Interop - Dyn Inc on DNSSEC for InteropNET
Transcript of Interop - Dyn Inc on DNSSEC for InteropNET

Page 1
Securing InteropNET with DNSSEC
Cory von Wallenstein, VP Engineering – Dyn Inc.
Page 2
Internet Infrastructure as a Service
DynECT Managed DNS & Email Delivery
• DNS is names to numbers: twitter.com -> 199.59.148.82
• 5+ Million active users/clients
• 1000+ Enterprise clients
• 250,000+ Zones managed
• 100,000+ Domains registered
• 17 World-wide datacenters
• Billions of queries per day
• Billions of messages annually
Page 3
(Diagram: User – My Bank)
Insecure HTTP… end user beware!
http – http://www.local.mybank.com
Page 4
(Diagram: User – My Bank)
Add HTTPS… verify domain owner.
https – https://www.local.mybank.com
Is the domain correct?
Page 5
(Diagram: User – My Bank)
But what verifies the IP in DNS?
https – https://www.local.mybank.com
Is the domain correct?
But what about the IP address 1.2.3.4 that www.local.mybank.com resolved to… What verifies that?
www.local.mybank.com A 1.2.3.4
Page 6
Quick DNS Terminology Recap
• Authoritative DNS
– The “authority” for DNS records
– You as a web site owner or operator designate your authoritative DNS servers at your registrar.
– Trusted information. Keys to the kingdom.
• Recursive DNS
– Queries authoritative servers on behalf of clients (performing recursion as necessary) and caches answers for faster future lookups by other clients.
Page 7
DNS Recursion – Query the recursive server
Page 8
DNS Recursion – Recursive server queries root...
Page 9
DNS Recursion – Recursive server queries com
Page 10
DNS Recursion – Recursive server queries mybank.com
Page 11
DNS Recursion – Recursive server queries local.mybank.com
Page 12
DNS Recursion – Recursive server responds to original request
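The walk shown on pages 7 through 12, written out as an added example (not code from the deck or from Dyn): a toy recursive resolver in Go that starts at the root, follows each referral down to local.mybank.com, answers the client, and caches the result so the next client asking for the same name never triggers recursion. The zone data is constructed in memory; the 192.0.2.x nameserver addresses, the `Resolver` and `zone` names and the trace format are assumptions for the example, while the domain names and the 1.2.3.4 answer come from the slides.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// zone is a minimal authoritative zone: the A records it answers directly, and the NS
// delegations (child zone -> address of its server) it refers a resolver to instead.
type zone struct {
	a  map[string]string
	ns map[string]string
}

// Constructed sample data for the deck's example names. The 192.0.2.x addresses are
// documentation-range placeholders for nameservers; 1.2.3.4 is the deck's own example.
var authoritative = map[string]*zone{
	".":                 {ns: map[string]string{"com.": "192.0.2.1"}},
	"com.":              {ns: map[string]string{"mybank.com.": "192.0.2.2"}},
	"mybank.com.":       {ns: map[string]string{"local.mybank.com.": "192.0.2.3"}},
	"local.mybank.com.": {a: map[string]string{"www.local.mybank.com.": "1.2.3.4"}},
}

// Resolver plays the recursive server of pages 7 to 12: it walks the delegation chain on
// the client's behalf and caches the answer so later clients are served without recursion.
type Resolver struct {
	cache map[string]string
	Trace []string // one entry per upstream query or cache hit, for inspection
}

func NewResolver() *Resolver { return &Resolver{cache: map[string]string{}} }

// Resolve returns the A record for qname, starting at the root and following referrals
// until some server answers authoritatively.
func (r *Resolver) Resolve(qname string) (string, error) {
	if !strings.HasSuffix(qname, ".") {
		qname += "."
	}
	if ip, ok := r.cache[qname]; ok {
		r.Trace = append(r.Trace, "cache hit: "+qname+" -> "+ip)
		return ip, nil
	}
	current, server := ".", "root hints" // page 8: the recursive server starts at the root
	for {
		z, ok := authoritative[current]
		if !ok {
			return "", errors.New("no server reachable for " + current)
		}
		r.Trace = append(r.Trace, fmt.Sprintf("query %s at %s (%s)", qname, current, server))
		if ip, ok := z.a[qname]; ok { // authoritative answer: cache it and reply (page 12)
			r.cache[qname] = ip
			return ip, nil
		}
		// Otherwise follow the referral: the longest delegated child that qname falls under.
		next := ""
		for child := range z.ns {
			if strings.HasSuffix(qname, "."+child) && len(child) > len(next) {
				next = child
			}
		}
		if next == "" {
			return "", errors.New("NXDOMAIN: " + qname)
		}
		current, server = next, z.ns[next]
	}
}

func main() {
	r := NewResolver()
	for _, name := range []string{"www.local.mybank.com", "www.local.mybank.com", "www.nosuch.com"} {
		ip, err := r.Resolve(name)
		fmt.Println(name, "->", ip, err)
	}
	fmt.Println(strings.Join(r.Trace, "\n"))
}
```

The first lookup produces four upstream queries (root, com, mybank.com, local.mybank.com), matching pages 8 to 11; the second is a cache hit. That cache is exactly what page 13's "implicit trust in your recursive DNS servers" refers to: whatever lands in it is handed to every later client without further checking.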
Page 13
But I see the lock in the browser window! I see “https” in the URL! Aren’t I safe?
• Partially!
– The domain is verified
– The IP address is not
– Implicit trust in your recursive DNS servers.
• Attack vectors
– Single computer
  • Edit /etc/hosts
– One or more computers
  • Man in the middle attack
– Many, many computers
  • Recursive DNS cache poisoning
Page 14
DNS Cache Poisoning
Page 15
You would be securely connected... but to the wrong computer!
Page 16
Need a way to verify the information in DNS. Enter DNSSEC.
• Recursive resolvers and end users alike can verify the information in DNS.
• Chain of trust.
– I trust the root nameservers.
– The root servers trust .com, and give me the information I need to verify .com hasn’t been tampered with.
– The .com servers trust mybank.com, and give me the information I need to verify mybank.com hasn’t been tampered with…
Page 17
DNSSEC Secured
Page 19
Cisco providing DHCP service through their CNR
Page 20
CNR pushes updates to DynECT show floor hidden master
Page 21
It's good to have redundancy plus redundancy is good to have
Page 22
Sign the update and propagate it to DynECT
Page 23
Need to handle DNS requests too!
Page 24
Handle it by show floor anycast recursive servers.... and here is the complete DNS picture
Page 25
How do you sign a zone?
The BIND way (for each and every zone...)
– Generate the keys using dnssec-keygen twice, once for the ZSK and once for the KSK
– Store the private keys someplace safe (since anyone with the private keys can sign as you)
– Include the correct keys in the zone file
– Actually sign the zone using dnssec-signzone
The DynECT way...
Page 26
Click “Add DNSSEC”, publish to registrar!
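A worked version of the chain of trust from page 16 together with the key-generation, signing and registrar steps from pages 25 and 26, added here as an example and not code from Dyn, BIND or the deck. Each zone gets a KSK and a ZSK (Ed25519, one of the algorithms DNSSEC allows, here through Go's standard library), publishes both as its DNSKEY RRset, signs its records, and its parent publishes a DS digest of the KSK, which is what "publish to registrar" achieves. The validator starts from the root DS as its trust anchor and checks every link down to the A record. The record encoding (`owner|type|data`), the `dsDigest` construction and all type and function names are simplifications assumed for the example; they are not the RFC wire formats.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// rrset: one signed record set. Data is a simplified text form; real DNSSEC signs wire format.
type rrset struct {
	owner, rtype string
	data, sig    []byte
}

func (s rrset) signedBytes() []byte { return []byte(s.owner + "|" + s.rtype + "|" + string(s.data)) }

// zone holds the KSK/ZSK pair from page 25 and the RRsets it has signed, keyed "TYPE/owner".
type zone struct {
	name           string
	ksk, zsk       ed25519.PrivateKey
	kskPub, zskPub ed25519.PublicKey
	sets           map[string]rrset
}

// dsDigest is the simplified DS record a parent publishes: SHA-256 over owner name and KSK.
func dsDigest(owner string, kskPub ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(owner), kskPub...))
	return h[:]
}

func (z *zone) sign(rtype, owner string, data []byte, key ed25519.PrivateKey) {
	s := rrset{owner: owner, rtype: rtype, data: data}
	s.sig = ed25519.Sign(key, s.signedBytes())
	z.sets[rtype+"/"+owner] = s
}

// newZone is "dnssec-keygen twice" plus "include the keys in the zone file", then KSK-signs the DNSKEY RRset.
func newZone(name string) *zone {
	z := &zone{name: name, sets: map[string]rrset{}}
	z.kskPub, z.ksk, _ = ed25519.GenerateKey(rand.Reader)
	z.zskPub, z.zsk, _ = ed25519.GenerateKey(rand.Reader)
	z.sign("DNSKEY", name, append(append([]byte{}, z.kskPub...), z.zskPub...), z.ksk)
	return z
}

// validate is the resolver's side of page 16: from the root trust anchor (the root KSK's DS digest)
// it checks each zone's DNSKEY RRset against its parent's signed DS, then the next DS, then the A record.
func validate(anchor []byte, path []*zone, owner string) (string, error) {
	trustedDS := anchor
	var zskPub ed25519.PublicKey
	for i, z := range path {
		dk := z.sets["DNSKEY/"+z.name]
		if len(dk.data) != 2*ed25519.PublicKeySize || !bytes.Equal(dsDigest(z.name, dk.data[:ed25519.PublicKeySize]), trustedDS) {
			return "", fmt.Errorf("%s: DNSKEY RRset missing, or its KSK does not match the DS the parent published", z.name)
		}
		zskPub = ed25519.PublicKey(dk.data[ed25519.PublicKeySize:])
		if !ed25519.Verify(dk.data[:ed25519.PublicKeySize], dk.signedBytes(), dk.sig) {
			return "", fmt.Errorf("%s: bad RRSIG over DNSKEY RRset", z.name)
		}
		if i+1 < len(path) { // not the leaf yet: verify the DS for the next zone down with this zone's ZSK
			ds := z.sets["DS/"+path[i+1].name]
			if !ed25519.Verify(zskPub, ds.signedBytes(), ds.sig) {
				return "", fmt.Errorf("%s: missing or badly signed DS for %s", z.name, path[i+1].name)
			}
			trustedDS = ds.data
		}
	}
	a := path[len(path)-1].sets["A/"+owner]
	if !ed25519.Verify(zskPub, a.signedBytes(), a.sig) {
		return "", fmt.Errorf("%s: A record missing or altered (RRSIG does not verify)", owner)
	}
	return string(a.data), nil
}

// buildChain builds root -> com -> mybank.com -> local.mybank.com with fresh keys; 1.2.3.4 is the deck's example.
func buildChain() (anchor []byte, path []*zone) {
	path = []*zone{newZone("."), newZone("com."), newZone("mybank.com."), newZone("local.mybank.com.")}
	for i := 0; i+1 < len(path); i++ { // "publish to registrar": each parent signs a DS for its child's KSK
		path[i].sign("DS", path[i+1].name, dsDigest(path[i+1].name, path[i+1].kskPub), path[i].zsk)
	}
	path[3].sign("A", "www.local.mybank.com.", []byte("1.2.3.4"), path[3].zsk) // what dnssec-signzone does
	return dsDigest(".", path[0].kskPub), path
}

// forgeA swaps the A data but keeps the old RRSIG: the altered answer a poisoned cache would serve (page 15).
func forgeA(z *zone, owner, ip string) {
	s := z.sets["A/"+owner]
	s.data = []byte(ip)
	z.sets["A/"+owner] = s
}

func main() {
	anchor, path := buildChain()
	fmt.Println(validate(anchor, path, "www.local.mybank.com."))
	forgeA(path[3], "www.local.mybank.com.", "203.0.113.9") // constructed bogus address
	fmt.Println(validate(anchor, path, "www.local.mybank.com."))
}
```

Two failure modes are worth trying against `validate`: an A record whose data was changed after signing fails at the last RRSIG check, and a zone re-keyed without its parent publishing a new DS fails at the DS comparison. Both are the "securely connected to the wrong computer" outcome of page 15 turned into a validation error instead of a silent success, and the second is also why the page 25 advice to keep private keys somewhere safe matters: a validator only trusts what the chain vouches for.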
Page 27
dnsviz.net
• Great visualization and debugging tool
• Verify chain of trust
• There’s a computer on this network called:
– soloru.ny.enet.interop.net.
Page 28
Get started with DNSSEC.
• Visit our booth - 236
• Reach out
– [email protected]
– @cvonwallenstein
– @DynInc
– Dyn.com