SlideShare uma empresa Scribd logo

DNS Security Strategy

Andreas Taudte
Andreas Taudte

Expert Webinar Series Part 2: DNS Security Strategy

Tecnologia
1 de 17
Baixar para ler offline
DNS Security Strategy N3K Expert Webinar Series Andreas Taudte Principal DDI Consultant Last updated April 2023
www.n3k.com 2 Housekeeping • Timing, Schedule, Q&A Session • Online Etiquette (microphones, distracting activities) • Recording and Privacy
www.n3k.com 3 DNS Building Blocks • Platform (hardware, operating system) of the Name Server or Resolver • Software of the Name Server or Resolver • Transactions (query/response, transfers, dynamic updates, notifications) • Database (zone files, journal files) • Configuration (named.conf, include files)
www.n3k.com 4 Disaster and Human Error Defences • Geographic Provisioning of Services against natural & unnatural Disasters (earthquakes, hurricanes, floods, terrorist attacks, acts of war) • Periodic User Trainings & Communication • Roles & Responsibilities clearly enumerated and understood • Change Control Meetings among relevant Stakeholders • IP Address Management System to identify & correct potential Config. Errors • Audit Logging to enable Review
www.n3k.com 5 Hardware and Operating System • Physical Access (unplug, disconnect, console access) • Updates & Patches for known Vulnerabilities (OS & service) • Protect Control Channel from unauthorized Access • Permissions to Servers, Directories & Files containing Service Configuration • Monitoring of Logs (OS & service)
www.n3k.com 6 DNS Monitoring • Monitoring of the Service itself (status, version, patch level, connectivity, probe, transfer, etc.) • Query Logging on caching Layers into SIEM1 System incl. ECS2 (further investigation of single and groups of DNS queries) • Monitoring of critical internal Records and Systems (databases, call servers or internal certificate authority, etc.) • Monitoring of critical public Records and Systems (web servers, mail exchange servers, delegations in parent zone, etc.) 1 Security Information and Event Management 2 EDNS Client Subnet
www.n3k.com 7 Reducing the Attack Surface • Different DNS Roles can be attacked differently (authoritative DNS, caching DNS, internal or public-facing DNS) • Authoritative Servers perform resource-consuming Tasks like dynamic Updates or Zone Transfers • Caching Servers handle Queries from Clients and get other Servers involved for Recursion • Multiple Roles provided by the same Server means bigger Attack Surface • Systems with separated Roles can be installed and managed in isolated Security Areas • Role-specific Updates and Patches address different Behaviours
www.n3k.com 8 • Internal Caching DNS • Configured as Stealth Secondary for faster Resolution • Subscription to Security Feed (known as DNS firewall) • Dedicated caching Layer “close” to Clients in remote Locations • External Caching DNS • Performs Internet Name Resolution • Only accept Queries from internal Caching Servers Internal and public-facing Caching Layer
www.n3k.com 9 • Provisioning multiple Servers in different geographic Locations • Running a Variety of Server Vendor Implementations • Using multiple external Hosting Providers Public DNS Diversity
www.n3k.com Stub Resolver 10 • Host Controls incl. physical, Operating Systems and Resolver Software • DHCP Server Audits • Connection Encryption (DoT, DoH, DoQ, etc.) DNS Role-specific Defences 1 DNS-over-TLS 2 DNS-over-HTTPS 3 DNS-over-QUIC
www.n3k.com Recursive Server 11 • Planned Deployment (size, number & capacity of servers) • Host Controls incl. physical, Operating Systems and Resolver Software • Anycast Addressing • Network Interface and DNS Software ACLs1 • Randomization (source port, transaction ID, query case) • Limit Queries per Client (rate limiting) • DNS Firewall (RPZ), DNSSEC Validation, Query Log Auditing (tunnel & malware detection) • Connection Encryption (DoT, DoH, DoQ, etc.) DNS Role-specific Defences 1 Access Control List
www.n3k.com Authoritative Server 12 • Planned Deployment (size, number & capacity of servers) • External DNS Service Provider (Backup or Diversity) • Host Controls incl. physical, Operating Systems and Resolver Software • Anycast Addressing • Disable Recursion • Restricted Zone Updates and Zone Transfers • Deployment-based Network Interface and DNS Software ACLs (internal, external, public-facing) • Signing of mission-critical Zones (DNSSEC) DNS Role-specific Defences
www.n3k.com Hosting Provider 13 • Encrypted and unique User Access with Multi-Factor Authentication • Integrity of every DNS Record (change history) • DNSSEC Signing with planned and Emergency Key Rollover • Support for other Security Features (ACLs, GeoDNS, Rate Limiting, DMARC1 policy etc.) • Service-Level Agreement (SLA) • Denial of Service (DoS) Mitigation • Parent Domain Security Controls DNS Role-specific Defences 1 Domain-based Message Authentication, Reporting and Conformance
www.n3k.com 14 Securing each Layer of DNS Transit Path Transit Endpoints Key Security Mechanisms Recursive Query Stub Resolver Recursive Server ACLs, DoT, DoH, DoQ, DNSSEC Iterative Query Recursive Server Authoritative Server DNSSEC Dynamic Update IPAM System DHCP Server/Client Authoritative Server ACLs, Transaction Signatures (TSIG) Zone Transfer Primary Server Secondary Server ACLs, TSIG DNS Configuration IPAM System File Editor Transfer to/from Server SSH, SCP, SFTP, TLS
www.n3k.com 15 What’s next?
www.n3k.com 16 Greedy for more? https://www.n3k.com/aktuelles/webinare/schulungen https://www.wiley.com/en-us/DNS+Security+Management-p-9781119331407
N3K Network Systems Ferdinand-Braun-Straße 2/1 | 74074 Heilbronn +49 7131 594 95 0 info@n3k.de Thank you for your Time. 17

