Intro to DNS Security with Cory von Wallenstein & Chris Brenton
DESCRIPTION
With DNS hijacks happening more frequently, website security has never been more important for your company. However, it can be a daunting task to figure out where to get started, and to evaluate whether what you are doing is working. That's why our Director of Security Chris Brenton and Chief Technologist Cory von Wallenstein teamed up for a special webinar on that topic. Enjoy the slides and watch the show: http://dyn.com/webinar-what-you-need-to-know-about-dns-security/
TRANSCRIPT
Intro To DNS Security
October 23, 2013
Cory von Wallenstein, Chief Technologist, @cvwdyn
Chris Brenton, Director of Security, @chris_brenton
Pg. 2 Intro To DNS Security @cvwdyn @chris_brenton
Your Presenters
Cory von Wallenstein, Chief Technologist, @cvwdyn
Chris Brenton, Director of Security, @Chris_Brenton
What We Will Cover
• DNS security state of the union: 2013
• Why DNS security is important
• Securing the architecture
• Securing the deployment
• Securing your zone info
• Securing your registration info
Is DNS Still Sexy?
It’s old tech, so we must have it secured by now…right?
DNS is effectively our root of trust:
You “ass-u-me” typing in www.google.com will always bring you to a Google server
If sent to the wrong IP address, would you even notice?
If DNS is compromised, everything else falls apart.
Architecture
Run split DNS:
Two separate sets of name server records:
• One for use by internal clients
• One for use by the rest of the world
Helps protect internal systems from cache poisoning and other various nastiness
Internal Name Servers
• Accessed by internal systems only
• Contains a full list of host records
• Usually identifies your hosts by private IP
• Will act recursively
• Will hand back upward referrals
External Name Servers
• Accessed by the rest of the Internet
• Contains only the records you want the world to see
• Usually identifies your hosts by public (routable) IP
• Will not act recursively
• Will not hand back upward referrals
Recursive Answers
• DNS is a distributed system
• Not all servers know every answer
• “Recursion” identifies what to do when an answer is not in cache
Recursive = Do the lookup work for the client
Non-Recursive = Don't be so friendly
Non-Recursive Possibilities
• Hand back the list of root name servers (referred to as an “upward referral”)
• Hand back the error code “Refused” and let the client figure out what to do next
Why Recursion Can Be Bad
Can be leveraged for cache poisoning attacks:
Redirect your employees to an IP owned by the attacker
Can be leveraged for DDoS attacks:
• Most DNS is UDP based
• Connectionless, so it's easy to spoof the source IP
• Small questions that result in big answers = amplification
• A savvy attacker can get 30X amplification
Why Upward Referrals Are Bad
Non-recursive servers have historically handed back a list of root name servers
Considered the polite thing to do
Every name server should already maintain a current list of root name servers
That “polite” answer still provides a 10X amplification in a DDoS attack
Configuring Bind
Disabling recursion and upward referrals
In /etc/named.conf (both statements belong in the options block):
    options {
        recursion no;
        additional-from-cache no;
    };
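As an added illustration (my own code, not from the deck), the Python below classifies a raw DNS response into the outcomes the slides describe (refused, recursive answer, upward referral) and computes the amplification factor the DDoS slides cite. The query and the three responses are constructed inline with the standard library only; the root server names in the referral are left uncompressed, so its ratio runs a little higher than a real on-the-wire response would.

```python
import struct

def encode_name(name):                               # wire-encode a dotted name, no compression
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def read_name(msg, off):
    """Decode a name at `off`, following compression pointers; return (name, end_offset)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                       # compression pointer (14-bit offset)
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode()); off += n
    return ".".join(labels) + ".", off if end is None else end
def rr(owner, rtype, rdata):                         # one IN record, TTL 3600 (sample builder)
    return owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

def classify(query, response):
    """Return (verdict, amplification) for a response, following the slides' three outcomes."""
    flags, qd, an, ns = struct.unpack("!HHHH", response[2:10])
    amp = round(len(response) / len(query), 1)       # bytes sent back per byte received
    if (flags & 0xF) == 5:
        return "refused", amp
    if an:                                           # RA set on an answered query = open recursion
        return ("recursive" if flags & 0x0080 else "authoritative"), amp
    off = 12
    for _ in range(qd):                              # skip the question section
        off = read_name(response, off)[1] + 4
    for _ in range(ns):                              # authority: NS records owned by "." = root list
        owner, off = read_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10 + rdlen
        if owner == "." and rtype == 2:
            return "upward referral", amp
    return "other", amp

# Constructed sample messages, not real captures: one query and three possible responses.
HDR = "!HHHHHH"                                      # id, flags, qdcount, ancount, nscount, arcount
QUESTION = encode_name("www.example.com") + struct.pack("!HH", 1, 1)       # type A, class IN
QUERY = struct.pack(HDR, 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION             # RD set
REFUSED = struct.pack(HDR, 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION           # QR, RD, RCODE=5
RECURSIVE = (struct.pack(HDR, 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION        # QR, RD, RA
             + rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 10])))                  # A record, owner via pointer
REFERRAL = struct.pack(HDR, 0x1234, 0x8100, 1, 0, 13, 0) + QUESTION + b"".join(
    rr(encode_name("."), 2, encode_name(f"{c}.root-servers.net")) for c in "abcdefghijklm")
```

Running `classify(QUERY, x)` over the three samples shows why the deck prefers "Refused": it is the only answer that is no bigger than the question.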
DNSSEC
• Spec to secure DNS
• Provides authentication but not data privacy
• Trust anchor to create a chain of trust
• Designed to create “trusted” responses
• Protect against cache poisoning
• Can protect additional info via TXT records
DNSSEC Pitfalls
• Large responses make DDoS issues even worse
• Can be problematic with split zone deployment
• Can be a problem when handing back bogus answers is “a feature”
• Still no data privacy
• Crawling zones mitigated but not resolved
Should I Use DNSSEC?
• Case-by-case judgment call
• Useful when IP filtering is problematic for protecting zone transfers
• May be mandated in some situations
• Will probably be a requirement someday...maybe
Dyn Makes DNSSEC Easier To Enable
Protecting Your Registration
The easiest way to compromise all of your servers is to compromise your zone
Popular attack pattern
Rapid7 owned by attackers with a…
Bit.ly/DynSec1
Domain Status Codes
Many registrars support codes to protect your domain
Permits you to limit zone management
Predefine authentication process for changes:
Requires call back to a specified phone number
Only certain individuals can make changes
Status Code Examples
• Transfer prohibited
• Delete prohibited
• Update prohibited
• Renew prohibited
Bit.ly/DynSec2
Protected Zone
foo$ whois dyn.com
[whois.dyndns.com]
Registrant: Hostmaster, Dyn-Inc [email protected]
…
Domain status: clientDeleteProhibited clientTransferProhibited clientUpdateProhibited
Questions to Ask Your Registrar
• What are my authentication options?
• How will authorized changes be verified?
• Can I lock changes to a call back number?
• Backup plan when primary auth goes FUBAR?
• Can auth be circumvented via API or portal?
Questions?
Cory von Wallenstein, Chief Technologist, @cvwdyn
Chris Brenton, Director of Security, @Chris_Brenton
Next Webinar: Wed., Nov. 20th
DNS Security: PCI in The Public Cloud
Cory von Wallenstein, Chief Technologist, @cvwdyn
Chris Brenton, Director of Security, @Chris_Brenton