17 research outputs found

    A new approach to DNS security (DNSSEC)


    A Security Evaluation of DNSSEC with NSEC3

    Domain Name System Security Extensions (DNSSEC) and Hashed Authenticated Denial of Existence (NSEC3) are slated for adoption by important parts of the DNS hierarchy, including the root zone, as a solution to vulnerabilities such as "cache-poisoning" attacks. We study the security goals and operation of DNSSEC/NSEC3 using Murphi, a finite-state enumeration tool, to analyze security properties that may be relevant to various deployment scenarios. Our systematic study reveals several subtleties and potential pitfalls that can be avoided by proper configuration choices, including resource records that may remain valid after the expiration of relevant signatures and potential insertion of forged names into a DNSSEC-enabled domain via the opt-out option. We demonstrate the exploitability of DNSSEC opt-out options in an enterprise setting by constructing a browser cookie-stealing attack on a laboratory domain. Under recommended configuration settings, further Murphi model checking finds no vulnerabilities within our threat model, suggesting that DNSSEC with NSEC3 provides significant security benefits.

    Estudo e realização de uma instalação piloto de DNSSEC para o DNS de .PT (Study and Implementation of a DNSSEC Pilot Installation for the .PT DNS)

    Master's project in Computer Engineering, submitted to the University of Lisbon through the Faculty of Sciences, 2007. The DNS (Domain Name System) is one of the fundamental tools for the operation of the Internet; it makes it possible to locate and resolve domain names into IP addresses and vice versa. With the growth of the Internet and of the number of its users, the dangers and the need for security awareness have increased, making the search for solutions that guarantee a more secure environment in the service and in the network extremely important. To that end, DNSSEC was developed internationally: a set of extensions to the DNS protocol that allow the authenticity and integrity of data to be verified, and with which the aim is to protect the Internet and its users from certain types of attacks. This project addresses the process of analysing and integrating the security extensions to the DNS protocol in the domain registration service under the .PT designation, provided by FCCN, with a view to achieving security improvements at the national network level and contributing to making the Internet more secure globally.

    In order to access Internet resources using user-friendly domain names rather than IP addresses, users need a system to translate domain names into IP addresses. This translation is the primary task of the Domain Name System (DNS). The Internet is the world's largest computing network, with hundreds of millions of users. As this community grows there is a need to be aware of threats and dangers and to find solutions for secure service and network environments. In that sense, a community of Internet developers designed DNSSEC, a set of extensions to the DNS system to prevent some types of attacks against it, performing source authentication of domain name information and maintaining data integrity. This project focuses on the process of analysis and integration of the DNSSEC extensions in the .PT domain name service, handled by FCCN, in order to reach some security improvements in the national network and to contribute to a more secure worldwide Internet.

    Library and Tools for Server-Side DNSSEC Implementation

    This thesis analyses current open-source solutions for securing DNS zones using DNSSEC technology. Based on the survey carried out, a new library for use on authoritative DNS servers is designed and implemented. The aim of the library is to keep the benefits of existing solutions and to resolve their shortcomings. The design also includes a set of tools for managing policy and keys. The functionality of the created library is demonstrated by its use in the Knot DNS server.

    This thesis deals with currently available open-source solutions for securing DNS zones using the DNSSEC mechanism. Based on the findings, a new DNSSEC library for an authoritative name server is designed and implemented. The aim of the library is to keep the benefits of existing solutions and to eliminate their drawbacks. A set of utilities to manage keys and signing policy is also proposed. The functionality of the library is demonstrated by its use in the Knot DNS server.

    On The Impact of Internet Naming Evolution: Deployment, Performance, and Security Implications

    As one of the most critical components of the Internet, the Domain Name System (DNS) provides naming services for Internet users, who rely on DNS to perform the translation between domain names and network entities before establishing an Internet connection. In this dissertation, we present our studies on different aspects of the naming infrastructure in today's Internet, including DNS itself and the network services based on the naming infrastructure, such as Content Delivery Networks (CDNs). We first characterize the evolution and features of DNS resolution in web services under the emergence of third-party hosting services and cloud platforms. At the bottom level of the DNS hierarchy, the authoritative DNS servers (ADNSes) maintain the actual mapping records and answer DNS queries. The increasing use of upstream ADNS services (i.e., third-party ADNS-hosting services) and Infrastructure-as-a-Service (IaaS) clouds facilitates the deployment of web services, and has been fostering the evolution of the deployment of ADNS servers. To shed light on this trend, we conduct a large-scale measurement to investigate the ADNS deployment patterns of modern web services and examine the characteristics of different deployment styles, such as performance, life-cycle of servers, and availability. Furthermore, we specifically focus on the DNS deployment for subdomains hosted in IaaS clouds. Then, we examine a pervasive misuse of DNS names and explore a straightforward solution to mitigate the performance penalty in the DNS cache. The DNS cache plays a critical role in domain name resolution, providing (1) high scalability at root and top-level-domain nameservers with reduced workloads and (2) low response latency to clients when the resource records of the queried domains are cached.
    However, the pervasive misuse of domain names, e.g., domain names of the "one-time-use" pattern, has a negative impact on the effectiveness of DNS caching, as the cache becomes filled with entries that are highly unlikely to be retrieved. By leveraging the name-based features that are explicitly available from a domain name itself, we propose simple policies for improving DNS cache performance and validate their efficacy using real traces. Finally, we investigate the security implications of a fundamental vulnerability in DNS-based CDNs. The success of CDNs relies on the mapping system that leverages dynamically generated DNS records to distribute a client's request to a proximal server for optimal content delivery. However, the mapping system is vulnerable to malicious hijacks, as it is very difficult to provide pre-computed DNSSEC signatures for dynamically generated records in CDNs. We illustrate that an adversary can deliberately tamper with resolvers to hijack the CDN's redirection by injecting crafted but legitimate mappings between end-users and edge servers, while remaining undetectable by existing security practices, which can cause serious threats that nullify the benefits offered by CDNs, such as proximal access, load balancing, and DoS protection. We further demonstrate that DNSSEC is ineffective at addressing this problem, even with the newly adopted ECDSA, which is capable of live signing for dynamically generated DNS records. We then discuss countermeasures against this redirection hijacking.

    DNS Request and Transaction Signatures ( SIG(0)s )


    Solução Segura para Utilização de VPN Baseada em IP´s Dinâmicos (Secure Solution for VPN Use Based on Dynamic IPs)

    In this research, we studied brain anatomy and the oscillatory patterns of the neural circuits of the thalamo-cortical system and proposed a model for the brain sources based on electric dipoles; we then computed the attenuation of the electric field and formed a system of linear equations to separate the linearly mixed EEG signals in the brain. This method was tested with rule-based classifiers, statistical classifiers (Quadratic Discriminant Analysis, Linear Discriminant Analysis and Regularized Discriminant Analysis) and artificial neural networks in the classification of three mental tasks, related to imagining right/left hand movement and to generating words beginning with the same arbitrary letter.