The purpose of DNS is to translate human-readable site names into IP addresses. DNS is insecure because when a device requests a response from a DNS server, that device has no way of knowing whether the response it receives is from the DNS server it wished to contact. DNSSEC is an extension to normal DNS functionality, adding the ability for the DNS server to authenticate itself using a pre-shared key. During this lab we configured DNS servers to function with DNSSEC.
For this lab we created our own primary lookup zone so as not to interfere with the lab's system; this zone is what we configured to work with DNSSEC. The zone was configured with a default key. Once the zone was configured, it was possible to share the DNS information like another file on the network. This allowed us to create a second server which didn't store any of its own DNS records but instead gained them from the original server.
On top of the read-only server and the master server, we also created a second DNS server for redundancy. By creating multiple servers which all share the same authentication information, it is possible to create trust within the server.
Once DNSSEC was set up, we were able to replicate the information about the DNS servers to the devices in the network. This can be done manually but is more efficient to do with policies.
Once set up, computers on the network were able to gain DNS records from the appropriate server. However, as part of this activity we explored ways to prevent the server from working, such as clearing caches from a server or removing/changing the PSK. We also briefly touched upon creating custom keys, in which we created a key which was as large as the system allowed us to create.
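One way to check from a client that answers really are coming back validated is to look at the DNS messages themselves. The following is an added example, not part of the original lab: it builds a query that requests DNSSEC records (the DO bit) and inspects a reply for the AD flag and an RRSIG record. The name host.lab.example, the address 192.0.2.10, the function names and the sample replies are all constructed for illustration.

```python
import struct

RRSIG, OPT, AD_FLAG, DO_FLAG = 46, 41, 0x0020, 0x8000

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """A query with an EDNS0 OPT record whose DO bit asks for DNSSEC records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, class = UDP payload size, TTL field carries the flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, DO_FLAG, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is always 2 bytes and ends the name
            return off + 2
        off += 1 + n

def dnssec_status(msg):
    """Report RCODE, the AD flag, and whether the answer section carries an RRSIG."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & AD_FLAG), "rrsig": RRSIG in types}

def sample_response(signed):
    """Constructed reply for host.lab.example -> 192.0.2.10 (not captured traffic)."""
    flags = 0x8180 | (AD_FLAG if signed else 0)  # QR, RD, RA, plus AD when validated
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if signed else 1, 0, 0)
    msg += encode_name("host.lab.example") + struct.pack("!HH", 1, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    if signed:
        rdata = b"\x00" * 24  # placeholder RDATA, not a real signature
        msg += b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, len(rdata)) + rdata
    return msg
```

The AD flag only reports what the resolver claims to have validated, so it is meaningful only when the path between the client and that resolver is itself trusted.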
Further thoughts:
DNS is a common service which is needed for most internet functionality; it is therefore important for it to be secure. Without authentication it would be easy for a bad-actor device on the network to redirect traffic to malicious sites by creating false DNS records. Therefore I believe it is important to be able to properly configure DNSSEC. I think that this lab did a good job of demonstrating the chains of trust which are used when setting up DNSSEC.