BI BE BU VA Computer Science Secure DNS for DMZ Clients IT Security / Hansjürg Wenger / Daniel Walther, T-Systems Schweiz AG Expert: Dipl. Ing. ETH Andreas Dürsteler, Swisscom AG Internet without DNS is like shopping on a low budget - you will not go very far! DNS stands for Domain Name System and functions like a phone directory: It converts names into numbers, or more precisely domain names into IP-addresses. But what if you get a manipulated phone book? You would probably discover very soon that you are not talking with the right person. On the internet, however, you would not realise that you are on a wrong site! There are several dangerous scenarios that could happen if you get wrong DNS data. And that’s the reason why DNSSEC is becoming more and more necessary. Marc Bettler David Schärer Problem statement In mid-2008 Dan Kaminsky published a proof of concept demonstrating that cache poisoning is possible 1. This came as a terrible shock to the IT world. T-Systems Schweiz AG realized that this serious problem could be solved by using secure DNS Servers and wants to provide secure DNS services to their customers. They offer safe environments (Demilitarized Zones or DMZ) to allow companies to have their internet services outsourced. Therefore a need for secure DNS arose. Our challange was to ensure that the integrity and the authentication of DNS data were guaranteed. Furthermore, the communication between DNS servers has to be protected against eavesdropping. Method For our research we create a virtual environment similar to the T-Systems’ situation, inside of which the two Sun Solaris 10 servers run DNS Security Extensions (DNSSEC) and allow us to examine how DNSSEC works. This knowledge is then used for creating a concept containing recommendations on how to deploy DNSSEC as easily as possible. Apart from this, we test how to achieve secure communication between master and slave DNS servers. Resolve a DNS query with DNSSEC 1 94 www.ti.bfh.ch http://www.doxpara.com/?p=1162 Perspecitves Although experts are saying that there is no reason to not deploy DNSSEC, certain critics disagree. Some of them do not rely on foreign «islands of trust», others worry that DNSSEC will drastically reduce the performance and speed of servers. The fact is that the root zone has to be signed as early as possible, afterwhich DNSSEC will finally become more popular. Network administrators will reconfigure their servers, and this will lead to the annihilation of cache poisoning!