Lightboard Lessons: DNSSEC
DNS is absolutely critical to your life on the Internet. But, did you know that DNS was designed back in the 1980s and didn't really consider security as a key component? DNSSEC was developed to help with that problem. In this edition of Lightboard Lessons, I discuss the basics of DNSSEC and talk about how the BIG-IP can help protect your critical DNS infrastructure.
Related Resources:
Configuring DNSSEC on the BIG-IP
Published Nov 11, 2015
Version 1.0
ltwagnon
Ret. Employee
Joined May 15, 2019
- KINGRAMD_232836 (Nimbostratus): I have paused the video at 3:36 to make a comment. I will pick up later. Forgive me if I am confused, but I am happy to get clarification. The point at which you introduce the bad guy seems like a situation where one hijacks a website because it can present a certificate to say "I am example.com". DNS poisoning, which is the main reason for the introduction of DNSSec, is when an attacker responds to a DNS query to a resolver with an incorrect IP address for example.com faster than the real DNS server. So the resolver server will send the wrong address to the requesting client. Because the communication uses UDP, hence the insecurity. So DNSSec was meant to validate who is a valid server to accept the DNS response from. The example here seems to illustrate a problem between the client and the website. Who gave the client the fake website IP address? Not the bad guy, but the client's own DNS server, which got it from the bad guy when the client's DNS server went to look up the IP address. Am I completely confused here?
- ltwagnon (Ret. Employee): Great questions...and thanks for asking! My intent during the "bad guy" discussion was to highlight the fact that an attacker could take control of a DNS server and change the IP address to something other than the real IP address. You are correct that this can be done by flooding a Local DNS server with incorrect responses faster than the correct response can arrive. Then, the Local DNS server will have the incorrect IP address for the duration of the Time to Live (TTL). The attacker could set up a website (potentially one that looks just like the real one) at that IP address, and then the client would connect to the wrong site. This is all due to the fact that the DNS response wasn't validated as being correct. And it's all because the attacker was able to exploit the DNS server by taking advantage of any number of potential open vulnerabilities on that server. Here's a little more info in case you want to dig a little further: http://www.howtogeek.com/161808/htg-explains-what-is-dns-cache-poisoning/
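The reply above comes down to one sentence: the poisoned answer was cached because nothing validated it. The following Python is an added example (not from the video, the comment thread, or F5's BIG-IP code) that models exactly that difference. A tiny textbook RSA key pair stands in for the zone's DNSKEY/RRSIG, a dict of trust anchors stands in for the chain of trust from the root, and the names, addresses and TTLs are constructed. A naive resolver caches whatever answer arrives for the name it asked about; a validating resolver caches an answer only if its signature verifies under the configured trust anchor, so an unsigned spoof or one signed with a key nobody trusts never enters the cache, and the genuine record keeps being served for its TTL.

```python
"""Toy resolver cache with and without DNSSEC-style validation.

Constructed stand-in for DNSSEC: small textbook RSA plays the role of the
zone's DNSKEY/RRSIG pair, and a dict of trust anchors plays the role of the
chain of trust from the root. Key sizes, canonical encoding and the chain of
trust are all simplified; nothing here is a real DNS implementation.
"""
import hashlib
from typing import Dict, Optional, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)

E = 65537


def make_keypair(p: int, q: int, e: int = E) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA from two small, constructed, deliberately insecure primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rrset_digest(name: str, rtype: str, rdata: str, n: int) -> int:
    """Hash of the fields the signature covers (real RRSIGs also cover the
    original TTL and a canonical wire encoding; omitted in this toy)."""
    msg = f"{name.lower()}|{rtype}|{rdata}".encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign_rrset(name: str, rtype: str, rdata: str, priv: PrivateKey) -> int:
    """Zone-side: produce the RRSIG-equivalent for one record."""
    n, d = priv
    return pow(rrset_digest(name, rtype, rdata, n), d, n)


def verify_rrset(name: str, rtype: str, rdata: str, sig: int, pub: PublicKey) -> bool:
    """Resolver-side: check the signature against the trust anchor's public key."""
    n, e = pub
    return pow(sig, e, n) == rrset_digest(name, rtype, rdata, n)


class Resolver:
    """Caching resolver. validating=False caches any answer for a queried name;
    validating=True caches only answers whose signature verifies under a
    configured trust anchor, and drops the rest as bogus."""

    def __init__(self, trust_anchors: Dict[str, PublicKey], validating: bool):
        self.trust_anchors = trust_anchors
        self.validating = validating
        self.cache: Dict[Tuple[str, str], Tuple[str, int]] = {}  # (name, type) -> (rdata, ttl)

    def zone_of(self, name: str) -> Optional[str]:
        """Longest configured zone that contains `name`."""
        for zone in sorted(self.trust_anchors, key=len, reverse=True):
            if name == zone or name.endswith("." + zone):
                return zone
        return None

    def accept(self, response: dict) -> bool:
        name, rtype, rdata = response["name"], response["type"], response["rdata"]
        if self.validating:
            zone, sig = self.zone_of(name), response.get("rrsig")
            if zone is None or sig is None or not verify_rrset(
                name, rtype, rdata, sig, self.trust_anchors[zone]
            ):
                return False  # bogus answer: dropped, never enters the cache
        self.cache[(name, rtype)] = (rdata, response["ttl"])
        return True

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        entry = self.cache.get((name, rtype))
        return entry[0] if entry else None


def demo() -> dict:
    """Feed the same genuine and spoofed answers to a naive and a validating resolver."""
    zone_pub, zone_priv = make_keypair(1000003, 1000033)   # example.com's key (constructed)
    _, rogue_priv = make_keypair(1000037, 1000039)         # a key no resolver trusts
    anchors = {"example.com": zone_pub}

    genuine = {"name": "www.example.com", "type": "A", "rdata": "203.0.113.10", "ttl": 300}
    genuine["rrsig"] = sign_rrset(genuine["name"], "A", genuine["rdata"], zone_priv)
    # Two constructed spoofed answers: one unsigned, one signed with the rogue key.
    spoof_plain = {"name": "www.example.com", "type": "A", "rdata": "198.51.100.66", "ttl": 86400}
    spoof_signed = dict(spoof_plain, rrsig=sign_rrset("www.example.com", "A", "198.51.100.66", rogue_priv))

    naive = Resolver(anchors, validating=False)
    strict = Resolver(anchors, validating=True)
    results = {
        "naive_accepts_spoof": naive.accept(genuine) and naive.accept(spoof_plain),
        "strict_accepts_genuine": strict.accept(genuine),
        "strict_accepts_spoof_plain": strict.accept(spoof_plain),
        "strict_accepts_spoof_signed": strict.accept(spoof_signed),
    }
    results["naive_cached"] = naive.lookup("www.example.com", "A")    # the spoofed address, for 86400 s
    results["strict_cached"] = strict.lookup("www.example.com", "A")  # still the genuine address
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is in `Resolver.accept`: the only difference between the two resolvers is whether a signature check sits in front of the cache write. The spoof's long TTL shows why that matters for the naive resolver, which will keep serving 198.51.100.66 for a day; the validating one never stored it, so there is nothing to flush.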