Recomendados

DNS Security
DNS SecurityDNS Security
DNS Securityinbroker
 
CNS @ Infoblox Exchange
CNS @ Infoblox ExchangeCNS @ Infoblox Exchange
CNS @ Infoblox ExchangeAndreas Taudte
 
Active directoryfinal
Active directoryfinalActive directoryfinal
Active directoryfinalRafał Kucharski
 
Denial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewDenial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewMarketingArrowECS_CZ
 
DHCP Security Consideration
DHCP Security ConsiderationDHCP Security Consideration
DHCP Security ConsiderationAndreas Taudte
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedNeustar, Inc.
 
Troubleshooting DNS with dig
Troubleshooting DNS with digTroubleshooting DNS with dig
Troubleshooting DNS with digAndreas Taudte
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?Deploy360 Programme (Internet Society)
 

Recomendados

DNS Security
DNS SecurityDNS Security
DNS Securityinbroker
 
CNS @ Infoblox Exchange
CNS @ Infoblox ExchangeCNS @ Infoblox Exchange
CNS @ Infoblox ExchangeAndreas Taudte
 
Active directoryfinal
Active directoryfinalActive directoryfinal
Active directoryfinalRafał Kucharski
 
Denial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewDenial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewMarketingArrowECS_CZ
 
DHCP Security Consideration
DHCP Security ConsiderationDHCP Security Consideration
DHCP Security ConsiderationAndreas Taudte
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedNeustar, Inc.
 
Troubleshooting DNS with dig
Troubleshooting DNS with digTroubleshooting DNS with dig
Troubleshooting DNS with digAndreas Taudte
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?Deploy360 Programme (Internet Society)
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4DNS Entrepreneurship Center
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS SecurityNihal Pasham, CISSP
 
Leveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivityLeveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivitySqrrl
 
Mcitp server administrator
Mcitp server administratorMcitp server administrator
Mcitp server administrator97148881557
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
Irm solutions 09 2014
Irm solutions 09 2014Irm solutions 09 2014
Irm solutions 09 2014Cathy Anderson
 
IPAM Security Considerations
IPAM Security ConsiderationsIPAM Security Considerations
IPAM Security ConsiderationsAndreas Taudte
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECDeploy360 Programme (Internet Society)
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
Denodo Data Virtualization Platform: Security (session 5 from Architect to Ar...
Denodo Data Virtualization Platform: Security (session 5 from Architect to Ar...Denodo Data Virtualization Platform: Security (session 5 from Architect to Ar...
Denodo Data Virtualization Platform: Security (session 5 from Architect to Ar...Denodo
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020n|u - The Open Security Community
 
DNS Exfiltration and Out-of-bound attacks
DNS Exfiltration and Out-of-bound attacksDNS Exfiltration and Out-of-bound attacks
DNS Exfiltration and Out-of-bound attacksNitesh Shilpkar
 
Domain Controller Critical Services
Domain Controller Critical ServicesDomain Controller Critical Services
Domain Controller Critical ServicesJani Sabtriady
 
1 technical-dns-workshop-day1
1 technical-dns-workshop-day11 technical-dns-workshop-day1
1 technical-dns-workshop-day1DNS Entrepreneurship Center
 
CNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationCNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationSam Bowne
 
Cloud DNS Challenges
Cloud DNS ChallengesCloud DNS Challenges
Cloud DNS ChallengesAndreas Taudte
 
Next-Gen DHCP
Next-Gen DHCPNext-Gen DHCP
Next-Gen DHCPAndreas Taudte
 

Mais conteúdo relacionado

Semelhante a DNS Security Strategy

DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Leveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivityLeveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivitySqrrl
 
Mcitp server administrator
Mcitp server administratorMcitp server administrator
Mcitp server administrator97148881557
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
IPAM Security Considerations
IPAM Security ConsiderationsIPAM Security Considerations
IPAM Security ConsiderationsAndreas Taudte
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
Denodo Data Virtualization Platform: Security (session 5 from Architect to Ar...
Denodo Data Virtualization Platform: Security (session 5 from Architect to Ar...Denodo Data Virtualization Platform: Security (session 5 from Architect to Ar...
Denodo Data Virtualization Platform: Security (session 5 from Architect to Ar...Denodo
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
DNS Exfiltration and Out-of-bound attacks
DNS Exfiltration and Out-of-bound attacksDNS Exfiltration and Out-of-bound attacks
DNS Exfiltration and Out-of-bound attacksNitesh Shilpkar
 
Domain Controller Critical Services
Domain Controller Critical ServicesDomain Controller Critical Services
Domain Controller Critical ServicesJani Sabtriady
 
CNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationCNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationSam Bowne
 

Semelhante a DNS Security Strategy (20)

DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
Leveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivityLeveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker Activity
 
Mcitp server administrator
Mcitp server administratorMcitp server administrator
Mcitp server administrator
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
Irm solutions 09 2014
Irm solutions 09 2014Irm solutions 09 2014
Irm solutions 09 2014
 
IPAM Security Considerations
IPAM Security ConsiderationsIPAM Security Considerations
IPAM Security Considerations
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
Denodo Data Virtualization Platform: Security (session 5 from Architect to Ar...
Denodo Data Virtualization Platform: Security (session 5 from Architect to Ar...Denodo Data Virtualization Platform: Security (session 5 from Architect to Ar...
Denodo Data Virtualization Platform: Security (session 5 from Architect to Ar...
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breaches
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020
 
DNS Exfiltration and Out-of-bound attacks
DNS Exfiltration and Out-of-bound attacksDNS Exfiltration and Out-of-bound attacks
DNS Exfiltration and Out-of-bound attacks
 
Domain Controller Critical Services
Domain Controller Critical ServicesDomain Controller Critical Services
Domain Controller Critical Services
 
1 technical-dns-workshop-day1
1 technical-dns-workshop-day11 technical-dns-workshop-day1
1 technical-dns-workshop-day1
 
CNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationCNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident Preparation
 

Mais de Andreas Taudte

AI Possibilities for DDI
AI Possibilities for DDIAI Possibilities for DDI
AI Possibilities for DDIAndreas Taudte
 
DDI in University Environments
DDI in University EnvironmentsDDI in University Environments
DDI in University EnvironmentsAndreas Taudte
 
IT-as-a-Service - BlueCat @ NUBIT 2017
IT-as-a-Service - BlueCat @ NUBIT 2017IT-as-a-Service - BlueCat @ NUBIT 2017
IT-as-a-Service - BlueCat @ NUBIT 2017Andreas Taudte
 
Who is Andreas Taudte?
Who is Andreas Taudte?Who is Andreas Taudte?
Who is Andreas Taudte?Andreas Taudte
 
DNS, DHCP & IPAM with IPv6
DNS, DHCP & IPAM with IPv6DNS, DHCP & IPAM with IPv6
DNS, DHCP & IPAM with IPv6Andreas Taudte
 
The what-you-may-call-it Internet
The what-you-may-call-it InternetThe what-you-may-call-it Internet
The what-you-may-call-it InternetAndreas Taudte
 
Network Control Forum - Vienna 2015
Network Control Forum - Vienna 2015Network Control Forum - Vienna 2015
Network Control Forum - Vienna 2015Andreas Taudte
 
BlueCat's Open Customer Meeting
BlueCat's Open Customer MeetingBlueCat's Open Customer Meeting
BlueCat's Open Customer MeetingAndreas Taudte
 
IPAM in University Environments
IPAM in University EnvironmentsIPAM in University Environments
IPAM in University EnvironmentsAndreas Taudte
 
