DNS安全管理与DNSSEC防御策略

Securit

需积分: 0 52 浏览量更新于2024-07-17 收藏 5.82MB PDF 举报

身份认证购VIP最低享 7 折!

30元优惠券

"DNS Security Management" 是一本由Michael Dooley和Timothy Rooney编写的关于网络和服务管理的IEEE系列书籍，专注于DNS安全。该书通过ISBN-10：1119328276和ISBN-13：9781119328278进行标识，于2017年8月14日出版，共324页。 DNS（域名系统）是互联网的关键组成部分，用于将人类可读的域名转换为IP地址。本书深入探讨了DNS的运作机制、其潜在的安全漏洞以及基本的安全策略和缓解措施。作者以角色为基础的方法来阐述DNS安全，分别讨论了递归和权威DNS部署的各种安全策略。书中涵盖了以下关键知识点： 1. **DNS基础与威胁**：介绍DNS的作用，并详细讨论了针对DNS的各种威胁，如DNS劫持、缓存投毒和DDoS攻击等。 2. **DNSSEC（域名系统安全扩展）**：全面讲解如何利用DNSSEC增强DNS解析的安全性，防止数据被篡改或伪造，提供数据完整性保护。 3. **DNS解析器与安全配置**：讨论了DNS解析器的设置，包括主机访问保护、DHCP配置以及DNS递归服务器IP的管理，确保安全的DNS查询过程。 4. **DNS数据收集与分析**：介绍如何收集和分析DNS数据，以便检测潜在的攻击行为，通过数据驱动的方式提升网络安全。 5. **应用安全**：讨论了DNS在网络安全中的应用，如反垃圾邮件技术（如SPF）、DANE（DNS认证的TLS）和CERT/SSHFP记录，这些工具可以帮助验证服务身份，防止中间人攻击。 6. **检测策略**：提供了一套全面的检测策略，帮助网络工程师及时发现并应对DNS相关的安全事件。 7. **风险评估与防御策略**：面对日益增长的网络攻击，书中指导读者理解网络威胁，评估风险，并制定防御策略。 8. **法规遵从性**：提及版权法律和获取复制、存储或传输内容许可的相关信息，强调遵守法律法规的重要性。对于网络工程师和其他IT专业人士来说，"DNS Security Management"是一本至关重要的资源，它提供了对DNS安全威胁的清晰认识，有助于他们在网络防御中采取有效措施。通过阅读此书，读者可以提升其在DNS安全管理方面的知识和技能，从而更好地保护组织的网络基础设施。

资源详情

资源推荐

INTRODUCTION

WHY ATTACK DNS?

The Domain Name System (DNS) is fundamental to the proper operation of virtually

all Internet Protocol (IP) network applications, from web browsing to email, multi-

media applications, and more. Every time you type a web address, send an email or

access an IP application, you use DNS. DNS provides the lookup service to translate

the website name you entered, for example, to its corresponding IP address that your

computer needs to communicate via the Internet.

This lookup service is more commonly referred to as a name resolution process,

whereby a worldwide web “www” address is resolved to its IP address. And a given

web page may require several DNS lookups. If you view the source of a random web

page, for example, count the number of link, hypertext reference (href), and source

(src) tags that contain a unique domain name. Each of these stimulate your browser

to perform a DNS lookup to fetch the referenced image, le or script, and perhaps

pre-fetch links. And each time you click a link to navigate to a new page, the process

repeats with successive DNS lookups required to fully render the destination page.

Email too relies on DNS for email delivery, enabling you to send email using the

familiar user@destination syntax, where DNS identies the destination’s IP address

for transmission of the email. And DNS goes well beyond web or email address res-

olution. Virtually every application on your computer, tablet, smartphone, security

DNS Security Management, First Edition. Michael Dooley and Timothy Rooney.

2 INTRODUCTION

cameras, thermostats, and other “things” that access the Internet require DNS for

proper operation. Without DNS, navigating and accessing Internet applications would

be all but impossible.

Network Disruption

An outage or an attack that renders the DNS service unavailable or which manipulates

the integrity of the data contained within DNS can effectively bring a network down

from an end user perspective. Even if network connectivity exists, unless you already

know the IP address of the site to which you’d like to connect and enter it into the

browser address eld, you’ll be unable to connect, and you won’t see any linked

images or content.

