SlideShare une entreprise Scribd logo

dns-sec-4-slides

kj teoh
kj teoh
1  sur  4
Télécharger pour lire hors ligne
DNS Lookups - How DNS Generally Works – NOT DNS SEC DNS is probably one of the most poorly understood protocols and its probably because it has many “faces”. The following example is an overview of how its all held together by Internet cloth. You send a “name”, you expect an IPv4 or IPv6 in return. www google.com.my a-m.root.servers .com.root.servers .com.my.root.servers ns.google.com.my root.hints file a.root.server xxx b.root.server yyy .. m.root.server.zzz ISP Recursive DNS Server 1 2 3 4 User will query ISP DNS who in turn refers to root.hints in local system 1. a-m.root servers queried for .com.my they will return with a list of .com.root servers 2. query goes to .com.root servers and a list is returned for .com.my.root 3. query goes to .com.my.root servers and a specific list is returned for ns.google.com.my 4. query goes to ns.google.com.my and a “A” record is returned (or AAAA) Onces this happens / completes, your ISP will cache the records for a specific period and does not have to repeat the entire process again and again. For some real samples, do “dig isc.org +trace” UDP/53 IPv4/IPv6 149.20.64.69 Zone Record www A 149.20.64.69 mail A xxx.yyy ftp A yyy.zzz May transport on IPv6 anycast / unicast Glue Records May transport on IPv4 but query for AAAA record or vice-versa
DNS Lookups - How DNS Generally Works – DNS Sec - Recursion DNS Sec in this context is taken to mean … if the recursion is “secure” and if the results being returned by my ISPs DNS server is authentic and/or correct. In otherwords, some due diligence employed by my provider to help ensure that the returned records are “real”. DNS Sec does not encrypt traffic. kjteoh@uruk:~$ dig isc.org +dnssec ; <<>> DiG 9.10.3 <<>> isc.org +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30990 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;isc.org. IN A ;; ANSWER SECTION: isc.org. 1 IN A 149.20.64.69 isc.org. 1 IN RRSIG A 5 2 60 20151126190706 This is an example where validation / authentication has taken placed and it is marked with the “ad” which has been circled. EDNS enabled. Traditional UDP DNS was restricted to 512 bytes and this has since been extended with EDNS. Participating DNS servers will negotiated and settle on a “size”. Note: DNS can do TCP too The “problem” here is... not all zones are DNS signed/enabled. So it is not digs function to NOT display records which are not DNS Sec enabled. Records will display albeit w/o the “ad” marker. So ISPs should commit to a few extra CPU cycles and enable DNS Sec validation. This does not however appear to be happening. Users are then left none the wiser. On the one part, DNS Sec zone appear to be valid. All steps and procedures have been employed to make it good. But if the ISPs recursive element does not commit CPU cycles to DNS Sec, then all value associated is lost. See sample immediately on the lower left where all semblance of DNS Sec exist minus the validation... absurdity or ignorance? kjteoh@latitude:~$ dig isc.org +dnssec ; <<>> DiG 9.10.3 <<>> isc.org +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 545 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;isc.org. IN A ;; ANSWER SECTION: isc.org. 49 IN A 149.20.64.69 isc.org. 49 IN RRSIG A 5 2 60 20151126190706 This is where the problems begin to start. ISC.ORG is DNS Sec ready and the query being performed requires the +dnssec option. The flags returned however DO NOT indicate that its been validated. All other indications return indicate that it is DNS Sec validated, but in truth, not. Note: RRSIG. kjteoh@uruk:~$ delv isc.org ; fully validated isc.org. 60 IN A 149.20.64.69 isc.org. 60 IN RRSIG A 5 2 60 201 kjteoh@uruk:~$ delv -i isc.org ; answer not validated isc.org. 60 IN A 149.20.64.69 Preferred behavior – No RRSIG Missing “ad”
