Tutorial: Towards a Secure DNS

Haya Shulman  (Department of Computer Science; Bar Ilan University; Ramat Gan, Israel) will give a 3h tutorial on DNS and present her research (and related research of others) on Dec 13, 2pm
(@SBA).


 


 


--- ABSTRACT ---







Most caching DNS resolvers still rely for their security,
against poisoning, on validating that the DNS responses contain some ‘unpredictable’ values, copied from the request.
These values include the 16 bit identifier field, and other fields, randomised
and validated by different ‘patches’ to DNS. We investigate the prominent patches,
and show how off-path attackers can circumvent all of them, exposing the
resolvers to cache poisoning attacks.


We present countermeasures preventing our attacks;
however, we believe that our attacks provide additional motivation for adoption
of DNSSEC (or other MitM-secure defenses).


We then investigate vulnerabilities in DNSSEC
configuration among resolvers and zones, which reduce or even nullify the
protection offered by DNSSEC. Finally we provide our recommendations and countermeasures to prevent the vulnerabilities.