Post on 29-May-2020
| 1
Champika WijayatungaRegional Security Engagement Manager – Asia Pacific<champika.wijayatunga@icann.org>
11 Sep 2017
DNS/DNSSECAPNIC44 – Taichung - Taiwan
| 2
Domain Name System (DNS)
TLDs gTLDs ccTLDs IDNs
| 3
Root Server Operation
| 4
How Secure are the Root Servers?
• Physically protected • Tested operational procedures • Experienced, professional, trusted staff• Defense against major operational threat – i.e. DDoS.
– Anycast• Setting up identical copies of existing servers • Same IP address• Exactly the same data. • Standard Internet routing will bring the queries to the nearest server• Provides better service to more users.
| 5
DNS Servers
• Root Servers• DNS Authoritative
– Primary / Master – Secondary / Slaves
• DNS Resolver– Recursive– Cache– Stub resolver
5
| 6
Who’s who in the DNS Ecosystem?
6
| 7
Domain Name Registration
How to register a domain:•Choose a string e.g., example•Visit a registrar to check string availability in a TLD•Pay a fee to register the name•Submit registration information•Registrar and registries manage:
– “string” + TLD (managed in registry DB)
– Contacts, DNS (managed in Whois)
– DNS, status (managed in Whois DBs)
– Payment information
| 8
Registration Data Directory Services
• Domain Whois– Sponsoring Registrar– Domain Name Servers– Domain Status– Creation/Expiry dates– Point of Contact– DNSSEC data
• Address Whois– Regional Internet Registry– IPv4/v6 address allocation– ASN allocation– Creation/Expiry dates– Point of Contact
WHOISDatabases containing records of registrations
| 9
WHOIS Inaccuracy Complaint
Filing Tips:• Responds to ICANN requests for more
information in the requested time frame.
• If you think the contact email address for the domain is incorrect, give evidence that emails you sent to the email address were undeliverable.
• Make sure your complaint is valid – e.g., a contact telephone doesn’t need to be in the same geographic location as the mailing address.
| 10
What is a DNS zone data?
• DNS zone data are hosted atan authoritative name server• Each “cut” has zone data
(root, TLD, delegations) • DNS zones contain resource
records that describe• name servers,• IP addresses, • Hosts, • Services • Cryptographic
keys & signatures…Only US ASCII-7 letters, digits, and hyphens
can be used as zone data.
In a zone, IDNs strings begin with XN--
| 11
How DNS Works
| 12
DNS: Data Flow
12
Primary Caching Servers
Resolvers
Zone administrator
Zone file
Dynamicupdates
1
2
Secondaries
3
4
5
| 13
DNS Vulnerabilities
13
Primary Caching Servers
Resolver
Zone administrator
Zone file
Dynamicupdates
1
2
Secondaries
3
Server protection
4
5
Corrupting data Impersonating master
Unauthorized updates
Cache impersonation
Cache pollution byData spoofing
Data protection
Altered zone data
| 14
The Bad
• Cache Poisoning Attacks– Vulnerable resolvers add malicious data to local caches
• DNS Hijacking– A man in the middle (MITM) or spoofing attack forwards DNS queries to a name server that
returns forge responses• E.g. DNSChanger
– One of the biggest cybercriminal takedown in history• And many other DNS hijacks in recent times• SSL / TLS doesn't tell you if you've been sent to the correct site, it only tells you
if the DNS matches the name in the certificate. • DNS is relied on for unexpected things though insecure.
| 15
Securing DNS
• There are two aspects when considering DNS Security– Server protection– Data protection
• Server protection– Protecting servers
• Make sure your DNS servers are protected (i.e. physical security, latest DNS server software, proper security policies, Server redundancies etc.)
– Protecting server transactions• Deployment of TSIG, ACLs etc. (To secure transactions against server impersonations, secure
zone transfers, unauthorized updates etc.)
• Data protection– Authenticity and Integrity of Data
• Deployment of DNSSEC (Protect DNS data against cache poisoning, cache impersonations, spoofing etc.)
| 16
Name Server Considerations
• Support technical standards
• Handle load multiple times the measured peak
• Diverse bandwidth to support above
• Must answer authoritatively
• Turn off recursion!
• Should “NOT” block access from a valid Internet hosts
| 17
Secondary Name Server Choice
Diversity, Diversity and Diversity!
•Don’t place all on the same LAN/building/segment
•Network diversity
•Geographical diversity
•Institutional diversity
•Software and hardware diversity
| 18
When It All Goes Wrong
• DNS is a known target for hackers.