DNS Lookups - How DNS Generally Works – DNS Sec – Record Types I think there is some confusion about DNS Sec record types. DNS Sec does introduce a few new records but too, no human intervention is really needed for its creation... unlike say, an MX record or a A record which had to be written by hand to a “zone” file. The general procedure of creating a DNS Sec zone/record is to firstly set it up in the traditional fashion, and create all the required MX, A & CNAME records. Only after you're satisfied with this do you then proceed with a ZSK & KSK. After that, you would create a DS Key and have this installed at your Parent DNS Server. This will be used as a Secure Entry Point (SEP). In truth, it is the SEP that becomes the single most important factor in ensuring that your DNS Sec set up or zones work accordingly. Without which, your zone (DNS Sec enabled) is worthless. DNSKEY Used: Sign the zone (ZSK Zone Signing Key – shorter bits) Sign the Key that signed the zone (KSK – longer bits) RRSIG – Resource Record Signature Used: Signature typically for: IN NS ns1.xxx.com / IN A www.xxx.com DS – Delegation Signer Used: Records given to your PARENT to confirm your identity xxx.com DLV – DNSSEC Look-aside Validation Similar to DS above. The parent may not be DNSSEC ready … use DLV If I buy a domain from godaddy.com I will have to do the following: i. Use a DNS server to sign the zone (DNSKEY process ZSK/KSK) ii. RRSIG record will be created automatically iii. Generate a DS record which looks like MD5/SHA(2) key iv. Go to godaddy.com fill in the blanks... v. Eg. My ns1.xxx is IP Address, ns2.xxx is IP Address vi. Eg. My DS hash is “677b80bcf6712c04669bc97b7” .com.my.root.servers ns.google.com.my www DS Record/Hash is installed … for zone/domain record xxx.com This is the SEP. The response must have come from here ONLY. When the ISPs recursion DNS can properly identify that the SEP is indeed valid, the validation of the zone is complete. This can only be achieved where few conditions are met. One, ISP DNS is DNS Sec enabled. Two, the zone is duly ZSK/KSK'ed. Last, a DS Key is obtained and properly installed on the Parent DNS Server (which too must be DNS Sec enabled). Otherwise, use DLV – BUT is becoming depreciated as more and more root servers are becoming DNS Sec aware.
DNS Lookups - How DNS Generally Works – DNS Sec – NSEC DNS Servers have traditionally returned NXDOMAIN when no record is found. With DNS Sec however, a new NSEC record is returned in place of NXDOMAIN. What DNS Sec does here is attempt to prove that the queries-for record is non-existing by returning the NEXT available record in its “dovetail”. kjteoh@my-anoc0:~$ dig gone.isc.org ; <<>> DiG 9.4-ESV-R4 <<>> gone.isc.org ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9945 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 NSEC – Next Secure – returns NSEC __name__.isc.org NSEC3 – Next Secure (v3) – returns NSEC3 __hash__record__isc.org kjteoh@uruk:~$ dig GONE.isc.org +dnssec ; <<>> DiG 9.10.3 <<>> GONE.isc.org +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47298 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 isc.org. 3293 IN NSEC _adsp._domainkey.isc.org. A NS SOA MX TXT …. NOTE: isc.org NS server proving to you that next record is adsp...isc.org Traditional Response Note: NSEC will return text records and NSEC3 will returned hashed records which will in turn totally prevent domain “walking”. We should remember that these records do not required explicit configuration by hand. The process of creating the ZSK / KSK will “encapsulate” the regular ZONE record and create the additional records required. In otherwords, while you would need to write out an A record, you DO NOT need to do the same for an NSEC or DS KEY or RRSIG entry. Steps Required to create DNS Sec Zone 1. ready to host zone raj.com.my - regular zone file created 2. dnssec-keygen -a RSASHA256 -b 1024 raj.com.my (this will create pub/pri key ZSK) 3. dnssec-keygen -a RSASHA256 -b 2048 -f KSK raj.com.my (this will create pub/pri key KSK – NOTE) 4. config named.conf to include path to keys. Continue → zone "raj.com.my" IN { type master; file "bind/keys/raj.com.my.db"; key-directory "bind/keys/raj.com.my"; inline-signing yes; auto-dnssec maintain; }; 5. reload Bind and run dig @locahost raj.com.my +dnssec You should get RRSIG values 7. dnssec-dsfromkey -a SHA1 your-PUB-KSK-KEY raj.com.my. IN DS 1495 8 1 78E72B-Shortened

