[cs615asa] Black Team - Week 7

Robert Herley IV rherley at stevens.edu
Mon Mar 11 15:28:55 EDT 2019


This week, the Black Team did research on DNS Security Extensions (DNSSEC),
an extension to DNS. DNSSEC allows a user, application, or recursive
resolver to trust that the answer to their DNS query is what the domain
owner intends it to be. Therefore, DNSSEC proves authenticity and integrity
of a response from an authoritative nameserver.

Without DNSSEC, malicious parties have the ability to inject forged DNS
records through BGP leaks and cache poisoning. For instance, research has
shown that DNS responses can be spoofed to subvert domain validation (1),
and that other methods have enabled widespread DNS hijacking (2).

DNSSEC solves the problem by extending DNS with a layer of trust that
provides authentication. Simply put, cryptographic signatures are added
alongside existing DNS records, stored in new record types of their own
(similar to A, CNAME, etc.). The signature can then be used to verify that
a requested DNS record comes from its authoritative name server and wasn't
altered en route. See Cloudflare's "How DNSSEC Works" article (0) for a
list and explanation of the new record types.

Also, ICANN recently called for Full DNSSEC Deployment (3), as they believe
there is an "ongoing and significant risk to key parts of the DNS
infrastructure." ICANN is planning an open session to address DNS
protection during the upcoming ICANN64 public meeting, in order to persuade
all members of the domain name system ecosystem to work together and
produce better tools and policies to secure the DNS.

References:
[0] https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
[1] https://blog.powerdns.com/2018/09/10/spoofing-dns-with-fragments/
[2] https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
[3] https://www.icann.org/news/announcement-2019-02-22-en

Regards,
Black Team
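
Added example, not part of the original post: the checks a validating resolver runs on a signature record (RRSIG) and the zone's public key record (DNSKEY) before it attempts the cryptographic verification, following RFC 4034/4035. The records, key bytes, signature and clock below are constructed placeholders, and the signature math itself is left out because it needs a crypto library.

```python
import base64
from datetime import datetime, timezone

# Constructed sample records (presentation format); key and signature are placeholders.
DNSKEY = "256 3 13 AQIDBA=="
RRSIG = "A 13 3 3600 20190401000000 20190301000000 2067 example.com. c2ln"
NOW = datetime(2019, 3, 11, tzinfo=timezone.utc)

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def dnskey_rdata(flags: int, protocol: int, alg: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, alg])
            + base64.b64decode(pubkey_b64))

def parse_time(stamp: str) -> datetime:
    # RRSIG timestamps are written as YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_problems(owner, rrtype, rrsig, dnskey, now):
    """Reasons this RRSIG cannot validate the RRset; empty means go on to the crypto check."""
    covered, alg, labels, _ttl, expire, incept, tag, signer, _sig = rrsig.split()
    flags, proto, kalg, pub = dnskey.split()
    own, zone = owner.lower().rstrip("."), signer.lower().rstrip(".")
    problems = []
    if covered != rrtype:
        problems.append("type covered mismatch")
    if own != zone and not own.endswith("." + zone):
        problems.append("signer is not the owner's zone")
    if int(labels) > len(own.split(".")):
        problems.append("labels field exceeds owner name")
    if not parse_time(incept) <= now <= parse_time(expire):
        problems.append("outside validity window")
    if not int(flags) & 0x0100 or int(proto) != 3:
        problems.append("DNSKEY is not a zone key")
    rdata = dnskey_rdata(int(flags), int(proto), int(kalg), pub)
    if int(alg) != int(kalg) or int(tag) != key_tag(rdata):
        problems.append("no DNSKEY matches algorithm/key tag")
    return problems

if __name__ == "__main__":
    print(rrsig_problems("www.example.com.", "A", RRSIG, DNSKEY, NOW))
```

A replayed signature past its expiration, a signature from an unrelated zone, or a swapped key each fail here before any signature bytes are examined.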