- About 21,900 characters
- About 89 pages
- Published 2016-11-27 in Henan
Information Document 17-E
ITU-T Study Group 2
May 2002
QUESTION: Q.1/2
SOURCE: TSB
TITLE: INTRODUCTION TO SECURE DNS (by Jim Reid)

The purpose of this document is to provide some basic introductory material on security features of the Domain Name System (DNS).

Introduction to Secure DNS

Introduction
- Explaining the problem
  - Weaknesses in the DNS resolution process
  - Attacks on the name servers
  - Consequences of those attacks
  - Spoofing, mangled DNS answers
- Solutions to the problem
  - Transaction Signatures (TSIG)
  - DNS Security Extensions (DNSSEC)

The Resolution Process
Let’s look at the resolution process step-by-step:
- The workstation annie asks its configured name server, dakota, for ’s address
- The name server dakota asks a root name server, m, for ’s address
- The root server m refers dakota to the com name servers. This type of response is called a “referral”.
- The name server dakota asks a com name server, f, for ’s address
- The com name server f refers dakota to the name servers
- The name server dakota asks an name server, ns1.sanjose, for ’s address
- The name server ns1.sanjose responds with ’s address
- The name server dakota responds to annie with ’s address

What’s Wrong With That?
- Nothing: it all works fine….. BUT there’s no authentication at all!
- A client can’t tell:
  - Where an answer really came from
  - If the server that replied is telling the truth or not
  - If it received exactly what the server sent

Cracking the DNS
- Bombard client with bogus answers
  - Guess what the answer might be
- Intercept an answer packet, modify it
  - Only works well if adjacent to client or server
- Set up a fake server for some zone
  - Trick other servers into querying the fake one
- Evil routing/peering tricks hi-jack traffic
  - Inject bogus routes for the root servers (or the servers for any other “interesting” zone)

What
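The referral chain above and the "no authentication" point can be made concrete with a small simulation. The following Python is an added example, not part of the ITU-T document or Jim Reid's slides. It models the servers named on the slides (m, f, ns1.sanjose) with constructed zone data; because the queried name is missing from the page, www.example.com. and the address 192.0.2.10 are placeholders chosen here. The iterative resolver (dakota's role) follows referrals exactly as the slides describe and accepts whatever the last server returns. The second part shows the TSIG idea the outline points to, in simplified form rather than wire-format TSIG: an HMAC computed with a secret shared between annie and dakota lets the client detect an answer that was modified in transit, which the unprotected exchange cannot.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed zone data modelled on the slides. Server "m" is a root server that
# delegates com. to "f"; "f" delegates the target zone to "ns1.sanjose", which
# holds the address record. Name and address are placeholders (not on the page).
TARGET = "www.example.com."
SERVERS = {
    "m":           {"delegations": {"com.": ["f"]},                   "records": {}},
    "f":           {"delegations": {"example.com.": ["ns1.sanjose"]}, "records": {}},
    "ns1.sanjose": {"delegations": {},                               "records": {TARGET: "192.0.2.10"}},
}


@dataclass
class Response:
    server: str                                   # who replied
    answer: Optional[str] = None                  # address, if the server is authoritative
    referral: List[str] = field(default_factory=list)  # servers to ask next (a "referral")


def query(server: str, name: str) -> Response:
    """One query to `server` for `name`: an answer if it holds the record,
    otherwise a referral to the most specific delegation it knows about."""
    s = SERVERS[server]
    if name in s["records"]:
        return Response(server, answer=s["records"][name])
    for zone in sorted(s["delegations"], key=len, reverse=True):
        if name.endswith(zone):
            return Response(server, referral=s["delegations"][zone])
    return Response(server)  # neither data nor delegation


def resolve(name: str, root: str = "m") -> Tuple[str, List[Response]]:
    """dakota's iterative resolution: start at a root server and follow referrals
    until an authoritative server answers. Returns the address and the trace."""
    trace: List[Response] = []
    server = root
    for _ in range(10):  # bound the chase so a broken delegation loop cannot spin forever
        r = query(server, name)
        trace.append(r)
        if r.answer is not None:
            return r.answer, trace   # accepted as-is: nothing here proves who sent it
        if not r.referral:
            raise LookupError(f"{server} returned neither answer nor referral for {name}")
        server = r.referral[0]
    raise LookupError("referral chain too long")


def sign_answer(name: str, address: str, key: bytes) -> str:
    """TSIG-style protection, simplified: an HMAC over the answer using a secret
    shared by client and server. Real TSIG signs the whole DNS message."""
    return hmac.new(key, f"{name}={address}".encode(), hashlib.sha256).hexdigest()


def verify_answer(name: str, address: str, mac: str, key: bytes) -> bool:
    """The client recomputes the HMAC; a modified address (or a forger without
    the key) fails this check, which the unsigned exchange cannot detect."""
    return hmac.compare_digest(sign_answer(name, address, key), mac)


if __name__ == "__main__":
    address, trace = resolve(TARGET)
    for r in trace:
        print(r.server, "->", r.answer if r.answer else f"referral to {r.referral}")
    key = b"constructed-shared-secret"   # constructed; would be a real TSIG key in practice
    mac = sign_answer(TARGET, address, key)
    print("genuine answer verifies:", verify_answer(TARGET, address, mac, key))
    print("altered answer verifies:", verify_answer(TARGET, "192.0.2.99", mac, key))
```

Running it prints the three-hop trace (m refers to f, f refers to ns1.sanjose, ns1.sanjose answers) followed by True for the genuine answer and False for the altered one. The point the slides make is visible in `resolve`: the address is accepted purely because a server returned it, so only the keyed check added afterwards gives the client grounds to reject a mangled reply.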