Recommandé

DNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationDNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationAPNIC
 
4Developers: Dns vs webapp
4Developers: Dns vs webapp4Developers: Dns vs webapp
4Developers: Dns vs webappPROIDEA
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labDeploy360 Programme (Internet Society)
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project PosterJoe Minieri
 
Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSECICANN
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the InternetRIPE NCC
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 

Recommandé

DNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationDNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationAPNIC
 
4Developers: Dns vs webapp
4Developers: Dns vs webapp4Developers: Dns vs webapp
4Developers: Dns vs webappPROIDEA
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labDeploy360 Programme (Internet Society)
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project PosterJoe Minieri
 
Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSECICANN
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the InternetRIPE NCC
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsMen and Mice
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...JosephTesta9
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)Fatima Qayyum
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
DNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackDNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackFatima Qayyum
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
Linux System Administration - DNS
Linux System Administration - DNSLinux System Administration - DNS
Linux System Administration - DNSSreenatha Reddy K R
 
ION Santiago - DNSSEC and DANE Based Security for TLS
ION Santiago - DNSSEC and DANE Based Security for TLSION Santiago - DNSSEC and DANE Based Security for TLS
ION Santiago - DNSSEC and DANE Based Security for TLSDeploy360 Programme (Internet Society)
 
Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)Deploy360 Programme (Internet Society)
 
Open-VPN Server
Open-VPN ServerOpen-VPN Server
Open-VPN ServerManish Kc
 
ION San Diego - ARIN Support for DNSSEC and RPKI
ION San Diego - ARIN Support for DNSSEC and RPKIION San Diego - ARIN Support for DNSSEC and RPKI
ION San Diego - ARIN Support for DNSSEC and RPKIDeploy360 Programme (Internet Society)
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNIJisc
 
ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSDeploy360 Programme (Internet Society)
 
DNSSEC: What a Registrar Needs to Know (Part 2)
DNSSEC: What a Registrar Needs to Know (Part 2)DNSSEC: What a Registrar Needs to Know (Part 2)
DNSSEC: What a Registrar Needs to Know (Part 2)laurenrprice
 
2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow
2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow
2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshowsman_dk
 
DNS – Domain Name Service
DNS – Domain Name ServiceDNS – Domain Name Service
DNS – Domain Name ServiceJohnny Fortune
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSECCarlos Martinez Cagnazzo
 
Detailed information of f21 18 d radio remote controls from cynthia
Detailed information of f21 18 d radio remote controls from cynthiaDetailed information of f21 18 d radio remote controls from cynthia
Detailed information of f21 18 d radio remote controls from cynthiaCynthia Wang
 
Details of f21 16 d radio remote controls
Details of f21 16 d radio remote controls Details of f21 16 d radio remote controls
Details of f21 16 d radio remote controls Cynthia Wang
 

Contenu connexe

Tendances

DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsMen and Mice
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...JosephTesta9
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)Fatima Qayyum
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
DNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackDNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackFatima Qayyum
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
Linux System Administration - DNS
Linux System Administration - DNSLinux System Administration - DNS
Linux System Administration - DNSSreenatha Reddy K R
 
Open-VPN Server
Open-VPN ServerOpen-VPN Server
Open-VPN ServerManish Kc
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNIJisc
 
DNSSEC: What a Registrar Needs to Know (Part 2)
DNSSEC: What a Registrar Needs to Know (Part 2)DNSSEC: What a Registrar Needs to Know (Part 2)
DNSSEC: What a Registrar Needs to Know (Part 2)laurenrprice
 
2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow
2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow
2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshowsman_dk
 
DNS – Domain Name Service
DNS – Domain Name ServiceDNS – Domain Name Service
DNS – Domain Name ServiceJohnny Fortune
 

Tendances (20)

DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
 
DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)DNS spoofing/poisoning Attack Report (Word Document)
DNS spoofing/poisoning Attack Report (Word Document)
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
DNS spoofing/poisoning Attack
DNS spoofing/poisoning AttackDNS spoofing/poisoning Attack
DNS spoofing/poisoning Attack
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
 
Linux System Administration - DNS
Linux System Administration - DNSLinux System Administration - DNS
Linux System Administration - DNS
 
ION Santiago - DNSSEC and DANE Based Security for TLS
ION Santiago - DNSSEC and DANE Based Security for TLSION Santiago - DNSSEC and DANE Based Security for TLS
ION Santiago - DNSSEC and DANE Based Security for TLS
 
Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)
 
Open-VPN Server
Open-VPN ServerOpen-VPN Server
Open-VPN Server
 
ION San Diego - ARIN Support for DNSSEC and RPKI
ION San Diego - ARIN Support for DNSSEC and RPKIION San Diego - ARIN Support for DNSSEC and RPKI
ION San Diego - ARIN Support for DNSSEC and RPKI
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
 
ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLS
 
DNSSEC: What a Registrar Needs to Know (Part 2)
DNSSEC: What a Registrar Needs to Know (Part 2)DNSSEC: What a Registrar Needs to Know (Part 2)
DNSSEC: What a Registrar Needs to Know (Part 2)
 
