18 September 2017 - ION Malta
DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the reasons for deploying DNSSEC, examine some of the challenges operators have faced, and address those challenges and move deployment forward.
3. | 3
The Domain Name System: DNS
• DNS converts names (www.bov.com) to numbers (80.85.110.233)
• ..to identify services such as www and e-mail
• ..that identify and link customers to business and vice versa
5. | 5
Domains registered by criminals for
• Counterfeit goods
• Data exfiltration
• Exploit attacks
• Illegal pharma
• Infrastructure (ecrime name resolution)
• Malware C&C
• Malware distribution, ransomware
• Phishing, Business Email Compromise
• Scams (419, reshipping, stranded traveler…)
..and used for all sorts of purposes
Not all good
6. | 6
E.g, DNSChanger - ‘Biggest Cybercriminal Takedown in
History’ – 4M machines, 100 countries
Nov 2011 http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/
End-2-end DNSSEC validation would have avoided the problems
8. | 8
Other DNS hijacks*
*A Brief History of DNS Hijacking - Google
http://costarica43.icann.org/meetings/sanjose2012/presentation-dns-hijackings-marquis-boire-12mar12-en.pdf
• 25 Dec 2010 - Russian e-Payment Giant ChronoPay Hacked
• 18 Dec 2009 – Twitter – “Iranian cyber army”
• 13 Aug 2010 - Chinese gmail phishing attack
• 25 Dec 2010 Tunisia DNS Hijack
• 2009-2012 google.*
– April 28 2009 Google Puerto Rico sites redirected in DNS attack
– May 9 2009 Morocco temporarily seize Google domain name
• 9 Sep 2011 - Diginotar certificate compromise for Iranian users
• SSL / TLS doesn't tell you if you've been sent to the correct site, it only tells you if the DNS matches the name in the certificate. Unfortunately, the majority of Web site certificates rely on DNS to validate identity.
• DNS is relied on for unexpected things, though it is insecure.
9. | 9
Oops - 2008@DEFCON (Dan Kaminsky + Press)
• Dan exploits flaw in the DNS @DEFCON
• CPU and bandwidth advances made legacy DNS vulnerable to MITM attacks
• Lots of press! Barriers to deployment of DNSSEC seem to disappear.
https://en.wikipedia.org/wiki/Dan_Kaminsky
https://blog.cloudflare.com/dnssec-an-introduction/
10. | 10
Secure the DNS?
DNS Security Extensions - DNSSEC
To make sure everyone gets what they asked for from the Internet’s phonebook
• A humble bottom-up effort by techies that is now on 90% of the Internet’s core infrastructure.
• Encouraged by many governments
• Required by ICANN
11. | 11
The Internet’s Phone Book - Domain Name System (DNS)
[Diagram: a customer of the ISP asks the ISP’s DNS resolver “www.majorbank.se=?”; the resolver walks the DNS hierarchy (root → se → majorbank.se, with com and pl shown as sibling TLDs) and answers www.majorbank.se = 1.2.3.4; the browser then fetches the login page from Majorbank’s webserver at 1.2.3.4, sends username/password and receives account data.]
12. | 12
Caching Responses for Efficiency
[Diagram: the same exchange, but the resolver answers later “www.majorbank.se=?” queries for www @ 1.2.3.4 from its cache instead of asking the DNS server again; the customer still reaches the real webserver at 1.2.3.4, logs in and receives account data.]
13. | 13
The Problem: DNS Cache Poisoning Attack
[Diagram: the attacker gets the answer www.majorbank.se = 5.6.7.8 into the ISP resolver’s cache in place of the legitimate 1.2.3.4; the customer’s browser fetches a look-alike login page from the attacker’s webserver at 5.6.7.8, submits username/password, receives an “Error”, and the credentials land in the attacker’s password database.]
14. | 14
Argghh! Now all ISP customers get sent to attacker.
[Diagram: with the poisoned entry www.majorbank.se = 5.6.7.8 in the shared cache, every ISP customer who resolves www.majorbank.se is sent to the attacker’s webserver and login page, and their passwords are collected in the attacker’s password database.]
15. | 15
Securing The Phone Book
DNS Security Extensions (DNSSEC)
[Diagram: the ISP’s DNS resolver and Majorbank’s DNS server both run DNSSEC; the resolver validates the answer www.majorbank.se = 1.2.3.4 and caches it, while the attacker’s injected record www.majorbank.se = 5.6.7.8 fails validation (“Attacker’s record does not validate – drop it”), so the customer reaches the real webserver at 1.2.3.4 and receives account data.]
16. | 16
Resolver only caches validated records
[Diagram: the DNSSEC-validating resolver serves www.majorbank.se = 1.2.3.4 from its cache to later queries; only records that validated are cached, so customers keep reaching the real login page at 1.2.3.4.]
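The poisoning and validation flow on slides 13 to 16, as an added Go example that is not from the presentation or from ICANN. It models the resolver cache in a deliberately simplified way: an Ed25519 signature over a canonical form of the RRset stands in for the RRSIG and DNSKEY records, the zone’s public key installed in the resolver stands in for the chain of trust from the signed root, and the names and addresses (www.majorbank.se, 1.2.3.4, 5.6.7.8) are the slides’ own. DNSSEC wire formats, chains of trust, TTL expiry and NSEC denial of existence are not reproduced; the point shown is that a resolver with a trust anchor drops the forged answer and caches only what verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified DNS resource record set: one owner name, one record
// type, a TTL and the rdata values (for type A, the addresses as strings).
type RRset struct {
	Name  string
	Type  string
	TTL   uint32
	Rdata []string
}

// SignedRRset pairs an RRset with a signature over it, standing in for the
// RRSIG record that DNSSEC publishes next to every authoritative RRset.
type SignedRRset struct {
	RRset
	Sig []byte
}

// canonical serializes an RRset in the one form signer and validator must
// agree on: lower-cased owner name, type, TTL and the rdata in sorted order.
func canonical(rr RRset) []byte {
	rdata := append([]string(nil), rr.Rdata...)
	sort.Strings(rdata)
	return []byte(fmt.Sprintf("%s|%s|%d|%s",
		strings.ToLower(rr.Name), rr.Type, rr.TTL, strings.Join(rdata, ",")))
}

// Sign is the zone operator's step, done offline with the zone's private key.
func Sign(rr RRset, priv ed25519.PrivateKey) SignedRRset {
	return SignedRRset{RRset: rr, Sig: ed25519.Sign(priv, canonical(rr))}
}

// Resolver is a caching resolver. With a trust anchor (the zone's public key)
// it validates every answer before caching it, as on slides 15 and 16; with
// Anchor == nil it behaves like the legacy resolver on slides 13 and 14 and
// caches whatever answer arrives first.
type Resolver struct {
	Anchor  ed25519.PublicKey
	cache   map[string]RRset
	Dropped int // answers rejected by validation; worth exporting as a metric
}

func NewResolver(anchor ed25519.PublicKey) *Resolver {
	return &Resolver{Anchor: anchor, cache: map[string]RRset{}}
}

func cacheKey(name, typ string) string { return strings.ToLower(name) + "/" + typ }

// Accept processes one answer and reports whether it entered the cache.
func (r *Resolver) Accept(ans SignedRRset) bool {
	if r.Anchor != nil && !ed25519.Verify(r.Anchor, canonical(ans.RRset), ans.Sig) {
		r.Dropped++ // "Attacker's record does not validate - drop it"
		return false
	}
	key := cacheKey(ans.Name, ans.Type)
	if _, seen := r.cache[key]; seen {
		return false // already cached; later answers are ignored until the TTL expires
	}
	r.cache[key] = ans.RRset
	return true
}

// Lookup is what every customer of the ISP gets served from the cache.
func (r *Resolver) Lookup(name, typ string) ([]string, bool) {
	rr, ok := r.cache[cacheKey(name, typ)]
	if !ok {
		return nil, false
	}
	return rr.Rdata, true
}

// Scenario replays the slides: a forged answer reaches the resolver before the
// genuine one. It returns what a legacy and a validating resolver then serve.
func Scenario() (legacy, validating []string, dropped int) {
	zoneKey, zonePriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Sign(RRset{Name: "www.majorbank.se", Type: "A", TTL: 300,
		Rdata: []string{"1.2.3.4"}}, zonePriv)

	// The attacker does not hold the zone's private key, so the forged record
	// can only carry a signature from some other key (or none at all).
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Sign(RRset{Name: "www.majorbank.se", Type: "A", TTL: 300,
		Rdata: []string{"5.6.7.8"}}, attackerPriv)

	old := NewResolver(nil)
	old.Accept(forged)
	old.Accept(genuine)
	legacy, _ = old.Lookup("www.majorbank.se", "A")

	v := NewResolver(zoneKey)
	v.Accept(forged)
	v.Accept(genuine)
	validating, _ = v.Lookup("www.majorbank.se", "A")
	return legacy, validating, v.Dropped
}

func main() {
	legacy, validating, dropped := Scenario()
	fmt.Println("legacy resolver serves:    ", legacy)
	fmt.Println("validating resolver serves:", validating, "(dropped", dropped, "bogus answer)")
}
```

The legacy resolver ends up serving 5.6.7.8 to every customer until the entry expires, which is slide 14; the validating resolver serves 1.2.3.4 and counts one dropped answer, which is slide 15. A real deployment replaces the single zone key with the trust anchor for the root (the page links https://data.iana.org/root-anchors) and lets the resolver build the chain from there.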
18. | 18
Securing it
• DNS converts names (www.bncr.fi.cr) to numbers (201.220.29.26)
• Make sure we get the right numbers (DNSSEC)
• Verify the identity and encrypt data
19. | 19
DNSSEC interest from governments
• Sweden, Brazil, Netherlands, Czech Republic and others encourage DNSSEC deployment to varying degrees
• Mar 2012 - AT&T, CenturyLink (Qwest), Comcast, Cox, Sprint, TimeWarner Cable, and Verizon have pledged to comply and abide by US FCC [1] recommendations that include DNSSEC. “A report by Gartner found 3.6 million Americans getting redirected to bogus websites in a single year, costing them $3.2 billion.” [2]
• 2008 US .gov mandate. 85% operational. [3]
[1] FCC = Federal Communications Commission (the US communications ministry)
[2] http://securitywatch.pcmag.com/security/295722-isps-agree-to-fcc-rules-on-anti-botnet-dnssec-internet-routing
[3] http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2008/m08-23.pdf
http://fedv6-deployment.antd.nist.gov/snap-all.html
20. | 20
[Chart: DNSSEC validation statistics (NL)]
Thank you Geoff Huston
https://stats.labs.apnic.net/dnssec
https://rick.eng.br/dnssecstat/
22. | 22
DNSSEC - Where we are
• Deployed on 1397/1545 TLDs (1 Sep 2017: .pl .ax .sa .vn .cn .jp .nz .la .mm .th .in .id .tw .au .sg .lk .se .de .ru .рф .com .uk .nl .fr .us .my مليسيا .asia .tw 台灣, .kr 한국 .net, .org, .post, +ntlds, .ibm .berlin)
• Root signed** and audited
• 90% of domain names could have DNSSEC
• Required in new gTLDs. Basic support by ICANN registrars
• Growing ISP support* - ~15% end users “validate”.
• 3rd party signing solutions***
• Growing S/W H/W support: BIND, NSD, KNOT, Microsoft DNS, PowerDNS, InfoBlox, Nominum, Secure64…openssl, postfix, XMPP, mozilla: DANE support
• IETF standard on DNSSEC TLS certificates (RFC6698, RFC8162) and others
• Growing support from major players…(Apple iPhone/iPad, Google 8.8.8.8, hosting co Cloudflare DNSSEC by default, German email providers…)
* COMCAST /w 20M and others; most ISPs in SE, CZ.
** Int’l bottom-up trust model /w 21 TCRs from: TT, BF, RU, CN, US, SE, NL, UG, BR, Benin, PT, NP, Mauritius, CZ, CA, JP, UK, NZ…
Stats: https://rick.eng.br/dnssecstat/
23. | 23
But…
• But deployed on only ~3% of 2nd level domains. Many have plans. Few have taken the step (e.g., yandex.com, paypal.com*, comcast.com).
• DNSChanger and other attacks highlight today’s need. (e.g., end-2-end DNSSEC validation would have avoided the problems)
• Innovative security solutions (e.g., DANE) highlight tomorrow’s value.
* http://fedv6-deployment.antd.nist.gov/cgi-bin/generate-com
http://www.thesecuritypractice.com/the_security_practice/2011/12/all-paypal-domains-are-now-using-dnssec.html
http://www.nacion.com/2012-03-15/Tecnologia/Sitios-web-de-bancos-ticos-podran-ser-mas-seguros.aspx
24. | 24
DNSSEC: So what’s the problem?
• Not enough IT departments know about it or are too busy putting out other security fires.
• When they do look into it they hear old stories of FUD and lack of turnkey solutions; some CDN and resolver architectures break DNSSEC.
• Registrars*/DNS providers see no demand, leading to “chicken-and-egg” problems.
*but required by new ICANN registrar agreement
25. | 25
What you can do
• For Companies:
– Sign your corporate domain names
– Just turn on validation on corporate DNS resolvers
• For Users:
– Ask ISP to turn on validation on their DNS resolvers
• For All:
– Take advantage of ICANN, ISOC and other organizations offering DNSSEC education and training
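Slide 25 says to turn validation on at the corporate resolvers, slide 22 notes that only ~15% of end users sit behind a resolver that validates, and the speaker notes mention plug-ins and tools for testing this. The added Go example below is not from the presentation or from ICANN; it is one way to check which side of that line a resolver is on. It builds a DNS query with the EDNS0 DO bit set, decodes the flags of the response, and reads the AD bit that a validating resolver sets on an authenticated answer (RFC 4035). The three sample response headers are constructed for the example; Probe, the 3-second timeout and the resolver address in its comment are assumptions for live use and are not exercised offline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// Flags holds the DNS header bits a validation check cares about.
type Flags struct {
	Response bool  // QR: this is a response
	RA       bool  // recursion available
	AD       bool  // authenticated data: the resolver validated the answer (RFC 4035 section 3.2.3)
	CD       bool  // checking disabled: the client asked the resolver not to validate
	Rcode    uint8 // 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, ...
}

// BuildQuery encodes a recursive query for name/qtype plus an EDNS0 OPT record
// with the DO bit set; that is what makes a validating resolver return DNSSEC
// data and report AD for a signed name.
func BuildQuery(id uint16, name string, qtype uint16) ([]byte, error) {
	// Header: ID, flags RD=1, QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 1 (the OPT record).
	msg := []byte{byte(id >> 8), byte(id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 1}
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("invalid label %q in %q", label, name)
		}
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0, byte(qtype>>8), byte(qtype), 0, 1) // root label, QTYPE, QCLASS IN
	// OPT pseudo-RR (RFC 6891): empty name, type 41, UDP payload size 4096,
	// extended RCODE 0, EDNS version 0, flags 0x8000 (DO bit set), RDLEN 0.
	msg = append(msg, 0, 0, 41, 0x10, 0x00, 0, 0, 0x80, 0x00, 0, 0)
	return msg, nil
}

// ParseFlags decodes the header flags of a DNS message.
func ParseFlags(msg []byte) (Flags, error) {
	if len(msg) < 12 {
		return Flags{}, errors.New("message shorter than the 12-byte DNS header")
	}
	f := binary.BigEndian.Uint16(msg[2:4])
	return Flags{Response: f&0x8000 != 0, RA: f&0x0080 != 0,
		AD: f&0x0020 != 0, CD: f&0x0010 != 0, Rcode: uint8(f & 0x000F)}, nil
}

// Verdict interprets the flags of a response for a name known to be signed.
func Verdict(f Flags) string {
	switch {
	case !f.Response:
		return "not a response"
	case f.AD:
		return "validated: AD set, the resolver authenticated the answer"
	case f.Rcode == 2:
		return "SERVFAIL: what a validating resolver returns for a bogus answer; re-query with CD=1 to tell validation failure from an outage"
	default:
		return "not validated: no AD bit, so the resolver does not validate (or the name is not signed)"
	}
}

// Constructed sample response headers (ParseFlags needs nothing beyond 12 bytes):
// 0x81A0 = QR|RD|RA|AD, 0x8180 = QR|RD|RA, 0x8182 = QR|RD|RA with RCODE 2.
var (
	SampleValidated   = []byte{0x12, 0x34, 0x81, 0xA0, 0, 1, 0, 1, 0, 0, 0, 1}
	SampleUnvalidated = []byte{0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 1}
	SampleServfail    = []byte{0x12, 0x34, 0x81, 0x82, 0, 1, 0, 0, 0, 0, 0, 1}
)

// Probe sends the query to a live resolver over UDP (assumed address such as
// "8.8.8.8:53") and returns the response flags. Not run offline.
func Probe(resolver, name string) (Flags, error) {
	q, err := BuildQuery(0x1234, name, 1) // qtype 1 = A
	if err != nil {
		return Flags{}, err
	}
	conn, err := net.DialTimeout("udp", resolver, 3*time.Second)
	if err != nil {
		return Flags{}, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(3 * time.Second))
	if _, err = conn.Write(q); err != nil {
		return Flags{}, err
	}
	buf := make([]byte, 4096)
	n, err := conn.Read(buf)
	if err != nil {
		return Flags{}, err
	}
	return ParseFlags(buf[:n])
}

func main() {
	for _, s := range [][]byte{SampleValidated, SampleUnvalidated, SampleServfail} {
		f, _ := ParseFlags(s)
		fmt.Printf("AD=%v RCODE=%d -> %s\n", f.AD, f.Rcode, Verdict(f))
	}
}
```

Run it against a name you know is signed (the presentation lists paypal.com and comcast.com among the signed 2nd-level domains): AD set means the resolver validates; no AD on a signed name means it does not. A SERVFAIL on a deliberately broken test name with a NOERROR on the same name when CD=1 is the usual confirmation that validation, not an outage, produced the failure.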
26. | 26
DNSSEC: A Global Platform for Innovation
or..
I* $mell opportunity !
27. | 27
Game changing Internet Core Infrastructure Upgrade
• “More has happened here today than meets the eye. An infrastructure has been created for a hierarchical security system, which can be purposed and re‐purposed in a number of different ways. ..” – Vint Cerf (June 2010)
28. | 28
Business Reasons for DNSSEC
• TRUST – You can be sure customers are reaching your sites – and that you are communicating with their servers
• SECURITY – You can be sure you are communicating with the correct sites and not sharing business information with attackers
• INNOVATION – Services such as DANE built on top of DNSSEC enable innovative uses
• CONFIDENTIALITY – DANE removes barriers to mass encryption for applications and services across the Internet
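DANE, named on slides 22, 23 and 28 as the innovation built on top of DNSSEC (RFC 6698), ties a TLS certificate to a TLSA record in the signed zone, which is what lets it remove the dependence on CAs that the speaker notes complain about. The added Go example below is not from the presentation or from ICANN. It computes the certificate association data for the selector and matching-type values the RFC defines, derives the record a domain owner would publish, and performs the client-side match for usage 3 (DANE-EE). The self-signed certificate and the owner name _443._tcp.www.majorbank.se are constructed for the example; that the TLSA record reached the client through a DNSSEC-validated lookup is assumed and not shown, and the PKIX chain checks that usages 0 to 2 additionally require are out of scope here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA mirrors the rdata of a TLSA record (RFC 6698 section 2.1).
type TLSA struct {
	Usage    uint8  // 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
	Selector uint8  // 0 full certificate, 1 SubjectPublicKeyInfo
	Matching uint8  // 0 exact, 1 SHA-256, 2 SHA-512
	Data     []byte // certificate association data
}

// String renders the record in presentation format, e.g. "3 1 1 <hex>".
func (r TLSA) String() string {
	return fmt.Sprintf("%d %d %d %x", r.Usage, r.Selector, r.Matching, r.Data)
}

// Association computes the certificate association data for a certificate.
func Association(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var subject []byte
	switch selector {
	case 0:
		subject = cert.Raw // the whole DER certificate
	case 1:
		subject = cert.RawSubjectPublicKeyInfo // survives certificate renewal with the same key
	default:
		return nil, fmt.Errorf("unknown selector %d", selector)
	}
	switch matching {
	case 0:
		return subject, nil
	case 1:
		h := sha256.Sum256(subject)
		return h[:], nil
	case 2:
		h := sha512.Sum512(subject)
		return h[:], nil
	}
	return nil, fmt.Errorf("unknown matching type %d", matching)
}

// Publish is the domain owner's side: derive the record to place in the signed
// zone, e.g. at _443._tcp.www.majorbank.se (constructed name).
func Publish(cert *x509.Certificate, usage, selector, matching uint8) (TLSA, error) {
	data, err := Association(cert, selector, matching)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: usage, Selector: selector, Matching: matching, Data: data}, nil
}

// Matches is the client's side for usage 3 (DANE-EE): the certificate presented
// in the TLS handshake must match the TLSA record obtained by a DNSSEC-validated
// lookup. Usages 0-2 additionally require PKIX or trust-anchor chain checks.
func Matches(rec TLSA, presented *x509.Certificate) (bool, error) {
	got, err := Association(presented, rec.Selector, rec.Matching)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, rec.Data), nil
}

// SelfSigned makes a throwaway certificate: constructed sample data standing in
// for the certificate a real server presents in its handshake.
func SelfSigned(cn string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	server, _ := SelfSigned("www.majorbank.se")
	rec, _ := Publish(server, 3, 1, 1) // the common "3 1 1" form
	fmt.Println("_443._tcp.www.majorbank.se. IN TLSA", rec)
	ok, _ := Matches(rec, server)
	fmt.Println("presented certificate matches:", ok)
	rogue, _ := SelfSigned("www.majorbank.se") // same name, different key
	ok, _ = Matches(rec, rogue)
	fmt.Println("rogue certificate matches:   ", ok)
}
```

A certificate for the same name issued under a different key does not match the published record, whatever CA signed it; that is the property the slide calls removing barriers to mass encryption, and it holds only because the record itself arrives under DNSSEC validation.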
29. | 29
DNSSEC: Internet infrastructure upgrade to help address today’s needs and create tomorrow’s opportunity.
32. | 32
Arghh…What should I do about this?
• Get angry, tell the media they are wrong, and try to correct them?
• Ignore them and do nothing?
• Maybe this is an opportunity. Take advantage of attention to raise awareness.
44. | 44
Trusted Community Representative (TCR)
Crypto Officer (CO)
Each smart card is assigned to different community members, known as Trusted Community Representatives
Photo by Kim Davies
45. | 45
Safe #2 – Credential Safe
Smart Cards
Can only be opened by designated staff, the Credential Safe Controller
Photos: www.dj.cx, Olaf Kolkman
46. | 46
Safe #1 – Hardware Safe
Hardware Security Module (HSM)
Laptop
Can only be opened by designated staff, the Hardware Safe Controller
Photo: www.dj.cx
51. | 51
• Working together there is hope to stem the tide of cybercrime
• One example is DNSSEC. This upgrade to the Internet’s core infrastructure will help address today’s problems and support tomorrow’s security solutions
52. | 52
Thank You
linkedin/company/icann
youtube.com/icannnews
Email: richard.lamb@icann.org
www.icann.org
ICANN provided KSK Rollover
Information and Tools:
https://www.icann.org/kskroll
https://github.com/iana-org/get-trust-anchor
https://go.icann.org/KSKtest
Root Zone DNSSEC Trust Anchor:
https://data.iana.org/root-anchors
Call for TCRs:
https://www.iana.org/help/tcr-application
I had help and material from many.
Key management: Punky Duero
Editor's Notes
Every time you create an account on a service, log on, or buy something, you rely on the honesty of DNS.
Even CAs rely on DNS to issue credentials, so SSL is suspect. A “lazy” CA is as good as a “thorough” CA.
PKI and ID systems also rely on DNS to connect to databases to offer services and transfer authentication info.
VoIP relies on the e164 DNS zone as well.
Even with a FOB, you are relying on non-MITM connectivity to the service.
MAKE THE DISTINCTION HERE THAT
CRIMINALS INTENTIONALLY REGISTER SOME DOMAINS TO FACILITATE A CRIME – WE CALL THESE MISUSE DOMAINS OR MALICIOUS REGISTRATIONS
end-2-end DNSSEC validation would have avoided the problems.
Discovery of DNS vulnerability: Bellovin 1995 then Aug 2008 Dan Kaminsky reveals DNS vulnerability shortcut.
Being able to cryptographically trust Internet infrastructure data, think about what that means…can I now click and download a .exe file?
Actually MANY phone books
So DNSSEC is a good thing.
Plug-in to show DNSSEC lock available at https://www.dnssec-validator.cz/
Side note: DNSSEC may help remove chaff in determining the source of cyber attacks. Attribution is one of the key elements in a successful approach to stemming the tide of cyber attacks.
http://rick.eng.br/dnssecstat/
Major players: 8.8.8.8/Google, iOS6/Apple
Root: 21 TCRs from TT, BF, RU, CN, US, SE, NL, UG, BR, Togo, PT, NP, Mauritius, CZ, CA, JP, UK, NZ.
DNS over HTTP Chrome-ish, proprietary solutions: MSFT active directory, OpenDNS
All 18M COMCAST Internet customers. Also TeliaSonera SE, Vodafone, Telefonica, CZ, T-mobile NL
US ISP Comcast DNSSEC deployment plan for 18M customers and >5000 domain names http://blog.comcast.com/2011/12/dnssec-deployment-update.html
http://www.icann.org/en/news/in-focus/dnssec/deployment
I was beaten into submission by APNIC’s top-notch PC to clarify this.
The future value of end2end dnssec as a foothold for securing applications.
OS or browser needs to validate. Not too hard a nut to crack but will take patience.
Note that “hotel/airport/hotspot” and other DNS interception networks would have saved you from DNSChanger as well since many force DNS requests to their own DNS resolvers regardless.
“people still get their domains social engineered out from under them at the registry/registrar level, but would agree that it is a useful component to a larger solution”
Paypal deploys DNSSEC http://www.thesecuritypractice.com/the_security_practice/2011/12/all-paypal-domains-are-now-using-dnssec.html
Ask 1) how many have dnssec deployed on corporate domains
and 2) if any of their resolvers have validation turned on.
“ISP support for DNSSEC is necessary even in a future in which end points perform all validation. They must be able to, at a minimum, recognize DNSSEC-related traffic and allow it to pass for the smooth functioning of an end-to-end, DNSSEC-secured system.”
Tools like DNS-Trigger, the CZ plug-in, etc help test this.
~6000 .COM 12 Dec 2011
For a virtuous cycle of secure DNSSEC implementations towards full deployment.
…and brings to bear improvements in overall IT security processes and practices that will address growing number of exploits such as hijacking.
Many options:
Build your own DNSSEC signer and submit keys to Registrar.
Or use GoDaddy service.
Could cost as little as $2/year (VRSN). Free (and training provided) if ccTLD with pch.net and some others.
Popular resolvers all support DNSSEC validation.
*and a few others. See all the patent filings relying on DNSSEC !!
Dan
FIPS 140-2 Level 4
GSA Class 5
Biometrics
Multi-person control
Publicly documented
Draw from CA
DCID 6/9, 9-gauge mesh drywall