DNSSEC and Bind

Basics of DNS and DNSSEC. Setting up Bind locally.

Chinmay Pendharkar

May 21, 2014

Transcript

  1. DNSSEC + Bind
    Chinmay Pendharkar

  2. Disclaimer
    - Crypto Noob!
    - Developer
    ==> Please correct me if I’m wrong!

  3. What shall we talk about?
    - DNS
    - DNSSEC

  4. What is DNS?
    - Domain Name System
    - Translates domain names (as in URLs) to IP addresses (and more)
    www.google.com => 74.125.135.147

  5. Why?
    Humans like letter addresses (URLs)
    - www.google.com
    Computers prefer numbers
    - 74.125.135.147

  6. How does it work?

  7. No really...
    - UDP - User Datagram Protocol (mostly)
    - Me - Q: “What’s the IP for www.google.com”
    - DNS - A: “74.125.135.147”

  8. In Action

  9. Actual Response

  10. Who is this DNS you speak of?

  11. Nameservers!

  12. Iterative query + Caching

  13. Everything is AWESOME!
    NOT SO FAST!!!

  14. DNS has issues.
    - No guarantee that you’re talking to an authentic name server
    - Me - Q: “What’s the IP for www.google.com”
    - Evil ISP Server - A: 1.0.0.1

  15. How?
    Send a request generally in the direction of the assigned DNS name server.
    Anyone in between can respond to that query!!

  16. DNS has more issues
    DNS Responses can be tampered with in flight.
    - Me - Q: “What’s the IP for www.google.com”
    - DNS Nameserver - A: “74.125.135.147”
    - Evil ISP Server - A: “74.125.135.148”

  17. DNSSEC to the Rescue
    Domain Name System Security Extensions
    “provide origin authentication,
    authenticated denial of existence,
    and data integrity”

  18. But how??
    “digitally signing records for DNS lookup using public-key cryptography”
    “authenticated via a chain of trust”
    “you trust the root, then use the root to verify the rest of the chain”

  19. [image-only slide, no text]

  20. Example
    Requesting IP of
    bursar.university.edu

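The chain of trust from slides 18 and 20, walked for the university.edu lookup, as an added example (not code from the talk). It models the DS/DNSKEY linkage that the slides describe the registrar and zone operator publishing: the resolver starts from a configured root trust anchor, and at each step the parent's DS record must hash to the child's DNSKEY. The RRSIG signature check over the final A record is left out because the standard library has no RSA/ECDSA, so the key material for ".", "edu." and "university.edu." is constructed dummy bytes, not real keys. The key-tag and DS-digest routines follow RFC 4034, and the path walk is general: it works for any name, not only the one on the slide.

```python
import hashlib
import struct

# Constructed dummy key material for the zones on the path to
# bursar.university.edu (nothing here is a real DNSKEY).
ZONE_KEYS = {
    ".": b"root-ksk-constructed",
    "edu.": b"edu-ksk-constructed",
    "university.edu.": b"university-ksk-constructed",
}


def name_to_wire(name):
    """Owner name in canonical wire form: lower-cased, length-prefixed
    labels terminated by the root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag (RFC 4034 appendix B): 16-bit word sum over the RDATA, folded."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner-name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, rdata):
    """DS RDATA as (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata))


def ds_matches(owner, rdata, ds):
    """Does this DNSKEY hash to the DS the parent published for it?"""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3]
            and dtype == 2 and digest == ds_digest(owner, rdata))


def parent_of(owner):
    labels = owner.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def build_chain(zone_keys):
    """Each zone publishes its KSK (flags 257, algorithm 8) and a DS for
    every child it delegates, as slide 21 describes the zone operator doing."""
    zones = {o: {"dnskey": dnskey_rdata(257, 3, 8, k), "ds": {}}
             for o, k in zone_keys.items()}
    for owner in zones:
        if owner != ".":
            zones[parent_of(owner)]["ds"][owner] = make_ds(owner, zones[owner]["dnskey"])
    return zones


def path_to(target):
    """Zones on the delegation path from the root down to the target zone."""
    labels = target.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate(zones, trust_anchor_ds, target):
    """Walk root -> ... -> target. Each zone's DNSKEY must match the DS its
    parent vouches for (the configured trust anchor, for the root). Returns
    the validated zones; raises ValueError at the first broken link, which
    is the condition under which a validating resolver answers SERVFAIL."""
    path = path_to(target)
    expected, validated = trust_anchor_ds, []
    for i, owner in enumerate(path):
        zone = zones.get(owner)
        if zone is None:
            raise ValueError(f"{owner}: no DNSKEY published")
        if not ds_matches(owner, zone["dnskey"], expected):
            raise ValueError(f"{owner}: DNSKEY does not match parent's DS (bogus)")
        validated.append(owner)
        if i + 1 < len(path):
            child = path[i + 1]
            if child not in zone["ds"]:
                raise ValueError(f"{child}: no DS in {owner} (insecure delegation)")
            expected = zone["ds"][child]
    return validated


def demo():
    zones = build_chain(ZONE_KEYS)
    # The resolver is configured with the DS of the root KSK (slide 30's "root key").
    anchor = make_ds(".", zones["."]["dnskey"])
    good = validate(zones, anchor, "university.edu.")
    # The slide-14 attacker: a substituted DNSKEY for university.edu, whose
    # A records (bursar.university.edu) would then be signed by an untrusted key.
    zones["university.edu."]["dnskey"] = dnskey_rdata(257, 3, 8, b"attacker-key")
    try:
        validate(zones, anchor, "university.edu.")
        bad = None
    except ValueError as e:
        bad = str(e)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The walk stops at the zone that owns bursar.university.edu; in a real resolver the last step is verifying that zone's RRSIG over the A record with the DNSKEY just validated. The substituted-key case is why the validation result is all-or-nothing: a key that is not vouched for by the parent's DS fails the whole answer rather than silently being accepted.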
  21. Setup for Domain owners.
    - generate own public/private key pair.
    - upload public key to registrar,
    - registrar pushes the keys via secDNS to the zone operator (e.g.: Verisign for .com)
    - zone operator signs and publishes them in DNS.

  22. What if my registrar/root doesn’t DNSSEC?
    - DNSSEC Lookaside Validation
    - Internet Systems Consortium DLV Registry.
    - an additional entry point (besides the root zone) to obtain DNSSEC validation information

  23. How can I use this stuff?
    We need:
    1. A Name server that speaks DNSSEC
    2. All clients speak DNSSEC

  24. #2

  25. What can we do?
    Run our own Name server!

  26. But but but...
    HTTP Stack -> Local Name server (plain DNS)
    Local Name server -> Upstream DNS (DNSSEC)

  27. Introducing...
    BIND
    - Berkeley Internet Name Domain
    - Default Name server software used by many

  28. Get bound?
    http://www.bind9.net/
    Your favourite package manager should have it
    apt-get install bind9
    pacman -S bind
    port install bind9

  29. Configure bind
    - Linux : http://haller.ws/projects/bind/dnssec/
    - OSX: https://gist.github.com/notthetup/5381693
    - Win: http://alex.charrett.com/bind-on-windows

  30. What are we doing?
    - Generate and verify DNSSEC root key
    - Generate and verify DLV key
    - Add the keys into bind configuration
    - Enable DNSSEC in bind configuration
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside "." trust-anchor dlv.isc.org.;

  31. Setup Bind
    Make sure it only listens to YOU!
    listen-on { 127.0.0.1; };
    Run Bind as a Daemon.
    sudo launchctl load -w /System/Library/LaunchDaemons/org.isc.named.plist

  32. Use Bind
    Use Bind as your default DNS Server instead.

  33. Now you can haz DNSSEC

  34. Has it worked out?
    - No noticeable delay in queries.
    - No noticeable increase in CPU usage.
    - Rare domains don’t work (yimg/yahoo WTH??)

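A way to check slides 33 and 34 for yourself, as an added example (not code from the talk): the signal that the local BIND is validating is the AD (Authenticated Data) flag in the response header, and the "rare domains don't work" symptom is a validating resolver answering SERVFAIL for a zone whose chain of trust is broken. The block builds a raw query with the DO bit set (the same thing `dig +dnssec` does) and classifies the response header; the three sample headers are constructed 12-byte values, not captured traffic, and the resolver address 127.0.0.1:53 is assumed from slide 31.

```python
import socket
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: RD set, one question, plus an OPT record
    (RFC 6891) with the DO bit so the resolver returns DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, type 41, UDP payload 4096, ext-rcode 0, version 0,
    # flags with DO=0x8000, rdlength 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(data):
    """Decode the 12-byte DNS header; only the DNSSEC-relevant bits are named."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "ad": bool(flags & 0x0020),   # authenticated data (validated)
        "cd": bool(flags & 0x0010),   # checking disabled
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def classify(header):
    """Interpret a resolver's answer from a DNSSEC point of view."""
    if header["rcode"] == 2:
        return "SERVFAIL: validation failed or upstream unreachable (bogus/broken zone)"
    if header["rcode"] != 0:
        return f"rcode {header['rcode']}"
    if header["ad"]:
        return "secure: resolver validated the chain of trust"
    return "insecure: answered but not validated (unsigned zone or validation off)"


def query(name, server="127.0.0.1", port=53, timeout=2.0):
    """Ask the local BIND (assumed at 127.0.0.1:53) and classify the answer.
    Network call; not exercised by the self-test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != 0x1234:
        raise ValueError("response id does not match query")
    return classify(hdr)


# Constructed response headers (id 0x1234, qdcount 1, arcount 1 for the OPT):
SAMPLE = {
    "secure":   bytes.fromhex("123481a00001000100000001"),  # QR RD RA AD, rcode 0
    "insecure": bytes.fromhex("123481800001000100000001"),  # QR RD RA, rcode 0
    "bogus":    bytes.fromhex("123481820001000000000001"),  # QR RD RA, SERVFAIL
}


if __name__ == "__main__":
    for label, raw in SAMPLE.items():
        print(f"{label:9s} -> {classify(parse_header(raw))}")
    # Against a running local BIND: print(query("www.google.com"))
```

The AD flag only means something if you trust the path to the resolver, which is why slide 31's `listen-on { 127.0.0.1; };` matters: a validating resolver on localhost is the one place an unsigned "ad" bit cannot be forged by the evil ISP server from slides 14 and 16.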
  35. Go get your DNSSEC today!
