Improving DNS Security with KINDNS Best Practices

Slide Note
Embed
Share

Best practices for improving DNS resilience and security are crucial for protecting billions of Internet users. Initiatives like KINDNS aim to establish global norms to enhance DNS security by codifying these practices. The KINDNS group focuses on practices for authoritative and recursive nameservers, as well as general infrastructure hardening. Independent verification of conformance presents a challenge, but efforts are underway to analyze and identify measurable practices. The goal is to encourage operators to adopt these practices voluntarily, similar to the successful MANRS program for routing security.

ceis
ceis Follow

Uploaded on Sep 27, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Observable KINDNS: Validating DNS Hygiene Raffaele Sommese , Mattijs Jonker , KC Claffy University of Twente, CAIDA/UC San Diego OARC 39, 22 23 Oct 2022, Belgrade, Serbia

  2. Several best practices to improve DNS resilience have appeared in RFCs, but operators must make their own decisions that tradeoff security, cost, and complexity. These decisions impact the security of billions of Internet users. ICANN has proposed an initiative to codify best practices into a set of global norms to improve security: the Knowledge-Sharing and Instantiating Norms for DNS and Naming Security (KINDNS). Introduction

  3. Inspired by similar effort for improving routing security: Mutually Agreed Norms for Routing Security (MANRS). The MANRS program encourages operators to voluntarily commit to a set of practices that will improve collective routing security. Many operators have joined the MANRS community. KINDNS: a MANRS for DNS

  4. One challenge for both initiatives: independent verification of conformance with the practices To address this challenge for KINDNS, we analyzed possible best practices in terms of measurability by third party. We leveraged previous academic research and currently publicly available datasets. Our Contribution

  5. The KINDNS group has proposed practices (P) specific to authoritative (A) and recursive (R) nameservers, and those for general hardening (H) of the infrastructure. We focus our analysis on public-facing DNS infrastructure: open resolvers and authoritative nameservers. We identify practices that are measurable (vs. not) and suggest additional practices based on previous scientific studies. Categorizing KINDNS Practices

  6. Authoritative Best Practices

  7. Measurable Practice Summary Goal DNS Response Integrity Practice DNSSEC Enabled Authoritative Measurability Yes Dataset Active DNS Scan (e.g OpenINTEL) Tools Dnzviz, Zonemaster, hardenize.com Increase Resilience Avoid SPoF Geographically, Topologically, NS Diversity Yes Active DNS Scan, Prefix2AS, Geolocation Zonemaster, Dig, Geolocation Prevent Leak of Zone Files Zone Transfer Restricted Maybe AFRX of Active DNS Scan dig Ethics Concerns Prevent Hijacking 2FA customer access Yes Manual Manual

  8. Recursive Best Practices

  9. Measurable Practice Summary Goal Practice Measurability Dataset Tools DNS Response Integrity DNSSEC Enabled Recursive Yes OpenResolvers Scan Dig Not Measured currently Improve User Privacy QNAME minimization Not Fully DITL Traces N/A

  10. Common Best Practices

  11. Measurable Practice Summary Goal Practice Measurability Dataset Tools Mitigate DoS attack risks Authoritative and Recursive DNS software not on the same server Limited Coverage Active DNS Scan OpenResolvers Scan Dig DNS Software resilience Software Diversity Limited Not currently measured Fingerprint DNS Servers Nmap, dig Reduce Attack Surface ACLs Maybe Port scan census nmap Ethics Concerns Prevent Spoofing/ Hijacking MANRS/BCP38 Yes Spoofer MANRS Data N/A

  12. Some proposedpractices are not measurable without an internal vantage point: Monitoring Internal ACL SSH Authentication requirements Server hardening, integrity and versioning Others, like Zone Integrity (Authoritative, require sharing of rapid zone updates. Non- Measurable Practices

  13. Anycast deployments for critical zones. Caching Best Practice (e.g., Long TTL values for DNS infrastructure records increase resilience against DDoS attacks). Missing Practices? Prevent inconsistent and lame delegations by checking parent and children's zones.

  14. Adopting best operational practices represents a fundamental pillar in improving DNS ecosystem resilience and security. If there is interest in third-party independent validation of conformance to best practices, it likely changes which practices to include. Our goal is to understand the measurability of these and other proposed practices. Discussion

  15. Conclusion Assessing KINDNS best-practice requires a strong collaboration between different stakeholders. Independent researchers, ICANN and operators can work in synergy and share knowledge and data to improve DNS ecosystem security. Data and Knowledge sharing represent the key to achieving this goal. Some practices are already amenable to independent assessment.

  16. Discussion Questions How can researchers help to assess conformance with DNS best practices? What do you think is missing? Are there ways to overcome concerns with data sharing?

