Slide 1: From the Ground Up Security
DNS-based Security of the Internet Infrastructure
Benno Overeinder
NLnet Labs
Slide 2: INTRO
Slide 3: About NLnet Labs
Not-for-profit R&D company: open standards, open source software, innovation & expertise for the benefit of an open Internet
Mission & goal: contribute to bridging the gap between research and practical deployments
https://www.nlnetlabs.nl/labs/mission/
Slide 4: About NLnet Labs cont’d
Open source software
  infrastructure: NSD, Unbound
  provisioning: OpenDNSSEC, …
  libraries: getdns API, ldns
Community activities
  standards: IETF (drafts and RFCs)
  research & operational insights: RIPE, DNS OARC, …
  policy and governance: ICANN, …
Slide 5: From the Ground Up Security
How DNS(SEC) provides building blocks for security and privacy
Slide 6: Use-/Showcase Scenarios
End-to-end authenticated and secured/encrypted communication
  Secure customer interaction in a web portal
  Secure email
  Instant messages/chat with OTR
  …
Slide 7: Customer–Web Portal Interaction
(diagram: customer host/browser → full recursive resolver → name servers for com., acme., portal. → IP address back to the host → http/https to the http server of the web portal portal.acme.com; customer auth at the portal)
Slide 8: DNS Spoofing
DNS spoofing by cache poisoning: an attacker floods a DNS resolver with phony information (bogus DNS results); by the law of large numbers these attacks get a match and plant a bogus result into the cache
Man-in-the-middle attacks: redirect to wrong Internet sites, email to a non-authorized email server
Slide 9: PKIX/X.509 Certificate Tree
Certification authorities (CAs) sign child certificates, should verify the child's identity, and can be trust anchors (TAs)
TLS clients trust their trust anchors
All is good? CAs are trustworthy?
credits: wes.hardaker@parsons.com
Slide 10: The “Too Many CAs” Problem
TLS clients have an abundance of TAs: modern web browsers have 1300+ TAs
Any of them can issue a certificate for example.com, and the TLS client accepts both!
credits: wes.hardaker@parsons.com
Slide 11: Customer–Web Portal Interaction Revisited
(diagram: same as slide 7, annotated with the two weak points: "too many CAs" on the https connection to the web portal and "DNS spoofing" at the full recursive resolver, with "CA pinning/HSTS?" as the open question)
Slide 12: DNS Security Extensions & DNS-Based Authentication of Named Entities
Slide 13: DNSSEC and DANE to the Rescue
DNSSEC validates the authenticity of DNS data using digital signatures
DANE allows one to securely specify which TLS/SSL certificate an application or service should use
Slide 14: What is DNSSEC? (the one slide version)
Digital signatures are added to responses by the authoritative servers for a zone
Validating resolver: can use the signature to verify that the response has not been tampered with
Trust anchor: the key used to sign the DNS root
Signature validation: creates a chain of overlapping signatures from the trust anchor to the signature of the response
credits: Geoff Huston
Slide 15: DNSSEC and Validation (in a single picture)
(diagram: a validating resolver holding a local root key (preloaded) validates the A record of www.nlnetlabs.nl.; the picture numbers five steps, each a record plus its signature: A record www.nlnetlabs.nl. + signature; DNSKEY record nlnetlabs.nl. + signature; DS record nlnetlabs.nl. + signature, served from nl.; DNSKEY record nl. + signature; DS record nl. + signature, served from the root and checked against the preloaded root key)
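As an added illustration of the five-step walk in the picture (not code from the slides or from NLnet Labs), the chain of trust reduced to its checks: the resolver trusts only a preloaded root key, each DS in the parent zone must equal the SHA-256 digest of the child's DNSKEY (RFC 4034), and every RRset must verify under the key the chain has just established. Signatures use a toy RSA on tiny constructed primes so it runs offline; the zone names follow the picture, the address is constructed.

```python
import hashlib

# Toy RSA on tiny primes (constructed, NOT secure); real DNSSEC uses full-size keys (RFC 8624).
def toy_keypair(p, q, e=65537):
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))
def h(data):                    # SHA-256, truncated so the integer stays below n
    return int.from_bytes(hashlib.sha256(data).digest()[:3], "big")
def sign(priv, data):           # stands in for the RRSIG over an RRset
    return pow(h(data), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == h(data)
def wire_name(name):            # owner name in DNS wire format (RFC 1035)
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def dnskey_rdata(pub):          # flags 257 (KSK) | protocol 3 | algorithm 8 | key material
    return b"\x01\x01\x03\x08" + pub[0].to_bytes(8, "big") + pub[1].to_bytes(4, "big")
def pub_from_rdata(rdata):      # the resolver only ever sees the key as DNSKEY RDATA
    return int.from_bytes(rdata[4:12], "big"), int.from_bytes(rdata[12:16], "big")
def ds_digest(name, rdata):     # RFC 4034 5.1.4: digest type 2 = SHA-256(owner name | DNSKEY RDATA)
    return hashlib.sha256(wire_name(name) + rdata).digest()
def publish(zone, rrtype, owner, data):   # add an RRset plus its signature (RRSIG) to the zone
    zone["rrsets"][(rrtype, owner)] = (data, sign(zone["priv"], data))
def make_zone(name, p, q):                # every zone signs its own DNSKEY RRset
    pub, priv = toy_keypair(p, q)
    zone = {"name": name, "priv": priv, "rrsets": {}}
    publish(zone, "DNSKEY", name, dnskey_rdata(pub))
    return zone
def dnskey(zone):
    return zone["rrsets"][("DNSKEY", zone["name"])][0]
# Constructed zones for the picture: root -> nl. -> nlnetlabs.nl. -> A record of www.nlnetlabs.nl.
ROOT, NL, LABS = make_zone(".", 65537, 32771), make_zone("nl.", 65521, 32749), make_zone("nlnetlabs.nl.", 65521, 32771)
publish(ROOT, "DS", "nl.", ds_digest("nl.", dnskey(NL)))
publish(NL, "DS", "nlnetlabs.nl.", ds_digest("nlnetlabs.nl.", dnskey(LABS)))
publish(LABS, "A", "www.nlnetlabs.nl.", bytes([192, 0, 2, 10]))   # constructed documentation address
TRUST_ANCHOR = dnskey(ROOT)                                       # the "local root key (preloaded)"

def validate(chain, rrtype, owner, anchor=TRUST_ANCHOR):   # top-down walk; validated RDATA or None
    key = None
    for parent, zone in zip([None] + chain, chain):
        rdata, sig = zone["rrsets"][("DNSKEY", zone["name"])]
        if parent is None:                              # root DNSKEY must equal the preloaded trust anchor
            ok = rdata == anchor
        else:                                           # parent's signed DS must match this DNSKEY
            ds, ds_sig = parent["rrsets"][("DS", zone["name"])]
            ok = verify(key, ds, ds_sig) and ds == ds_digest(zone["name"], rdata)
        key = pub_from_rdata(rdata)
        if not ok or not verify(key, rdata, sig):       # and the DNSKEY RRset is signed by itself
            return None
    data, sig = chain[-1]["rrsets"][(rrtype, owner)]
    return data if verify(key, data, sig) else None
```

A forged answer that reuses an old signature, a zone key that no parent DS vouches for, or a wrong trust anchor all make validate() return None, which is what a validating resolver reports as bogus.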
Slide 16: DANE: DNS-based Authentication of Named Entities
Securely specify which certificate an application or service should use; works perfectly fine with existing CA certificates
DANE defines the TLSA resource record and its usage field:
  0 – CA specification
  1 – specific TLS certificate
  2 – trust anchor assertion
  3 – domain issued certificate
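The four usages above decide two things: which certificate in the presented chain the record pins, and whether ordinary CA validation is still required (usages 0 and 1) or replaced (2 and 3). An added example, not from the slides, that builds TLSA records and applies the matching rules of RFC 6698 to a presented chain; the "certificates" are constructed byte strings standing in for DER, since only the bytes (or their hash) matter for matching.

```python
import hashlib

# Constructed stand-ins for DER objects: (certificate bytes, SubjectPublicKeyInfo bytes).
CA_CERT = (b"constructed-ca-cert", b"constructed-ca-spki")
LEAF_CERT = (b"constructed-leaf-cert", b"constructed-leaf-spki")
OTHER_LEAF = (b"constructed-other-cert", b"constructed-other-spki")

# Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512 (RFC 6698 section 2.1.3)
MATCHERS = {0: lambda d: d,
            1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}

def association_data(cert, selector, mtype):
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo; then apply the matching type."""
    return MATCHERS[mtype](cert[selector])

def tlsa_record(cert, usage, selector, mtype):
    """The TLSA RDATA a zone operator would publish for this certificate."""
    return (usage, selector, mtype, association_data(cert, selector, mtype))

def tlsa_rr(host, port, record, proto="tcp"):
    """Zone-file presentation of the record, e.g. for the web portal on slide 7."""
    usage, selector, mtype, cad = record
    return f"_{port}._{proto}.{host} IN TLSA {usage} {selector} {mtype} {cad.hex()}"

def tlsa_match(record, chain, pkix_valid):
    """chain[0] is the end-entity certificate, the rest the CA chain the server presented.
    pkix_valid is the outcome of normal CA-store validation, which usages 0 and 1 still require;
    usages 2 and 3 deliberately do not (the DNSSEC-signed record is the trust anchor instead).
    Simplification: for usage 2 a real client must also build a path to the matched CA."""
    usage, selector, mtype, cad = record
    if usage in (0, 1) and not pkix_valid:
        return False
    candidates = [chain[0]] if usage in (1, 3) else chain[1:]   # end entity vs. a CA in the chain
    return any(association_data(c, selector, mtype) == cad for c in candidates)
```

With usage 3 the record above pins the portal's own key, so a certificate for the same name issued by any of the 1300+ other trust anchors no longer matches.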
Slide 17: DNSSEC, DANE and X.509
credits: wes.hardaker@parsons.com
Slide 18: DNS-based Secure Customer–Web Portal Interaction
(diagram: same as slide 11; the "DNS spoofing" weak point at the resolver is now covered by DNSSEC and the "too many CAs" weak point on the https connection by DANE)
Slide 19: Securing the First Mile
Closing the gap
Slide 20: The First Mile: From Host to Resolver
Host/application DNS reliance on a validating full resolver
  is the resolver within the trust realm?
  resolver in the local network, at the ISP, or an open validating recursor (Google Public DNS, Verisign, …)
Privacy and authentication of the resolver
  DNS queries are considered privacy-sensitive information
Slide 21: The First Mile: From Host to Resolver
(diagram: same as slide 7 with a validating recursive resolver; the first mile is the path from the customer host/browser to that resolver)
Slide 22: DPRIVE: DNS over TLS
Host stub resolver or application queries the recursive resolver over encrypted TLS
  TLSA records for stub/app to full recursor
Privacy: DNS queries to the resolver are encrypted on the wire
In-band authentication of the recursive resolver: TLS chain extension (draft-ietf-tls-dnssec-chain-extension)
Not solved yet: resolver IP configured on the host or with DHCP
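What the stub side of this looks like, as an added example that is not from the slides or from NLnet Labs' getdns or Unbound: the query is ordinary DNS wire format with the 2-byte length prefix DNS over TLS reuses from TCP (RFC 7858), and the resolver is authenticated by the name in its certificate (its authentication domain name, RFC 8310) through the normal CA store rather than by TLSA records, which this example does not implement. Only dot_query() touches the network; the resolver address and name are parameters.

```python
import socket, ssl, struct

def wire_name(name):                      # RFC 1035 label encoding of a domain name
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: header (RD set, one question) + question section. txid is a fixed
    constructed value for reproducibility; a real stub randomises it per query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + wire_name(name) + struct.pack("!HH", qtype, 1)

def frame(msg):                           # RFC 7858 keeps the TCP framing: 2-byte length prefix
    return struct.pack("!H", len(msg)) + msg

def parse_header(resp):                   # (txid, rcode, ancount) from a DNS response header
    txid, flags, _, ancount = struct.unpack("!HHHH", resp[:8])
    return txid, flags & 0x000F, ancount

def dot_context(ca_bundle=None):
    """Client context that authenticates the resolver by certificate and name, so a spoofed
    resolver on the first mile fails the handshake instead of answering."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # system CA store when None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    return ctx

def recv_exact(tls, n):
    buf = b""
    while len(buf) < n:
        chunk = tls.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf

def dot_query(resolver_ip, auth_name, name, qtype=1, port=853):
    """One query over DNS over TLS; returns (txid, rcode, ancount) of the answer.
    auth_name is the name the resolver's certificate must carry."""
    with socket.create_connection((resolver_ip, port), timeout=5) as sock:
        with dot_context().wrap_socket(sock, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(name, qtype)))
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return parse_header(recv_exact(tls, length))
```

The encryption addresses the privacy point on the slide; the name check addresses authentication, but only once the stub knows which resolver name to expect, which is exactly the configuration gap the slide leaves open.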
Slide 23: Other Showcases of DNSSEC, DANE and DPRIVE
Slide 24: Email and SMTP
Slide 25: XMPP/CHAT
Slide 26: Wrapping Up
Slide 27: Open Source Software for Security from the Ground Up
(diagram: same as slide 21, with the open source software at each position: DNS servers NSD, BIND, Knot, PowerDNS; resolvers Unbound, BIND, Knot Resolver, PowerDNS resolver; stub/app getdns API, ldns; provisioning OpenDNSSEC)
Slide 28: Summary
DNSSEC, DANE and the new DPRIVE bring security to the next level
Deploy DNSSEC! Not trivial, but open source deployment and provisioning tools are available
DANE and DPRIVE come for “free” with DNSSEC
Encrypt everything in the face of privacy and confidentiality concerns (RFC 7624)