DNS Security Umbrella - DNSSEC
Presenter: 劉旭哲
Background
• At the 2008 hacker conference, Dan Kaminsky disclosed a serious flaw that makes "DNS cache poisoning" practical
• The rise of cloud computing, which makes correct name resolution even more critical
[Figure: Normal DNS resolution. Actors: User, Local DNS (with a cache), Master DNS, Website]
• User -> Local DNS: Query: A.com = ?
• Local DNS: "Found it in my cache" -> Res: A.com = 1.1.1.1; the User connects to the website at 1.1.1.1
• User -> Local DNS: Query: B.com = ?
• Local DNS: "Not found in my cache" -> Master DNS: Query: B.com = ?
• Master DNS -> Local DNS: Res: B.com = 2.2.2.2; the Local DNS updates its cache (A.com 1.1.1.1, B.com 2.2.2.2)
• Local DNS -> User: Res: B.com = 2.2.2.2; the User connects
DNS Cache Poisoning
[Figure: DNS cache poisoning. Actors: User, Local DNS (with a cache), Master DNS, Hacker (running a fake C.com), Website]
• User -> Local DNS: Query: C.com = ?
• Local DNS -> Master DNS: Query: C.com = ? ("When I'm looking for it...")
• Hacker -> Local DNS: forged Res: C.com = 4.4.4.4, arriving before the genuine answer; the Local DNS updates its cache (A.com 1.1.1.1, C.com 4.4.4.4)
• Master DNS -> Local DNS: Res: C.com = 3.3.3.3 ("When I found it..."): too late, "no use", the genuine answer is discarded
• Local DNS -> User: Res: C.com = 4.4.4.4; this user will connect to the fake C.com
• Hacker: "If I look the same as the original C.com, it's easy to get info about the user"
Why is DNSSEC needed?
• From VeriSign's "Domain Name Industry Brief" for the second quarter of 2010
– The total number of .com and .net domains passed 100 million, up 2% from the first quarter
– VeriSign's DNS handled 62.5 billion queries per day on average, peaking at 83.6 billion per day, both more than 15% higher than before
• A Forrester survey of 297 IT decision makers found
– 51% had experienced DNS-related attacks
– 38% had suffered man-in-the-middle attacks
DNS Security Extensions
• DNSSEC = DNS + digital signatures: a resolver can check that an answer really came from the zone's owner and was not altered in transit (authenticity and integrity; DNSSEC does not encrypt queries or answers)
• RFC 4034 & RFC 4035
• Four new resource record types
– DNS Public Key (DNSKEY)
– Resource Record Signature (RRSIG)
– Next Secure (NSEC)
– Delegation Signer (DS) - needed only where a zone delegates to a signed child
DNS Public Key (DNSKEY)
• Where a zone publishes its public key
• For example:
• example.com. 86400 IN DNSKEY 256 3 5 ( AQP…………….== )
• Field by field: owner name, TTL, class, RR type, Flags, Protocol, Algorithm, (public key in Base64)
– Flags: 256 = Zone Key (a zone-signing key); 257 = Zone Key + Secure Entry Point (a key-signing key)
– Protocol: fixed at 3
– Algorithm: 5 = RSA/SHA-1 (current deployments prefer RSA/SHA-256 or ECDSA)
Resource Record Signature (RRSIG)
• The digital signature over one RRset, made with the zone's private key
• host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 ( 20030220173103 2642 example.com. oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTrPYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3tGNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkGJ5D6fwFm8nN+6pBzeDQfsS3Ap3o= )
• Fields after the RR type:
– Type covered (A) and Algorithm (5, the same number as in the DNSKEY)
– Labels (3: the number of labels in the owner name; the root is 0; fewer labels than the owner name means the answer was synthesised from a wildcard)
– Original TTL (86400)
– Signature expiration and signature inception (YYYYMMDDHHmmSS in UTC); the signature is only valid in between
– Key Tag (2642): picks the matching DNSKEY out of the zone's key set
– Signer's name (example.com.)
– The signature itself, Base64 encoded
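Two checks a validator makes on an RRSIG before it touches any public-key arithmetic, as an added example (not code from the slides): parsing the presentation format, the validity window with the serial-number comparison the RFCs require, and the labels test for wildcard expansion. It uses the RRSIG shown above (the RFC 4034 sample record). The signature bytes are kept as Base64 text and not verified; that step needs the matching DNSKEY and an RSA library, which is outside this example.

```python
"""RRSIG parsing, validity window (RFC 4035 s.5.3.1) and wildcard check (s.5.3.4)."""
import calendar
from datetime import datetime

SERIAL_BITS = 32    # RRSIG timestamps are 32-bit, so they are compared as RFC 1982 serial numbers


def rrsig_time(field):
    """YYYYMMDDHHmmSS in UTC (RFC 4034 s.3.2) -> seconds since the epoch."""
    return calendar.timegm(datetime.strptime(field, "%Y%m%d%H%M%S").timetuple())


def parse_rrsig(text):
    """Presentation format -> dict; parentheses are ignored and the signature stays Base64 text."""
    tokens = text.replace("(", " ").replace(")", " ").split()
    if tokens[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {
        "owner": tokens[0],
        "ttl": int(tokens[1]),
        "type_covered": tokens[4],
        "algorithm": int(tokens[5]),
        "labels": int(tokens[6]),           # label count of the original owner name; root = 0
        "original_ttl": int(tokens[7]),
        "expiration": rrsig_time(tokens[8]),
        "inception": rrsig_time(tokens[9]),
        "key_tag": int(tokens[10]),
        "signer": tokens[11],
        "signature_b64": "".join(tokens[12:]),
    }


def serial_lt(a, b):
    """RFC 1982: a < b in 32-bit serial arithmetic (the timestamp space wraps in 2106)."""
    d = (b - a) % (1 << SERIAL_BITS)
    return 0 < d < (1 << (SERIAL_BITS - 1))


def within_validity(sig, now):
    """inception <= now <= expiration, all three compared as serial numbers."""
    mask = (1 << SERIAL_BITS) - 1
    inc, exp, now = sig["inception"] & mask, sig["expiration"] & mask, now & mask
    return not serial_lt(now, inc) and not serial_lt(exp, now)


def label_count(name):
    return len([l for l in name.rstrip(".").split(".") if l])


def is_wildcard_expansion(sig, rrset_owner):
    """Fewer labels in the RRSIG than in the RRset owner name: the RRset came from a wildcard."""
    return sig["labels"] < label_count(rrset_owner)


# The RRSIG shown on the slide (RFC 4034 sample), with its Base64 joined onto one line.
SAMPLE = ("host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 ( "
          "20030220173103 2642 example.com. "
          "oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTrPYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o9wfuh3DT"
          "JXUAfI/M0zmO/zz8bW0Rznl8O3tGNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkGJ5D6fwFm8nN+6pBz"
          "eDQfsS3Ap3o= )")

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE)
    for when in ("20030301120000", "20030401120000"):
        print(when, "valid" if within_validity(sig, rrsig_time(when)) else "outside window")
    print("wildcard expansion?", is_wildcard_expansion(sig, "host.example.com."))
```

A resolver with a badly skewed clock fails both tests in the window check, which is the most common reason a correctly signed zone validates as "bogus" in practice.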
Next Secure (NSEC)
• Proves that a name or type does not exist: each NSEC names the next owner name in the zone's canonical order and lists the RR types present at its own name, so a signed NSEC whose owner and next name straddle the queried name proves there is nothing in between
• The records form a chain over the whole zone; the last NSEC has no next name of its own, so it points back to the first name (the zone apex) and closes the chain
• alfa.example.com. 86400 IN NSEC host.example.com. ( A MX RRSIG NSEC TYPE1234 )
• Because every NSEC reveals the next name, the chain can be walked to enumerate the whole zone; NSEC3 (RFC 5155) was introduced later to hash the names
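How a validator reads an NSEC chain, as an added example that is not from the slides: the canonical name ordering of RFC 4034 section 6.1, the "covering" test including the wrap-around to the apex described above, and the classification of a denial per RFC 4035 section 5.4, including the extra proof that no wildcard would have answered. The three-record zone is constructed around the names in the slide's NSEC record (example.com., alfa.example.com., host.example.com.); signatures are assumed to have been checked already.

```python
"""Walk an NSEC chain and decide what a denial-of-existence answer actually proves."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str          # the name this record belongs to
    next_name: str      # "Next Domain Name": the following owner name in canonical order
    types: frozenset    # type bitmap: RR types present at `owner`


def canonical_key(name):
    """RFC 4034 s.6.1 ordering: labels compared right to left, case-insensitively,
    so a parent sorts before its children and "*" (0x2A) before letters."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))


def in_zone(name, apex):
    a = canonical_key(apex)
    return canonical_key(name)[:len(a)] == a


def covers(rec, qname, apex):
    """True if `qname` falls strictly between owner and next name. The last record's
    next name is the zone apex, so it wraps and covers everything after its owner."""
    o, n, q = canonical_key(rec.owner), canonical_key(rec.next_name), canonical_key(qname)
    if n == canonical_key(apex):
        return o < q
    return o < q < n


def closest_encloser(existing, qname):
    """Longest name shared by an existing name and qname: the deepest ancestor of qname that exists."""
    common = []
    for a, b in zip(canonical_key(existing), canonical_key(qname)):
        if a != b:
            break
        common.append(a.decode("ascii"))
    return ".".join(reversed(common)) + "."


def deny(chain, qname, qtype, apex):
    """Classify what the chain says about (qname, qtype):
    EXISTS   - name and type exist, so a denial would be forged
    NODATA   - the name exists but has no RRset of that type
    WILDCARD - the name does not exist but a wildcard would answer for it
    NXDOMAIN - the name does not exist and no wildcard applies
    BOGUS    - the chain proves nothing about this name"""
    if not in_zone(qname, apex):
        return "BOGUS"                        # this zone cannot speak for that name
    q = canonical_key(qname)
    for rec in chain:
        if canonical_key(rec.owner) == q:
            return "EXISTS" if qtype in rec.types else "NODATA"
    covering = next((r for r in chain if covers(r, qname, apex)), None)
    if covering is None:
        return "BOGUS"
    wildcard = "*." + closest_encloser(covering.owner, qname)
    if any(canonical_key(r.owner) == canonical_key(wildcard) for r in chain):
        return "WILDCARD"
    if not any(covers(r, wildcard, apex) for r in chain):
        return "BOGUS"                        # absence of the wildcard is not proven either
    return "NXDOMAIN"


APEX = "example.com."
# Constructed chain: apex -> alfa -> host -> back to the apex.
CHAIN = (
    NSEC("example.com.", "alfa.example.com.", frozenset({"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"})),
    NSEC("alfa.example.com.", "host.example.com.", frozenset({"A", "MX", "RRSIG", "NSEC", "TYPE1234"})),
    NSEC("host.example.com.", "example.com.", frozenset({"A", "RRSIG", "NSEC"})),
)

if __name__ == "__main__":
    for name, qtype in (("bravo.example.com.", "A"), ("zulu.example.com.", "A"),
                        ("alfa.example.com.", "AAAA"), ("ALFA.example.com.", "MX")):
        print(f"{name} {qtype}: {deny(CHAIN, name, qtype, APEX)}")
```

The wildcard step is the one most often forgotten in hand-rolled validators: an NXDOMAIN with a covering NSEC for the name alone is not a complete proof, because `*.example.com.` might exist and would have answered.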
Delegation Signer (DS)
• Makes sure the resolver gets the right public key for a child zone
• The parent zone publishes, and signs with its own key, a hash of the child's DNSKEY; following DS records downward from the root gives the chain of trust
• dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQO……….== ) ; key id = 60485
• dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A 98631FAD1A292118 )
• DS fields: Key Tag (60485, the same key id as the DNSKEY it refers to), Algorithm (5), Digest Type (1 = SHA-1), Digest; SHA-256 (type 2) is what should be published today, SHA-1 digests are no longer recommended
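The arithmetic behind the two numbers in the DS record above, as an added example (not code from the slides): the key tag of RFC 4034 Appendix B, the DS digest of RFC 4034 section 5.1.4 over the canonical owner name plus DNSKEY RDATA, and the field-by-field comparison a validator makes between the parent's DS and the child's DNSKEY. The slide's key material is elided ("AQO…"), so TOY_DNSKEY below is a constructed, cryptographically meaningless key whose bytes are chosen to be easy to work by hand; it is not the key that produces key id 60485. The slide's DS line is parsed as-is for comparison. The digest-type table covers SHA-1 and SHA-256 only.

```python
"""DNSKEY key tag, DS digest, and DS-vs-DNSKEY matching."""
import base64
import hashlib

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types 1 (SHA-1) and 2 (SHA-256, RFC 4509)
FLAG_ZONE_KEY, FLAG_SEP = 0x0100, 0x0001         # 256 = zone key, 257 = zone key + SEP (a KSK)


def name_to_wire(name):
    """Canonical wire form: lowercase labels, each length-prefixed, terminated by the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _tokens(text):
    """Split presentation format, dropping a trailing ';' comment and parentheses."""
    return text.split(";")[0].replace("(", " ").replace(")", " ").split()


def parse_dnskey(text):
    t = _tokens(text)
    if t[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    flags, protocol, algorithm = int(t[4]), int(t[5]), int(t[6])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 s.2.1.2)")
    pubkey = base64.b64decode("".join(t[7:]))
    return {
        "owner": t[0], "flags": flags, "algorithm": algorithm,
        "is_zone_key": bool(flags & FLAG_ZONE_KEY),
        "is_ksk": bool(flags & FLAG_SEP),
        "rdata": flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey,
    }


def key_tag(rdata):
    """RFC 4034 Appendix B.1: 16-bit big-endian word sum over the RDATA, carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(key, digest_type=2):
    """DS digest = hash(canonical owner name | DNSKEY RDATA)."""
    h = DIGEST[digest_type](name_to_wire(key["owner"]) + key["rdata"]).hexdigest().upper()
    return {"owner": key["owner"].lower(), "key_tag": key_tag(key["rdata"]),
            "algorithm": key["algorithm"], "digest_type": digest_type, "digest": h}


def parse_ds(text):
    t = _tokens(text)
    if t[3] != "DS":
        raise ValueError("not a DS record")
    return {"owner": t[0].lower(), "key_tag": int(t[4]), "algorithm": int(t[5]),
            "digest_type": int(t[6]), "digest": "".join(t[7:]).upper()}


def ds_matches(ds, key):
    """Validator view: the parent's DS vouches for this DNSKEY only if every field agrees."""
    if ds["digest_type"] not in DIGEST:
        return False                                   # unsupported digest type: cannot validate
    expected = make_ds(key, ds["digest_type"])
    return all(expected[f] == ds[f] for f in ("owner", "key_tag", "algorithm", "digest"))


# Constructed toy key: flags 256, protocol 3, algorithm 5, "public key" bytes 01 03 AB CD.
TOY_DNSKEY = "dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOrzQ== ) ; toy key, not a real RSA key"
# The DS line from the slide, parsed for comparison only (its DNSKEY is not on the page).
SLIDE_DS = "dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A 98631FAD1A292118 )"

if __name__ == "__main__":
    key = parse_dnskey(TOY_DNSKEY)
    for dt in (1, 2):
        ds = make_ds(key, dt)
        print(f"{ds['owner']} 86400 IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("slide's DS matches the toy key?", ds_matches(parse_ds(SLIDE_DS), key))
```

The key tag is only a hint for picking a key out of a DNSKEY RRset (collisions are legal), so a validator must still compare the digest; flipping one byte of the toy key changes both.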
Current status
• VeriSign, together with the US Department of Commerce and ICANN, has deployed DNSSEC in the root zone
• Deployment in .net is expected to be completed by the end of 2010
• DNSSEC in .com is planned for the first quarter of 2011
References
• http://tech.hexun.com.tw/2010-09-27/125010169.html
• http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
• http://www.informationsecurity.com.tw/article/article_detail.aspx?tv=13&aid=5886
• http://phorum.study-area.org/index.php?topic=60268.0
• http://www.ietf.org/rfc/rfc4035.txt
• http://www.ietf.org/rfc/rfc4034.txt