DNS Security
DNS SECURITY
John F. McClure, KimberSystems, LLC
john@kimbersystems.com
Topics
• What is DNS?
• Why is DNS important?
• How does DNS work?
• Corrupting DNS responses
• What happens when DNS goes bad?
• Introduction to DNSSEC
• Why doesn't everyone use DNSSEC?
• Deploying and maintaining DNSSEC
• Using the GSA DNSSEC Cloud Signing Service
• Questions & Answers
What is DNS?
• Provides www address to IP translation. Sample: (diagram)
How does DNS work?
Diagram: User (123.example.com) -> ISP -> ROOT (.), .com, dns.example.com (123.example.com); steps 1 to 8.
1. A user types in 123.example.com (this information isn't in a local host file).
2. The ISP doesn't have the answer so asks root (.) for the answer.
3. Root doesn't have the answer but knows who owns .com.
4. The ISP now knows to ask .com for the answer.
5. .com doesn't know the answer but knows who has name services for example.com.
6. The ISP now knows to ask dns.example.com for the answer.
7. dns.example.com responds with the answer to the ISP.
8. The ISP delivers the IP address to the user, who can now go to the website.
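The eight-step walk above is an iterative resolver chasing referrals from the root down to the zone's own name server. The following Python script is an added example (not part of the original slides) that simulates that walk over constructed in-memory zone data; the server names, the referral for .com and the address 192.0.2.10 are all made up for the simulation, and no network traffic is sent.

```python
"""Simulated iterative DNS resolution (referral chasing), mirroring the slide.

Added example with constructed data: the root, the .com server and
dns.example.com are in-memory dictionaries, not real servers.
"""

# Constructed authoritative data keyed by server name. Each server holds
# NS referrals (delegations) and/or A answers for the names it serves.
SERVERS = {
    "root": {
        "NS": {"com.": ["a.gtld-servers.example."]},  # constructed referral to .com
        "A": {},
    },
    "a.gtld-servers.example.": {
        "NS": {"example.com.": ["dns.example.com."]},  # .com knows who serves example.com
        "A": {},
    },
    "dns.example.com.": {
        "NS": {},
        "A": {"123.example.com.": "192.0.2.10"},  # constructed address (TEST-NET-1)
    },
}


def query(server, qname):
    """Ask one server for qname.

    Returns ('answer', ip), ('referral', [name server names]) or ('nxdomain', None).
    """
    data = SERVERS[server]
    if qname in data["A"]:
        return ("answer", data["A"][qname])
    # Look for the longest enclosing zone this server can delegate to.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        if zone in data["NS"]:
            return ("referral", data["NS"][zone])
    return ("nxdomain", None)


def resolve(qname, max_hops=8):
    """Walk referrals from the root, as the ISP resolver does on the slide.

    Returns (ip_or_None, trace); trace lists (server asked, kind of reply).
    """
    server = "root"
    trace = []
    for _ in range(max_hops):
        kind, payload = query(server, qname)
        trace.append((server, kind))
        if kind == "answer":
            return payload, trace
        if kind == "nxdomain":
            return None, trace
        # Referral: ask the first listed name server next. A real resolver
        # would also need that server's address (glue); here names are keys.
        server = payload[0]
    return None, trace  # referral loop or too many hops


if __name__ == "__main__":
    ip, trace = resolve("123.example.com.")
    for step, (server, kind) in enumerate(trace, 1):
        print(f"{step}. asked {server}: {kind}")
    print("answer:", ip)
```

Each entry in the returned trace corresponds to one round trip in the slide's numbered sequence (steps 2 and 3 are the root query and its referral, and so on), which is why a resolver that accepts whatever comes back at any of those hops is exposed at every one of them.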
Corrupting DNS responses
Diagram: the same resolution path (User -> ISP -> ROOT (.), .com, dns.example.com; steps 1 to 8), with Corruption marked at three points and Impersonation marked at three points along the path.
There are A LOT of places to corrupt a DNS response to a user. DNS response corruption can occur through data corruption or impersonation.
What happens when DNS goes bad?
• A user may not be able to browse/view network locations.
  - Facebook, Twitter, cloud services, etc.
  - Business applications, calendars, email, time card system, etc.
• A user may be directed to an unintended location.
  - Possible transmission of sensitive data or PII
  - Inability to conduct business operations
• A user may be intentionally directed to a malicious site.
  - Possible infection with malicious software/virus
  - Possible transmission of sensitive data or PII
  - Inability to conduct business operations
Introduction to DNSSEC
• DNSSEC was introduced to address security challenges of traditional DNS
  - DNS was built to be open with little concern for security
  - DNS did not have mechanisms to detect forged information
  - DNS did not have the ability to digitally sign information
  - DNS announces extensive information about your architecture
• DNSSEC
  - Addresses all of the above and…
  - Provides authentication that your DNS information came from who it should have
  - Provides upstream protection
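The "upstream protection" on this slide is the DNSSEC chain of trust: the parent zone publishes a DS record that commits to the child's signing key, so a validating resolver can check, at every zone cut it walks through, that the DNSKEY it received is the one the parent vouches for. The Python below is an added example (not from the slides and not a DNSSEC library) that builds that link with the standard library only: the key tag from RFC 4034 Appendix B and the SHA-256 DS digest over the owner name in wire format plus the DNSKEY RDATA (RFC 4034 section 5.1.4, digest type 2). The four-byte "public key" and every value derived from it are constructed test data, not a real key.

```python
"""DNSSEC chain-of-trust link: does a parent's DS record match a child's DNSKEY?

Added example; implements RFC 4034 key tag and DS (digest type 2) computation
with the standard library. The key material below is constructed, not real.
"""
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels, root = 0x00."""
    name = name.lower().rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bits), protocol (8), algorithm (8), then the public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire format || DNSKEY RDATA); type 2 is SHA-256."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented in this example")
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, public_key):
    """What the child hands to the parent for publication at the zone cut."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": 2,
        "digest": ds_digest(owner, rdata),
    }


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key):
    """The validator's check at a zone cut: does the parent's DS commit to this DNSKEY?"""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (
        ds["algorithm"] == algorithm
        and ds["key_tag"] == key_tag(rdata)
        and ds["digest_type"] == 2
        and ds["digest"] == ds_digest(owner, rdata)
    )


# Constructed sample: a "KSK" (flags 257, protocol 3, algorithm 8) with a fake 4-byte key.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY = (257, 3, 8, b"\x00\x01\x00\x02")
SAMPLE_DS = make_ds(SAMPLE_OWNER, *SAMPLE_KEY)

if __name__ == "__main__":
    print("DS for", SAMPLE_OWNER, SAMPLE_DS)
    print("genuine key accepted:", ds_matches_dnskey(SAMPLE_DS, SAMPLE_OWNER, *SAMPLE_KEY))
    swapped = (257, 3, 8, b"\x00\x01\x00\x03")
    print("substituted key accepted:", ds_matches_dnskey(SAMPLE_DS, SAMPLE_OWNER, *swapped))
```

A resolver that applies this check at each delegation, starting from the root trust anchor, cannot be handed a substitute key for example.com by anyone who does not also control what .com publishes; that is the "came from who it should have" property the slide describes, and the same check is what breaks the domain if a key rollover is done without updating the parent's DS.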
Why is DNSSEC important?
• DNSSEC addresses real world cyber-threats to US Government data and networks.
• DNSSEC is mandated by OMB Memo 08-23. All Government agencies were mandated to deploy DNSSEC by December 2009.
• DNSSEC addresses numerous FISMA security controls.
• DNSSEC makes you more compliant and secure!
Why doesn't everyone use DNSSEC?
• Organizations don't understand DNS vulnerabilities and threats.
• Organizations don't understand the benefits of DNSSEC.
• Deploying and maintaining DNSSEC is more complex than traditional DNS.
• DNSSEC requires actions every time a zone is changed (e.g. a new website name is added).
• Failure to deploy and maintain DNSSEC properly can lead to inaccessibility of a domain.
Deploying and maintaining DNSSEC
• There are a number of options for deploying and maintaining a DNSSEC solution
  - Run DNSSEC within your own infrastructure using your own staff (high resource requirement)
  - Complete outsourcing of DNS services, to include DNSSEC, to a commercial provider (high cost)
  - Outsource DNSSEC services to the GSA (in the case of USG)
Using the GSA DNSSEC CSS
• The GSA offers a DNSSEC Cloud Signing Service (CSS) to all domains in .gov
  - This service is provided at no charge to .gov domains.
  - You can subscribe to the service when registering a domain name (dotgov.gov).
• The DNSSEC CSS takes the complexities out of DNSSEC
  - You still control your DNS
  - CSS handles zone signing
  - CSS handles ZSK and KSK roll-overs
  - CSS detects changes in your zone files and resigns zones
• Additional information, FAQs, and contact information is available at www.dotgov.gov.
• Using this service makes you more compliant and secure.
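The earlier slide warns that DNSSEC maintained badly makes a domain unreachable, and this one lists re-signing on change as something the CSS does for you. The usual way that failure happens is an RRSIG whose expiration passes before the zone is re-signed: validating resolvers then treat the whole RRset as bogus. The script below is an added example (not from the slides and not part of the GSA service) of the check an operator would run against their own zone, in-house or outsourced, to catch that before it bites: it parses RRSIG lines in presentation format, where expiration and inception are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.1.5), and reports signatures that are expired, about to expire, or not yet valid. The zone lines, names under example.gov, key tags and the fixed "now" are all constructed sample data.

```python
"""Audit RRSIG validity windows so a zone is re-signed before its signatures lapse.

Added example with constructed zone lines; the signature field is a dummy and
is not checked here, only the validity window is.
"""
from datetime import datetime, timedelta, timezone

# Constructed RRSIG records in presentation format:
# owner TTL IN RRSIG type-covered alg labels orig-TTL expiration inception key-tag signer signature
SAMPLE_RRSIGS = [
    "www.example.gov. 3600 IN RRSIG A 8 3 3600 20240201000000 20240102000000 12345 example.gov. c2lnMQ==",
    "mail.example.gov. 3600 IN RRSIG MX 8 3 3600 20240118000000 20231219000000 12345 example.gov. c2lnMg==",
    "example.gov. 3600 IN RRSIG SOA 8 2 3600 20240110000000 20231211000000 12345 example.gov. c2lnMw==",
    "new.example.gov. 3600 IN RRSIG A 8 3 3600 20240219000000 20240120000000 12345 example.gov. c2lnNA==",
]

# Fixed point in time for the worked example (constructed).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

TIME_FMT = "%Y%m%d%H%M%S"


def parse_rrsig(line):
    """Pull the fields a validity audit needs out of one RRSIG presentation line."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "expiration": datetime.strptime(f[8], TIME_FMT).replace(tzinfo=timezone.utc),
        "inception": datetime.strptime(f[9], TIME_FMT).replace(tzinfo=timezone.utc),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def signature_status(rrsig, now, warn_before=timedelta(days=7)):
    """Classify one signature relative to `now`.

    A validator accepts the signature only when inception <= now <= expiration
    (RFC 4035 section 5.3.1); 'expiring' flags signatures inside the warning window.
    """
    if now < rrsig["inception"]:
        return "not-yet-valid"
    if now > rrsig["expiration"]:
        return "expired"
    if rrsig["expiration"] - now <= warn_before:
        return "expiring"
    return "ok"


def audit(lines, now, warn_before=timedelta(days=7)):
    """Return (owner, type covered, status) for every RRSIG line."""
    return [
        (r["owner"], r["type_covered"], signature_status(r, now, warn_before))
        for r in map(parse_rrsig, lines)
    ]


def audit_sample():
    """Run the audit over the constructed records at the constructed NOW."""
    return audit(SAMPLE_RRSIGS, NOW)


def needs_resign(lines, now, warn_before=timedelta(days=7)):
    """True when any signature is expired or inside the warning window."""
    return any(status in ("expired", "expiring") for _, _, status in audit(lines, now, warn_before))


if __name__ == "__main__":
    for owner, rtype, status in audit_sample():
        print(f"{owner:20} {rtype:4} {status}")
    print("zone needs re-signing:", needs_resign(SAMPLE_RRSIGS, NOW))
```

Running this from cron against a zone transfer or a `dig +dnssec` dump of the zone's records, and alerting on `needs_resign`, is the manual equivalent of the change detection and re-signing the CSS slide describes; the "not-yet-valid" case is the same class of outage seen from the other side, a signature generated with a clock ahead of the resolvers'.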
Questions & Answers
John F. McClure
john@kimbersystems.com
(202) 630-0726