2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow
2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow
2012 07-24 dnssec-og_open_dnssec_-_martin_toft_og_georg_sluyterman_slideshow
 
DNS – Domain Name Service
DNS – Domain Name ServiceDNS – Domain Name Service
DNS – Domain Name Service
 
An Overview of DNSSEC
An Overview of DNSSECAn Overview of DNSSEC
An Overview of DNSSEC
 

En vedette

Detailed information of f21 18 d radio remote controls from cynthia
Detailed information of f21 18 d radio remote controls from cynthiaDetailed information of f21 18 d radio remote controls from cynthia
Detailed information of f21 18 d radio remote controls from cynthiaCynthia Wang
 
Details of f21 16 d radio remote controls
Details of f21 16 d radio remote controls Details of f21 16 d radio remote controls
Details of f21 16 d radio remote controls Cynthia Wang
 
Vertigo solutions, what medication is prescribed for vertigo natural solution...
Vertigo solutions, what medication is prescribed for vertigo natural solution...Vertigo solutions, what medication is prescribed for vertigo natural solution...
Vertigo solutions, what medication is prescribed for vertigo natural solution...Peternel Velasquez
 
Scenario Trois-Rivieres
Scenario Trois-RivieresScenario Trois-Rivieres
Scenario Trois-Rivieresnetoperek
 
Prova lliure graduat en educació secundària d
Prova lliure graduat en educació secundària dProva lliure graduat en educació secundària d
Prova lliure graduat en educació secundària dFrancesca Marti
 
Presentación educacion fisica sistemas de entrenamiento jean
Presentación educacion fisica sistemas de entrenamiento jeanPresentación educacion fisica sistemas de entrenamiento jean
Presentación educacion fisica sistemas de entrenamiento jeanjeanjaspe1
 
How does DNS works?
How does DNS works?How does DNS works?
How does DNS works?Jorich Ponio
 

En vedette (11)

Detailed information of f21 18 d radio remote controls from cynthia
Detailed information of f21 18 d radio remote controls from cynthiaDetailed information of f21 18 d radio remote controls from cynthia
Detailed information of f21 18 d radio remote controls from cynthia
 
Details of f21 16 d radio remote controls
Details of f21 16 d radio remote controls Details of f21 16 d radio remote controls
Details of f21 16 d radio remote controls
 
Antivirus panda
Antivirus pandaAntivirus panda
Antivirus panda
 
Vertigo solutions, what medication is prescribed for vertigo natural solution...
Vertigo solutions, what medication is prescribed for vertigo natural solution...Vertigo solutions, what medication is prescribed for vertigo natural solution...
Vertigo solutions, what medication is prescribed for vertigo natural solution...
 
Scenario Trois-Rivieres
Scenario Trois-RivieresScenario Trois-Rivieres
Scenario Trois-Rivieres
 
Ball
BallBall
Ball
 
Prova lliure graduat en educació secundària d
Prova lliure graduat en educació secundària dProva lliure graduat en educació secundària d
Prova lliure graduat en educació secundària d
 
PSA
PSAPSA
PSA
 
Presentación educacion fisica sistemas de entrenamiento jean
Presentación educacion fisica sistemas de entrenamiento jeanPresentación educacion fisica sistemas de entrenamiento jean
Presentación educacion fisica sistemas de entrenamiento jean
 
Reglamento de trabajo
Reglamento de trabajoReglamento de trabajo
Reglamento de trabajo
 
How does DNS works?
How does DNS works?How does DNS works?
How does DNS works?
 

Similaire à dns-sec-4-slides

DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxviditsir
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practicekuchinskaya
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]APNIC
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scaleChandrapal Badshah
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK RolloverAPNIC
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commandsSayed Ahmed
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commandsSayed Ahmed
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedMustafa Golam
 

Similaire à dns-sec-4-slides (20)

DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scale
 
M7 - Manual
M7 - ManualM7 - Manual
M7 - Manual
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commands
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commands
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
Quad9 and DNS Privacy
Quad9 and DNS PrivacyQuad9 and DNS Privacy
Quad9 and DNS Privacy
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To Advanced
 
ION Durban - DNSSEC, and Why We Can't Avoid It
ION Durban - DNSSEC, and Why We Can't Avoid ItION Durban - DNSSEC, and Why We Can't Avoid It
ION Durban - DNSSEC, and Why We Can't Avoid It
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
 
