Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Secure DNS for DMZ Clients

advertisement 
BI BE BU VA Computer Science
Secure DNS for DMZ Clients
IT Security / Hansjürg Wenger / Daniel Walther, T-Systems Schweiz AG
Expert: Dipl. Ing. ETH Andreas Dürsteler, Swisscom AG
Internet without DNS is like shopping on a low budget - you will not go very far! DNS stands for Domain
Name System and functions like a phone directory: It converts names into numbers, or more precisely
domain names into IP-addresses. But what if you get a manipulated phone book? You would probably
discover very soon that you are not talking with the right person. On the internet, however, you would not
realise that you are on a wrong site! There are several dangerous scenarios that could happen if you get
wrong DNS data. And that’s the reason why DNSSEC is becoming more and more necessary.
Marc Bettler
David Schärer
Problem statement
In mid-2008 Dan Kaminsky published a proof of concept demonstrating that cache poisoning is
possible 1. This came as a terrible
shock to the IT world. T-Systems
Schweiz AG realized that this serious problem could be solved by
using secure DNS Servers and
wants to provide secure DNS
services to their customers. They
offer safe environments (Demilitarized Zones or DMZ) to allow
companies to have their internet
services outsourced. Therefore a
need for secure DNS arose. Our
challange was to ensure that the
integrity and the authentication
of DNS data were guaranteed.
Furthermore, the communication
between DNS servers has to be
protected against eavesdropping.
Method
For our research we create a virtual environment similar to the
T-Systems’ situation, inside of
which the two Sun Solaris 10
servers run DNS Security Extensions (DNSSEC) and allow us to
examine how DNSSEC works.
This knowledge is then used for
creating a concept containing
recommendations on how to deploy DNSSEC as easily as possible. Apart from this, we test how
to achieve secure communication
between master and slave DNS
servers.
Resolve a DNS query with DNSSEC
1
94
www.ti.bfh.ch
http://www.doxpara.com/?p=1162
Perspecitves
Although experts are saying that
there is no reason to not deploy
DNSSEC, certain critics disagree.
Some of them do not rely on foreign «islands of trust», others worry that DNSSEC will drastically reduce the performance and speed
of servers. The fact is that the root
zone has to be signed as early as
possible, afterwhich DNSSEC will
finally become more popular. Network administrators will reconfigure their servers, and this will
lead to the annihilation of cache
poisoning!
Related documents
Domain Name System | DNSSEC
Domain Name System | DNSSEC
HOMEWORK 1 • DNS stands for do not submit (1) DNS Make up a
HOMEWORK 1 • DNS stands for do not submit (1) DNS Make up a
Matching game to review for Exam II
Matching game to review for Exam II
Intrusion Detection and Prevention System for DNS DNSSEC
Intrusion Detection and Prevention System for DNS DNSSEC
Super G on Raven PTarmigan January15th, 2009 RACE JURY
Super G on Raven PTarmigan January15th, 2009 RACE JURY
IoT and Internet Identifier Security
IoT and Internet Identifier Security
Lab 11 - Personal Web Pages
Lab 11 - Personal Web Pages
Al-Dubaisi.Yaser.Test2Part1
Al-Dubaisi.Yaser.Test2Part1
Final Exam Part 1
Final Exam Part 1
HOMEWORK 2 • DNS stands for do not submit 1. Problems In the
HOMEWORK 2 • DNS stands for do not submit 1. Problems In the
Name Services
Name Services
Network Software - t4 - Technology Subjects Support Service
Network Software - t4 - Technology Subjects Support Service
Slides
Slides
Application-Level Assurances Using DNSSEC
Application-Level Assurances Using DNSSEC
DNSSec and Fast Flux Hosting Attacks – a Primer
DNSSec and Fast Flux Hosting Attacks – a Primer
What_DNS_is_Not
What_DNS_is_Not
Windows 7 Name Resolution
Windows 7 Name Resolution
Comments of the Internet Governance Project on
Comments of the Internet Governance Project on
Global Service Loadbalancing & DNSSEC. Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC
Global Service Loadbalancing & DNSSEC. Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC
Availability Problems in the DNSSEC Deployment Eric Osterweil Dan Massey
Availability Problems in the DNSSEC Deployment Eric Osterweil Dan Massey
An Analysis of Domain Name System Security
An Analysis of Domain Name System Security
SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan
SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan
Download
advertisement