Hello everyone and welcome back to the internet security attack and defense course. This lecture will be about the DNS security extensions, or DNSSEC for short, and the amplification attacks it enables.

So let's start by providing a very brief introduction on what DNSSEC is. As you have learned in the lecture on DNS cache poisoning, DNS is a protocol that was not designed with security in mind. An attacker can easily falsify information in the DNS, thus potentially misleading large numbers of users that depend on the DNS to find, for instance, the IP address of their bank's website. The solution to these problems is to introduce DNSSEC, the DNS security extensions. The goal of DNSSEC is to make the DNS more secure by adding authenticity and integrity to the DNS. DNSSEC does this by introducing digital signatures over the data contained in DNS messages. These signatures can be validated by recipients of DNS messages to verify that they originate from the legitimate sender and have not been modified in transit. This effectively makes attacks like cache poisoning impossible. If you want to learn more about DNSSEC, we recommend that you also follow our course on internet security protocols.

This is an example of the use of DNSSEC. On the slide, you see DNS information for the CPSC.gov domain. The slide shows you the question, in this case we are asking for the IPv4 address of CPSC.gov. It shows you the answer to that question, in this case the IPv4 address we asked for, and it shows you the digital signature over the answer. We have removed most of the signature from the example, as the signature is very large and would fill up a significant proportion of the slide. In this particular case, the signature is a 2048-bit RSA signature that requires 256 bytes of space in the DNS message.

Unfortunately, DNSSEC does not just add security to the DNS, it also introduces a new security problem. As you know from previous lectures, reflection and amplification attacks form a serious problem.
The DNS protocol can be abused for these types of attacks. And because DNSSEC responses are much larger than traditional DNS responses, DNSSEC-signed domains are attractive for abuse in amplification attacks. Many critics of DNSSEC, in fact, cite this as one of the main reasons not to deploy the protocol, as this quote from well-known DNSSEC critic Dan Bernstein illustrates.

In 2014, we performed a study to estimate how much worse DNSSEC makes amplification. We studied 2.5 million DNSSEC-signed domains and compared the amplification with 2.5 million unsigned domains. The graph on this slide shows the result of this study for so-called ANY queries. This query type is most frequently abused in amplification attacks, and we will explain a little bit more about it in the next slide. This line in the graph shows the maximum amplification that can be achieved with classic DNS. This is around a factor of 23. We take this amplification factor as the maximum acceptable upper limit in DNS amplification, since this amplification can be achieved with the DNS protocol as it has been in operation since 1983. The gray area on the left-hand side of the figure shows the amplification that can be achieved with our control group of 2.5 million unsigned domains. The colored lines show the amplification that can be achieved with DNSSEC-signed domains. It is clear from the figure that DNSSEC-signed domains almost all achieve amplification factors well above our maximum acceptable limit. In fact, we have seen outliers with amplification factors up to 179 times. This means that attackers can easily achieve large attack volumes of multiple gigabits per second by sending only a small amount of traffic themselves.

As we discussed on the previous slide, DNS amplification attacks are often done using ANY queries. But arguably, the ANY query type was originally introduced in the DNS for debugging purposes.
ANY queries are only very seldom used legitimately, which raises the question of whether they should simply be blocked. In fact, a draft currently circulates in the IETF that proposes measures to stop abuse of ANY queries, by only allowing them in very specific cases and with very limited answers. This would make DNS amplification, and abuse of DNSSEC for amplification, much harder. But while we can safely block ANY queries, DNSSEC has a query type that is integral to the protocol and that may also have fairly large responses that can be abused in amplification attacks. As the graph shows, DNSKEY responses also achieve respectable amplification factors. In fact, as many as 40% of the DNSKEY responses we observed in our study exceed our maximum acceptable upper limit.

Luckily, there is another approach to mitigating the amplification potential in DNSSEC. We argued in a study from 2015 that the root cause of the amplification in DNSSEC is the choice of RSA as the default and only mandatory signing algorithm. Luckily, there is an attractive alternative: the use of elliptic curve cryptography. ECC algorithms can yield much smaller signatures, yet from a cryptographic strength point of view, these are much more secure than RSA signatures.

So what would it mean for DNSSEC if we switched from using the RSA signature algorithm to an elliptic curve algorithm? This graph shows the effect for DNSKEY responses, which, as you may remember, are the hardest problem in DNSSEC since they are integral to the protocol and cannot easily be blocked. The thick black line on the right shows the current situation where RSA is used for signing. The graph shows the response packet size, and what you can see is that up to 10% of responses are so large that they might be fragmented over multiple packets. If we then look at what would likely be the most common implementation using elliptic curve cryptography, we see that the response size is dramatically reduced to less than half of that for RSA.
And by the way, the x-axis of the graph has a logarithmic scale. We can improve this further: because elliptic curve cryptography provides stronger security, we can simplify the signing model for DNSSEC and use a single key instead of the current practice of using two keys. This reduces the size of DNSKEY responses to such an extent that they might even fit in classic DNS packets of 512 bytes or less.

To summarize, in this lecture you have learned that DNSSEC improves the security of DNS, but it also has an unintended side effect: it makes DNS amplification attacks a lot easier. This illustrates that it is very hard to consider all security aspects when designing or updating internet protocols. Fortunately, there is a way forward for DNSSEC by switching to newer cryptographic algorithms based on elliptic curve cryptography, which is something we strongly recommend for new DNSSEC implementations.
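To make the size argument of this lecture concrete, the following added example (not part of the lecture material) builds the wire format of a DNSKEY query and of the matching DNSKEY response for three signing models and computes the amplification factor, i.e. response bytes divided by query bytes at the DNS payload level. It assumes a constructed zone name example.org, no name compression, one RRSIG made by the KSK-flagged key, zero-filled placeholder keys and signatures of the sizes RSA-2048 and ECDSA P-256 really occupy, and an EDNS0 OPT record on both sides.

```python
import struct

# Wire sizes of the algorithm-specific fields, constructed for this example from
# the key sizes the lecture discusses: RSA-2048 (alg 8) and ECDSA P-256 (alg 13).
ALG = {
    8:  {"pubkey": 1 + 3 + 256, "sig": 256},  # RSA: exponent-length byte + e=65537 + 2048-bit modulus
    13: {"pubkey": 64,          "sig": 64},   # ECDSA P-256: uncompressed point, signature r||s
}
ZSK, KSK = 256, 257   # DNSKEY flag values (zone-signing key, key-signing key)
OPT_RR = 11           # EDNS0 OPT pseudo-RR: root name (1) + fixed fields (10), no options

def encode_name(name):
    """Uncompressed wire-format domain name (length-prefixed labels, root terminator)."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def rr(owner, rtype, ttl, rdata):
    """Generic resource record: owner name + TYPE, CLASS(IN), TTL, RDLENGTH + RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def dnskey(owner, flags, alg):
    # RDATA: flags(2) protocol(1)=3 algorithm(1) + public key (zero-filled placeholder)
    return rr(owner, 48, 3600, struct.pack("!HBB", flags, 3, alg) + b"\0" * ALG[alg]["pubkey"])

def rrsig(owner, covered, alg):
    # RDATA: type covered, alg, label count, original TTL, expiration and inception
    # (constructed as 0), key tag (0), signer name, signature (zero-filled placeholder)
    labels = owner.strip(".").count(".") + 1
    hdr = struct.pack("!HBBIIIH", covered, alg, labels, 3600, 0, 0, 0)
    return rr(owner, 46, 3600, hdr + encode_name(owner) + b"\0" * ALG[alg]["sig"])

def dnskey_query(zone):
    """Query size: 12-byte header + question (name, type, class) + OPT with DO bit."""
    return 12 + len(encode_name(zone)) + 4 + OPT_RR

def dnskey_response(zone, keys):
    """Response size: header + question + DNSKEY RRset + one RRSIG by the KSK + OPT."""
    body = b"".join(dnskey(zone, flags, alg) for flags, alg in keys)
    ksk_alg = next(alg for flags, alg in keys if flags == KSK)
    body += rrsig(zone, 48, ksk_alg)
    return 12 + len(encode_name(zone)) + 4 + len(body) + OPT_RR

def amplification(zone, keys):
    return dnskey_response(zone, keys) / dnskey_query(zone)

if __name__ == "__main__":
    models = {"RSA-2048, KSK+ZSK": [(ZSK, 8), (KSK, 8)],
              "ECDSA P-256, KSK+ZSK": [(ZSK, 13), (KSK, 13)],
              "ECDSA P-256, single key": [(KSK, 13)]}
    for name, keys in models.items():
        size = dnskey_response("example.org", keys)
        print(f"{name:24s} {size:4d} bytes  x{amplification('example.org', keys):.1f}"
              f"  fits in 512: {size <= 512}")
```

Because real responders compress owner names, these sizes are upper bounds for the stated key set; adding a second RRSIG or a key rollover (extra DNSKEYs) grows the RSA response much faster than the ECDSA one.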