Presentations - Designing DNS Flows for Security

  • Location: Security Dome
  • Speaker: Marc Lampo
  • Date and time: 10. October 2014. 10:10 - 10:55

A chair is part of the furniture - nobody expects furniture to be dangerous for the house. So is DNS : part of the furniture in a network.

Yet, some design issues open huge security holes for the network.
This presentation explains and illustrates two ways of abusing DNS, along with possible mitigation.

This is a back to the basics subject !
Not showing fancy end results of a successful attack, but rather illustrating how DNS can be abused and how to design its data flow to prevent that from happening.

The first part focuses on the potential danger of forwarding DNS queries to an external resolver (your ISP, Google, OpenDNS, ...).
I will illustrate how the attack window for a cache poisoning attempt is much larger (when compared to Dan Kaminsky's finding).
But I will also provide some easy, not even expensive, ways to prevent this kind of abuse.

The second part could be subtitled : DNS as peer-to-peer protocol.
People should realize that as soon as public resolving is possible on one’s computer,
there is a data channel available (to hackers) by which anything can enter or leave the computer.
Once the principle is explained, I'll illustrate this by downloading the eicar demo virus, via DNS;
with help from the audience I'll create a file, upload it via DNS, and show the uploaded file on the remote server.
As before, this part terminates in a suggestion for protection;
but protection has a heavy impact on network design, a choice of how to proxy webtraffic !