Wednesday, 31 Oct 2012

DNSSEC

DNSSEC support has been in Windows Server since 2008 R2, yet it is still fairly new in the big wide world of the internet. Microsoft now presents it as an essential part of securing your private cloud, but if you look at the material for the 70-412 exam there is not much help in understanding the subject. Here are some of my notes on the topic, which I hope help you out a bit.


Objective:

DNSSEC is designed to let a client (or, more usually, the validating resolver acting on its behalf) verify that a DNS record it receives is the one the zone owner published and has not been spoofed or tampered with, either in transit or in a resolver's cache. A second objective is authenticated denial of existence: proving that a name genuinely does not exist, so that false records cannot be inserted into a zone's answers and so that the replies to dictionary-style probing of the zone are themselves verifiable. Note that the plain NSEC form of this proof makes the zone trivially enumerable; NSEC3 was added to mitigate that, as described below.

Solution:

To achieve this, a number of new DNS record types were created:

RRSIG   Resource Record Signature: a signature over a record set, made with the zone's private key
DNSKEY  Public Key: the zone's public key(s), used to verify RRSIGs
DS      Delegation Signer: a hash of a child zone's DNSKEY, published and signed in the parent zone
NSEC    Next Secure: the next owner name in the zone, used for authenticated denial of existence
NSEC3   Next Secure 3: as NSEC, but with hashed owner names to hinder zone enumeration

ZSK (Zone Signing Key) and KSK (Key Signing Key) are not record types but roles of DNSKEY records: the ZSK signs the zone's data, and the KSK signs the DNSKEY set and is what the parent's DS record points at.

Using these records allows us to achieve the two main goals of DNSSEC.

Spoofing Mitigation:

Spoofing mitigation relies on a chain of trust (a strict hierarchy rooted at '.', rather than a web of trust or the cross-certification possible in an X.509 PKI) built from the RRSIG, DNSKEY and DS records. To simplify: when a client requests a normal (A) record from a signed zone, the server also returns the RRSIG that the zone owner computed over that record set with the zone's private ZSK. The validating resolver fetches the zone's DNSKEY and verifies the signature with the public ZSK. That only proves the data is consistent with the key it was handed, so the key itself must be authenticated: the parent zone publishes a DS record, a hash of the child's KSK DNSKEY, and signs it with the parent's own keys. For example, if you request computer1.contoso.com, the RRSIG is checked against the DNSKEY for contoso.com; that DNSKEY is checked against the DS record for contoso.com held (and signed) in the '.com' zone; '.com' has its own DNSKEY, which is checked against the DS in the root zone at '.', whose DNSKEY the resolver trusts because it is configured as a trust anchor. Authentication therefore runs all the way up the chain, and a forged record at any level fails validation because the attacker does not hold the corresponding private key.

Database enumeration mitigation and record insertion:

Using NSEC we can protect ourselves against these attacks by adding 'next secure' records, so that the zone looks a bit like this (one NSEC per name, each pointing at the next name in canonical order):

email.contoso.com         A     <IP>
                          NSEC  engineering.contoso.com
engineering.contoso.com   A     <IP>
                          NSEC  hr.contoso.com
hr.contoso.com            A     <IP>
                          NSEC  law.contoso.com

Every NSEC record is itself signed with an RRSIG, and the last name in the zone has an NSEC pointing back to the zone apex to close the chain.

If a client now asks for a name that sorts between two existing names, say grants.contoso.com, the server returns the signed NSEC record for engineering.contoso.com, whose next name is hr.contoso.com. Because that record is signed, it proves that nothing exists between engineering and hr, so the client knows grants.contoso.com does not exist and that any positive answer it was given for that name must have been forged. The same mechanism stops an attacker inserting a record: a record with no valid RRSIG, or one whose name falls in a gap covered by a signed NSEC, fails validation. The caveat is that NSEC does this by handing out the real names in the zone, so anyone can follow the chain from one NSEC to the next and list the whole zone; NSEC3 hashes the owner names (with a salt and an iteration count) so that the same walk yields hashes rather than names.
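The denial proof and the enumeration caveat, as an added example that is not from the original post: the code builds the NSEC chain for the contoso.com names above (the zone itself is constructed for illustration), finds the NSEC record that refutes a forged answer for grants.contoso.com, handles the wrap-around record at the end of the zone, and then walks the chain to enumerate the zone the way an attacker would. It assumes the RRSIG on each NSEC has already been verified, which a real resolver does first.

```python
"""Authenticated denial of existence with NSEC (RFC 4034), and the zone
walking it permits. Added example; not code from the original post. The
contoso.com names are the ones used in the post, the zone is constructed
for illustration, and NSEC signatures are assumed already verified."""
from typing import Dict, List, Optional, Tuple


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key giving RFC 4034 s6.1 canonical DNS name order: labels are
    compared from the root leftwards, case-insensitively, as raw octets, and
    a name with fewer labels sorts before the names that extend it."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def build_nsec_chain(zone: str, names: List[str]) -> Dict[str, str]:
    """Owner name -> 'next secure' owner name for every name in the zone,
    in canonical order. The last name points back to the apex."""
    apex = zone.lower().rstrip(".")
    ordered = sorted({n.lower().rstrip(".") for n in names} | {apex}, key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if 'owner NSEC next_name' proves qname is absent: qname must sort
    strictly between the two. The wrap-around record (last name -> apex)
    covers everything in the zone that sorts after its owner."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o  # wrap-around: next_name is the apex, which sorts before owner


def denial_proof(chain: Dict[str, str], zone: str, qname: str) -> Optional[Tuple[str, str]]:
    """The NSEC record a validator expects in an NXDOMAIN answer for qname.
    Returns None when qname exists, in which case a positive answer with a
    valid RRSIG is expected instead. A positive answer for a name that IS
    covered by an NSEC record is the forged-record case from the post."""
    apex = zone.lower().rstrip(".")
    q = qname.lower().rstrip(".")
    if q != apex and not q.endswith("." + apex):
        raise ValueError(f"{qname} is not in zone {zone}")
    if q in chain:
        return None
    for owner, nxt in chain.items():
        if nsec_covers(owner, nxt, q):
            return (owner, nxt)
    raise AssertionError("chain is broken: no NSEC covers " + q)


def walk_zone(chain: Dict[str, str], zone: str) -> List[str]:
    """Zone walking: start at the apex and follow each NSEC's next pointer
    until it wraps. Every NSEC is served to any querier, so this lists the
    zone without guessing a single name, which is why NSEC3 hashes owners."""
    apex = zone.lower().rstrip(".")
    names, cur = [], apex
    while True:
        names.append(cur)
        cur = chain[cur]
        if cur == apex:
            return names


# Constructed sample zone using the names from the post (mixed case on purpose).
ZONE = "contoso.com"
ZONE_NAMES = ["email.contoso.com", "Engineering.contoso.com",
              "hr.contoso.com", "law.contoso.com"]

if __name__ == "__main__":
    chain = build_nsec_chain(ZONE, ZONE_NAMES)
    for owner, nxt in chain.items():
        print(f"{owner:25} NSEC {nxt}")
    print("grants.contoso.com refuted by:", denial_proof(chain, ZONE, "grants.contoso.com"))
    print("zebra.contoso.com refuted by: ", denial_proof(chain, ZONE, "zebra.contoso.com"))
    print("hr.contoso.com exists:", denial_proof(chain, ZONE, "hr.contoso.com") is None)
    print("zone walk:", walk_zone(chain, ZONE))
```

Run against a real zone, walk_zone is the check to perform on your own NSEC-signed zone before publishing it: if the chain can be followed end to end, so can everyone else. On Windows Server 2012 the equivalent query-side view is Resolve-DnsName with the -DnssecOk switch, which returns the RRSIG and NSEC records alongside the answer.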

For more detail, see Rob Keufus's TechEd video on this subject; it is well worth a watch.


Source : http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/WSV325
