Intro To DNS Security with Cory Von Wallenstein & Chris Brenton

Transcript of Intro To DNS Security with Cory Von Wallenstein & Chris Brenton

Intro To DNS SecurityOctober 23, 2013

Cory von WallensteinChief Technologist

@cvwdyn

Chris BrentonDirector of Security

@chris_brenton

http://www.linkedin.com/company/dyn

http://www.facebook.com/Dyn

http://twitter.com/dyninc

http://www.youtube.com/dyninc

Pg. 2 Intro To DNS Security @cvwdyn @chris_brenton

Your Presenters

Cory von Wallenstein

Chief Technologist

@cvwdyn

Chris BrentonDirector of

Security@Chris_Brenton

What We Will Cover

DNS security state of the union: 2013 Why DNS security is important Securing the architecture Securing the deployment Securing your zone info Securing your registration info

Is DNS Still Sexy?

It’s old tech, so we must have it secured by now…right?

Is DNS Still Sexy?

DNS is effectively our root of trust:

You “ass-u-me” typing in www.google.com will always bring you to a Google server

If sent to the wrong IP address, would you even notice?

Is DNS Still Sexy?

If DNS is compromised, everything else falls apart.

Architecture

Run split DNS:

Architecture

Two separate sets of name server records:

One for use by internal clients One for use by the rest of the world

Architecture

Helps protect internal systems from cache poisoning and other various nastiness

Internal Name Servers

Accessed by internal systems only Contains a full list of host records Usually identifies your hosts by private IP Will act recursively Will hand back upward referrals

External Name Servers

Accessed by the rest of the Internet Contains only records you want the world to

see Usually identifies your hosts by legal IP Will not act recursively Will not hand back upward referrals

Recursive Answers

DNS is a distributed system Not all servers know every answer “Recursion” identifies what to do when an

answer is not in cache

Recursive Answers

Recursive = Do the lookup work for the client

Non-Recursive = Don't be so friendly

Non-Recursive Possibilities

Hand back the list of root name servers Referred to as an “upward referral”

Hand back the error code “Refused” Let the client figure out what to do next

Why Recursion Can Be Bad

Can be leveraged for cache poisoning attacks:

Redirect your employees to an IP owned by the attacker

Why Recursion Can Be Bad

Can be leveraged for DDoS attacks:

Most DNS is UDP based Connectionless, so its easy to spoof the

source IP Small questions that result in big answers =

amplification A savvy attacker can get 30X amplification

Why Upward Referrals Are Bad

Non-recursive servers have historically handed back a list of root name server

Considered the polite thing to do

Why Upward Referrals Are Bad

Every name server should already maintain a current list of root name servers

That “polite” answer still provides a 10X amplification in a DDoS attack

Configuring Bind

Disabling Recursion and upward referrals

In /etc/named.conf:

recursion no;additional-from-cache no;

DNSSEC

Spec to secure DNS

DNSSEC

Spec to secure DNS Provides authentication but not data privacy

DNSSEC

Spec to secure DNS Provides authentication but not data privacy Trust anchor to create a chain of trust

Designed to create “trusted” responses

DNSSEC

Designed to create “trusted” responses Protect against cache poisoning

DNSSEC

Designed to create “trusted” responses Protect against cache poisoning Can protect additional info via TXT records

DNSSEC Pitfalls

Large responses make DDoS issues even worse

DNSSEC Pitfalls

Large responses make DDoS issues even worse Can be problematic with split zone deployment

DNSSEC Pitfalls

Large responses make DDoS issues even worse Can be problematic with split zone deployment Can be a problem when handing back bogus

answers are “a feature”

DNSSEC Pitfalls

answers are “a feature” Still no data privacy

DNSSEC Pitfalls

answers are “a feature” Still no data privacy Crawling zones mitigated but not resolved

Should I Use DNSSEC?

