DNSSEC and Bind

Basics of DNS and DNSSEC. Setting up Bind locally.

Chinmay Pendharkar

May 21, 2014

Transcript

  1. DNSSEC + Bind Chinmay Pendharkar

  2. Disclaimer - Crypto Noob! - Developer ==> Please correct me if I’m wrong!

  3. What shall we talk about? - DNS - DNSSEC

  4. What is DNS? - Domain Name System - Translate URLs to IP Addresses (and more) www.google.com => 74.125.135.147

  5. Why? Humans like letter addresses (URLs) - www.google.com. Computers prefer numbers - 74.125.135.147

  6. How does it work?

  7. No really... - UDP - User Datagram Protocol (mostly) - Me - Q: “What’s the IP for www.google.com” - DNS - A: “74.125.135.147”

  8. In Action

  9. Actual Response

  10. Who is this DNS you speak of?

  11. Nameservers!

  12. Iterative query + Caching

  13. Everything is AWESOME! NOT SO FAST!!!

  14. DNS has issues. - No guarantee that you’re talking to an authentic name server - Me - Q: “What’s the IP for www.google.com” - Evil ISP Server - A: 1.0.0.1

  15. How? Send a request generally in the direction of the assigned DNS name server. Anyone in between can respond to that query!!

  16. DNS has more issues - DNS Responses can be tampered with in flight. - Me - Q: “What’s the IP for www.google.com” - DNS Nameserver - A: “74.125.135.147” - Evil ISP Server - A: “74.125.135.148”

  17. DNSSEC to the Rescue - Domain Name System Security Extensions “provide origin authentication, authenticated denial of existence, and data integrity”

  18. But how?? “digitally signing records for DNS lookup using public-key cryptography” “authenticated via a chain of trust” “you trust the root, then use the root to verify the rest of the chain”

  19. None
  20. Example Requesting IP of bursar.university.edu

  21. Setup for Domain owners. - generate own public/private key pair. - upload public key to registrar - registrar pushes the keys via secDNS to the zone operator (e.g. Verisign for .com) - zone operator signs and publishes them in DNS.

  22. What if my registrar/root doesn’t DNSSEC? - DNSSEC Lookaside Validation - Internet Systems Consortium DLV Registry - an additional entry point (besides the root zone) to obtain DNSSEC validation information

  23. How can I use this stuff? We need: 1. A Name server that speaks DNSSEC 2. All clients speak DNSSEC

  24. #2

  25. What can we do? Run our own Name server!

  26. But but but... HTTP Stack -> Local Name server (DNS); Local Name server -> DNS (DNSSEC)

  27. Introducing... BIND - Berkeley Internet Name Domain - Default Name server software used by many

  28. Get bound? http://www.bind9.net/ Your favourite package manager should have it: apt-get install bind9; pacman -S bind; port install bind9

  29. Configure bind - Linux: http://haller.ws/projects/bind/dnssec/ - OSX: https://gist.github.com/notthetup/5381693 - Win: http://alex.charrett.com/bind-on-windows

  30. What are we doing? - Generate and verify DNSSEC root key - Generate and verify DLV key - Add the keys into bind configuration - Enable DNSSEC in bind configuration: dnssec-enable yes; dnssec-validation yes; dnssec-lookaside "." trust-anchor dlv.isc.org.;

  31. Setup Bind - Make sure it only listens to YOU! listen-on { 127.0.0.1; }; - Run Bind as a Daemon: sudo launchctl load -w /System/Library/LaunchDaemons/org.isc.named.plist

  32. Use Bind Use Bind as your default DNS Server instead.

  33. Now you can haz DNSSEC
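
Once BIND is your resolver, the quick way to confirm that validation is really happening is the AD (Authenticated Data) bit in the response header. This added shell script is not part of the slides: it parses the header and flags lines of dig output, reports whether AD is set, and runs a live check against 127.0.0.1 (assumed to be the local BIND, with dig installed) for a name you pass on the command line; the embedded dig headers are constructed for offline demonstration.

```shell
#!/bin/sh
# Is my resolver really validating? A validating resolver sets the AD
# (Authenticated Data) bit on answers whose DNSSEC chain of trust verified.
# Assumptions (not from the slides): the local BIND listens on 127.0.0.1,
# and the `dig` utility is installed for the live check.

# Read dig output on stdin and print the flag list, e.g. "qr rd ra ad".
dig_flags() {
  sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# Read dig output on stdin; return 0 when the AD bit is present, 1 otherwise.
has_ad_flag() {
  for f in $(dig_flags); do
    [ "$f" = "ad" ] && return 0
  done
  return 1
}

# Read dig output on stdin and print the response status (NOERROR, SERVFAIL, ...).
dig_status() {
  sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Live check: query the resolver with +dnssec and report the verdict.
# Usage: sh dnssec-check.sh example.com [server]
check_resolver() {
  name="$1"
  server="${2:-127.0.0.1}"
  out=$(dig @"$server" +dnssec "$name" A)
  if printf '%s\n' "$out" | has_ad_flag; then
    echo "validated:     $name (AD bit set)"
  else
    echo "NOT validated: $name (status $(printf '%s\n' "$out" | dig_status))"
  fi
}

# Constructed sample dig headers for offline demonstration (not real captures).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ $# -gt 0 ]; then check_resolver "$@"; fi
```

From a validating resolver, a name whose signatures fail to verify comes back as SERVFAIL rather than an unsigned answer, which is what a validation failure looks like from the client side. ISC retired the DLV registry in 2017, so the dnssec-lookaside line on slide 30 is no longer needed on current BIND versions.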

  34. Has it worked out? - No noticeable delay in queries. - No noticeable increase in CPU usage. - Rare domains don’t work (yimg/yahoo WTH??)

  35. Go get your DNS SEC today!