DNS.docx
DNS.docxDNS.docx
DNS.docx
 

Plus de kj teoh

junos-firewall-filter
junos-firewall-filterjunos-firewall-filter
junos-firewall-filterkj teoh
 

Plus de kj teoh (6)

junos-firewall-filter
junos-firewall-filterjunos-firewall-filter
junos-firewall-filter
 
bgp-01
bgp-01bgp-01
bgp-01
 
mpls-05
mpls-05mpls-05
mpls-05
 
mpls-02
mpls-02mpls-02
mpls-02
 
mpls-04
mpls-04mpls-04
mpls-04
 
mpls-06
mpls-06mpls-06
mpls-06
 

dns-sec-4-slides

  • 1. DNS Lookups - How DNS Generally Works – NOT DNS SEC DNS is probably one of the most poorly understood protocols and its probably because it has many “faces”. The following example is an overview of how its all held together by Internet cloth. You send a “name”, you expect an IPv4 or IPv6 in return. www google.com.my a-m.root.servers .com.root.servers .com.my.root.servers ns.google.com.my root.hints file a.root.server xxx b.root.server yyy .. m.root.server.zzz ISP Recursive DNS Server 1 2 3 4 User will query ISP DNS who in turn refers to root.hints in local system 1. a-m.root servers queried for .com.my they will return with a list of .com.root servers 2. query goes to .com.root servers and a list is returned for .com.my.root 3. query goes to .com.my.root servers and a specific list is returned for ns.google.com.my 4. query goes to ns.google.com.my and a “A” record is returned (or AAAA) Onces this happens / completes, your ISP will cache the records for a specific period and does not have to repeat the entire process again and again. For some real samples, do “dig isc.org +trace” UDP/53 IPv4/IPv6 149.20.64.69 Zone Record www A 149.20.64.69 mail A xxx.yyy ftp A yyy.zzz May transport on IPv6 anycast / unicast Glue Records May transport on IPv4 but query for AAAA record or vice-versa
  • 2. DNS Lookups - How DNS Generally Works – DNS Sec - Recursion DNS Sec in this context is taken to mean … if the recursion is “secure” and if the results being returned by my ISPs DNS server is authentic and/or correct. In otherwords, some due diligence employed by my provider to help ensure that the returned records are “real”. DNS Sec does not encrypt traffic. kjteoh@uruk:~$ dig isc.org +dnssec ; <<>> DiG 9.10.3 <<>> isc.org +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30990 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;isc.org. IN A ;; ANSWER SECTION: isc.org. 1 IN A 149.20.64.69 isc.org. 1 IN RRSIG A 5 2 60 20151126190706 This is an example where validation / authentication has taken placed and it is marked with the “ad” which has been circled. EDNS enabled. Traditional UDP DNS was restricted to 512 bytes and this has since been extended with EDNS. Participating DNS servers will negotiated and settle on a “size”. Note: DNS can do TCP too The “problem” here is... not all zones are DNS signed/enabled. So it is not digs function to NOT display records which are not DNS Sec enabled. Records will display albeit w/o the “ad” marker. So ISPs should commit to a few extra CPU cycles and enable DNS Sec validation. This does not however appear to be happening. Users are then left none the wiser. On the one part, DNS Sec zone appear to be valid. All steps and procedures have been employed to make it good. But if the ISPs recursive element does not commit CPU cycles to DNS Sec, then all value associated is lost. See sample immediately on the lower left where all semblance of DNS Sec exist minus the validation... absurdity or ignorance? kjteoh@latitude:~$ dig isc.org +dnssec ; <<>> DiG 9.10.3 <<>> isc.org +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 545 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;isc.org. IN A ;; ANSWER SECTION: isc.org. 49 IN A 149.20.64.69 isc.org. 49 IN RRSIG A 5 2 60 20151126190706 This is where the problems begin to start. ISC.ORG is DNS Sec ready and the query being performed requires the +dnssec option. The flags returned however DO NOT indicate that its been validated. All other indications return indicate that it is DNS Sec validated, but in truth, not. Note: RRSIG. kjteoh@uruk:~$ delv isc.org ; fully validated isc.org. 60 IN A 149.20.64.69 isc.org. 60 IN RRSIG A 5 2 60 201 kjteoh@uruk:~$ delv -i isc.org ; answer not validated isc.org. 60 IN A 149.20.64.69 Preferred behavior – No RRSIG Missing “ad”
