One of the biggest problems with DNS has always been the lack of security.
Any response from a DNS server could be forged or hijacked, and we have no real means to identify the sender of the data.
DNSSEC (DNS Security Extensions) and DNSCurve are two distinct means of securing DNS traffic. The former DOES NOT encrypt the response from the server; it only applies "Authentication", whereas the latter ensures "Privacy".
DNSCurve (DNS Elliptic Curve cryptology) provides both authentication and encryption, and for both the DNS request and its response.
Now some would ask: why on earth would you care about security within DNS services?
That's very easy; security within DNS would accomplish the following:
1: ensure the responses are from a legit DNS server
2: reduce or eliminate DNS reflection attacks
3: eliminate DNS poisoning
4: eliminate any DNS replay attacks
Okay, so with the above pluses, why are we not seeing more use of DNS security?
1: Lack of enforcement within our exterior security policy
2: A lack of mass-supported DNS servers and clients
3: A major gap in knowledge within the IT sector, and more specifically among us IT security folks
4: And with DNSSEC, the complexity of setup and of crafting DS, KEY & DNSKEY resource records
5: And finally, "Major issues with standardization & adoption between DNS providers"
OpenDNS has supported DNSCurve for a while using their DNSCrypt, and support has dribbled out to the Mac/Linux/Windows OS clients over the last 3 years or so.
So what happens within DNSCurve?
For DNSCurve to be effective, we need to encrypt the DNS queries, and the server must understand these queries. Take this unsecured DNS traffic for example:
The above is DNS traffic captured off the wire. Any hacker in the middle could intercept and/or mangle the request or response.
Now with ECC cryptology, we can quickly encrypt the request and response, and any hacker in the middle would only see:
(DNS traffic using DNSCurve against OpenDNS servers uses port 443/udp)
Since the ECC public keys are 255 bits in length, this provides us with protection that exceeds the typical RSA 1024-bit key sizes, which are commonly used with DNSSEC.
reference
http://www.nsa.gov/business/programs/elliptic_curve.shtml
We also have the means to enable DNSCurve on our recursive DNS servers to forward requests between non-DNSCurve parties.
reference
http://curvedns.on2it.net/
Now to install DNSCrypt, I will show you the typical layout under Mac OS X & Lion.
1: grab the dmg file from http://www.opendns.com/technology/dnscrypt/
2: install DNSCrypt into the Applications folder
3: enable DNSCrypt & OpenDNS as your primary resolver
And now you're done. You can enable or disable it as required.
DNSCurve has some negatives, mainly due to the fact that our end-2-end encryption is going to break the firewall's ability to inspect your DNS traffic. You could force inspection via a proxy or a web-proxy and nail all of your clients behind the proxies. This would now require you to trust your proxies.
And 2nd, any web content filtering that is based around DNS lookup requests would fail. So keep this in mind as you decide on deploying DNSCurve.
btw: this is a non-issue with DNSSEC
And lastly, OpenDNS uses udp/443 for its services, which may be filtered at a WiFi hotspot, but it will fall back to port 53.
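
To make the inspection trade-off above concrete, here is an added Python example (not from the original post or from OpenDNS) of what a DNS-inspecting firewall or content filter can recover from a UDP payload. Both sample packets are constructed; the opaque one is only a stand-in for an encrypted query and does not follow real DNSCurve/DNSCrypt framing, and the function names are hypothetical.

```python
import struct

# Constructed sample: plaintext query for www.example.com, type A, class IN.
PLAIN_QUERY = (b"\x1a\x2b\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
# Constructed stand-in for an encrypted query (NOT real DNSCurve/DNSCrypt framing).
OPAQUE = b"\xff" * 8 + bytes(range(56))

def parse_dns_query(payload):
    """Return (qname, qtype) for a well-formed plaintext DNS query, else None."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount, ancount, nscount, _ar = struct.unpack("!6H", payload[:12])
    # A query has QR=0, opcode 0, one question and no answer/authority records.
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount != 1 or ancount or nscount:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                      # ran off the end: truncated or not DNS
        length = payload[pos]
        pos += 1
        if length == 0:
            break                            # root label ends the name
        if length > 63 or pos + length > len(payload):
            return None                      # compression pointer or bad length
        try:
            labels.append(payload[pos:pos + length].decode("ascii"))
        except UnicodeDecodeError:
            return None
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    return (".".join(labels), qtype) if qclass == 1 else None

def classify(dst_port, payload):
    """What a DNS-inspecting firewall or content filter can say about one UDP payload."""
    parsed = parse_dns_query(payload)
    if parsed:
        return "plaintext DNS: %s type %d on udp/%d" % (parsed[0], parsed[1], dst_port)
    if dst_port in (53, 443):
        return "opaque on udp/%d: query name not visible, filter cannot act" % dst_port
    return "not DNS"

if __name__ == "__main__":
    print(classify(53, PLAIN_QUERY))
    print(classify(443, OPAQUE))
```
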
More information about DNSCrypt can be found here:
http://dnscrypt.org/
Ken Felix
Freelance Network/Security Engineer
kfelix ---at--- socpuppets-----d-o-t---com
^ ^
=( * * )=
@
/ \