Such an event of the unavailability of DNS will likely spur a urry of old fash-

ioned phone calls to your support desk or call center to politely report the problem. IP

network administrators generally desire to minimize such calls to the support center,

polite or otherwise, given that it forces those supporting the network to drop what

they’re doing and resolve the issue with the added pressure of visibility across the

wider IT or Operations organization.

DNS as a Backdoor

Just as DNS is the rst step in allowing users to connect to websites, it is likewise

usable by bad actors to connect to internal targets within your enterprise and external

command and control centers for updates and directives to perform nefarious tasks.

Given the necessity of DNS, DNS trafc is generally permitted to ow freely through

networks, exposing networks to attacks that leverage this freedom of communications

for lookups or for tunneling of data out of the organization.

Thus, attacking DNS could not only effectively bring down a network from users’

perspectives, leveraging DNS could enable attackers to communicate to malware-

infected devices within the network to initiate internal attacks, to exltrate sensitive

information, or to perform other malicious activity. Malware-infected devices may be

enlisted to serve as remote robots or bots under the control of an attacker. A collection

of such bots is referred to as a botnet. A botnet enables an attacker to enlist an army

of devices potentially installed around the world to perform software programmable

actions.

By its very nature, the global Internet DNS system serves as a distributed

data repository containing domain names (e.g., for websites) and corresponding IP

address information. The distributed nature of DNS applies not only to the global

geographic distribution of DNS servers, but to the distribution of administration of

the information published within respective domains of this repository. DNS has

proven extremely effective and scalable in practice and most people take DNS for

granted given this and its historical reliability. However, its essential function and

DNS BASIC OPERATION 3

decentralized architecture serve to attract attackers seeking to exploit the architecture

and rich data store for sinister activities.

While DNS is the rst step in IP communications, many enterprise security

strategies trivialize or startlingly even ignore its role in communications and therefore

its susceptibility to attacks on this vital network service or on the network itself. Most

security strategies and solutions focus on ltering “in-band” communication ow in

order to detect and mitigate cyber attacks. However, as we shall see, ltering DNS

trafc can support a broader network security plan in providing additional informa-

tion for use in identifying and troubleshooting attack incidents. This book is intended

to provide details regarding the criticality of DNS, its vulnerabilities, and strategies

you can implement to better secure your DNS infrastructure, which will in turn better

secure your overall network.

DNS BASIC OPERATION

Figure 1.1 illustrates the basic ow of a DNS query. Upon entry of the desired desti-

nation by name, www.example.com in this case, software called a resolver is invoked

by the application, for example, web browser. This resolver software is typically

included with the device operating system. If a connection had recently been made to

this website, its IP address may already be stored in the resolver cache. The resolver

cache helps improve resolution performance by temporarily keeping track of recently

resolved name-to-IP address mappings. In such a case, the resolver may return the

IP address immediately to the application to establish a connection without having to

query a DNS server.

If no relevant information exists in the resolver cache the device will query its

recursive DNS server. The role of the recursive server is to locate the answer to the

Where is

www.example.com?

www.example.com

is on 192.0.2.54

Resolver

Cache

Initiate connection to

192.0.2.54

Recursive

DNS server

example.com

DNS server

.com TLD

DNS server

Internet root

DNS server

Iterative query

192.0.2.54

Referral

Figure 1.1. Basic DNS Resolution Flow

4 INTRODUCTION

device’s query. The recursive server is itself a resolver of the DNS query; we refer

to the resolver on the originating device as a stub resolver as it initiates a query to

its recursive server, and it relies solely on the recursive server to locate and return

the answer. The stub resolver is congured with DNS server IP addresses to query as

part of the IP network initialization process. For example, when a device boots up, it

typically requests an IP address from a dynamic host conguration protocol (DHCP)

server. The DHCP server can be congured to not only provide an IP address but the

IP addresses of recursive DNS servers to which DNS queries should be directed. Use

of DHCP in this manner facilitates mobility and efciency as addresses can be shared

and can be assigned based on the relevant point of connection to the IP network.

