What We are Learning About DNS Security: DNSSEC and Much More..

What We are Learning
About DNS Security
DNSSEC and Much More

7/27/2011

Edward Lewis
Director, Member of Technical Staff

1 © Neustar Inc. / Proprietary and Confidential

8/1/2011

Joseph is unhappy about my talk
» This is the first day since
my son was born that I
have not been home
» He's 6 1/2 months old
» When I told him I'd be
away July 27, he had
this frown
» This talk is dedicated to
» Still, it is an honor to be
little Joe
invited to speak here
today


8/1/2011

Agenda
»The significance of DNSSEC

»What you should be doing about DDoS

»What you need to do


8/1/2011

In the Wake of DNSSEC
» The protocol and code has been strengthened
» We've improved the state of operations
» Cooperation has become very important


8/1/2011

Briefly, What is DNSSEC?
»DNSSEC is an add-on to the DNS protocol
»It adds information to DNS answers that provide
proof that the data is genuine
» DNSSEC is like automobile safety belts for DNS
»The greatest benefit is preventing ISP caches from
accepting forged answers, misdirecting customers


8/1/2011

Protocol Strengthening
» The DNS protocol, as specified, is a very weak
base to secure

» One of the benefits of DNSSEC is that is made us
take a critical look at the protocol

DNSSEC


8/1/2011

Why securing DNS is so hard
»DNS goals are
» global scale, fast response, high availability
»It's a crowd, not one person


8/1/2011

...and...
»The original specifications are informal, incomplete
» Leading to a wide range of interpretations
» And thus a wide range of different implementations
» Rely on the memories of the "old guys"


8/1/2011

Updates to DNS
»Security throughout the DNS
» Data Loading (EPP & WhoIs-related too)
» Data Replication (zone transfers)
» Queries and Responses (e.g., DNSSEC, TSIG, wild card)

»New code, new code everywhere
»And new ways to operate


8/1/2011

What DNSSEC got right
»DNSSEC is a technical success
»DNSSEC was designed with adoption by transition
in mind
» This is what IPv6 lacks
»But adoption by slow transition is not easy and
requires patience, it's a good plan and a lot of
execution
» Slow adoption is a beneficial thing, a feature, really!
»And the path to DNSSEC's completion can teach
us much about security improvements


8/1/2011

Strengthening Cooperation
»When teaching the ISO seven layer protocol
model I came across this in an old textbook
» There are times when it is necessary to handle an error in
the layer above the one you are designing
»Translating this into DNS and security events
» Duringtimes of attack, out-of-band coordination must
have already been established


8/1/2011

Coordinate?
»Who?: Anyone that teams in a defense
» Government and Private Industry
» Competitors
» Across borders and oceans
»When?
» Strategicand tactical
» Frequently, openly
» During exercises, events

»Where?
» Conferences, workshops
» In-person meetings at offices
» And don't forget - happy hours!

8/1/2011

Government - Industry cooperation
»Government and Industry relationship is important
»Government learns from experts in industry
»Government always maintains legal authority
»Government provides leadership in mandates and
funding
»Industry provides innovation and takes the risk


8/1/2011

DDoS
»You can be a target of a DDoS
» Solutions include capacity, reserves, and traffic scrubbing
»You can be used to launch a DDoS
» Open recursive servers can reflect and amplify an attack
»(You could also be the attacker...;))


8/1/2011

Anti-DDOS
»Expertise is needed to defend against these
attacks
» Target owners, ISPs and other security entities have this
»This is why cooperation, set up ahead of time, is
critical

»If you need to "click here" ... it is too late for you!


8/1/2011

Failure to set up cooperation
»There are two possible outcomes
»"Fail closed" and not respond adequately
» Examples are one person having a password and being
on vacation when the attack happens
»"Fail open" and be open to be fooled (social
engineered) by an attacker
» Examples are attackers causing a diversion and then
acting as "first responders"/emergency workers to monitor
damage and adjust attacks


8/1/2011

Securing the DNS system
»The DNS is spread amongst many elements
» Registries,registrars, web hosters, dns operators
» ISPs, open/remote recursive servers
» Policy elements, law enforcement

»Each element can self-secure, but end-to-end
security is also needed
»This is one final push to form cooperative groups!


8/1/2011

Better DNS & cooperation is not enough
»Attacks will happen
»Defenses will not stop all damage
» If a defense stops all attacks, it is probably too tight!
»This makes logging or tracing activity an important
element


8/1/2011

What do we learn from logging events
»The information left behind by an attack is valuable
»We learn the techniques
»We learn the level of sophistication
»We learn the weaknesses of the attack
»We learn how the attackers are learning
»We learn who the attackers are

»We might even be able to convict and punish them


8/1/2011

A stronger system
»DNS is becoming a stronger system
»We know it takes more than a good protocol,
because "good" depends on the way you measure
»We know it takes world-wide cooperation and in-
depth cooperation to run a network that opens
communication without letting it be overrun with
abuse
»We want citizens to have access to government
services to help their lives, not gangs like
ANONYMOUS to disrupt lives


8/1/2011

What You Need to Do to Prepare
»Learn about DNSSEC
» It's like getting used to
seatbelts
» It's not scary but it takes work

»And begin to get to know
others in the Industry &
Government
» Help defend the network


What We are Learning About DNS Security: DNSSEC and Much More..

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (8)

Similar to What We are Learning About DNS Security: DNSSEC and Much More..

Similar to What We are Learning About DNS Security: DNSSEC and Much More.. (20)

Recently uploaded

Recently uploaded (20)

What We are Learning About DNS Security: DNSSEC and Much More..