DNS security


Transcript of DNS security

  • 1

    DNS Security Module

    Quick DNS Refresher

  • 2

    What is DNS?

    The Domain Name System (DNS) associates various information with domain names; most importantly, it serves as the "phone book" for the Internet by translating human-readable computer hostnames, e.g. www.example.com, into IP addresses, e.g. 208.77.188.166, which networking equipment needs to deliver information.

    The DNS also stores other information, such as the list of mail servers that accept email for a given domain. By providing a worldwide keyword-based redirection service, the Domain Name System is an essential component of contemporary Internet use. (Source: Wikipedia)

  • 3

    Hierarchical Name Space

    [Figure: the DNS tree. Under the root sit the top-level domains edu, net, org, uk, com and ca; under edu sit wisc, ucb, stanford, cmu and mit; under stanford sit cs and ee; under cs sits www. The full name www.cs.stanford.edu resolves to 192.168.20.1.]

  • 4

    DNS Server Functions/Roles

    Zone (Domain): A DNS zone is a portion of the global Domain Name System (DNS) namespace for which administrative responsibility has been delegated.

    [Figure: the role diagram used throughout this module, here with Zone = apricot.net: Zone Administrator, Zone Files, Master DNS Server, Slave DNS Server(s), Dynamic Updates (DHCP & AAA), Recursive DNS Server, Client.]

  • 5

    DNS Server Functions/Roles

    Zone Master (Primary): The authoritative server for a zone (domain). The Zone Master contains one or more zone files for which the DNS is authoritative. Other DNS Servers can automatically transfer zone files.


  • 6

    DNS Server Functions/Roles

    Zone Slave (Secondary): A Zone Slave (also called a stub name server or secondary DNS) gets its zone data from the Zone Master. When a Zone Slave server starts up, it contacts its Zone Master and requests a zone transfer. The goal of the Zone Slave is scaling (load) and zone resiliency (in case the Zone Master is down). You can have multiple Zone Slaves, geographically distributed, to increase resiliency.


  • 7

    DNS Server Functions/Roles

    Resolvers: A resolver looks up the resource record information associated with nodes. A resolver knows how to communicate with name servers by sending DNS queries and heeding DNS responses.


  • 8

    DNS Server Functions/Roles

    Stub Resolvers (customers): Stub Resolvers move the resolution function out of the local machine and into a name server which supports recursive queries. Little to no local caching happens.


  • 9

    DNS Server Functions/Roles (Options)

    External Resolvers: External Resolvers are designed to proxy all queries from inside a large organization. They become one of the publicly visible addresses of the large network, allowing the internal DNS servers to be hidden (core hiding) and protected from outside attack.

    Internal Resolvers: Internal resolvers are slaves configured in split-horizon mode to allow for external zone transfers and authoritative responses. They become one of the publicly visible addresses of the large network, allowing the internal DNS servers to be hidden (core hiding) and protected from outside attack.

  • 10

    DNS Information Flow

    1. Zone Administrator (i.e. apricot.net) updates information in the Zone files. These files are moved to the DNS Master.

    [Figure: the role diagram with the five information flows numbered: 1 Zone Administrator to Zone Files and Master DNS Server; 2 Dynamic Updates (DHCP & AAA) to Master; 3 Master to Slave DNS Server(s); 4 Recursive DNS Server to Master/Slave; 5 Client to Recursive DNS Server.]

  • 11

    DNS Information Flow

    2. Dynamic Updates are sent by the DHCP or AAA server. The DNS Master updates its records.


  • 12

    DNS Information Flow

    3. Zone transfer is used to push copies of the Master's records to the Slave DNS Servers. This allows for scaling and resiliency.


  • 13

    DNS Information Flow

    4. Caching Forwarders, Proxies, and Resolvers all query the Master/Slave DNS server to get authoritative information about the DNS Zone.


  • 14

    DNS Information Flow

    5. Resolvers query Recursive Caching Forwarders to have them get DNS records on their behalf. These are your local DNS servers set in most end devices.


  • 15

    DNS Query Recursive Resolution

    Question: www.apricot.net A

    [Figure: the resolution path from the Client through the Recursive Server to the ROOT Server, GTLD Server and APNIC Server, with the exchanges numbered 1 to 10:]

    1. Client to Recursive Server: www.apricot.net A ?
    2. Recursive Server to ROOT Server: www.apricot.net A ?
    3. ROOT Server: go ask net server @ X.gtld-servers.net (+ glue)
    4. Recursive Server to GTLD Server: www.apricot.net A ?
    5. GTLD Server: go ask APNIC server @ ns.apnic.net (+ glue)
    6. Recursive Server to APNIC Server: www.apricot.net A ?
    7. APNIC Server: 192.168.5.10
    8. Recursive Server: add to cache
    9. Recursive Server to Client: 192.168.5.10
    10. The cached answer is kept for its TTL
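The walk above, as an added Python example that is not from the slides: a toy recursive server follows referrals from a constructed root, GTLD and APNIC table, returns the authoritative answer, and serves it from cache until the TTL runs out. The server names and the 192.0.2.x glue addresses are constructed stand-ins.

```python
import time

# Constructed stand-ins for the servers in the diagram: the root refers .net
# questions to a GTLD server, which refers apricot.net to APNIC's server, which
# is authoritative for www.apricot.net.  Glue addresses are documentation IPs.
ROOT = "a.root-servers.net"
SERVERS = {
    ROOT: {"referral": {"net.": ("X.gtld-servers.net", "192.0.2.1")}},
    "X.gtld-servers.net": {"referral": {"apricot.net.": ("ns.apnic.net", "192.0.2.2")}},
    "ns.apnic.net": {"answer": {"www.apricot.net.": ("192.168.5.10", 3600)}},
}


class RecursiveServer:
    """Resolves a name by walking referrals from the root and caching the result."""

    def __init__(self, now=time.time):
        self.now = now      # injectable clock so TTL expiry can be demonstrated
        self.cache = {}     # qname -> (address, absolute expiry time)
        self.trace = []     # servers asked during the last resolve(); "cache" on a hit

    def resolve(self, qname):
        qname = qname if qname.endswith(".") else qname + "."
        self.trace = []
        hit = self.cache.get(qname)
        if hit and hit[1] > self.now():          # step 10: answer from cache while the TTL lasts
            self.trace.append("cache")
            return hit[0]
        server = ROOT                            # step 2: every fresh lookup starts at the root
        while True:
            self.trace.append(server)
            data = SERVERS[server]
            if qname in data.get("answer", {}):  # step 7: authoritative answer
                addr, ttl = data["answer"][qname]
                self.cache[qname] = (addr, self.now() + ttl)   # step 8: add to cache
                return addr                      # step 9: hand the answer back to the client
            # steps 3 and 5: follow the referral for the closest enclosing zone; the glue
            # address tells the resolver where that name server lives without another lookup
            for zone, (nsname, _glue) in data.get("referral", {}).items():
                if qname.endswith("." + zone):
                    server = nsname
                    break
            else:
                raise LookupError(f"{qname}: {server} neither answered nor referred")
```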

  • 16

    What is the DNS Problem?

  • 17

    Industry Wide Vulnerability

    DNS has a highly exploitable architectural flaw. This is an industry-wide vulnerability which impacts every DNS server on the planet. The risk is a general breach of confidence and a feasible ability to break chains of commercial trust.

    Demonstrated ability for the exploit to be commercially capitalized by the cyber-criminal economy (miscreant economy). See http://www.getit.org/Mediawiki/index.php?title=Miscreant_economy

    Suspected but not confirmed: active exploit today in China.

  • 18

    DNS: Where is the Problem?

    DNS poison entries are injected at step 4 (the Recursive Server querying the Master/Slave servers). Threat: a botable and criminally executable threat to the confidence of the Internet.

    [Figure: the numbered flow diagram from the previous section, with a Computer with Hijacking Malware added.]

  • 19

    DNS Threat Vectors

  • 20

    DNS is a Critical Dependency

    Services depend on DNS to be there. Applications depend on DNS to be there. People depend on DNS to be there.

    The Internet could be passing plenty of packets at line-rate speeds, but if DNS is not working, the customer sees the Internet as not working.

  • 21

    DNS Security: Protect the resolution path!

    DNS Security is all about protecting the information that flows from one functional node to another.


  • 22

    DNS Attack Vectors

    [Figure: the role diagram annotated with the following attack vectors:]

    Corrupt Zone Data

    DOS Servers

    Poison Recursive Caching

    Impersonating Master

    Unauthorized Updates

    Cache Impersonation

    Redirection

  • 23

    Divide the Problem in Half!

    Policy, Tools, Protocols and Technique can be easily derived by dividing the problem in half:

    [Figure: the role diagram split into two halves labelled Server Protection and Data Protection.]

  • 24

    Zone Files

    Are the Zone files protected? Are they edited on the Master or off on another machine? Is the path between the Zone Administrator and the Master DNS Server protected?


  • 25

    Master & Slave DNS Servers

    Basic 101 of Server Security. The Master is a critical resource. What happens if it gets DOSed? Who do you allow zone transfers to and from?


  • 26

    Zone Transfer to Slave Servers

    Data path between the Master and Slave needs protection.

    File corruption of the zone transfer, hijacking the zone transfer, and DOS (low level) all could happen.


  • 27

    Dynamic Updates

    DHCP and other dynamic update tools need protection.

    It could be a back door into the DNS System.


  • 28

    DNS Cache Poisoning

    DNS cache poisoning is one of the most common attack vectors.

    Anti-spoofing and the new source port randomization help.


  • 29

    DNS Poison Basic

    DNS poisoning is a by-product of DNS using UDP. When a query goes out, the resolver will take the first UDP packet back which seems to be authoritative. It is a race to see who gets the UDP packet back first.

    Once the Caching Forwarder is poisoned, all queries from all other resolvers will get the poisoned data.

    [Figure: the Client asks the Recursive DNS Server for www.apricot.net A, which asks the APNIC DNS Server over UDP; the genuine answer is 192.168.5.10, while a host at 172.13.1.66 races it with a stream of its own UDP replies (the "ME" packets).]

  • 30

    DNS Poison The Catch

    You must match the transaction ID (query ID) of the DNS query, which means you need to sniff the wire.

    DNS message layout (header first, then the sections):

        +---------------------------+---------------------------+
        |            ID             |           flags           |
        +---------------------------+---------------------------+
        |   numbers of questions    |     numbers of answer     |
        +---------------------------+---------------------------+
        |  number of RR authority   | number of supplementary RR|
        +---------------------------+---------------------------+
        |                                                       |
        \                       QUESTION                        \
        |                                                       |
        +-------------------------------------------------------+
        |                                                       |
        \                        ANSWER                         \
        |                                                       |
        +-------------------------------------------------------+
        |                                                       |
        \                  Stuff etc.. No matter                \
        |                                                       |
        +-------------------------------------------------------+

    [Figure: the same race as the previous slide, with the host at 172.13.1.66 sending its "ME" replies against the APNIC DNS Server's 192.168.5.10 answer.]

  • 31

    DNS Poison Miscreant Workaround

    If I cannot sniff the packets, but I can query the caching resolver, then I can brute force my way into a DNS Poison.

    Instead of waiting for someone else to query, you send your own queries into the caching forwarder.

    I can then brute force the query ID.

    [Figure: the same race, but the www.apricot.net A queries are now sent by the miscreant's own client into the Recursive DNS Server, which asks the APNIC DNS Server (192.168.5.10) over UDP while the "ME" replies arrive.]
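What the recursive server checks before it believes a reply, as an added Python example that is not from the slides: the header layout from the previous slide is parsed from bytes, and a reply is accepted only when its ID, the destination port and the question all match a query still in flight. The 0x1234 ID, port 41234 and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed; only 192.168.5.10 and www.apricot.net come from the slides.

```python
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def parse_header(msg):
    """Decode the 12-byte header laid out on the slide."""
    if len(msg) < HEADER.size:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {"id": ident, "qr": (flags >> 15) & 1, "aa": (flags >> 10) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def parse_question(msg):
    """(name, qtype, qclass) of the first question.  Names in the question
    section are never compressed, so plain length-prefixed labels suffice."""
    i, labels = HEADER.size, []
    while msg[i] != 0:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    qtype, qclass = struct.unpack_from("!HH", msg, i + 1)
    return ".".join(labels), qtype, qclass


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(ident, name, qtype=1):
    """Standard query, RD set (flags 0x0100), one question, class IN."""
    return (HEADER.pack(ident, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def build_reply(query, ipv4, ident=None):
    """Response to `query`: QR|RD|RA (0x8180), the question echoed, and one A
    record whose name is a pointer to offset 12.  `ident` overrides the ID so a
    reply whose ID was guessed rather than copied can be modelled."""
    hdr = parse_header(query)
    question = query[HEADER.size:]
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
          + bytes(int(octet) for octet in ipv4.split(".")))
    return HEADER.pack(ident if ident is not None else hdr["id"], 0x8180, 1, 1, 0, 0) + question + rr


def accept_reply(outstanding, reply, src, dst_port):
    """Resolver-side acceptance checks, i.e. the slide's 'catch' seen from the
    defender: a reply must hit the exact (ID, source port) of a query still in
    flight, come from the server that was asked, be flagged as a response and
    repeat the question.  `src` is the (ip, port) the packet arrived from.
    A sender who spoofs the authority's address passes the source check, so
    the ID and the port are the bits that actually have to be guessed."""
    try:
        hdr = parse_header(reply)
    except ValueError as err:
        return False, str(err)
    pending = outstanding.get((hdr["id"], dst_port))
    if pending is None:
        return False, "no query in flight with this ID on this port"
    if src != (pending["server"], 53):
        return False, "not from the server that was asked"
    if not hdr["qr"]:
        return False, "QR bit clear: a query, not a response"
    if parse_question(reply) != pending["question"]:
        return False, "question section does not match"
    return True, "accepted"


def demo():
    """Constructed scenario from the slide: the recursive server asked the APNIC
    server (192.0.2.2 stands in for it) for www.apricot.net A with ID 0x1234 from
    source port 41234.  Returns the verdict for the genuine reply and three forgeries."""
    query = build_query(0x1234, "www.apricot.net")
    outstanding = {(0x1234, 41234): {"server": "192.0.2.2",
                                     "question": ("www.apricot.net", 1, 1)}}
    genuine = build_reply(query, "192.168.5.10")
    wrong_id = build_reply(query, "203.0.113.9", ident=0x1235)
    return {
        "genuine":    accept_reply(outstanding, genuine, ("192.0.2.2", 53), 41234),
        "wrong_id":   accept_reply(outstanding, wrong_id, ("192.0.2.2", 53), 41234),
        "wrong_port": accept_reply(outstanding, genuine, ("192.0.2.2", 53), 41235),
        "wrong_src":  accept_reply(outstanding, genuine, ("198.51.100.7", 53), 41234),
    }
```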

  • 32

    DNS Poison Better Yet DOS the Server

    DOSing the authoritative DNS server(s) is one way to give the miscreant breathing room.

    The DOS attack does not need to be big, just enough to clog up the DNS servers.

    It might not be a flood. It could be a computational overload attack.

    [Figure: the same race, with a Low Level DOS aimed at the APNIC DNS Server so that its genuine answer arrives behind the "ME" replies.]

  • 33

    DNS Poison Computational Overload

    A computational overload attack makes the core functions of the application work really hard.

    Send queries to the DNS server where each sub-domain = a name in a password cracking database.

    Consequence: the DNS server is waiting for each domain to resolve, which is really nasty if you are forcing it to do recursive lookups.

    [Figure: the Client drives the Recursive DNS Server, and through it the APRICOT DNS Server, with queries such as a.apricot.net A, apple.apricot.net A, aadvark.apricot.net A, alvin.apricot.net A, ake.juniper.net A, A$#@.juniper.net A, affrroo.juniper.net A, ... (password cracking file).juniper.net A.]

  • 34

    DNS Architecture Idea: Modularization & Compartmentalization


  • 35

    Most DNS Today

    [Figure: Zone Master, Zone Slaves and Caching Resolvers, with regions labelled Internal DNS Infrastructure Only, Only Slave Servers, and External Resolution. Caption: The Soft Underbelly of the Internet.]

  • 36

    Protecting DNS like HTTP does not work

    [Figure: the same deployment (Zone Master, Zone Slaves, Caching Resolvers, Internal DNS Infrastructure Only, Only Slave Servers, External Resolution) with a Protective Anti-DDOS Box placed in front of it, labelled New Failure Point.]

  • 37

    DNS Resiliency Requires Engineering

    DNS resiliency requires engineers to execute engineering. The technology must be understood. DNS's interdependency with all parts of the other services must be mapped out. Architectural plans must be drawn and tested.

    Some of the world's biggest companies have had complete DNS failures where the root cause was throwing DNS into a network, putting a router/load balancer/anti-DOS device in front of it, and thinking it is going to just work.

    Architectural principles are the key to DNS resiliency.

  • 38

    Options

    There are key options a provider has to re-architect their DNS. Two key requirements are:

    Investing in your own people to turn them into DNS gurus. Join DNS-OARC (https://www.dns-oarc.net/).

    Active participation in your network operations communities (RIPE and MENOG).

    The kick-start options to change fast include:

    Contracting with Internet Systems Consortium (http://www.isc.org/)

    Outsourcing to a DNS provider (i.e. ISC)

    Work with one of the two big DNS product vendors (ISC, Nominum, or Infoblox).

  • 39

    DNS Backscatter Knowing when you are being Poisoned


  • 40

    Backscatter ICMP Port Unreachable

    [Figure: a Miscreant Driving the BOTNET works through a Controller Proxy; the Victim of Crime sends DNS queries to a controlled domain (Wert543.example.com, Oihwoeif.example.com, Fdvakjnfvkjndaf.example.com) to My DNS Server, the DNS Recursive Server; a Poison Engine sends a Poison Attempt w/RR Hint, spoofing ns.example.com, the DNS Authority for www.example.com; the recursive server answers the spoofed packets with ICMP Port Unreachable, which lands on the real ns.example.com.]

  • 41

    ICMP Unreachable & DNS

    ICMP Unreachable, specifically port unreachable, are not normal packets to arrive at: DNS Masters; DNS Slaves; DNS Split-Horizon Authoritative Servers.

    Live observation: launching the attack results in packets arriving on closed ports of the recursive DNS server. The recursive server sends ICMP Port Unreachable back to the source of the packet, which is the DNS Authority being spoofed.

  • 42

    ICMP Port Unreachable

    This will tell you that someone somewhere is poisoning somewhere so that they can be a man in the middle between you and your customer!

    How to monitor: Classification ACLs (match ingress on ICMP port unreachable); Netflow; IDP/IPS; Firewalls; DPI boxes.
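The monitoring idea above, as an added Python example that is not from the slides: ICMP port-unreachable packets arriving at the authoritative servers are counted per sender from a constructed NetFlow-style export, and senders over a threshold are raised as backscatter alerts. The addresses (192.0.2.53 standing in for ns.example.com, 198.51.100.10 and 203.0.113.77 as remote recursive servers), the record format and the threshold are all assumptions.

```python
from collections import Counter

# Constructed records modelled on a NetFlow/ACL export, one flow per line:
# src,dst,proto,icmp_type,icmp_code,packets.  192.0.2.53 stands in for
# ns.example.com (our authority); 198.51.100.10 and 203.0.113.77 are remote
# recursive servers.  All addresses are documentation ranges.
SAMPLE_FLOWS = """\
198.51.100.10,192.0.2.53,1,3,3,412
198.51.100.10,192.0.2.53,1,3,3,388
203.0.113.77,192.0.2.53,1,3,3,9
198.51.100.10,192.0.2.80,1,3,3,2
198.51.100.10,192.0.2.53,1,8,0,1
203.0.113.5,192.0.2.53,17,0,0,7
"""

AUTHORITATIVE = {"192.0.2.53"}      # our masters, slaves and split-horizon servers
ICMP, UNREACHABLE, PORT_UNREACHABLE = 1, 3, 3


def parse_flows(text):
    """Turn the export into dicts; malformed lines are skipped rather than fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        src, dst, proto, itype, icode, packets = parts
        flows.append({"src": src, "dst": dst, "proto": int(proto),
                      "type": int(itype), "code": int(icode), "packets": int(packets)})
    return flows


def backscatter_by_source(flows, authoritative=AUTHORITATIVE):
    """ICMP type 3 code 3 (port unreachable) packets arriving at our
    authoritative servers, summed per sender.  An authority never sends UDP
    queries to resolvers, so every such packet means a reply claiming to be
    from us hit a closed port on that resolver: our address is being spoofed."""
    hits = Counter()
    for f in flows:
        if (f["proto"] == ICMP and f["type"] == UNREACHABLE
                and f["code"] == PORT_UNREACHABLE and f["dst"] in authoritative):
            hits[f["src"]] += f["packets"]
    return hits


def alerts(hits, threshold=100):
    """Senders worth paging on.  The threshold is an assumption: a handful of
    unreachables can be a resolver restart; hundreds in one export are a race."""
    return sorted(src for src, n in hits.items() if n >= threshold)
```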

  • 43

    ACLs How?

    [Figure: the backscatter diagram again, with the ICMP Port Unreachable packets matched by an ACL on Router with SNMP trap on the path to ns.example.com.]

  • 44

    Netflow

    [Figure: the backscatter diagram again, with a Netflow Export from the router on the path to ns.example.com.]

  • 45

    IDP/IPS

    [Figure: the backscatter diagram again, with an IDP/IPS watching the path to ns.example.com.]

  • DNS Security (DRAFT)

    Barry Raveendran Greene [email protected]

    Version 0.7

  • 47

    Attack Vector #1

    Big Money Company's DNS server gets poisoned. www.example.com is victimized. Everyone going to the bad guys' server is victimized.

    [Figure: Home Users and Company Users resolving www.example.com are sent to the Bad Guys Server by the DNS Poison at Big Money Company's DNS; the SP's DNS is also shown.]

  • 48

    Attack Vector #2

    The DNS server gets poisoned. Big Money Company is victimized. Everyone going to the bad guys' server is victimized.

    [Figure: Home Users and Company Users resolving www.example.com are sent to the Bad Guys Server by the DNS Poison at the SP's DNS; Big Money Company is the victim.]

  • 49

    Focus of the Industry

    Chain of Victimization: Users (Target), Operator (Target), Domain Owner (Means to a Target).

    [Figure: Users, the Operator's Recursive DNS Resolver, the Domain Owner's www.example.com, and the Bad Guys Server.]

  • 50

    Threat to any domain on the Internet!

    [Figure: the same chain, Users (Target), Operator's Recursive DNS Resolver (Target), Domain Owner's www.example.com (Means to a Target), and the Bad Guys Server.]

  • 51

    These two attack vectors are just the start

    Now that DNS Poison is easier, more attack vectors will be discovered.

    This is a threat to the trust model(s) of the Internet.

  • 52

    Solution? DNSSEC!

    DNSSEC = DNS SECurity Extensions. Adds a cryptographic signature to a DNS response. This signature can be validated from the root downward by a validating resolver. Be warned, the responses WILL be bigger.

    Update firewalls to accept larger than 512 byte DNS responses and UDP fragments.

    Most open source (BIND/Unbound/NSD) and commercial products (Nominum, Infoblox) support DNSSEC (records and validation).


  • 55

    Most DNS Today

    [Figure: Zone Master, Zone Slaves and Caching Resolvers, with regions labelled Internal DNS Infrastructure Only, Only Slave Servers, and External Resolution. Caption: The Soft Underbelly to IP NGN.]

  • 56

    Robust IPNGN DNS Topology

    Layers, from the customer edge inward: Resolvers; Caching Forwarders (CFs); Aggregate Caching Forwarders (ACFs) (Optional); Internal Resolvers (iRs); External Resolvers (eRs); Zone Slaves; Zone Master.

    [Figure: the layers grouped into regions labelled Internally Access Only, Internally DNS Infrastructure Only, and Only Slave Servers Internet Accessible.]

  • 57

    Out Bound Recursion/Resolution

    [Figure: the outbound recursion path through the same layers: Resolvers, Caching Forwarders (CFs), Aggregate Caching Forwarders (ACFs), Internal Resolvers (iRs), External Resolvers (eRs), Zone Slaves, Zone Master.]

  • 58

    CERT/CC #800113 Multiple DNS Implementations Vulnerable to Cache Poisoning Detailed Analysis

  • 59

    CERT/CC Overview

    The Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of Internet-connected systems.

    DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver.

    The general concept has been known for some time, and a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning have previously been identified and described in public literature.

  • 60

    Issue #1 - Insufficient transaction ID space

    The DNS protocol specification includes a transaction ID field of 16 bits. If correctly implemented and randomly selected with a strong random number generator, an attacker will require, on average, 32768 attempts to successfully predict the ID.

    Some flawed implementations may be utilizing a smaller number of bits for this transaction ID, meaning that fewer attempts will suffice.

    Furthermore, implementation errors in the randomness of transaction IDs generated by a number of implementations have been identified.

    Amit Klein researched several such affected implementations in 2007.

    These vulnerabilities were published as:

    VU#484649 - Microsoft Windows DNS Server vulnerable to cache poisoning

    VU#252735 - ISC BIND generates cryptographically weak DNS query IDs

    VU#927905 - BIND version 8 generates cryptographically weak DNS query identifiers

  • 61

    Issue #2 - 'Birthday Attack'

    Multiple outstanding requests: some implementations of DNS services contain a vulnerability whereby multiple identical queries for the same resource record (RR) will generate multiple outstanding queries for that RR.

    This condition leads to the feasibility of a 'Birthday Attack', significantly raising the chance of success for an attacker.

    This problem was previously described in VU#457875. A number of vendors and implementations have already added mitigations to address this issue.

  • 62

    Issue #3 Fixed Source Port for Generating Queries

    Some current implementations allocate an arbitrary port at startup (sometimes selected at random) and reuse this source port for all outgoing queries.

    In some implementations, the source port for outgoing queries is fixed at the traditional assigned DNS server port number, 53/udp.

  • 63

    Add them together

    Recent additional research into these issues and methods of combining them to conduct improved cache poisoning attacks has yielded extremely effective exploitation techniques.

    Caching DNS resolvers are primarily at risk, both those that are open (a DNS resolver is open if it provides recursive name resolution for clients outside of its administrative domain) and those that are not.

    These caching resolvers are the most common target for attackers; however, stub resolvers are also at risk.

  • 64

    Per-query source port randomization

    Because attacks against these vulnerabilities all revolve around the ability for the attacker to predictably spoof traffic, the implementation of per-query source port randomization in the server presents a practical mitigation against these attacks within the boundaries of the current protocol specification.

  • 65

    Added Resiliency, Not the Final Solution

    The use of randomized source ports can be used to gain an additional approximately 16 bits of randomness in the data that an attacker must guess. In practice, implementers will be restricted to less than 65535 in the actual number of source ports they can allocate (port numbers
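The three CERT issues above (16-bit ID space, multiple outstanding queries, fixed source port) and the port-randomization mitigation, put into numbers as an added Python example that is not from the slides. The formulas assume in-flight queries carry distinct (ID, port) pairs and that forged replies are independent guesses; the 256/256 comparison scenario is constructed.

```python
import math

ID_BITS = 16          # DNS transaction ID field
PORT_BITS = 16        # what per-query source port randomization can add at best


def expected_blind_attempts(id_bits=ID_BITS, port_bits=0):
    """Average forged replies needed against a single in-flight query when the
    attacker must guess every unknown bit: half the space.  For the bare
    16-bit ID that is 2**16 / 2 = 32768, the figure in the CERT text."""
    return 2 ** (id_bits + port_bits) // 2


def effective_port_bits(usable_ports):
    """Entropy a randomized source port really adds when the implementation can
    only draw from `usable_ports` distinct ports (always fewer than 65535)."""
    if usable_ports < 1:
        raise ValueError("need at least one port")
    return math.log2(usable_ports)


def birthday_success(outstanding, forged, id_bits=ID_BITS, port_bits=0):
    """Issue #2: with `outstanding` identical queries in flight, a forged reply
    hits if it matches any one of them, so
        P(success) = 1 - (1 - outstanding / space) ** forged
    where space = 2 ** (id_bits + port_bits).  Assumes the in-flight queries
    carry distinct (ID, port) pairs and the guesses are independent."""
    space = 2 ** (id_bits + port_bits)
    if not 0 <= outstanding <= space:
        raise ValueError("outstanding queries cannot exceed the ID/port space")
    return 1 - (1 - outstanding / space) ** forged


def compare_mitigations(outstanding=256, forged=256):
    """Same attacker effort under the three conditions the CERT slides discuss:
    fixed port with the birthday weakness, fixed port with it fixed, and
    per-query source port randomization on top."""
    return {
        "fixed port, multiple outstanding":  birthday_success(outstanding, forged),
        "fixed port, one outstanding":       birthday_success(1, forged),
        "random port, multiple outstanding": birthday_success(outstanding, forged,
                                                              port_bits=PORT_BITS),
    }
```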

  • 66

    Restrict Access to Recursion

    Administrators, particularly those who are unable to apply a patch, can limit exposure to this vulnerability by restricting sources that can ask for recursion. Note that restricting access will still allow attackers with access to authorized hosts to exploit this vulnerability.

  • 67

    Filter Traffic at Network Perimeters

    Because the ability to spoof IP addresses is necessary to conduct these attacks, administrators should filter spoofed addresses at the network perimeter. IETF Request for Comments (RFC) documents RFC 2827, RFC 3704, and RFC 3013 describe best current practices (BCPs) for implementing this defense. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.

  • 68

    Run a Local DNS Cache

    In lieu of strong port randomization characteristics in a stub resolver, administrators can protect their systems by using local caching full-service resolvers, both on the client systems and on servers that are topologically close on the network to the client systems, in conjunction with the network segmentation and filtering strategies mentioned above.

  • 69

    Disable Recursion

    Disable recursion on any nameserver responding to DNS requests made by untrusted systems. Securing an Internet Name Server contains instructions for disabling recursion in ISC BIND.

  • 70

    Two DNS Checkers available

    Dan Kaminsky's Tool: http://www.doxpara.com/

    OARC's Tool (https://www.dns-oarc.net/)

    Use a DNS query tool such as dig to ask for the TXT record of porttest.dns-oarc.net:

    $ dig +short porttest.dns-oarc.net TXT

    You should get back an answer that looks like this: z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.

    "169.254.0.1 is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"

    Your resolver's randomness will be rated either GOOD, FAIR, or POOR, based on the standard deviation of observed source ports. In order to receive a GOOD rating, the standard deviation must be at least 10,000. For FAIR it must be at least 3,000. Anything less is POOR. The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.

    DNS records used in this test are given 60 second TTLs. To repeat the test you should wait at least 60 seconds.

    Note that you can tell dig to test a specific resolver with an @-argument:

    $ dig @4.2.2.3 +short porttest.dns-oarc.net TXT
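The rating rule quoted above, applied to observed source ports as an added Python example that is not OARC's code: the standard deviation of the ports seen across 26 queries is mapped to GOOD/FAIR/POOR with the 10,000 and 3,000 thresholds, and rendered in the same one-line format the TXT record carries. The three port samples are constructed, and using the population standard deviation is an assumption (the slide does not say which estimator OARC uses).

```python
import statistics

GOOD_SD, FAIR_SD = 10000, 3000     # thresholds quoted in the OARC test description


def rate_port_randomness(ports):
    """Rate a resolver's source ports the way the porttest output does:
    GOOD if the standard deviation is at least 10,000, FAIR if at least
    3,000, otherwise POOR.  Uses the population standard deviation (an
    assumption).  Returns (rating, std dev, number of distinct ports)."""
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    sd = statistics.pstdev(ports)
    rating = "GOOD" if sd >= GOOD_SD else "FAIR" if sd >= FAIR_SD else "POOR"
    return rating, sd, len(set(ports))


def porttest_line(ip, ports, seconds):
    """Render the same one-line verdict format the TXT record carries."""
    rating, sd, distinct = rate_port_randomness(ports)
    return (f"{ip} is {rating}: {len(ports)} queries in {seconds} seconds "
            f"from {distinct} ports with std dev {sd:.2f}")


# Constructed observations, 26 queries each, standing in for what the test server sees.
FIXED_PORT = [53] * 26                                # classic fixed-port resolver (Issue #3)
NARROW_RANGE = [1024 + 70 * i for i in range(26)]     # "random", but drawn from ~1,800 ports
WIDE_RANGE = [1024 + 2000 * i for i in range(26)]     # spread across the ephemeral range
```

A distinct-port count of 26 with a POOR rating (as NARROW_RANGE gives) is the case worth noticing: ports that never repeat can still be predictable if they are confined to a small range.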

  • 71

    How the Cyber-Criminal Might Use this Vulnerability: DNS Poison, The BOT Version

  • 72

    My Tool Kit

    [Figure: the BOT Herder's kit: Drive-By, Secondary Malware, SPAM, BOTNET Controller Proxy, Packer, Malware and a Poison Engine, aimed at the Victim of Crime and their DNS Recursive Server.]

  • 73

    Prepare Drive-by

    [Figure: the tool kit diagram with the steps Send Malware and Load Malware marked.]

  • 74

    Send SPAM to get People To Click

    [Figure: the tool kit diagram with the steps Send SPAM and "Click on me now" marked.]

  • 75

    Drive By Violation

    [Figure: the tool kit diagram with the Victim of Crime following "Click on me now".]

  • 76

    Poison Checker

    Redirect to new domain. Use published DNS check tools to test a poison candidate.

    [Figure: the tool kit diagram with the redirect and the check against the Victim of Crime's DNS Recursive Server marked.]

  • 77

    Prepare Violated Computer

    Call to Secondary Malware Site, Load Secondary Package. Tell the Malware Downloader to push the Poison Tool.

    [Figure: the tool kit diagram with those steps marked.]

  • 78

    Poison Test #2

    [Figure: the tool kit diagram with the steps Send DNS Query to Controlled Domain and Poison Attempt w/RR Hint marked.]

  • 79

    Poison Test #2 - Validation

    Poison Tester NS: the malware tests to see if the poison with the new NS is working.

    [Figure: the tool kit diagram with the Poison Tester NS marked.]

  • 80

    Poison Victory!

    The BOT Herder now has an asset which can be cultivated and sold.

    The BOT Herder can sell BOT for some good money.

    Why?

  • 81

    Using the Poison - WWW

    [Figure: the backscatter diagram without the ICMP leg: Miscreant Driving the BOTNET, Controller Proxy, Victim of Crime, DNS Recursive Server (My DNS Server), Poison Engine, queries for Wert543.example.com, Oihwoeif.example.com and Fdvakjnfvkjndaf.example.com (Send DNS Query to Controlled Domain), Poison Attempt w/RR Hint, ns.example.com DNS Authority, www.example.com.]

  • 82

    Using the Poison - WWW

    [Figure: Victims of Crime ask My DNS Server "Where is www.example.com?" and are sent to the miscreant's www.example.com instead of the real one behind ns.example.com. Miscreant Driving the BOTNET: "Yea! I've got control of their view!"]

  • 83

    Using the Poison WWW Proxy

    [Figure: the same flow, with the miscreant's www.example.com proxying to the real www.example.com. Miscreant Driving the BOTNET: "Yea! Copy what I want like CREDIT CARDs and PASSWORDs!"]

  • 84

    Using the Poison E-mail

    [Figure: the Victim of Crime says "I need to E-mail smtp.example.com" and My DNS Server sends the mail to the miscreant's smtp.example.com rather than the real one. Miscreant Driving the BOTNET: "Yea! I've got copies!"]

  • 85

    Using the Poison Routers

    [Figure: the NOC Team says "I need to telnet to my router ams-23-pos23.example.com" and My DNS Server sends them to the miscreant instead. Miscreant Driving the BOTNET: "Yea! I've got router passwords!"]

  • 86

    Using the Poison Routers

    [Figure: Router Services say "I need to send an SNMP Trap to my Network Management Tool, smtp-nocserver1.example.com" and My DNS Server sends the trap to the miscreant instead. Miscreant Driving the BOTNET: "Yea! I've got SNMP details!"]

  • 87

    How the Cyber-Criminal Might Use this Vulnerability: DNS Poison Drive By

  • 88

    DNS Poison The Drive-By Version

    You do not need malware/BOTs to activate this attack vector.

    All you need to do is to drive the resolver to a new domain and force a DNS query that you know.

    You then trigger a poison. Can you say HTTP Redirect?

  • 89

    My Tool Kit

    [Figure: Drive-By, SPAM, BOTNET Proxy, Victim of Crime, DNS Recursive Server, Poison Engine; Miscreant Driving the Poison Attack.]

  • 90

    Send SPAM to get People To Click

    [Figure: the drive-by tool kit diagram with the steps Send SPAM and "Click on me now" marked.]

  • 91

    Drive By Violation

    [Figure: the drive-by tool kit diagram with the Victim of Crime following "Click on me now".]

  • 92

    Poison Checker

    Redirect to a domain you control. Use published DNS check tools to test a poison candidate.

    [Figure: the drive-by tool kit diagram; the Victim of Crime's DNS Recursive Server is a potentially poisonable recursive server, and the redirect triggers the poison attack.]

  • 93

    Poison via Redirect

    [Figure: Drive-By Proxy, Victim of Crime, DNS Recursive Server, Poison Engine with Poison Attempt w/RR Hint, ns.example.com DNS Authority, www.example.com; the Miscreant Driving the Poison Attack issues Redirect to erowij.example.com, Test; Redirect to 49u0vfv.example.com, Test; Redirect to 943ofvoiv.example.com, Test.]

  • 94

    Poison via Redirect Testing

    Testing after each redirect tells you when you have succeeded. Once the poisoned server goes to the test NS, you can stop.

    [Figure: the same diagram with a Poison Tester NS beside ns.example.com and www.example.com.]

  • 95

    Spotting when someone is trying to Poison Your DNS Identity

  • 96

    Backscatter ICMP Port Unreachable

    [Figure: a Miscreant Driving the BOTNET works through a Controller Proxy; the Victim of Crime sends DNS queries to a controlled domain (Wert543.example.com, Oihwoeif.example.com, Fdvakjnfvkjndaf.example.com) to My DNS Server, the DNS Recursive Server; a Poison Engine sends a Poison Attempt w/RR Hint, spoofing ns.example.com, the DNS Authority for www.example.com; the recursive server answers the spoofed packets with ICMP Port Unreachable, which lands on the real ns.example.com.]

  • 97

    ICMP Unreachable & DNS

    ICMP Unreachable, specifically port unreachable, are not normal packets to arrive at: DNS Masters; DNS Slaves; DNS Split-Horizon Authoritative Servers.

    Live observation: launching the attack results in packets arriving on closed ports of the recursive DNS server. The recursive server sends ICMP Port Unreachable back to the source of the packet, which is the DNS Authority being spoofed.

  • 98

    ICMP Port Unreachable

    This will tell you that someone somewhere is poisoning somewhere so that they can be a man in the middle between you and your customer!

    How to monitor: Classification ACLs (match ingress on ICMP port unreachable); Netflow; IDP; NetScreen (any matches on ICMP Unreachable

  • DNS Anycast and Security

  • 100

    DNS & Anycast

    Problem #1: How to manage the load on those two DNS entries in the customer's TCP/IP stack?

    Problem #2: How to manage saturation attacks targeted at your DNS infrastructure?

    Answer: Anycast the DNS Caching Servers.

  • 101

    Anycast DNS Caches

    [Figure: SAFE Architecture. A POP with Customer, Primary DNS Servers and a Sink Hole Network (171.68.19.0/24); several DNS Caching Server Clusters, each answering on 171.68.19.1, and several DNS Secondary Server Clusters; connectivity via Peer A and Peer B at IXP-W and IXP-E, and via Upstream A and Upstream B.]

  • 102

    Anycast DNS Caches

    [Figure: the same SAFE Architecture diagram: POP, Customer, Primary DNS Servers, Sink Hole Network 171.68.19.0/24, DNS Caching Server Clusters on 171.68.19.1, DNS Secondary Server Clusters, Peer A/Peer B at IXP-W/IXP-E, Upstream A/Upstream B.]

    DNS is forwarded to the closest Caching Cluster.

  • 103

    DNS Anycast What is needed?

    Two IP Addresses to be used for the DNS Caching clusters.

    Router to perform the load balancing and advertise the two IP addresses.

  • 104

    Agenda

    DNS Server Roles; DNS Server Communications; DNS Architecture Layout; Types of Attacks; Protecting the DNS; Monitoring and Forensics; Summary