Case-by-case judgment call

Case-by-case judgment call Useful when IP filtering is problematic

for protecting zone transfers

for protecting zone transfers May be mandated in some situations

for protecting zone transfers May be mandated in some situations Will probably be a requirement

Someday...maybe

Dyn Makes DNSSEC Easier To Enable

Protecting Your Registration

The easiest way to compromise all of your servers is to compromise your zone

Popular attack pattern Rapid7 owned by attackers with a…

Bit.ly/DynSec1

Domain Status Codes

Many registrars support codes to protect your domain

Permits you to limit zone management

Domain Status Codes

Predefine authentication process for changes:

Requires call back to a specified phone number

Only certain individuals can make changes

Status Code Examples

• Transfer prohibited• Delete prohibited• Update prohibited• Renew prohibited

Bit.ly/DynSec2

Protected Zone

foo$ whois dyn.com[whois.dyndns.com]Registrant: Hostmaster, Dyn-Inc hostmaster@dyn-inc.com

…Domain status: clientDeleteProhibited clientTransferProhibited clientUpdateProhibited

• What are my authentication options?

Questions to Ask Your Registrar

• What are my authentication options?• How will authorized changes be verified?

• What are my authentication options?• How will authorized changes be verified?• Can I lock changes to a call back number?

• What are my authentication options?• How will authorized changes be verified?• Can I lock changes to a call back number?• Backup plan when primary auth goes FUBAR?

• What are my authentication options?• How will authorized changes be verified?• Can I lock changes to a call back number?• Backup plan when primary auth goes FUBAR?• Can auth be circumvented via API or portal?

Questions?

Chief Technologist

@cvwdyn

Next Webinar: Wed., Nov. 20th

Chief Technologist

@cvwdyn

DNS Security: PCI in The Public Cloud

Intro To DNS Security with Cory Von Wallenstein & Chris Brenton

Technology

Transcript of Intro To DNS Security with Cory Von Wallenstein & Chris Brenton

Woodchippers Forestry Equipment€¦ · Skidloader Log Splitters 814-349-4484 mail@woodwardcrossings.com Wallenstein Logsplitters—Made in North America Wallenstein WX410 & WX430

JOSEF JANÁCEK: WALLENSTEIN ÉS KORA*...JOSEF JANÁCEK: WALLENSTEIN ÉS KORA* Előszó (Prédmluv 7-a 8 pp.) Albert Wallenstein korabelt portréinai alighanek legismertebbikém n az

Brenton Export Diversification Indicators

L IVE ON - Buffalo Arts Studio · 2020. 6. 15. · Fata Haskovic Evan Hawkins. Brenton Heath Sandra Heath. Allan Hebeler Gina Herron. Cory Hill Kathleen Howell. Jayne Hughes Richard

Parts and Service Reference TechBook - Wallenstein Equipment

La muerte de Wallenstein by Friedrich von Schiller - Teatro.pdf

Wallenstein Outdoor Power Equipment

Presentación Brenton Caffin (Nesta, UK)

2014 Product Catalogue - Dealer.com USpictures.dealer.com/ljpattersonsalesampservicedieppetc/...6 Wallenstein 2014 Product Catalogue LOG SPLITTERS WHY WALLENSTEIN? The wide wedge splits

7 BioPolitics Wallenstein (1)

Setting tHe Stage - Red Chair Press_RTscript.pdf · Older Brenton, Brenton Dixon in 1857, age 63; a Mississippi steamboat pilot; narrator of the main story Younger Brenton, age 13

Dyn Roadshow: Cricket Liu & Cory von Wallenstein On Scalability & Availability

Dyn Roadshow: Cory von Wallenstein & Eric Rosenberry talk scalability & availability

Happy 20th birthday brenton

LX100 Boom & Log Grapple Parts Manual - Wallenstein Equipment

Wilkie brenton professional_persona_project

Craftsman Brenton Marketing Brochure · Craftsman Brenton Marketing Brochure Created Date: 12/5/2019 7:52:20 PM ...

Schiller - - Wallenstein

Wallenstein - Schiller

BXT4213 Chipper Parts Manual - Wallenstein Equipment

JOSEF JANÁCEK: WALLENSTEIN ÉS KORA...JOSEF JANÁCEK: WALLENSTEIN ÉS KORA Előszó (Prédmluv 7-a 8 pp.) Albert Wallenstein korabelt portréinai alighanek legismertebbikém n az