Introduction to the DNS trust system
Trust models in cyberspace: status and challenges

Outline
- Cyberspace and trust anchors
- The attack surface of the DNS trust system
- ICANN and DNSSEC
- Summary

Cyberspace
- A virtual space in which communication, control and information sharing take place through the Internet and computers.
- Cyberspace has no clear, fixed boundaries and no central controlling authority.
- Source: argument report for "Cyberspace Security" as a first-level discipline, May 2015.

Trust
- Believing that someone (an organization) or something is true (truth), reliable (reliability), capable (ability) or strong (strength).
- "Firm belief in the reliability, truth, ability, or strength of someone or something" (Oxford dictionary).
- (Figure: trust fall.)

A trust example: online shopping
- Software, hardware, the shopping site, the payment platform.
- Tell me where the service is. Prove that this really is Taobao.

Trust anchors
- Domain Name System (DNS). IP address: where are you?
  - True: must not hand out fake or wrong addresses.
  - Reliable: the operator must be honest and must not forge answers deliberately.
  - Strong: keeps working while under attack.
- Public key certificate authority (CA). Identity authentication: how do you prove who you are?
  - The precondition for confidential, integrity-protected communication on the Internet.
  - The truth, reliability and strength demanded of a CA are even higher.

Trust models of DNS and CA
- DNS: a tree.
- CA: a forest. How many CAs does your browser trust?

How DNS works
- Client side: stub resolver, then the recursive/caching resolver (cache, recursive).
- Authoritative side: Root, TLD (gTLD such as .NET, ccTLD such as .CN), and the zones below them; queries travel over UDP.
- (Figure: stub resolver -> recursive (cache) -> Root, gTLD, ccTLD.)

The attack surface of DNS trust
- (Figure: stub resolver, recursive (cache), cn., gTLD, Root; untrusted administrators; attacker.)
- 1. Intrusion / DoS
- 2. Intrusion / cache poisoning
- 3. Hijacking the link
- 4. Controlling or hijacking authoritative servers
- 5. Controlling the resolver

Attack surface 1: controlling or hijacking authoritative servers, e.g. the Root
- US Gov -> NSF -> Network Solutions Inc. (NSI): from government subsidy, to charging fees, to being sued.
- ccTLDs = Jon Postel, RFC 1591 (1994): first come, first served. The IAB review committee was never set up. .IQ (Iraq) was delegated to a terrorist in the United States.
- "Hijacking of Root" by Jon Postel, 1998: he e-mailed eight root server administrators to synchronise from IANA rather than from NSI; the US government ordered Jon to stop and at the same time firmed up its own control over the Root.
- Duan Haixin, "The story behind the US deletion of Iraq's .IQ and early root domain management", http:/duanhx/archives/1850

Root servers (anycast instances)
- (Figure: root server anycast instances.)
- Cloning a Root that you control yourself. (Figure: ISP1, ISP2, ISP3 with their stub resolvers; an AS announcing the a.root-... anycast prefix.)
- Latency to the Root, CERNET and Europe, 2012. (Figure: Root DNS delay in CERNET; Root delay in Europe.) From CERNET most roots answer in 100-200 ms, M excepted (300 ms); from Europe the Root answers in about 30 ms.
- J. Liang, J. Jiang, H. Duan, K. Li and J. Wu, "Measuring query latency of top level DNS servers", PAM 2013 (Proceedings of the 14th International Conference on Passive and Active Measurement).

Attack surface 2: controlling the resolver
- If you can control the resolver...
- Paul Vixie, author of BIND, chair of ICANN's SAC, ORSN (Open Root Server Network, 2002-2008 and 2013-): "As a long time supporter of the universal namespace operated by IANA, it may come as a surprise that I have joined the Open Root Server Network project (ORSN). I'll try to explain what's going on and what it all means."
- From: Paul A Vixie. Sent: Thursday, October 31, 1996 12:56 PM. To: newdom. Subject: requirements for participation.
  "I have told the IANA and I have told InterNIC - now I'll tell you kind folks. If IANA's proposal stagnates past January 15, 1997, without obvious progress and actual registries being licensed or in the process of being licensed, I will declare the cause lost. At that point it will be up to a consortium of Internet providers, probably through CIX if I can convince them to take up this cause, to tell me what I ought to put into the root.cache file that I ship with BIND."
  https://mail-archive/text/iet/ 1996-11
- A hotel in Hong Kong: every DNS query was redirected.
- Some ISPs use their resolvers to make money from NXDOMAIN responses.
- N. Weaver, V. Paxson and C. Kreibich, "Redirecting DNS for Ads and Profit", Proceedings of the 20th USENIX Security Symposium's Workshop on Free and Open Communications on the Internet (FOCI '11), 2011.

Attack surface 3: controlling the resolution path (the links)
- dns-operations, "Odd behaviour on one node in I root-server (facebook, youtube & twitter)", Mauricio Vergara Ereche, Santiago, Chile:
  "Hi there! A local ISP has told us that there's some strange behavior with at least one node in (traceroute shows mostly China). It seems that when you ask A records for facebook, youtube or twitter, you get an IP and not the referral for .com. It doesn't happen every time, but we have confirmed this on 4 different connectivity places (3 in Chile, one in California). This problem has been reported to Autonomica/Netnod but I don't know if anyone else is seeing this issue. This is an example of what we are seeing:
  $ dig A
  ;; ANSWER SECTION:
  86400 IN A"
  https:/lists.dns-/pipermail/dns-operations/2010-March/005260.html
- Name resolution for users in Chile may pass through China.
- Root servers in China, 2013: 4 (Beijing) + 5 (Hong Kong) + 3 (Taiwan) = 12.

Which links may a resolution traverse?
- (Figure: zone dependency graph over ., net., hk., de., cn., nic.de., denic.de., cuhk.hk., hkdnr.hk., dfn.de., win-ip.dfn.de., tu-berlin.de.)
- $ dig ns a.gtld-... ;; AUTHORITY SECTION: NS records.
- $ dig ns ... ;; ANSWER SECTION: NS records including NS2.CUHK.EDU.HK. and DENEB.DFN.DE.
- J. Jiang, J. Liang and H. Duan, "Analysis and Measurement of Zone Dependency in the Domain Name System", 2013.
- $ dig ns ... ;; QUESTION SECTION: IN NS ;; ANSWER SECTION: six NS records, TTL 86400.
- How is .CN resolved? Where are a country's borders in the domain name space?
- (Figure: dependency graph including nic.it, domain-..., nstl..., ezdns.sx, nic.gs, fr, ch, gtld-..., ms, fccn.pt, la, dnsno.pt, yyz1.afilias-ns..., mia1.afilias-..., it.)
- Resolving one domain name may require resolving 117 other domain names that it depends on.

ICANN: the new trust anchor of DNS
- Does the US government control ICANN? http:/new.items/og00033r.pdf; Department of Commerce, "Relationship with ICANN", 2000.
- The .XXX domain: the US government opposed it, ICANN eventually approved it.
  - 2000: ICANN launched the proof of concept for new TLDs.
  - 2000: the US company ICM Registry applied for .kids and .xxx.
  - 2003: ICM revised its application along ICANN's comments and applied for an sTLD.
  - 2005: ICANN, weighing objections from several parties, rejected .XXX.
  - 2010: ICANN approved ICM's .XXX application.
- The .xxx case, vetoed by the US in the ICANN discussion: http:/duanhx/archives/1881
- "Delegation of the .XXX top-level domain", http:/reports/2011/xxx-report-20110407.pdf
- "Accountability and Transparency at ICANN: An Independent Review", Appendix D: "The .xxx Domain Case and ICANN Decision-Making Processes", http:/pubrelease/icann/pdfs/AppendixD_xxx.pdf

ICANN and the GAC (Governmental Advisory Committee)
- ICANN is today the trust anchor of the Root DNS.
- The GAC's role: it can only give advice. It may send representatives to ICANN Board meetings and take part in discussion and debate, but it has no vote.
- For decisions that may affect public policy the Board must hear the GAC's advice; it may decide against that advice, but it must then explain why.
- ICANN bylaws: https:/resources/pages/bylaws-2012-02-25-zh#XI

DNSSEC: with DNSSEC, DNS is secure. Is that really so?
- DNSSEC prevents link hijacking and cache poisoning.
- Servers sign all DNS records with their private keys; clients (resolvers) validate the signatures with the public keys.
- (Figure: stub resolver -> recursive cache, DNSSEC enabled -> "NET. NS a.iana-... RRSIG bFhV...0Y3N...".)
- The user trusts the root servers, the only trust anchor.
- Paul Vixie, June 1995: "This sounds simple but it has deep reaching consequences in both the protocol and the implementation which is why it's taken more than a year to choose a security model and design a solution. We expect it to be another year before DNSSEC is in wide use on the leading edge, and at least a year after that before its use is commonplace on the Internet."
- BIND 8.2 blurb, March 1999: Top feature: Preliminary DNSSEC.
- BIND 9 blurb, September 2000: Top feature: DNSSEC.
- Paul Vixie, November 2002: "We are still doing basic research on what kind of data model will work for DNS security. After three or four times of saying 'NOW we've got it, THIS TIME for sure' there's finally some humility in the picture: 'Wonder if THIS'll work?' It's impossible to know how many more flag days we'll have before it's safe to burn ROMs. It sure isn't plain old SIG+KEY, and it sure isn't DS as currently specified. When will it be? We don't know. 2535 is already dead and buried. There is no installed base. We're starting from scratch."
- DNSSEC Trusted Community Representatives; Recovery Key Share Ho
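The dns-operations report quoted under attack surface 3 (an I-root node handing back an A record for facebook instead of a referral to .com) is easy to check mechanically: a root server is authoritative for the root zone only, so any ANSWER-section address record for a name under .com is out of place. The following is an added example, not code from the slides or from any of the cited authors. It parses DNS wire-format responses (including name compression) and classifies a root server's reply as a referral or an anomalous answer. Both messages are constructed inline; 192.0.2.1 is a documentation address standing in for whatever the odd node actually returned, and the query name and .com server are assumptions.

```python
import struct

TYPE_A, TYPE_NS = 1, 2


def encode_name(name):
    """Wire-format a dotted name ('www.facebook.com.' -> length-prefixed labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, qtype, answers, authorities, aa=False):
    """Build a minimal DNS response (no compression) from (name, type, rdata) tuples."""
    flags = 0x8000 | (0x0400 if aa else 0)            # QR=1, optional AA bit
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authorities), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in answers + authorities:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 86400, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse header, question and the three RR sections into plain Python values."""
    _, flags, _, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = read_name(msg, off)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4                                           # qtype + qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_A:
                rdata = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype == TYPE_NS:
                rdata, _ = read_name(msg, off)
            else:
                rdata = msg[off:off + rdlen]
            off += rdlen
            sections[sec].append((name, rtype, rdata))
    return {"qname": qname, "qtype": qtype, "aa": bool(flags & 0x0400), **sections}


def classify_root_response(msg):
    """A root server must refer www.facebook.com to .com (NS records in AUTHORITY,
    empty ANSWER). An A record in ANSWER is the behaviour reported in March 2010."""
    r = parse_response(msg)
    if any(rtype == TYPE_A for _, rtype, _ in r["answer"]):
        return "anomalous-answer"
    if any(rtype == TYPE_NS for _, rtype, _ in r["authority"]):
        return "referral"
    return "unexpected"


# Constructed samples, not captured traffic.
QNAME = "www.facebook.com."
REFERRAL = build_response(QNAME, TYPE_A, [],
                          [("com.", TYPE_NS, encode_name("a.gtld-servers.net."))])
HIJACKED = build_response(QNAME, TYPE_A,
                          [(QNAME, TYPE_A, bytes([192, 0, 2, 1]))], [], aa=True)

if __name__ == "__main__":
    for label, msg in (("healthy root node", REFERRAL), ("odd node", HIJACKED)):
        print(label, "->", classify_root_response(msg), parse_response(msg)["answer"])
```

Run against real traffic, the same classifier applied to the raw UDP payload of replies from each root instance (compare with `dig +norecurse` from several vantage points, as the reporter did) separates an anycast node that serves the root zone from one that answers for names it does not own.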
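The zone-dependency slides (hk. served by a host under dfn.de., one name pulling in 117 others, "where are a country's borders in the name space?") describe a graph walk. The following is an added example, not code from the slides or from the Jiang, Liang and Duan paper: it computes which zones a resolver must obtain correct answers from to resolve a name, following out-of-bailiwick NS names transitively, and which of those zones lie under a foreign TLD. The delegation table is constructed and simplified from the dig output quoted above; real zones list more servers.

```python
# Constructed, simplified delegation data (zone -> NS host names). The edge to
# notice is hk. being served by deneb.dfn.de., a host under the German TLD.
DELEGATIONS = {
    ".":             ["a.root-servers.net.", "i.root-servers.net."],
    "net.":          ["a.gtld-servers.net."],
    "hk.":           ["ns2.cuhk.edu.hk.", "deneb.dfn.de."],
    "edu.hk.":       ["ns2.cuhk.edu.hk."],
    "cuhk.edu.hk.":  ["ns2.cuhk.edu.hk."],
    "de.":           ["a.nic.de.", "win-ip.dfn.de."],
    "dfn.de.":       ["deneb.dfn.de.", "ns.tu-berlin.de."],
    "tu-berlin.de.": ["ns.tu-berlin.de."],
    "cn.":           ["a.dns.cn."],
}


def ancestors(name):
    """Zones on the delegation path from the root down to name, root first."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def enclosing_zone(host, delegations):
    """Deepest known zone containing host: the delegation that must be followed
    to learn host's address."""
    return [z for z in ancestors(host) if z in delegations][-1]


def in_bailiwick(host, zone):
    """NS hosts inside the delegated zone come with glue, so they add no external
    dependency; everything is inside the root, whose addresses come from hints."""
    return zone == "." or host.endswith("." + zone)


def dependencies(name, delegations=DELEGATIONS):
    """Every zone whose answers must be correct (unpoisoned, unhijacked) for name
    to resolve, following out-of-bailiwick NS names transitively."""
    seen = set()
    stack = [z for z in ancestors(name) if z in delegations]
    while stack:
        zone = stack.pop()
        if zone in seen:
            continue
        seen.add(zone)
        for host in delegations[zone]:
            if in_bailiwick(host, zone):
                continue
            stack.extend(z for z in ancestors(enclosing_zone(host, delegations))
                         if z in delegations and z not in seen)
    return sorted(seen)


def outside_tld(name, home_tld, delegations=DELEGATIONS):
    """Dependencies under a different TLD than home_tld (root excluded): the
    zones whose operators sit across a national border."""
    return [z for z in dependencies(name, delegations)
            if z != "." and z != home_tld and not z.endswith("." + home_tld)]


if __name__ == "__main__":
    for n in ("www.cuhk.edu.hk.", "www.example.cn."):
        print(n, "depends on", len(dependencies(n)), "zones:", dependencies(n))
    print("hk name depends on foreign zones:", outside_tld("www.cuhk.edu.hk.", "hk."))
```

With a full delegation table gathered from `dig ns` at each cut, the same walk reproduces the slide's point: the dependency set of a single name can run to over a hundred zones, and the operators controlling them (the "untrusted administrators" in the attack-surface figure) are not confined to the country of the TLD.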
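The DNSSEC slide states the model in one line: servers sign with private keys, resolvers validate with public keys, and the root is the only trust anchor. What links the root key to a zone several levels down is the DS record each parent publishes for its child's key-signing key. The following is an added example, not code from the slides: it computes DS records and key tags as RFC 4034 specifies them and walks a chain of trust from a configured root anchor down to a leaf zone, showing that a substituted DNSKEY at any level fails. Keys are constructed random bytes standing in for real public keys, and signature (RRSIG) verification over the record sets, the other half of validation, is deliberately not modelled.

```python
import hashlib
import os
import struct

DIGEST_SHA256 = 2     # DS digest type 2 (RFC 4509)
KSK_FLAGS = 257       # ZONE (256) + SEP (1): a key-signing key
ALG_ECDSAP256 = 13    # algorithm number carried verbatim; the signature math is not modelled


def wire_name(name):
    """Canonical owner-name wire form (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(public_key, flags=KSK_FLAGS, algorithm=ALG_ECDSAP256):
    """DNSKEY RDATA: flags, protocol (fixed at 3), algorithm, public key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B.1: a 16-bit hint for picking the right key, not a security check."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata):
    """The DS record a parent publishes for a child's KSK (RFC 4034 s5.1.4):
    digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], DIGEST_SHA256, digest)


def validate_chain(trust_anchor, links):
    """Walk the chain of trust from the root down. `links` is an ordered list of
    (zone, dnskey_rdata_served, ds_this_zone_publishes_for_its_child); the root's
    own DS is the locally configured trust anchor. One mismatch breaks trust for
    that zone and everything below it."""
    expected = trust_anchor
    for zone, served_key, ds_for_child in links:
        if make_ds(zone, served_key) != expected:
            return False
        expected = ds_for_child
    return True


def demo_chain(tamper=False):
    """Constructed keys: random bytes stand in for real public keys. With
    tamper=True the DNSKEY served for example.net. is attacker-substituted."""
    keys = {z: dnskey_rdata(os.urandom(32)) for z in (".", "net.", "example.net.")}
    anchor = make_ds(".", keys["."])                      # what a resolver ships with
    served = dnskey_rdata(os.urandom(32)) if tamper else keys["example.net."]
    links = [
        (".",            keys["."],    make_ds("net.", keys["net."])),
        ("net.",         keys["net."], make_ds("example.net.", keys["example.net."])),
        ("example.net.", served,       None),
    ]
    return validate_chain(anchor, links)


if __name__ == "__main__":
    print("intact chain validates:", demo_chain())
    print("substituted leaf key validates:", demo_chain(tamper=True))
```

The design point the slide is making falls out of the code: every `expected` value except the first is itself DNS data from the parent zone, so the whole structure rests on the single anchor for "." and on whoever controls the key that produces it.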