• You will be targeted at some point!
• Have plans in place to deal with attacks, failures and disasters.
• Test those plans regularly!
| 19| 19
DNSSEC
19
| 20
How DNSSEC Works
| 21
DNSSEC ccTLD Map
| 22
DNSSEC Deployment
| 23
DNSSEC: So what’s the problem?
• Not enough IT departments know about it or are too busy putting out other security fires.
• When they do look into it they hear old stories of FUD and lack of turnkey solutions.
• Registrars*/DNS providers see no demand leading to “chicken-and-egg” problems.
*but required by new ICANN registrar agreement
| 24
What you can do
• For Companies:– Sign your corporate domain names– Just turn on validation on corporate DNS resolvers
• For Users:– Ask ISP to turn on validation on their DNS resolvers
• For All:– Take advantage of DNSSEC education and training
| 25| 25
2017 Root Zone DNSSEC KSK Rollover
25
| 26
The Root Zone DNSSEC KSK
DATA
¤The Root Zone DNSSEC Key Signing Key “KSK” is the top most cryptographic key in the DNSSEC hierarchy
¤Public portion of the KSK is configuration parameter in DNS validating revolvers
KSK
| 27
Rollover of the Root Zone DNSSEC KSK
¤There has been one functional, operational Root Zone DNSSEC KSK¤Called "KSK-2010"¤Since 2010, nothing before that
¤A new KSK will be put into production later this year¤Call it "KSK-2017"¤An orderly succession for continued smooth operations
¤Operators of DNSSEC recursive servers may have some work¤As little as review configurations¤As much as install KSK-2017
| 28
Important Milestones
Event Date
Creation of KSK-2017 October 27, 2016
Production Qualified February 2, 2017
Out-of-DNS-band Publication July 11, 2017
In-band (Automated Updates) Publication July 11, 2017 and onwards
Sign (Production Use) October 11, 2017 and onwards
Revoke KSK-2010 January 11, 2018
Remove KSK-2010 from systems Aug, 2018
| 29
Call to Action
¤All the work is for operators, developers and distributors of software that performs DNSSEC validation – keep reading/listening!
¤What if you’re not one of them? What if you’re an Internet user?¤Be aware that the root KSK rollover is happening on
11 October 2017¤Do you know a DNS operator, software developer or software
distributor?¤Ask them if they know about the root KSK rollover and if
they’re ready¤Direct them to ICANN’s educational and information resources
| 30
What does an operator need to do?
¤Be aware whether DNSSEC is enabled in your servers
¤Be aware of how trust is evaluated in your operations
¤Test/verify your set ups
¤ Inspect configuration files, are they (also) up to date?
¤ If DNSSEC validation is enabled or planned in your system¤Have a plan for participating in the KSK rollover¤Know the dates, know the symptoms, solutions
| 31
Three Steps to Recovery
1. Stop the tickets! It's OK to turn off DNSSEC validation while you fix (but do turn it back on!)
2. Debug. If the problem is the trust anchor, find out why it isn't correct
¤ Did RFC 5011 fail? Did configuration tools fail to update the key?
¤ If the problem is fragmentation related, make sure TCP is enabled and/or make other transport adjustments
3. Test the recovery. Make sure your fixes take hold
| 32
Tools and Resources Provided by ICANN
¤A python-language script to retrieve KSK-2010 and KSK-2017¤get_trust_anchor.py
¤An Automated Updates testbed for production(test) servers¤https://automated-ksk-test.research.icann.org
¤Documentation¤https://www.icann.org/resources/pages/ksk-rollover
| 33
When Does the Rollover Take Place?
The KSK rollover is a process, not a single event
The following dates are key milestones in the process when end users may experience interruption in Internet services:
| 34
Be aware whether DNSSEC is enabled in your servers
Be aware of how trust is evaluated in your operations
Test/verify your set ups
Inspect configuration files, are they (also) up to date?
If DNSSEC validation is enabled or planned in your system
o Have a plan for participating in the KSK rollovero Know the dates, know the symptoms, solutions
What Do Operators Need to Do?
| 35
Engage with ICANN
Visit us at icann.org
Thank You and Questions
Email: champika.wijayatunga@icann.org
flickr.com/icann
linkedin/company/icann
@icann
facebook.com/icannorg
youtube.com/icannnews
soundcloud/icann
slideshare/icannpresentations