Sat, 6 Feb 2010

12:00 AM - DNS and DNSSEC

About ten years ago, dnssec was invented to deal with a problem plaguing the Internet.  There is no trust in the DNS system.  

Background

Many people might have heard the term DNS, but never thought about what it is.  DNS, or the Domain Name System, is the process by which a domain name like midnightbsd.org is translated into an IP address 70.91.226.201.  Without this system, one would need to type in IP addresses to access websites, send email, or chat online. 

The system was invented at a simpler time when people trusted each other on the Internet.  This was before worms, massive spam, or websites.  

Today, many people try to impersonate others on the Internet or worse yet, their websites.  You could create a DNS poisoning attack so that a user accessing a DNS server to lookup google.com is redirected to a fake site.  This site could log information and pass requests to the real google.com through a proxy.  The user may never know the difference.  

Systems like DNSSEC validate DNS queries by a trust relationship.

Using DNSSEC

Individuals don't need to do much to use DNSSEC aside from purchasing updated software.  Windows 7 had DNSSEC on it's list of new features (not confirmed it was added in final builds).  The client (your computer) must be able to understand DNSSEC queries for it to be of any use.  Otherwise, it is simply ignored.  

System administrators must enable DNSSEC on their DNS servers (resolvers) as well as on zones to get the full benefit.  You can think of a zone as a domain name.  Things can be further divided into sub zones such as .com vs midnightbsd.org.  

Enabling DNSSEC on BIND 9.4+ resolvers

In options: 

        dnssec-enable yes;

        dnssec-validation yes;

        dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";

...
trusted-keys {
        dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2F
ZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9
IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};
 
Further Reading
 
 
 
 
 


tags: named dns security bind dnssec

0 comments