Who are you really calling? When we use VoIP systems, how can we be sure we are talking to the correct people, particularly as we increasingly move communications to IP? In this presentation at SIPNOC 2013, Dan York introduced the ideas around DNSSEC and DANE and asked how these might potentially be used to add an additional layer of security for VoIP.
For more info, see:
http://www.internetsociety.org/deploy360/dnssec/
3. www.internetsociety.org/deploy360/
When Alice Goes To Register Her SIP Client…
… how does her UA know the IP address of the registrar/proxy server?
• DNS SRV record based on her account domain name
• Manual configuration of the domain name of her SIP proxy
(either way, the answer comes from DNS)
• How does she know her UA is connecting to the correct server?
When Alice Calls Bob…
… how does her SIP proxy know the SIP proxy to send the INVITE for Bob to?
• DNS SRV record based on Bob's domain name
• ENUM lookup
(either way, the answer comes from DNS)
• How does her SIP proxy know it is connecting to the correct SIP proxy for Bob?
Maybe not a problem for an individual…
… but what if Alice is calling her bank and it uses an IVR on the front end?
… and what if an attacker duplicated that IVR and redirected Alice to that system instead?
"Please enter your 16 digit credit card number…"
As we think about the transition to IP, how do we ensure people are connecting to the correct endpoints?
What Problem Is DNSSEC Trying To Solve?
DNSSEC = "DNS Security Extensions"
• Defined in RFCs 4033, 4034, 4035
• Operational Practices: RFC 6781
Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user.
Let's walk through an example to explain…
A Normal DNS Interaction
[Diagram: web browser, DNS resolver and web server, steps 1–4. The browser asks the resolver "example.com?", receives 10.1.1.123, then requests https://example.com/ from the web server and gets the web page.]
Resolver checks its local cache. If it has the answer, it sends it back:
example.com 10.1.1.123
If not…
A Normal DNS Interaction
[Diagram: steps 1–6. The browser asks the resolver "example.com?"; the resolver queries the root DNS server (referral to the .com NS), then the .com DNS server (referral to the example.com NS), then the example.com DNS server, which answers 10.1.1.123; the resolver returns 10.1.1.123 to the browser, which requests https://example.com/ and gets the web page.]
DNS Works On Speed
• First result received by a DNS resolver is treated as the correct answer.
• Opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by:
• Getting to the correct point in the network to provide faster responses;
• Blocking the responses from the legitimate servers (ex. executing a Denial of Service attack against the legitimate servers to slow their responses)
The Bigger Impact: A Poisoned Cache
[Diagram: steps 1–4. The browser asks the resolver "example.com?"; the resolver accepts a forged answer, 192.168.2.2, and the browser's request for https://example.com/ goes to the wrong web server.]
Resolver cache now has wrong data:
example.com 192.168.2.2
This stays in the cache until the Time-To-Live (TTL) expires!
How Does DNSSEC Help?
• DNSSEC introduces new DNS records for a domain:
• RRSIG – a signature ("hash") of a set of DNS records
• DNSKEY – a public key that a resolver can use to validate RRSIG
• A DNSSEC-validating DNS resolver:
• Uses DNSKEY to perform a hash calculation on received DNS records
• Compares result with RRSIG records. If results match, records are the same as those transmitted. If the results do NOT match, they were potentially changed during the travel from the DNS server.
4/25/13
But Can DNSSEC Be Spoofed?
• But why can't an attacker simply insert DNSKEY and RRSIG records? What prevents DNSSEC from being spoofed?
• An additional record was introduced, the "Delegation Signer (DS)" record
• It is a fingerprint of the DNSKEY record that is sent to the parent zone for each domain (and this happens for each domain up to the root)
• Provides a global "chain of trust" from the root of DNS down to the domain
• Attackers would have to compromise the registry
The Global Chain of Trust
[Diagram: the same six-step lookup, now with DNSSEC. The root DNS server returns the .com NS plus a DS record; the .com DNS server returns the example.com NS plus a DS record; the example.com DNS server returns 10.1.1.123 together with its DNSKEY and RRSIGs; the resolver validates the chain and returns 10.1.1.123 to the browser, which requests https://example.com/ and gets the web page.]
Attempting to Spoof DNS
[Diagram: as before, but an attacking DNS server for example.com answers 192.168.2.2 together with its own DNSKEY and RRSIGs. The root and .com servers still return the legitimate NS and DS records.]
Attempting to Spoof DNS
[Diagram: the resolver checks the attacker's DNSKEY and RRSIGs against the DS records it received from the root and .com servers; validation fails, so the resolver returns SERVFAIL to the browser instead of 192.168.2.2.]
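The chain of trust from the "But Can DNSSEC Be Spoofed?" slide and the two "Attempting to Spoof DNS" diagrams, modelled in Go as an added example (not from the slides): each zone signs its records with its own key, the parent publishes a DS (the SHA-256 fingerprint of the child's DNSKEY) and signs it, and a validating resolver walks from the root trust anchor down. The zone names, the use of ed25519 signatures over simplified text messages instead of the real RRSIG wire format, and the record layout are my assumptions; a forged example.com with its own DNSKEY/RRSIGs, or an answer altered in transit, fails validation, which a resolver reports as SERVFAIL.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Zone is a toy signed zone: DNSKEY, one A record + RRSIG and, in a parent, the child's DS + RRSIG.
type Zone struct {
	Name, A              string             // zone name and the answer, e.g. "10.1.1.123"
	Pub                  ed25519.PublicKey  // DNSKEY
	priv                 ed25519.PrivateKey // held by the zone operator only
	ASig, DSSig, ChildDS []byte             // RRSIG(A), RRSIG(DS), DS = SHA-256(child DNSKEY)
}
func aMsg(z *Zone) []byte                  { return []byte(z.Name + " A " + z.A) } // stand-in for RRset wire form
func dsMsg(child string, ds []byte) []byte { return append([]byte(child+" DS "), ds...) }

// NewZone makes a zone with a fresh key pair and signs its A record.
func NewZone(name, a string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	z := &Zone{Name: name, A: a, Pub: pub, priv: priv}
	z.ASig = ed25519.Sign(priv, aMsg(z))
	return z
}

// Delegate publishes and signs the child's DS in the parent (the DS a registrant sends up to the registry).
func (p *Zone) Delegate(child *Zone) {
	ds := sha256.Sum256(child.Pub)
	p.ChildDS = ds[:]
	p.DSSig = ed25519.Sign(p.priv, dsMsg(child.Name, p.ChildDS))
}

// Validate walks chain (root first, target last) from the root trust anchor, the
// SHA-256 of the root DNSKEY; any error is what a resolver reports as SERVFAIL.
func Validate(anchor []byte, chain []*Zone) (string, error) {
	for i, z := range chain {
		if fp := sha256.Sum256(z.Pub); string(fp[:]) != string(anchor) {
			return "", fmt.Errorf("%s: DNSKEY does not match the DS held by its parent", z.Name)
		}
		if i < len(chain)-1 { // parent zone: verify the signed DS for the next zone
			if !ed25519.Verify(z.Pub, dsMsg(chain[i+1].Name, z.ChildDS), z.DSSig) {
				return "", fmt.Errorf("%s: RRSIG over DS record invalid", z.Name)
			}
			anchor = z.ChildDS // the parent's signed DS now anchors the child
		} else if !ed25519.Verify(z.Pub, aMsg(z), z.ASig) {
			return "", fmt.Errorf("%s: RRSIG over A record invalid", z.Name)
		}
	}
	return chain[len(chain)-1].A, nil
}
```

The attacker in the diagrams can mint a DNSKEY and RRSIGs for example.com, but cannot make the SHA-256 of that key equal the DS that .com signed, so the walk stops at example.com.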
What DNSSEC Proves:
• "These ARE the IP addresses you are looking for." (or they are not)
• Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user.
• Adds a "trust layer" to DNS
DNSSEC Validation
• Fairly simple – just enable DNSSEC validation in your DNS caching resolver
• DNS resolver will return a SERVFAIL if there is a validation error. User will not receive any results
• Question is more where does DNSSEC validation occur?
• ISP's DNS resolvers
• Local network DNS resolver
• Local computer (i.e. operating system)
• Application
(answer is that it could occur in any of the locations)
DNSSEC Signing - The Individual Steps
Registry:
• Signs TLD
• Accepts DS records
• Publishes/signs records
Registrar:
• Accepts DS records
• Sends DS to registry
• Provides UI for mgmt
DNS Hosting Provider:
• Signs zones
• Publishes all records
• Provides UI for mgmt
Domain Name Registrant:
• Enables DNSSEC (unless automatic)
So How Could We Use This With VoIP?
• Be able to trust SRV records?
• Ensure that we are connecting to the correct
addresses?
• Build DNSSEC validation into SIP user agents?
• Build DNSSEC validation into SIP servers?
Why Do I Need DNSSEC If I Have SSL?
• A common question: why do I need DNSSEC if I already have an SSL certificate? (or an "EV-SSL" certificate?)
• SSL (more formally known today as Transport Layer Security (TLS)) solves a different issue – it provides encryption and protection of the communication between the browser and the web server
The Typical TLS (SSL) Web Interaction
[Diagram: steps 1–6. The browser asks the resolver "example.com?"; the resolver walks the root, .com and example.com DNS servers and returns 10.1.1.123; the browser then connects to https://example.com/ and receives a TLS-encrypted web page.]
The Typical TLS (SSL) Web Interaction
[Diagram: the same interaction, with the open question placed on the TLS connection: is this encrypted with the CORRECT certificate?]
DNS-Based Authentication of Named Entities (DANE)
• Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use?
• A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign it with DNSSEC.
A browser that understands DNSSEC and DANE will then know when the required certificate is NOT being used.
The certificate stored in DNS is controlled by the domain name holder. It could be
• a certificate signed by a CA (including an EV cert)
• a self-signed certificate
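The TLSA mechanics behind this slide, as an added Go example (not from the slides or any product): building the certificate association data a domain holder publishes in its TLSA record under RFC 6698's selector and matching-type fields, rendering it in zone-file form, and the check a DANE-aware client makes against the certificate actually presented in the TLS handshake. The certificate is a constructed self-signed one, the name bank.example and all function names are mine, and the DNSSEC-validated lookup of the TLSA record is assumed to have already happened.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds TLSA RDATA (RFC 6698); usage 3 (DANE-EE) means "the service presents exactly this end-entity cert".
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      []byte
}

// assoc derives the certificate association data: selector 0 = full DER cert, 1 = SubjectPublicKeyInfo;
// matching type 0 = exact bytes, 1 = their SHA-256 (type 2, SHA-512, is left out of this toy).
func assoc(cert *x509.Certificate, selector, matching uint8) []byte {
	data := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[selector]
	if matching == 0 {
		return data
	}
	h := sha256.Sum256(data)
	return h[:]
}

// String is the zone-file presentation format, e.g. "3 1 1 <hex of SHA-256>".
func (r TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", r.Usage, r.Selector, r.Matching, hex.EncodeToString(r.Data))
}

// Matches is the client-side DANE check: does the certificate presented in the TLS handshake
// agree with the DNSSEC-validated TLSA record looked up for the service?
func (r TLSA) Matches(presented *x509.Certificate) bool {
	return string(assoc(presented, r.Selector, r.Matching)) == string(r.Data)
}

// SelfSigned makes a throwaway self-signed certificate for cn (constructed test data).
func SelfSigned(cn string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(nil)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

A second certificate for the same name but a different key, such as one a duplicated IVR front end might present, does not match the published record, which is exactly the condition the slide says a DANE-aware client detects.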
DANE – Not Just For The Web
• DANE defines protocol for storing TLS certificates in DNS
• Securing Web transactions is the obvious use case
• Other uses also possible:
• Email via S/MIME
• VoIP
• Jabber/XMPP
• ?
How Do We Get DANE Deployed?
Developers:
• Add DANE support into applications (see list of libraries)
• Note: VoIP developers don't need to wait for browser vendors!
DNS Hosting Providers:
• Provide a way that customers can enter a “TLSA” record into DNS as defined in RFC 6698 ( http://tools.ietf.org/html/rfc6698 )
• This will start getting TLS certificates into DNS so that when browsers support DANE they will be able to do so.
Network Operators / Enterprises / Governments:
• Start talking about need for DANE
• Express desire for DANE to app vendors (especially browsers)
DNSSEC Deployment Status – Signing Side
• All major generic TLDs signed (.com, .org, .net … )
• 105 TLDs (of 317) signed as of April 25, 2013:
• http://stats.research.icann.org/dns/tld_report/
• DNSSEC is mandatory for the 1,930 proposed new gTLDs
• Tools have become greatly automated
• Developer libraries now support DNSSEC
• Struggling a bit with registrar support:
• http://www.icann.org/en/news/in-focus/dnssec/deployment
DNSSEC Deployment Status – Validation Side
DNSSEC validation is easily enabled for major DNS resolvers:
• BIND 9.x
• Unbound
• Microsoft Windows Server 2012
See SURFnet white paper:
• http://www.surfnet.nl/Documents/rapport_Deploying_DNSSEC_v20.pdf
Large-scale deployments:
• Comcast deployed DNSSEC validation to their 18 million customers
• Most ISPs in Sweden, Czech Republic, Netherlands, Brazil
• Google's Public DNS (8.8.8.8, 8.8.4.4 and IPv6 versions) now support DNSSEC if requested (and will move to full validation)
Three Requests For Network Operators (ISPs)
1. Deploy DNSSEC-validating DNS resolvers
2. Sign your own domains where possible
3. Help promote support of DANE protocol
• Allow usage of TLSA record. Let browser vendors and others know you want to use DANE. Help raise awareness of how DANE and DNSSEC can make the Internet more secure.
Three Requests For Website/Content Owners
1. Sign your domains
• Work with your registrar and/or DNS hosting provider to make this happen.
2. Ask your IT team or network operator about DNSSEC validation
3. Help promote support of DANE protocol
• Let browser vendors and others know you want to use DANE. If you use SSL, deploy a TLSA record if you are able to do so. Help raise awareness of how DANE and DNSSEC can make the Internet more secure.
3 More Requests For SIP Network Operators
1. Think about how and where DNSSEC and DANE could potentially be used
2. Experiment with the early implementations like Jitsi and Kamailio
3. Share the ideas…
• Directly with me ( york@isoc.org ) or via email lists, online forums, etc.
• http://www.internetsociety.org/deploy360/dnssec/community/
(or let's make a new place for DNSSEC and VoIP)