Why Implement DNSSEC? Champika Wijayatunga from ICANN discusses the importance of implementing DNSSEC. DNSSEC introduces digital signatures to cryptographically secure DNS data and protect against threats like cache poisoning, spoofing, and man-in-the-middle attacks. While DNSSEC does not protect server threats or ensure data correctness, it does establish the authenticity and integrity of DNS data retrieved. Fully implementing DNSSEC allows businesses and users to be confident they are receiving unmodified DNS information. However, more needs to be done to increase awareness and provide turnkey solutions in order for widespread DNSSEC adoption.

1. Why Implement DNSSEC?
Champika Wijayatunga | ION – Hangzhou | 14 July 2016

2. | 2
Speaker Intro
• Champika Wijayatunga (ICANN)
– Regional SSR Engagement Manager – APAC
champika.wijayatunga@icann.org

3. DNS Recap
3

4. | 4
DNS in a Nutshell
• DNS is a distributed database
• Types of DNS servers
– DNS Authoritative
• Primary
• Secondaries
– DNS Resolver
• Recursive
• Cache
• Stub resolver
4

5. | 5
Client Resolver
(ISP)
www.example.net. ? www.example.net. ?
a.server.net.
1.2.3.4
DNS Resolution
5
10.1.2.3
.net
nameserver
a.server.net.
1.2.3.4"
Root
Server
l.root-servers.net."
199.7.83.42
2001:500:3::42"
example.net
nameserver
ns.example.net.
5.6.7.8"

6. Threats and Risks in DNS

7. | 7
Basic Cache Poisoning
Attacker
– Launches a spam campaign
where spam message
contains
http://loseweightfastnow.com
– Attacker’s name server will
respond to a DNS query for
loseweightnow.com with
malicious data about
ebay.com
– Vulnerable resolvers add
malicious data to local caches
– The malicious data will send
victims to an eBay phishing
site for the lifetime of the
cached entry
7
What is the IPv4 address
for
loseweightfastnow.com
My Mac
My local resolver
ecrime name
server
loseweightfastnow.com IPv4
address is 192.168.1.1
ALSO www.ebay.com is at
192.168.1.2
I’ll cache this
response… and
update
www.ebay.com

8. | 8
Query Interception (DNS Hijacking)
6/15/16 8
• A man in the middle (MITM) or spoofing attack forwards
DNS queries to a name server that returns forge
responses
– Can be done using a DNS proxy, compromised access router or
recursor, ARP poisoning, or evil twin Wifi access point
Bank
Web
SiteIntended path for online banking transactions
Redirected
path
Redirected
path
Fake
Bank
Web
Site
Evil
Twin
AP
Attacker’s
resolverEvil twin AP or
compromised router
redirects DNS queries
to attacker’s name
server
Attacker’s name
server returns fake
bank web site
address

9. Why DNSSEC?
9

10. | 10
DNS: Data Flow
10
Primary Caching
Servers
Resolvers
Zone administrator
Zone file
Dynamic
updates
1
2
Secondaries
3
4
5

11. | 11
DNS Vulnerabilities
11
Primary Caching
Servers
Resolver
Zone administrator
Zone file
Dynamic
updates
1
2
Secondaries
3
Server protection
4
5
Corrupting data Impersonating master
Unauthorized updates
Cache
impersonation
Cache pollution by
Data spoofing
Data protection
Altered zone data

12. | 12
Securing DNS
• There are two aspects when considering DNS Security
– Server protection
– Data protection
• Server protection
– Protecting servers
• Make sure your DNS servers are protected (i.e. physical security, latest DNS
server software, proper security policies, Server redundancies etc.)
– Protecting server transactions
• Deployment of TSIG, ACLs etc. (To secure transactions against server
impersonations, secure zone transfers, unauthorized updates etc.)
• Data protection
– Authenticity and Integrity of Data
• Deployment of DNSSEC (Protect DNS data against cache poisoning, cache
impersonations, spoofing etc.)

13. | 13
Where DNSSEC fits in
• CPU and bandwidth advances make legacy
DNS vulnerable to MITM attacks
• DNS Security Extensions (DNSSEC) introduces
digital signatures into DNS to cryptographically
protect contents
• With DNSSEC fully deployed a business can be
sure a customer gets un-modified data (and visa
versa)

14. | 14
DNS Security Extensions
• Uses public key cryptography to verify the
authenticity of DNS zone data (records)
– DNSSEC zone data is digitally signed using a private
key for that zone
– A DNS server receiving DNSSEC signed zone data can
verify the origin and integrity of the data by checking
the signature using the public key for that Zone
14

15. | 15
What DNSSEC does and doesn’t do
• Does not do
– Protect against host threats (DDoS, buffer
overruns in code, etc.)
– Keep DNS data private
– Ensure correctness of DNS data
• Does Do: Establish the legitimacy of data
retrieved from the DNS
– Protects end users from being redirected to
malicious sites
– Allows any data stored in the DNS to be validated
as trustworthy

16. | 16
Client Resolver
(ISP)
www.example.net. ? www.example.net. ?
a.server.net.
How DNSSEC Works
16
10.1.2.3
.net
nameserver
Root
Server
example.net
nameserver

17. | 17
How DNSSEC Works
• Data authenticity and integrity by signing the Resource
Records Sets with a private key
• Public DNSKEYs published, used to verify the RRSIGs
• Children sign their zones with their private key
– Authenticity of that key established by parent signing hash (DS) of
the child zone's key
• Repeat for parent…
• Not that difficult on paper
– Operationally, it is a bit more complicated
– DSKEY → KEY –signs→ zone data
17

18. | 18
The Business Case for DNSSEC
• Cyber security is becoming a greater concern to
enterprises, government, and end users. DNSSEC is a
key tool and differentiator.
• DNSSEC is the biggest security upgrade to Internet
infrastructure in over 20 years. It is a platform for new
security applications (for those that see the opportunity).
• DNSSEC infrastructure deployment has been brisk but
requires expertise. Getting ahead of the curve is a
competitive advantage.

19. | 19
DNSSEC ccTLD Map
https://rick.eng.br/dnssecstat/

20. | 20
DNSSEC Deployment
https://rick.eng.br/dnssecstat/

21. | 21
DNSSEC: So what’s the problem?
• Not enough IT departments know about it or are too busy
putting out other security fires.
• When they do look into it they hear old stories of FUD
and lack of turnkey solutions.
• Registrars*/DNS providers see no demand leading to
“chicken-and-egg” problems.
*but required by new ICANN registrar agreement

22. | 22
What you can do
• For Companies:
– Sign your corporate domain names
– Just turn on validation on corporate DNS resolvers
• For Users:
– Ask ISP to turn on validation on their DNS resolvers
• For All:
– Take advantage of DNSSEC education and training

23. DNSSEC: Internet infrastructure
upgrade to help address today’s needs
and create tomorrow’s opportunity.

24. | 24
Email: <champika.wijayatunga@icann.org>
Website: icann.org
gplus.to/icann
weibo.com/ICANNorg
flickr.com/photos/icann
slideshare.net/icannpresentations
twitter.com/icann
twitter.com/icann4biz
facebook.com/icannorg
linkedin.com/company/icann
youtube.com/user/icannnews
Thank you and Questions