The Security Capabilities of Everything IP
The Security Capabilities of Everything IPThe Security Capabilities of Everything IP
The Security Capabilities of Everything IPAndreas Taudte
 
The Future of Enterprise Mobility, London 2015
The Future of Enterprise Mobility, London 2015The Future of Enterprise Mobility, London 2015
The Future of Enterprise Mobility, London 2015Andreas Taudte
 
Security Capabilities of IPAM
Security Capabilities of IPAMSecurity Capabilities of IPAM
Security Capabilities of IPAMAndreas Taudte
 

Mais de Andreas Taudte (20)

Cloud DNS Challenges
Cloud DNS ChallengesCloud DNS Challenges
Cloud DNS Challenges
 
Next-Gen DHCP
Next-Gen DHCPNext-Gen DHCP
Next-Gen DHCP
 
AI Possibilities for DDI
AI Possibilities for DDIAI Possibilities for DDI
AI Possibilities for DDI
 
Extended DNS Errors
Extended DNS ErrorsExtended DNS Errors
Extended DNS Errors
 
Core Network Services
Core Network ServicesCore Network Services
Core Network Services
 
DDI in University Environments
DDI in University EnvironmentsDDI in University Environments
DDI in University Environments
 
DDI Project Planning
DDI Project PlanningDDI Project Planning
DDI Project Planning
 
DNS still partying
DNS still partyingDNS still partying
DNS still partying
 
IT-as-a-Service - BlueCat @ NUBIT 2017
IT-as-a-Service - BlueCat @ NUBIT 2017IT-as-a-Service - BlueCat @ NUBIT 2017
IT-as-a-Service - BlueCat @ NUBIT 2017
 
Who is Andreas Taudte?
Who is Andreas Taudte?Who is Andreas Taudte?
Who is Andreas Taudte?
 
DNS, DHCP & IPAM with IPv6
DNS, DHCP & IPAM with IPv6DNS, DHCP & IPAM with IPv6
DNS, DHCP & IPAM with IPv6
 
6 Myths about IPv6
6 Myths about IPv66 Myths about IPv6
6 Myths about IPv6
 
The Power of DNS
The Power of DNSThe Power of DNS
The Power of DNS
 
The what-you-may-call-it Internet
The what-you-may-call-it InternetThe what-you-may-call-it Internet
The what-you-may-call-it Internet
 
Network Control Forum - Vienna 2015
Network Control Forum - Vienna 2015Network Control Forum - Vienna 2015
Network Control Forum - Vienna 2015
 
BlueCat's Open Customer Meeting
BlueCat's Open Customer MeetingBlueCat's Open Customer Meeting
BlueCat's Open Customer Meeting
 
IPAM in University Environments
IPAM in University EnvironmentsIPAM in University Environments
IPAM in University Environments
 
The Security Capabilities of Everything IP
The Security Capabilities of Everything IPThe Security Capabilities of Everything IP
The Security Capabilities of Everything IP
 
The Future of Enterprise Mobility, London 2015
The Future of Enterprise Mobility, London 2015The Future of Enterprise Mobility, London 2015
The Future of Enterprise Mobility, London 2015
 
Security Capabilities of IPAM
Security Capabilities of IPAMSecurity Capabilities of IPAM
Security Capabilities of IPAM
 

Último

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Último (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

