Contact Mark Gaudet or Shawn Beaton for more information on participating in an enterprise trial of D-Zone Anycast DNS.
Mark Gaudet
Manager, Business Development
Canadian Internet Registration Authority (CIRA)
Tel: (613) 237-5335 x 223
Cell: (613)-799-5789
www.cira.ca
CIRA is inviting CANHEIT participants to evaluate D-Zone
Sign up today and receive wireless Bluetooth headphones (no commitment).