As we mentioned, the recursive DNS server’s role is to resolve the query on

behalf of the stub resolver. It performs this role using its own cache of previously

resolved queries or by querying DNS servers on the Internet. The process of querying

Internet DNS servers seeks to rst locate a DNS server that is authoritative for the

domain for which the query relates (example.com in this case) and then to query an

authoritative server itself to obtain an answer that can be passed back to the client,

thereby completing the resolution process. The location of the authoritative server is

determined by querying Internet DNS servers that are responsible for the layers of

the domain tree “above” or “to the right” of the domain in question. We’ll discuss

this process in more detail in Chapter 2. The recursive server caches the resolution

information in order to respond more quickly to a similar query without having to

re-seek the answer on the Internet.

To access your website, people need to know your web address, or technically

your uniform resource locator or URL. And you need to publish this web address

in DNS in the form of a resource record so browsers can locate your DNS servers

and resolve your www address to your web server’s IP address. Multiple, at least

two, authoritative DNS servers must be deployed to provide services continuity in

the event of a server outage. Generally, an administrator congures a master server

that then replicates or transfers its domain information to one or more slave servers.

We will discuss more details on this process and server roles in Chapter 2.

Basic DNS Data Sources and Flows

Figure 1.2 illustrates a subset of the various data stores for DNS data and correspond-

ing data sources. The authoritative DNS servers must be congured to answer queries

for domain name-to-IP address mappings for this domain for which they are author-

itative. Depending on your DNS server vendor implementation, DNS conguration

information may be supplied by editing text les, using a vendor graphical user inter-

face (GUI) or deploying les from an IP address management (IPAM) system as

shown in Figure 1.2. Each server generally relies on a conguration le and author-

itative servers store DNS resolution information in zone les or a database. Some

implementations utilize dynamic journal les to temporarily store DNS information

DNS BASIC OPERATION 5

Recursive

DNS server

Authoritative

DNS server

(master)

Authoritative

DNS servers

(slaves)

Recursive query

Iterative query

Dynamic update

Notify/zone transfer

DNS configuration

DHCP server

IPAM system

Zone and

journal files

Zone and

journal files

Configuration

file

Configuration

file

Forwarder

(optional)

Resolver

cache

Server

cache

Server

cache

Figure 1.2. DNS Query Flow and Data Sources

updates prior to committing to zone les in an effort to improve performance. All ven-

dor implementations feature the ability to update DNS resolution information on a

given “master” server which will then replicate this information to other authoritative

servers to provide redundancy of this information.

Figure 1.2 also illustrates various DNS message types that are used to query for

and congure DNS information. The recursive and iterative query types enable the

resolution of DNS data, while dynamic updates and zone transfers enable the dynamic

updating and replication of resolution information, respectively. DNS conguration

information includes the parameters of operation for the DNS server daemon as well

as published resolution data within zone les. We’ll describe these in more detail in

Chapters 2 and 3, but for now, you may observe that there are several independent

data sources that may congure your DNS information as you permit.

DNS Trust Model

The DNS trust model refers to how DNS information ows among these components

of the DNS system. In general, information received by other components in the sys-

tem is trusted though various forms of validation and authentication can improve

trustworthiness as we shall discuss later.

From the client resolver perspective, the client trusts its resolver cache and

the recursive server to provide answers to DNS queries. Should either trusted

data source be corrupted, the resolver could inadvertently redirect the user appli-

cation to an inappropriate destination. For example, a user, thinking he or she

is connecting to his or her bank, may inadvertently be connected to an imposter

剩余308页未读，继续阅读

THESUMMERE

粉丝: 23
资源: 328

DNS安全管理与DNSSEC防御策略

DNS Security Management 无水印原版pdf

DNS_Security_Management.rar

DNS Security Management epub

DNS服务器配置与管理

filebeat DNS lookup failure "https://helm-logstash-security-logstash:5044

windows dns服务器

java.security.cert.certificateexception: no subject alternative dns name mat

ARP欺骗、DNS欺骗

权威dns是次dns吗

dns local&dns remote

cloudflare dns google dns open dns quad9dns comodo secure dns

linux首选dns和备用dns

全局dns优先还是客户端dns优先

TCPIP的DNS欺骗

配置DNS辅助服务器：DNS系列之四

dns代理线路dns

dns是什么 dns工作原理

DNS安全浅议、域名A记录(ANAME)，MX记录，CNAME记录

linux配置主DNS及备用DNS

最新资源