Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

lecture 4

VIEWS: 12 PAGES: 4

									 Domain Name Service Security                                                       The Problem
           CS 239                                          • The Domain Name Service (DNS)
  Advanced Topics in Network                                 translates human-readable names to IP
                                                             addresses
           Security
                                                              – E.g., thesiger.cs.ucla.edu translates to
         Peter Reiher                                           131.179.192.144
        April 14, 2004                                        – DNS also provides other similar services
                                                           • It wasn’t designed with security in mind
                                              Lecture 4                                                               Lecture 4
 CS 239, Spring 2004                          Page 1          CS 239, Spring 2004                                     Page 2




                       DNS Threats                           What Could Really Go Wrong?
• Threats to name lookup secrecy                           • DNS lookups could be faked
  – Definition of DNS system says this data                   – Meaning packets go to the wrong place
    isn’t secret
                                                           • The DNS service could be subject to a DoS
• Threats to DNS information integrity                       attack
  – Very important, since everything trusts
    that this translation is correct                          – Or could be used to amplify one
• Threats to DNS availability                              • Attackers could “bug” a DNS server to
  – Potential to disrupt Internet service                    learn what users are looking up
                                              Lecture 4                                                               Lecture 4
 CS 239, Spring 2004                          Page 3          CS 239, Spring 2004                                     Page 4




 Where Does the Threat Occur?                                             The DNS Lookup Process

• Unlike routing, threat can occur in                     lookup thesiger.cs.ucla.edu      answer   131.179.191.144

  several places
   – At DNS servers
   – But also at DNS clients
                                                          ping thesiger.cs.ucla.edu
      • Which is almost everyone                                                               If the answer is
• Core problem is that DNS responses                        Should result in a ping                wrong, in
                                                             packet being sent to            standard DNS the
  aren’t authenticated                                        131.179.191.144                 client is screwed
                                              Lecture 4                                                               Lecture 4
 CS 239, Spring 2004                          Page 5          CS 239, Spring 2004                                     Page 6




                                                                                                                                  1
    How Did the DNS Server Perform
                                                                                       Where Did That Table Come From?
             the Lookup?
 • Leaving aside details, it has a table of                                           • Ultimately, the table entries are created by
   translations between names and                                                       those owning the domains
   addresses                                                                             – On a good day . . .
                                                                                      • And stored at servers that are authoratative
 • It looked up thesiger.cs.ucla.edu in the                                             for that domain
   table                                                                              • In this case, the UCLA Computer Science
 • And replied with whatever the address                                                Department DNS server ultimately stored it
   was                                                                                • Other servers use a hierarchical lookup
                                                                                        method to find the translation when needed
                                                                         Lecture 4                                                                               Lecture 4
    CS 239, Spring 2004                                                  Page 7          CS 239, Spring 2004                                                     Page 8




    Doing Hierarchical Translation                                                           Where Can This Go Wrong?
                                     Where’s edu?
lookup thesiger.cs.ucla.edu                                                           • Someone can spoof the answer from a
                                                         DNS root server
                                                                                        DNS server
                                   Where’s ucla.edu?
                                                                                        – Relatively easy, since UDP is used
                                                         edu root server              • One of the DNS servers can lie
    Where’s
thesiger.cs.ucla.                                                                     • Someone can corrupt the database of
      edu?                      Where’s cs.ucla.edu?
                                                       ucla.edu root server             one of the DNS servers
        cs.ucla.edu root server                                          Lecture 4                                                                               Lecture 4
    CS 239, Spring 2004                                                  Page 9          CS 239, Spring 2004                                                     Page 10




                  The Spoofing Problem                                                                         DNS Servers Lying
                                                                                                                         answer   97.22.101.53
lookup thesiger.cs.ucla.edu                   answer   131.179.191.144               lookup thesiger.cs.ucla.edu
                                                                                                                                          ...              . . .


                                                           Unfortunately,                                                                 ...

                                                                                                                                          ...
                                                                                                                                                           . . .

                                                                                                                                                           . . .

                                                           most DNS stub                                                                  ...              . . .


                                                           resolvers will                                                                 ...

                                                                                                                                          ...
                                                                                                                                                           . . .

                                                                                                                                                            . . .
                                                                                                                                  Thesiger.cs.ucla.edu 131.178.192.144

                                                           take the first                                                                 ...              . . .

                                                           answer                     That wasn’t very nice of him!                       ...              . . .

                                                                                                                                          ...              . . .

                                                                                                                                          ...              . . .
                      answer   97.22.101.53
                                                                                                                                          ...              . . .




                                                                         Lecture 4                                                                               Lecture 4
    CS 239, Spring 2004                                                  Page 11         CS 239, Spring 2004                                                     Page 12




                                                                                                                                                                             2
            DNS Database Corruption                                                                The DNSSEC Solution
                                  answer   97.22.101.53
lookup thesiger.cs.ucla.edu                                                          • Sign the translations
                                                  ...              . . .

                                                  ...

                                                  ...
                                                                   . . .

                                                                   . . .
                                                                                     • Who does the signing?
                                                  ...

                                                  ...
                                                                   . . .

                                                                   . . .
                                                                                       – The server doing the response?
                                                                                       – Or the server that “owns” the
                                                   ...              . . .
                                           Thesiger.cs.ucla.edu 97.22.101.53.

                                                  ...              . . .

                                                  ...

                                                  ...
                                                                   . . .

                                                                   . . .
                                                                                         namespace in question?
                                                  ...

                                                  ...
                                                                   . . .

                                                                   . . .
                                                                                     • DNSSEC uses the latter solution
                                                                         Lecture 4                                               Lecture 4
    CS 239, Spring 2004                                                  Page 13      CS 239, Spring 2004                        Page 14




           Implications of the DNSSEC
                     Solution                                                                      Checking the Signature
 • DNS databases must store signatures                                               • Basically, use certificates to validate
   of resource records                                                                 public keys for namespaces
 • There must be a way of checking the                                               • Who signs the certificates?
   signatures                                                                          – The entity controlling the higher
 • The protocol must allow signatures to                                                 level namespace
   be returned                                                                       • This implies a hierarchical solution
                                                                         Lecture 4                                               Lecture 4
    CS 239, Spring 2004                                                  Page 15      CS 239, Spring 2004                        Page 16




                          An Example                                                                   Implications for Use
 • Who signs the translation for thesiger.cs.ucla.edu to
   131.179.192.144?                                                                  • To be really secure, you must check
 • The UCLA CS DNS server                                                              signatures yourself
 • How does someone know that ’s the right server to sign?
 • Because the UCLA server says so                                                   • Next best is to have a really trusted
    – Securely, with signatures                                                        authority check the signatures
 • Where do you keep that information?
    – In DNS databases                                                                  – And to have secure, authenticated
 • Ultimately, hierarchical signatures leading up to ICANN’s                              communications between trusted
   attestation of who controls the edu namespace
                                                                                          authority and you
                                                                         Lecture 4                                               Lecture 4
    CS 239, Spring 2004                                                  Page 17      CS 239, Spring 2004                        Page 18




                                                                                                                                             3
 Some Questions for Discussion
• Partial deployment and
  interoperability?
• Costs?
• Susceptibility to denial of service?
• Handling negative answers?
• Need also for authenticated
  communications with server?
                                         Lecture 4
 CS 239, Spring 2004                     Page 19




                                                     4

								
To top