Professional Documents
Culture Documents
Topic
Securing Internet naming
DNS security extensions (DNSSEC)
www.uw.edu? Network
128.94.155.135
Computer Networks
Computer Networks
Network
Computer Networks 4
DNS Spoofing
Hang on how can a network attacker corrupt the DNS? Trudy can trick a nameserver into caching the wrong binding
By using the DNS protocol itself This is called DNS spoofing
Computer Networks 5
Client
Nameserver
Trudy
6
Computer Networks
Computer Networks
DS
Public keys for delegated domain
NSEC/NSEC3
Computer Networks
Client validates answer: 1. KROOT is a trust anchor 2. Use KROOT to check KEDU 3. Use KEDU to check KUW.EDU 4. Use KUW.EDU to check IP
Computer Networks
uw.edu
DNSSEC (5)
Other features too:
Authoritative answers a domain record doesnt exist (NSEC/NSEC3) Optional anti-spoofing to bind query and reply Flags related to deployment
Computer Networks
16
Takeaways
DNS spoofing is possible without added security measures
Large problem in practice!
END
2013 D. Wetherall
Slide material from: TANENBAUM, ANDREW S.; WETHERALL, DAVID J., COMPUTER NETWORKS, 5th Edition, 2011. Electronically reproduced by permission of Pearson Education, Inc., Upper Saddle River, New Jersey
Computer Networks 18