  17. Thanks for the attention

Related


Understanding DNS Performance and Issues in Information-Centric Networks

Understanding DNS Performance and Issues in Information-Centric Networks

jennli
Understanding Domain Name System (DNS) and Content Distribution Networks (CDNs)

Understanding Domain Name System (DNS) and Content Distribution Networks (CDNs)

idecl
Understanding Domain Name Service (DNS) in Linux Network Administration

Understanding Domain Name Service (DNS) in Linux Network Administration

teey962
Understanding DNS Flag Day and EDNS: A Comprehensive Overview

Understanding DNS Flag Day and EDNS: A Comprehensive Overview

tri_m
DNS Forensics & Protection: Analyzing and Securing Network Traffic

DNS Forensics & Protection: Analyzing and Securing Network Traffic

hanish
DNS Testing and Signatures Rollover Analysis

DNS Testing and Signatures Rollover Analysis

naif959
Roadmap for DNS Load Balancing Service at CERN - HEPiX Autumn 2020 Workshop

Roadmap for DNS Load Balancing Service at CERN - HEPiX Autumn 2020 Workshop

norbert
Automating DNS Maintenance with Catalog Zones: A New Approach

Automating DNS Maintenance with Catalog Zones: A New Approach

kkai
Understanding BIND DNS Security Vulnerabilities and Configuration

Understanding BIND DNS Security Vulnerabilities and Configuration

taki_11
Understanding DNS Replication with BIND9

Understanding DNS Replication with BIND9

rtoa
Unveiling IBDNS: The Intentionally Broken DNS Server

Unveiling IBDNS: The Intentionally Broken DNS Server

nabi_611
Understanding DNS Firewall Architecture at Virginia Tech

Understanding DNS Firewall Architecture at Virginia Tech

lathyndi
Upgrade Requirements, Challenges, and Solutions for Same-Server DoT Implementation

Upgrade Requirements, Challenges, and Solutions for Same-Server DoT Implementation

mbout
Client Privacy Preservation through Secured DNS - Feisty Forwarders

Client Privacy Preservation through Secured DNS - Feisty Forwarders

alang
DNS Research Federation: Advancing Understanding of Cybersecurity Impact

DNS Research Federation: Advancing Understanding of Cybersecurity Impact

bri_k
Country Names in the Domain Name System (DNS)

Country Names in the Domain Name System (DNS)

tup_o
The Forgotten Side of DNS: Orphan and Abandoned Records

The Forgotten Side of DNS: Orphan and Abandoned Records

balzano_m
Exploring Query Name Minimization in DNS Resolution

Exploring Query Name Minimization in DNS Resolution

saa_chi
Managing Application Security in Large Organizations: Insights and Best Practices

Managing Application Security in Large Organizations: Insights and Best Practices

joli_38
Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin
Understanding the Roles of a Security Partner

Understanding the Roles of a Security Partner

zaara
Evolving Security Practices in DevOps: A Holistic Approach

Evolving Security Practices in DevOps: A Holistic Approach

madisyn
BCA 601(N): Computer Network Security

BCA 601(N): Computer Network Security

danna
Understanding Security in World Politics

Understanding Security in World Politics

eisenberg_k

More Related Content

Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University
UIC Security Division Overview and International Activities
UIC Security Division Overview and International Activities
AEP Enterprise Security Program Overview - June 2021 Update
AEP Enterprise Security Program Overview - June 2021 Update
Understanding Computer Security Principles and Practices
Understanding Computer Security Principles and Practices
Principles of Cyber Security
Principles of Cyber Security
Challenges and Solutions in Office 365 Deployment
Challenges and Solutions in Office 365 Deployment
Understanding Wireless Security Audits and Best Practices
Understanding Wireless Security Audits and Best Practices
Data Storage, Backup, and Security Essentials
Data Storage, Backup, and Security Essentials
Enhancing Hardware and Software Security in Public Communications Networks
Enhancing Hardware and Software Security in Public Communications Networks
Understanding PeopleSoft Security: A Comprehensive Guide
Understanding PeopleSoft Security: A Comprehensive Guide
Enhancing Rail Security in the European Union
Enhancing Rail Security in the European Union
Enhancing Browser Security for Mobile Devices Using Smart CDNs
Enhancing Browser Security for Mobile Devices Using Smart CDNs
Enhancing Security Definitions for Functional Encryption
Enhancing Security Definitions for Functional Encryption
International Approaches to Enhance Nuclear Safety and Security
International Approaches to Enhance Nuclear Safety and Security
TSA Updates on Security Training Rule for OTRB Companies
TSA Updates on Security Training Rule for OTRB Companies
Certification and Training in Information Security
Certification and Training in Information Security
Understanding Security Onion: Network Security Monitoring Tools
Understanding Security Onion: Network Security Monitoring Tools
Overview of Social Security and Health Care System in Turkey
Overview of Social Security and Health Care System in Turkey
Understanding Transport Layer Security (TLS)
Understanding Transport Layer Security (TLS)
Understanding Cyber Security and Risks
Understanding Cyber Security and Risks
Understanding Provable Security Models in Cryptography
Understanding Provable Security Models in Cryptography
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update
Comprehensive Guide to Designing Physical Security and Security Planning by Susan Lincke
Comprehensive Guide to Designing Physical Security and Security Planning by Susan Lincke