Skip to content

Commit 9eab600

Browse files
drbruced12drbruced12
committed
DNSSEC overview
1 parent d51cd8f commit 9eab600

File tree

2 files changed

+54
-16
lines changed

2 files changed

+54
-16
lines changed

figures/SecurityFigs.odp

-15 Bytes
Binary file not shown.

infra.rst

Lines changed: 54 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -638,10 +638,10 @@ it turns out to be relatively easy to send false reponses to DNS
638638
requests that can fool the recipients. Because of the way DNS caches
639639
responses, the impact of such false information can be widespread.
640640

641-
"Cache poisoning"—also known as DNS spoofing—is a common from of
642-
attack on DNS. An attacker can send a DNS query to a DNS resolver for
643-
a certain domain name and then, assuming that the resolver will have
644-
to make a recursive query to an authoritative name server, the
641+
"Cache poisoning"—also sometimes referred to as DNS spoofing—is a common from of
642+
attack on DNS. If an attacker can either force a resolver
643+
to make a recursive query to an authoritative name server, or predict
644+
roughly when such a query is to be made, the
645645
attacker can try to send a fake response to *that* query. If the
646646
attacker's fake response arrives before the real one, there is a
647647
chance that it will be inserted into the name server cache of the
@@ -663,10 +663,11 @@ When everything works as intended, a client machine makes a query to
663663
the local DNS resolver, which, finding nothing in its cache, sends a
664664
query to an authoritative name server. This is one of the simplest
665665
scenarios for name resolution when the answer is not already cached
666-
locally. The answer is returned by the authoritative server and then
667-
cached and returned to the client. Subsequent requests for the same
668-
query from any client server by the local resolver can now be served
669-
from the resolver's cache without steps 2 and 3 taking place.
666+
locally. (There will often be multiple queries required at step 2.)
667+
The answer is returned by the authoritative server and then cached and
668+
returned to the client. Subsequent requests for the same query from
669+
any client served by the local resolver can now be served from the
670+
resolver's cache without steps 2 and 3 taking place.
670671

671672

672673
.. _fig-poison:
@@ -696,14 +697,51 @@ Even with no visibility of the client traffic, the attacker can force
696697
the resolver to make queries to example.com by issuing queries of its
697698
own, and then send the flood of responses to impersonate the
698699
authoritative server. If successful, this leaves the fake data in the
699-
cache until its TTL expires.
700-
701-
There are many variations of this attack, broadly cataloged in
702-
RFC 3833. The use of packet inspection to identify DNS queries passing
703-
through a network and then to inject fake responses is part of the suite
704-
of techniques used to control Internet access by national
705-
governments. See the Further Reading section for a thorough study on
706-
this phenomenon and its widespread effects in and beyond China.
700+
cache until its TTL expires. There are many variations of this type of
701+
attack, broadly cataloged in RFC 3833, which analyzes the threats
702+
faced by DNS.
703+
704+
When the goal is to limit access to certain sites, rather than to
705+
redirect a client to a fake site, simply disrupting the process of DNS
706+
resolution is sufficent to make access to the target sites difficult
707+
for end users. The use of packet inspection to intercept DNS queries
708+
passing through a network and then to inject fake responses, or simply
709+
drop the query, is part of the suite of techniques used to control
710+
Internet access by national governments. See the Further Reading
711+
section for a thorough study on this phenomenon and its widespread
712+
effects in and beyond China.
713+
714+
DNS Security Extensions (DNSSEC)
715+
---------------------------------
716+
717+
Since DNS queries are, by default, unauthenticated, cleartext UDP datagrams, a
718+
natural approach to preventing attacks on DNS would be to use some of
719+
the techniques outlined in Chapter 5 to authenticate DNS
720+
responses. That is precisely what the first big effort to improve DNS
721+
security, the DNS Security Extensions (DNSSEC) does.
722+
723+
The first step for DNSSEC is, as we have seen in other scenarios, to
724+
establish chains of trusted public keys using a
725+
hierarachy of certificates. Of course, in DNS we have an existing
726+
hierarchical relationship between zones that sits below the root zone,
727+
so it is natural to establish a certificate
728+
hierarchy following the zone hierarchy. As a reminder, see the
729+
example hierarchy from the section on DNS in our main textbook,
730+
reproduced below.
731+
732+
.. _fig-dns-hier:
733+
.. figure:: figures/f09-17-9780123850591.png
734+
:width: 500px
735+
:align: center
736+
737+
Hierarchy of DNS name servers
738+
739+
740+
741+
742+
743+
DNS over HTTPS (DoH)
744+
--------------------
707745

708746

709747

0 commit comments

Comments
 (0)