Beruflich Dokumente
Kultur Dokumente
Guevara Noubir
Network Security
Northeastern University
Describe DNSSEC
neu mit cisco yahoo nasa nsf arpa navy acm ieee
madrid firenze
neu mit cisco yahoo nasa nsf arpa navy acm ieee
madrid firenze
Root
name server
servers
CCS ECE
name server name server
Strategy
Go to local name server
Local name server goes to root name server
Local name server goes to edu name server
Local name server goes to neu.edu name server
Local name server goes to ccs.neu.edu name server
and gets IP address
Queries/Responses typically use UDP
packets sent to server on port 53
G. Noubir DNS Security 10
Lesson 2: DNS Cache Poisoning
DNS servers cache information
Poisoning an ISP DNS cache impacts all the ISP users
How?
Attacker queries the ISP DNS server
ISP DNS Server starts resolving the query by asking the authoritative name
server
Attacker simultaneously sends a DNS response spoofing the IP address of the
authoritative name server and providing a malicious IP address
All the ISP users will be directed to the attacker sites
Problems? Adversary needs to
Respond before valid response (e.g., DoS legitimate server)
Guess the query identifier (i.e., Transaction ID)
In 2002, it appeared that all DNS implementation were using sequential numbers) =>
randomization was used
Wait for the information to not be in the cache of ISPs DNS Server
Current solutions:
Source port randomization
Randomized capitalization
Limiting ISP DNS replies to internal requests
DNSSEC
Issues:
PKI infrastructure / chain of trust following domain name hierarchy; Who control TLD
keys
Zone enumeration
Root name server only started supporting DNSSEC support in 2010
Performance
G. Noubir DNS Security 15
Summary
Domain Name System is a critical application of the
Internet
Major flaws have been identified and partially fixed
A strong solution (DNSSEC) is slowly being adopted
(typical problem with the Internet)
Thinking exercise:
Go back to Problem Set 1
Consider all the steps to connect to a website and the
vulnerabilities you are subject to
G. Noubir DNS Security 16