DNS Security Strategy

  • 1. DNS Security Strategy N3K Expert Webinar Series Andreas Taudte Principal DDI Consultant Last updated April 2023
  • 2. www.n3k.com 2 Housekeeping • Timing, Schedule, Q&A Session • Online Etiquette (microphones, distracting activities) • Recording and Privacy
  • 3. www.n3k.com 3 DNS Building Blocks • Platform (hardware, operating system) of the Name Server or Resolver • Software of the Name Server or Resolver • Transactions (query/response, transfers, dynamic updates, notifications) • Database (zone files, journal files) • Configuration (named.conf, include files)
  • 4. www.n3k.com 4 Disaster and Human Error Defences • Geographic Provisioning of Services against natural & unnatural Disasters (earthquakes, hurricanes, floods, terrorist attacks, acts of war) • Periodic User Trainings & Communication • Roles & Responsibilities clearly enumerated and understood • Change Control Meetings among relevant Stakeholders • IP Address Management System to identify & correct potential Config. Errors • Audit Logging to enable Review
  • 5. www.n3k.com 5 Hardware and Operating System • Physical Access (unplug, disconnect, console access) • Updates & Patches for known Vulnerabilities (OS & service) • Protect Control Channel from unauthorized Access • Permissions to Servers, Directories & Files containing Service Configuration • Monitoring of Logs (OS & service)
  • 6. www.n3k.com 6 DNS Monitoring • Monitoring of the Service itself (status, version, patch level, connectivity, probe, transfer, etc.) • Query Logging on caching Layers into SIEM1 System incl. ECS2 (further investigation of single and groups of DNS queries) • Monitoring of critical internal Records and Systems (databases, call servers or internal certificate authority, etc.) • Monitoring of critical public Records and Systems (web servers, mail exchange servers, delegations in parent zone, etc.) 1 Security Information and Event Management 2 EDNS Client Subnet
  • 7. www.n3k.com 7 Reducing the Attack Surface • Different DNS Roles can be attacked differently (authoritative DNS, caching DNS, internal or public-facing DNS) • Authoritative Servers perform resource-consuming Tasks like dynamic Updates or Zone Transfers • Caching Servers handle Queries from Clients and get other Servers involved for Recursion • Multiple Roles provided by the same Server means bigger Attack Surface • Systems with separated Roles can be installed and managed in isolated Security Areas • Role-specific Updates and Patches address different Behaviours
  • 8. www.n3k.com 8 • Internal Caching DNS • Configured as Stealth Secondary for faster Resolution • Subscription to Security Feed (known as DNS firewall) • Dedicated caching Layer “close” to Clients in remote Locations • External Caching DNS • Performs Internet Name Resolution • Only accept Queries from internal Caching Servers Internal and public-facing Caching Layer
  • 9. www.n3k.com 9 • Provisioning multiple Servers in different geographic Locations • Running a Variety of Server Vendor Implementations • Using multiple external Hosting Providers Public DNS Diversity
  • 10. www.n3k.com Stub Resolver 10 • Host Controls incl. physical, Operating Systems and Resolver Software • DHCP Server Audits • Connection Encryption (DoT, DoH, DoQ, etc.) DNS Role-specific Defences 1 DNS-over-TLS 2 DNS-over-HTTPS 3 DNS-over-QUIC
  • 11. www.n3k.com Recursive Server 11 • Planned Deployment (size, number & capacity of servers) • Host Controls incl. physical, Operating Systems and Resolver Software • Anycast Addressing • Network Interface and DNS Software ACLs1 • Randomization (source port, transaction ID, query case) • Limit Queries per Client (rate limiting) • DNS Firewall (RPZ), DNSSEC Validation, Query Log Auditing (tunnel & malware detection) • Connection Encryption (DoT, DoH, DoQ, etc.) DNS Role-specific Defences 1 Access Control List
  • 12. www.n3k.com Authoritative Server 12 • Planned Deployment (size, number & capacity of servers) • External DNS Service Provider (Backup or Diversity) • Host Controls incl. physical, Operating Systems and Resolver Software • Anycast Addressing • Disable Recursion • Restricted Zone Updates and Zone Transfers • Deployment-based Network Interface and DNS Software ACLs (internal, external, public-facing) • Signing of mission-critical Zones (DNSSEC) DNS Role-specific Defences
  • 13. www.n3k.com Hosting Provider 13 • Encrypted and unique User Access with Multi-Factor Authentication • Integrity of every DNS Record (change history) • DNSSEC Signing with planned and Emergency Key Rollover • Support for other Security Features (ACLs, GeoDNS, Rate Limiting, DMARC1 policy etc.) • Service-Level Agreement (SLA) • Denial of Service (DoS) Mitigation • Parent Domain Security Controls DNS Role-specific Defences 1 Domain-based Message Authentication, Reporting and Conformance
  • 14. www.n3k.com 14 Securing each Layer of DNS Transit Path Transit Endpoints Key Security Mechanisms Recursive Query Stub Resolver Recursive Server ACLs, DoT, DoH, DoQ, DNSSEC Iterative Query Recursive Server Authoritative Server DNSSEC Dynamic Update IPAM System DHCP Server/Client Authoritative Server ACLs, Transaction Signatures (TSIG) Zone Transfer Primary Server Secondary Server ACLs, TSIG DNS Configuration IPAM System File Editor Transfer to/from Server SSH, SCP, SFTP, TLS
  • 16. www.n3k.com 16 Greedy for more? https://www.n3k.com/aktuelles/webinare/schulungen https://www.wiley.com/en-us/DNS+Security+Management-p-9781119331407
  • 17. N3K Network Systems Ferdinand-Braun-Straße 2/1 | 74074 Heilbronn +49 7131 594 95 0 info@n3k.de Thank you for your Time. 17