  • 3. DNS Lookups - How DNS Generally Works – DNS Sec – Record Types I think there is some confusion about DNS Sec record types. DNS Sec does introduce a few new records but too, no human intervention is really needed for its creation... unlike say, an MX record or a A record which had to be written by hand to a “zone” file. The general procedure of creating a DNS Sec zone/record is to firstly set it up in the traditional fashion, and create all the required MX, A & CNAME records. Only after you're satisfied with this do you then proceed with a ZSK & KSK. After that, you would create a DS Key and have this installed at your Parent DNS Server. This will be used as a Secure Entry Point (SEP). In truth, it is the SEP that becomes the single most important factor in ensuring that your DNS Sec set up or zones work accordingly. Without which, your zone (DNS Sec enabled) is worthless. DNSKEY Used: Sign the zone (ZSK Zone Signing Key – shorter bits) Sign the Key that signed the zone (KSK – longer bits) RRSIG – Resource Record Signature Used: Signature typically for: IN NS ns1.xxx.com / IN A www.xxx.com DS – Delegation Signer Used: Records given to your PARENT to confirm your identity xxx.com DLV – DNSSEC Look-aside Validation Similar to DS above. The parent may not be DNSSEC ready … use DLV If I buy a domain from godaddy.com I will have to do the following: i. Use a DNS server to sign the zone (DNSKEY process ZSK/KSK) ii. RRSIG record will be created automatically iii. Generate a DS record which looks like MD5/SHA(2) key iv. Go to godaddy.com fill in the blanks... v. Eg. My ns1.xxx is IP Address, ns2.xxx is IP Address vi. Eg. My DS hash is “677b80bcf6712c04669bc97b7” .com.my.root.servers ns.google.com.my www DS Record/Hash is installed … for zone/domain record xxx.com This is the SEP. The response must have come from here ONLY. When the ISPs recursion DNS can properly identify that the SEP is indeed valid, the validation of the zone is complete. This can only be achieved where few conditions are met. One, ISP DNS is DNS Sec enabled. Two, the zone is duly ZSK/KSK'ed. Last, a DS Key is obtained and properly installed on the Parent DNS Server (which too must be DNS Sec enabled). Otherwise, use DLV – BUT is becoming depreciated as more and more root servers are becoming DNS Sec aware.
  • 4. DNS Lookups - How DNS Generally Works – DNS Sec – NSEC DNS Servers have traditionally returned NXDOMAIN when no record is found. With DNS Sec however, a new NSEC record is returned in place of NXDOMAIN. What DNS Sec does here is attempt to prove that the queries-for record is non-existing by returning the NEXT available record in its “dovetail”. kjteoh@my-anoc0:~$ dig gone.isc.org ; <<>> DiG 9.4-ESV-R4 <<>> gone.isc.org ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9945 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 NSEC – Next Secure – returns NSEC __name__.isc.org NSEC3 – Next Secure (v3) – returns NSEC3 __hash__record__isc.org kjteoh@uruk:~$ dig GONE.isc.org +dnssec ; <<>> DiG 9.10.3 <<>> GONE.isc.org +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47298 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 isc.org. 3293 IN NSEC _adsp._domainkey.isc.org. A NS SOA MX TXT …. NOTE: isc.org NS server proving to you that next record is adsp...isc.org Traditional Response Note: NSEC will return text records and NSEC3 will returned hashed records which will in turn totally prevent domain “walking”. We should remember that these records do not required explicit configuration by hand. The process of creating the ZSK / KSK will “encapsulate” the regular ZONE record and create the additional records required. In otherwords, while you would need to write out an A record, you DO NOT need to do the same for an NSEC or DS KEY or RRSIG entry. Steps Required to create DNS Sec Zone 1. ready to host zone raj.com.my - regular zone file created 2. dnssec-keygen -a RSASHA256 -b 1024 raj.com.my (this will create pub/pri key ZSK) 3. dnssec-keygen -a RSASHA256 -b 2048 -f KSK raj.com.my (this will create pub/pri key KSK – NOTE) 4. config named.conf to include path to keys. Continue → zone "raj.com.my" IN { type master; file "bind/keys/raj.com.my.db"; key-directory "bind/keys/raj.com.my"; inline-signing yes; auto-dnssec maintain; }; 5. reload Bind and run dig @locahost raj.com.my +dnssec You should get RRSIG values 7. dnssec-dsfromkey -a SHA1 your-PUB-KSK-KEY raj.com.my. IN DS 1495 8 1 78E72B-Shortened