DNSSEC has been around since Windows Server 2008 R2 and is still quite new in the big wide world of the internet. Microsoft are now pushing it as an essential part of securing your private cloud, yet if you look at the material for the 70-412 course there is not much in the way of help in understanding this subject. Here are some of my notes on the topic to hopefully help you out a bit.
DNSSEC is designed to let a client validate a DNS record: to prove that the answer it gets back is what the zone's authoritative data actually says and has not been spoofed or tampered with on the way. Its second objective is authenticated denial of existence, so that a 'no such name' answer can be validated as well and a forged record for a name that was never in the zone is rejected. It does not do any of this by hiding anything: DNSSEC signs data, it does not encrypt queries or answers, and with the original NSEC record it actually makes it easy for outsiders to enumerate a zone by walking the chain of names, which is the problem NSEC3 was introduced to address.
To achieve these goals a number of new DNS record types were created:
|RRSIG||Resource Record Signature: the signature over an RRset, made with the zone's private key|
|DNSKEY||DNS Public Key: the zone's public keys, the Zone Signing Key (ZSK) and the Key Signing Key (KSK); the ZSK is a key held in a DNSKEY record, not a record type of its own|
|DS||Delegation Signer: a hash of the child zone's KSK, published and signed in the parent zone|
|NSEC / NSEC3||Next Secure (3): the ordered chain of names (or of hashed names, for NSEC3) used to prove that a name does not exist|
Using these records allows us to achieve the two main goals of DNSSEC.
Spoofing mitigation relies on a strict tree of trust rooted at '.' (not a web of trust as in PGP) and uses the RRSIG, DNSKEY and DS records together. When a client asks a validating DNS server for a normal (A) record such as computer1.contoso.com, the authoritative server for contoso.com returns the A record along with its RRSIG, which is the signature over that RRset made with the contoso.com zone's private Zone Signing Key. The validating server fetches the contoso.com DNSKEY records and checks the RRSIG against the public ZSK. That only proves the record was signed by whoever holds the contoso.com keys, so it then has to establish that those keys are the genuine ones: the contoso.com DNSKEY RRset is itself signed by the zone's Key Signing Key, and a hash of that KSK is published in the parent zone, '.com', as a DS record for contoso.com, signed by the '.com' ZSK. The same check repeats one level up, where the DS record for '.com' lives in the root zone, and the root's own KSK is compared with a trust anchor the validating server has been configured with (on a Windows DNS server these live in the TrustAnchors zone, shown as Trust Points in DNS Manager). So nothing is 'passed up' to the parent servers for them to validate; the validating resolver walks the chain itself, top down from the anchor, and an answer whose signature or key chain does not verify is discarded rather than handed to the client. Two practical caveats: the chain is only as good as its anchor, so a zone with no trust anchor configured above it (for a private zone, typically its own KSK) is simply treated as unsigned; and a Windows client does not validate anything itself, it relies on the DNS server doing so and, where the Name Resolution Policy Table (Group Policy) requires it, only accepts answers the server marks as validated (the AD bit in the response).
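To make the direction of the checks concrete, here is a small Python model of that chain walk. It is added here as an illustration and is not code from the original post or from Microsoft. It builds a root, 'com' and 'contoso.com' zone, each with a KSK and a ZSK, publishes DS records in the parents, signs one constructed A record for computer1.contoso.com, and validates it against a trust anchor for the root KSK; it then shows a record tampered with in transit, and a fully re-signed fake contoso.com zone, both failing. The signatures use a tiny textbook RSA (64-bit primes, hash reduced modulo n) and a made-up serialisation of the DNSKEY, DS and RRSIG data, so nothing in it is wire-compatible or secure; only the structure (which key verifies which record, and the top-down direction) follows DNSSEC. The zone names, keys, seeds and the 10.0.0.10 address are all constructed.

```python
"""Toy DNSSEC chain-of-trust validator (added example, not from the original post).
Textbook RSA over 64-bit primes stands in for real DNSSEC keys; nothing here is secure
or wire-compatible, it only shows which key checks which record and how trust flows."""
import hashlib
import random
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin below 3.3e24

def _is_prime(n):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(rng, e=65537):
    """Return ((n, e), (n, d)); the caller seeds rng so the demo is reproducible."""
    def prime():
        while True:
            c = rng.getrandbits(64) | (1 << 63) | 1
            if _is_prime(c) and (c - 1) % e:  # keep gcd(e, p-1) = 1
                return c
    p, q = prime(), prime()
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_digest_int(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest_int(data, pub[0])

def dnskey_rdata(pub):
    return f"{pub[0]}:{pub[1]}".encode()  # toy serialisation of a DNSKEY public key

def ds_digest(owner, ksk_pub):
    """DS rdata as in RFC 4034 5.1.4: a digest over (owner name || DNSKEY rdata) of the child's KSK."""
    return hashlib.sha256(owner.lower().encode() + dnskey_rdata(ksk_pub)).hexdigest()

def rrset_bytes(owner, rtype, rdata):
    return f"{owner.lower()}|{rtype}|{rdata}".encode()  # what an RRSIG covers, toy layout

def make_zone(name, rng):
    (ksk_pub, ksk_priv), (zsk_pub, zsk_priv) = keygen(rng), keygen(rng)
    # The KSK signs only the DNSKEY RRset; the ZSK signs every other RRset in the zone.
    dnskey_sig = sign(ksk_priv, dnskey_rdata(ksk_pub) + dnskey_rdata(zsk_pub))
    return {"name": name, "ksk": ksk_pub, "zsk": zsk_pub, "_zsk_priv": zsk_priv,
            "rrsets": {}, "rrsig": {"DNSKEY": dnskey_sig}}

def add_rrset(zone, owner, rtype, rdata):
    zone["rrsets"][(owner, rtype)] = rdata
    zone["rrsig"][(owner, rtype)] = sign(zone["_zsk_priv"], rrset_bytes(owner, rtype, rdata))

def validate(zones, trust_anchor, owner, rtype):
    """Validate (owner, rtype) held by zones[-1]; zones runs root-first. Returns (ok, rdata_or_reason)."""
    expected_ds = trust_anchor
    for i, zone in enumerate(zones):
        name = zone["name"]
        # 1. The zone's KSK must hash to the DS its parent published (the trust anchor, at the root).
        if ds_digest(name, zone["ksk"]) != expected_ds:
            return False, f"KSK of {name} does not match its DS / trust anchor"
        # 2. That KSK must have signed the DNSKEY RRset; this is what makes the ZSK trustworthy.
        dnskey_set = dnskey_rdata(zone["ksk"]) + dnskey_rdata(zone["zsk"])
        if not verify(zone["ksk"], dnskey_set, zone["rrsig"]["DNSKEY"]):
            return False, f"DNSKEY RRSIG of {name} is invalid"
        # 3. The ZSK must have signed the RRset we need here: the next child's DS, or finally the answer.
        target = (zones[i + 1]["name"], "DS") if i + 1 < len(zones) else (owner, rtype)
        rdata = zone["rrsets"].get(target)
        if rdata is None or not verify(zone["zsk"], rrset_bytes(*target, rdata), zone["rrsig"].get(target, 0)):
            return False, f"RRSIG for {target[1]} {target[0]} in {name} is missing or invalid"
        expected_ds = rdata  # a DS rdata becomes what the next zone's KSK must hash to
    return True, rdata

def build_example(seed=2012):
    """Root, com and contoso.com zones plus one constructed A record; returns (zones, trust anchor)."""
    rng = random.Random(seed)
    root, com, contoso = make_zone(".", rng), make_zone("com.", rng), make_zone("contoso.com.", rng)
    add_rrset(root, "com.", "DS", ds_digest("com.", com["ksk"]))
    add_rrset(com, "contoso.com.", "DS", ds_digest("contoso.com.", contoso["ksk"]))
    add_rrset(contoso, "computer1.contoso.com.", "A", "10.0.0.10")
    return [root, com, contoso], ds_digest(".", root["ksk"])  # the anchor is the hash of the root KSK

def demo():
    zones, anchor = build_example()
    genuine = validate(zones, anchor, "computer1.contoso.com.", "A")
    zones[2]["rrsets"][("computer1.contoso.com.", "A")] = "203.0.113.66"  # changed in transit
    tampered = validate(zones, anchor, "computer1.contoso.com.", "A")
    zones[2] = make_zone("contoso.com.", random.Random(666))  # attacker signs a whole fake zone
    add_rrset(zones[2], "computer1.contoso.com.", "A", "203.0.113.66")
    return genuine, tampered, validate(zones, anchor, "computer1.contoso.com.", "A")
```

Calling demo() returns three results: the genuine answer validates to 10.0.0.10, the tampered record fails at step 3 because its RRSIG no longer matches, and the attacker's re-signed zone fails at step 1 because '.com' never published a DS for the attacker's KSK. The second failure is the important one for the page's argument: an attacker can sign anything they like with their own keys, but cannot make those keys appear in the parent's signed DS record.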
Authenticated denial of existence, zone enumeration and record insertion:
Using NSEC we can protect ourselves against forged 'no such name' answers, and against forged records for names that were never in the zone, by adding 'next secure' records. Each owner name in the zone gets an NSEC record that points to the next name in canonical (sorted) order and lists the record types that exist at that name, and the last one wraps round to the zone apex, so our zone looks a bit like this:
|contoso.com||NSEC engineering.contoso.com SOA NS RRSIG NSEC DNSKEY|
|engineering.contoso.com||NSEC hr.contoso.com A RRSIG NSEC|
|hr.contoso.com||NSEC law.contoso.com A RRSIG NSEC|
|law.contoso.com||NSEC contoso.com A RRSIG NSEC|
Every NSEC record is signed with an RRSIG like any other record. If a client now asks for a name that alphabetically sits between two existing names, e.g. grants.contoso.com, the server answers NXDOMAIN and includes the NSEC record of engineering.contoso.com, whose 'next' field is hr.contoso.com, together with its RRSIG. That signed record says nothing exists between engineering and hr, so the client can verify that grants.contoso.com genuinely does not exist, and an attacker who injects a forged A record for grants.contoso.com cannot produce a valid RRSIG for it. The type list does the same job for an existing name: the NSEC for hr.contoso.com proves there is no MX record at hr.contoso.com.
The drawback is that the NSEC chain is the full, sorted list of names in the zone, so anyone can walk it (query a name, read the 'next' name from the NSEC that comes back, query just past that, and so on) and enumerate the whole zone without needing a dictionary at all. NSEC3 addresses this: the chain is built over salted, iterated SHA-1 hashes of the names rather than the names themselves, so the same proof works (the hash of grants.contoso.com falls between two published hashes) but the records disclose only hashes, which an attacker still has to brute-force with a dictionary. Windows Server 2008 R2 only supported NSEC; Windows Server 2012 supports NSEC3 as well, and it is the one to pick when signing a zone whose name list you do not want to hand out.
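Here is the same scenario in Python, as an added example that is not part of the original post. It builds the NSEC chain for the zone above, finds the record that covers grants.contoso.com, shows that an existing name such as hr.contoso.com is never 'covered' (so a forged NXDOMAIN for it cannot be proved), and then rebuilds the chain as NSEC3 using the RFC 5155 hash (SHA-1 over the wire-format name plus salt, iterated, base32hex-encoded) to show that the proof still works while the chain now reveals only hashes. The zone names, the salt aabbccdd and the iteration count 10 are assumptions made for the demonstration; the wildcard and closest-encloser proofs a real resolver also has to check are left out.

```python
"""Authenticated denial of existence with NSEC and NSEC3 (added example, not from the original post)."""
import base64
import hashlib

ZONE = "contoso.com"  # constructed sample zone: the apex plus the three names from the text
NAMES = ["engineering.contoso.com", "hr.contoso.com", "law.contoso.com"]
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 10  # assumed NSEC3PARAM values, not from the post

def canonical_key(name):
    """RFC 4034 6.1 canonical order: labels compared right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def _wire_name(name):
    """Lowercased, uncompressed wire-format name: length-prefixed labels and a zero terminator."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"

# base32 -> base32hex (RFC 4648 "Extended Hex" alphabet), which NSEC3 owner names use
_B32HEX = str.maketrans("abcdefghijklmnopqrstuvwxyz234567", "0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: SHA-1(wire name || salt), re-hashed `iterations` more times, base32hex."""
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().lower().translate(_B32HEX)

def build_chain(owners, key):
    """Sort the owners and link each to the next; the last record wraps round to the first."""
    owners = sorted(owners, key=key)
    return [(owners[i], owners[(i + 1) % len(owners)]) for i in range(len(owners))]

def find_cover(chain, qkey, key):
    """Return the (owner, next) record whose gap strictly contains qkey, or None if qkey is an owner."""
    for owner, nxt in chain:
        o, n = key(owner), key(nxt)
        # Normal record: owner < q < next. Wrap-around (last) record: q is above owner or below next.
        covered = (o < qkey < n) if o < n else (qkey > o or qkey < n)
        if covered:
            return owner, nxt
    return None

def demo(query="grants.contoso.com"):
    """Prove the query name does not exist, first with NSEC and then with NSEC3."""
    # NSEC: the chain is the real names in canonical order, so the chain IS the zone listing.
    nsec = build_chain([ZONE] + NAMES, canonical_key)
    # NSEC3: the same chain over hashed names; the proof still works, the names do not leak.
    nsec3 = build_chain([nsec3_hash(n) for n in [ZONE] + NAMES], lambda h: h)
    return {
        "nsec_cover": find_cover(nsec, canonical_key(query), canonical_key),
        "nsec_walk": [owner for owner, _ in nsec],
        # An existing name is never strictly inside a gap, so a forged NXDOMAIN for it cannot be proved.
        "nsec_existing_covered": find_cover(nsec, canonical_key("hr.contoso.com"), canonical_key),
        "nsec3_query_hash": nsec3_hash(query),
        "nsec3_cover": find_cover(nsec3, nsec3_hash(query), lambda h: h),
        "nsec3_walk": [owner for owner, _ in nsec3],
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it, nsec_cover comes back as the engineering.contoso.com record pointing at hr.contoso.com, nsec_walk is the complete sorted name list (the zone-walking problem in one line), nsec_existing_covered is None, and the NSEC3 side returns a covering pair of 32-character hashes from which none of the real names can be read back. The hash is case-insensitive and ignores a trailing dot, as the RFC requires, which matters when you compare hashes computed by different tools.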
For more detail, see Rob Keufus' TechEd video on this subject; it is well worth a watch.