Improving DNS Security with KINDNS Best Practices
Best practices for improving DNS resilience and security are crucial for protecting billions of Internet users. Initiatives like KINDNS aim to establish global norms to enhance DNS security by codifying these practices. The KINDNS group focuses on practices for authoritative and recursive nameservers, as well as general infrastructure hardening. Independent verification of conformance presents a challenge, but efforts are underway to analyze and identify measurable practices. The goal is to encourage operators to adopt these practices voluntarily, similar to the successful MANRS program for routing security.
Observable KINDNS: Validating DNS Hygiene
Raffaele Sommese, Mattijs Jonker, KC Claffy
University of Twente, CAIDA/UC San Diego
OARC 39, 22-23 Oct 2022, Belgrade, Serbia
Introduction
Several best practices to improve DNS resilience have appeared in RFCs, but operators must make their own decisions that trade off security, cost, and complexity. These decisions impact the security of billions of Internet users. ICANN has proposed an initiative to codify best practices into a set of global norms to improve security: the Knowledge-Sharing and Instantiating Norms for DNS and Naming Security (KINDNS).
KINDNS: a MANRS for DNS
KINDNS is inspired by a similar effort for improving routing security: Mutually Agreed Norms for Routing Security (MANRS). The MANRS program encourages operators to voluntarily commit to a set of practices that will improve collective routing security. Many operators have joined the MANRS community.
Our Contribution
One challenge for both initiatives is independent verification of conformance with the practices. To address this challenge for KINDNS, we analyzed possible best practices in terms of measurability by a third party. We leveraged previous academic research and currently publicly available datasets.
Categorizing KINDNS Practices
The KINDNS group has proposed practices (P) specific to authoritative (A) and recursive (R) nameservers, and those for general hardening (H) of the infrastructure. We focus our analysis on public-facing DNS infrastructure: open resolvers and authoritative nameservers. We identify practices that are measurable (vs. not) and suggest additional practices based on previous scientific studies.
Authoritative Best Practices
Measurable Practice Summary
Goal | Practice | Measurability | Dataset | Tools
DNS Response Integrity | DNSSEC Enabled Authoritative | Yes | Active DNS Scan (e.g., OpenINTEL) | DNSViz, Zonemaster, hardenize.com
Increase Resilience | Avoid SPoF Geographically, Topologically, NS Diversity | Yes | Active DNS Scan, Prefix2AS, Geolocation | Zonemaster, Dig, Geolocation
Prevent Leak of Zone Files | Zone Transfer Restricted | Maybe (Ethics Concerns) | AXFR of Active DNS Scan | dig
Prevent Hijacking | 2FA customer access | Yes | Manual | Manual
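The "Avoid SPoF" row combines an active DNS scan with a Prefix2AS mapping. The sketch below is an added example, not code from the presentation: it covers only the topological part (distinct nameservers, /24 prefixes and origin ASes), handles IPv4 only, and uses constructed scan data with documentation prefixes and reserved ASNs; `origin_as` and `diversity` are hypothetical helper names.

```python
import ipaddress

# Constructed prefix-to-AS table (documentation prefixes, reserved ASNs).
PREFIX2AS = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64496,
    "203.0.113.0/24": 64511,
}

# Constructed scan output: zone -> {nameserver name: [IPv4 addresses]}.
SCAN = {
    "single-as.example": {
        "ns1.single-as.example": ["192.0.2.53"],
        "ns2.single-as.example": ["198.51.100.53"],
    },
    "diverse.example": {
        "ns1.diverse.example": ["192.0.2.10"],
        "ns2.dns-host.example": ["203.0.113.10"],
    },
    "one-prefix.example": {
        "ns1.one-prefix.example": ["192.0.2.1"],
        "ns2.one-prefix.example": ["192.0.2.2"],
    },
}

def origin_as(addr, table=PREFIX2AS):
    """Longest-prefix match of addr against the prefix2as table."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in map(ipaddress.ip_network, table) if ip in n]
    if not hits:
        return None  # unrouted or not covered by the table
    return table[str(max(hits, key=lambda n: n.prefixlen))]

def diversity(nameservers):
    """Count distinct NS names, /24 prefixes and origin ASes for one zone."""
    addrs = [a for ips in nameservers.values() for a in ips]
    prefixes = {ipaddress.ip_network(a + "/24", strict=False) for a in addrs}
    ases = {origin_as(a) for a in addrs} - {None}
    report = {"ns": len(nameservers), "prefixes": len(prefixes), "ases": len(ases)}
    # A dimension with fewer than two distinct values is a single point of failure.
    report["spof"] = [dim for dim, count in report.items() if count < 2]
    return report

if __name__ == "__main__":
    for zone, servers in SCAN.items():
        print(zone, diversity(servers))
```

Two nameservers in different prefixes can still share one origin AS, which is why the AS count is reported separately from the prefix count.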
Recursive Best Practices
Measurable Practice Summary
Goal | Practice | Measurability | Dataset | Tools
DNS Response Integrity | DNSSEC Enabled Recursive | Yes (Not Measured currently) | OpenResolvers Scan | Dig
Improve User Privacy | QNAME minimization | Not Fully | DITL Traces | N/A
Common Best Practices
Measurable Practice Summary
Goal | Practice | Measurability | Dataset | Tools
Mitigate DoS attack risks | Authoritative and Recursive DNS software not on the same server | Limited Coverage | Active DNS Scan, OpenResolvers Scan | Dig
DNS Software resilience | Software Diversity | Limited (Not currently measured) | Fingerprint DNS Servers | Nmap, dig
Reduce Attack Surface | ACLs | Maybe (Ethics Concerns) | Port scan census | nmap
Prevent Spoofing/Hijacking | MANRS/BCP38 | Yes | Spoofer, MANRS Data | N/A
Non-Measurable Practices
Some proposed practices are not measurable without an internal vantage point:
- Monitoring
- Internal ACL
- SSH Authentication requirements
- Server hardening, integrity and versioning
Others, like Zone Integrity (Authoritative), require sharing of rapid zone updates.
Missing Practices?
- Anycast deployments for critical zones.
- Caching Best Practice (e.g., Long TTL values for DNS infrastructure records increase resilience against DDoS attacks).
- Prevent inconsistent and lame delegations by checking parent and children's zones.
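The parent/child check in the last item can be expressed as a comparison of two NS sets plus a per-server authority test. This is an added example, not part of the presentation: the observations are constructed, the `aa` field stands for the Authoritative Answer flag a measurement would record, and `check_delegation` is a hypothetical name.

```python
# Constructed observations: the NS set delegated by the parent zone, and what
# each delegated server returned for an NS query at the child zone apex.
# A value of None means the server did not respond at all.
OBSERVATIONS = {
    "ok.example": {
        "parent_ns": {"ns1.ok.example.", "ns2.ok.example."},
        "servers": {
            "ns1.ok.example": {"aa": True, "ns": {"ns1.ok.example.", "ns2.ok.example."}},
            "ns2.ok.example": {"aa": True, "ns": {"ns1.ok.example.", "ns2.ok.example."}},
        },
    },
    "drift.example": {
        "parent_ns": {"ns1.drift.example.", "ns-old.drift.example."},
        "servers": {
            "ns1.drift.example": {"aa": True, "ns": {"ns1.drift.example.", "ns2.drift.example."}},
            "ns-old.drift.example": None,
        },
    },
    "lame.example": {
        "parent_ns": {"ns1.lame.example.", "ns2.lame.example."},
        "servers": {
            "ns1.lame.example": {"aa": True, "ns": {"ns1.lame.example.", "ns2.lame.example."}},
            "ns2.lame.example": {"aa": False, "ns": set()},
        },
    },
}

def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.lower().rstrip(".")

def check_delegation(obs):
    """Compare parent-side and child-side NS sets and list lame servers."""
    parent = {norm(n) for n in obs["parent_ns"]}
    lame, child = [], set()
    for name in sorted(parent):
        reply = obs["servers"].get(name)
        if reply is None or not reply["aa"]:
            lame.append(name)  # delegated to, but not authoritative for the zone
            continue
        child |= {norm(n) for n in reply["ns"]}
    result = {
        "lame": lame,
        "parent_only": sorted(parent - child),  # stale entries at the parent
        "child_only": sorted(child - parent),   # servers the parent never delegates to
    }
    result["consistent"] = not any(result.values())
    return result
```

A name in `parent_only` that is also lame is the usual signature of a nameserver that was retired at the child but never removed from the parent zone.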
Discussion
Adopting best operational practices represents a fundamental pillar in improving DNS ecosystem resilience and security. If there is interest in third-party independent validation of conformance to best practices, it likely changes which practices to include. Our goal is to understand the measurability of these and other proposed practices.
Conclusion
Assessing KINDNS best practices requires strong collaboration between different stakeholders. Independent researchers, ICANN and operators can work in synergy and share knowledge and data to improve DNS ecosystem security. Data and knowledge sharing represent the key to achieving this goal. Some practices are already amenable to independent assessment.
Discussion Questions
- How can researchers help to assess conformance with DNS best practices?
- What do you think is missing?
- Are there ways to overcome concerns with data sharing?
Thanks for the attention