47 research outputs found

    Automatic Tracking of DNSSEC Configuration on DNS Servers

    This bachelor thesis describes the design and implementation of a tool for tracking the configuration of the DNSSEC security extension on DNS servers. The goal is to perform automatic signature verification, track the cryptographic algorithms in use, and report potential or detected problems. The thesis was developed in cooperation with CZ.NIC.

    Connecting an IPv6 Home Network to the Internet Name Service

    Current home networks are very simple, containing only a few devices. As the number of devices connected to the home network increases, there is no reasonable way for a user to access devices using only IP addresses. Due to the exponential growth of devices connected to the Internet, the addresses of the current IP version are, however, soon to be depleted. A new IP version has already been implemented in the Internet, containing a very large number of addresses compared to the current IP version. Addresses in the new IP version are also much longer and more complicated. Therefore it is no longer reasonable to try to use IP addresses alone to access devices. These facts make it necessary to implement a name service in the home network. The name service is quite similar to that used in the Internet, although the home network version should be much more automatic and user friendly. This means that users no longer have to type IP addresses to access services, but can use meaningful names as in the Internet. The first objective of the thesis is to examine methods to implement as automated a name service as possible in the home network. The second objective is to examine connecting the home network name service to the Internet name service. Accomplishing this allows users to access services at home from the Internet. This has to be done in a secure manner to protect the integrity and authenticity of the user information. A live experiment of the thesis concentrates on the second objective by establishing the connection and transferring the name service information between the home network and the Internet name service. The study and the live experiments indicate that there is still work to be done before the two objectives can be fully accomplished. At the moment there is no convenient way to automatically name devices at home. Connecting to the Internet name service also involves quite a lot of effort, thus requiring more than basic computing skills from the user.

    Framework for DNS Server Testing

    This thesis deals with modifications of a framework designed for testing DNS servers. The framework is developed by the NIC.CZ association and is used primarily for testing the Knot DNS server. The aim of this work is to modify the framework to allow simpler testing, for example through support for multiple DNS server implementations, parallel testing, dummy server and box-in-the-middle components, division into multiple components, and an overall revision of the existing framework. The introduction of the thesis is dedicated to authoritative DNS servers and to the foundations of testing. The remaining part of the thesis deals with the state of the existing framework and with the state and testing of the modified framework.

    Addressing the challenges of modern DNS: a comprehensive tutorial

    The Domain Name System (DNS) plays a crucial role in connecting services and users on the Internet. Since its first specification, DNS has been extended in numerous documents to keep it fit for today’s challenges and demands. And these challenges are many. Revelations of snooping on DNS traffic led to changes to guarantee confidentiality of DNS queries. Attacks to forge DNS traffic led to changes to shore up the integrity of the DNS. Finally, denial-of-service attacks on DNS operations have led to new DNS operations architectures. All of these developments make DNS a highly interesting, but also highly challenging research topic. This tutorial – aimed at graduate students and early-career researchers – provides an overview of the modern DNS, its ongoing development and its open challenges. This tutorial has four major contributions. We first provide a comprehensive overview of the DNS protocol. Then, we explain how DNS is deployed in practice. This lays the foundation for the third contribution: a review of the biggest challenges the modern DNS faces today and how they can be addressed. These challenges are (i) protecting the confidentiality and (ii) guaranteeing the integrity of the information provided in the DNS, (iii) ensuring the availability of the DNS infrastructure, and (iv) detecting and preventing attacks that make use of the DNS. Last, we discuss which challenges remain open, pointing the reader towards new research areas.

    Country-Code Top-Level Domain Best Current Practices Info

    11 pages. This document describes the issues and best current practices for the technical organization, operation, and management of country-code top-level domains (ccTLDs).

    Applying Domain Name System Real-Time Redundancy to the CCSO PH Phone Directory System


    A Flexible Laboratory Environment Supporting Honeypot Deployment for Teaching Real-World Cybersecurity Skills

    In the practical study of cybersecurity, students benefit greatly from having full control of physical equipment and services. However, this presents far too great a risk to security to be permitted on university campus networks. This paper describes an approach, used successfully at Northumbria University, in which students have control of an off-campus network laboratory, with a dedicated connection to the Internet. The laboratory is flexible enough to allow the teaching of general purpose networking and operating systems courses, while also supporting the teaching of cybersecurity through the safe integration of honeypot devices. In addition, the paper gives an analysis of honeypot architectures and presents two in detail. One of these offers students the opportunity to study cybersecurity attacks and defences at very low cost. It has been developed as a stand-alone device that also can be integrated safely into the laboratory environment for the study of more complex scenarios. The main contributions of this paper are the design and implementation of: an off-campus, physical network laboratory; a small, low-cost, configurable platform for use as a “lightweight” honeypot; and a laboratory-based, multi-user honeypot for large-scale, concurrent, cybersecurity experiments. The paper outlines how the laboratory environment has been successfully deployed within a university setting to support the teaching and learning of cybersecurity. It highlights the type of experiments and projects that have been supported and can be supported in the future.

    Library and Tools for Server-Side DNSSEC Implementation

    This thesis deals with currently available open-source solutions for securing DNS zones using the DNSSEC mechanism. Based on the findings, a new DNSSEC library for an authoritative name server is designed and implemented. The aim of the library is to keep the benefits of existing solutions and to eliminate their drawbacks. A set of utilities to manage keys and signing policy is also proposed. The functionality of the library is demonstrated by its use in the Knot DNS server.

    On-Line Monitoring of Expiration of DNSSEC Signatures

    In this bachelor thesis we describe a program that checks the signatures of DNS (Domain Name System) resource records and warns in due time about invalid signatures or approaching expiry dates, so that expiry can be prevented. We describe the DNSSEC (Domain Name System Security) technology, the new resource records for DNSSEC, and the details of signing resource records. We also present the design of the program, its configuration options, the ways of reading data, and the ways of outputting warnings. We undertook this work because there is a need to check signatures quickly and warn about their approaching expiry, and no such program exists.

    A Look Back at "Security Problems in the TCP/IP Protocol Suite"

    About fifteen years ago, I wrote a paper on security problems in the TCP/IP protocol suite. In particular, I focused on protocol-level issues, rather than implementation flaws. It is instructive to look back at that paper, to see where my focus and my predictions were accurate, where I was wrong, and where dangers have yet to happen. This is a reprint of the original paper, with added commentary.