[00:00:06,080] Morning everybody, thanks for coming here. I am going to give a presentation on using DNS as a security tool. I know we love to blame it for all of our problems, but sometimes you can actually fix some of them.

[00:00:18,439] So just to give you a little introduction of who I am: yes, that's me. The astute in the crowd will notice that's a Commodore 64; it's about 1985. So I've been doing computer stuff for a pretty long time. My family got our first home computer in like '89. It was a wonderful Packard Bell, I'm sure you remember some of that, and I got a hand-me-down about two years later from my grandfather. He's the one who got me started in this. My first security incident was in 1999: we busted a credit card fraud ring, and that was on an e-commerce site. That was some good times, that was a lot of fun. My boss at the time, he really enjoyed finding those people, and he would ask them what they would want on their pizza and then send a pizza to their house, because he really liked to jerk their chain a little bit. It was fun.

[00:01:09,280] I've had a long history in technical support. I've worked at PGP and RSA, spent time at Micro Focus, which I'm guessing probably a quarter of this room has at some point; it's kind of a rite of passage in this state. Right now I'm a senior infosec engineer at Dental Intelligence. They're a SaaS software company based out of Pleasant Grove. I wear a lot of hats there, mostly doing vulnerability management and security architecture right now.

[00:01:38,479] So I'll tell you what this talk isn't, just to get that out of the way. I'm not going to do a real deep dive on technical details, and there's a reason for that. One, it'll be super dry and boring, and two, there's probably like two of you who would actually write down all the notes to do that. You're going to go Google this anyway. So I want you to understand the concepts, and that some of this stuff exists, so that you'll go back to your day job and say, all right, I remember that thing that guy talked about, I'm going to go search for it and go and do it. This is also so that you always have the most up-to-date information on how to do it, because stuff changes real fast. So I just want to make sure that your expectations are set here on what we're doing here.

[00:02:18,560] So there are a lot of different kinds of DNS records out there. There's actually no less than 48 different types of them. Odds are quite good you're not going to use more than about a handful of them, so you don't need to be staring down Cthulhu and rolling your sanity. The most important root one there is the SOA, or start of authority, record. That's kind of your root record that says, hey, this is where my DNS servers are located; this is telling me all the information to stage it. And DNS is organized in what they call zones. So if you think about example.com: example.com is a zone, but com is also a zone; it happens to be a root zone. This is really important to establish the authority. You can establish what DNS servers are responsible for each zone. There's a lot of other stuff going on there, but that's the important security part: you're saying these are the servers that'll actually have the information you need.

[00:03:18,360] You'll also have NS, or name server, records that reiterate the primary DNS server that's responsible, as well as any secondary servers. This is important because you can use this to control who's allowed to get a copy of all your DNS records. That is an important security function there.

[00:03:35,159] So these are kind of your core of DNS security: making sure you have a good start of authority, you have good name server records, you want to make sure you're clamping down on who can do a zone transfer, who can say hey, give me all your records, because you don't necessarily want to disclose those. DNSSEC can sometimes help there; we'll cover that a little later.

[00:03:53,920] The main records you're probably going to be using on a day-to-day basis are A and CNAME records. The A is pretty straightforward: here's the name and here's the IP address it goes to. And if you're fancy and you're using IPv6, you might have some quad-A records in there that are telling you where the IPv6 address is for this.

[00:04:14,879] Important to note, CNAMEs are great aliases, like to say hey, when you want to talk to this fully qualified domain name, you should actually go talk to that one over there. They're used a whole lot. So for example you could have www.example.com to webserver1.example.com, or it could be even more complicated, like having userportal.example.com pointing to a domain on Azure.

[00:04:36,759] And text-based records are ones that you're going to use a lot for security purposes. These are pretty free form. People will define: if I see something with this format, then I know how I'm going to parse it. There's a lot of RFCs out there, and the TXT records have proven to be a quick way to scaffold up a solution without having to necessarily go create yet another DNS record, and since we've already got 48 of them, I imagine we're not super eager to have more.

[00:05:10,360] So one of the foundational failures of email is it's never bothered to validate who's actually sending a message out. And that wasn't a big deal back in the days of the ARPANET, where everybody knew every single node on the system and, you know, spam wasn't an issue. That quickly came crashing down to earth; your spam folder will certainly attest to that being a problem. So there were early anti-spam efforts like Spamhaus that said, well, we'll just find the bad servers and we'll just start blocking them. Has anyone gotten on a Spamhaus block list before? You know exactly how painful that is; you can't get off of it to save your life. And so it was a great idea, but a lot of people end up getting caught in the crossfire. A lot of legitimate email just gets thrown in the bin, and it was mainly because there wasn't any good system back when they started doing it, in like the late '90s, early 2000s.

[00:06:04,400] Now of course one of the problems with the internet is you can never introduce any sort of breaking change. You know, when IPv6 was proposed, right, like over two decades ago. Is anyone here using IPv6 on a regular basis? No. No, we're not, because it changes so much stuff. And so we had to figure out a way to stop spam without going and changing everything in SMTP. So of course, naturally, we're going to start using DNS to do this.

[00:06:31,880] So SPF was the first thing that came to the rescue, and the idea is, hey, let's have a formatted DNS TXT record that says here is who is allowed to send email on behalf of this domain. The record kind of looks cryptic when you first look at it, but it's a fairly straightforward structure. The TXT record says v=spf1, saying this is version SPF1. There is no version two; they just wanted to be forward thinking in case they had to make one, and they have not done so yet. So it's fairly simple to break down what's happening here. You will have plus to say this is who's allowed to send. You will have negative to say here's who's explicitly disallowed to send. You'll notice there's a record up there with a tilde in front of it, and that's to say I want you to soft fail this, and in this record we have soft fail anything I haven't mentioned yet.

[00:07:27,520] Now you ask yourself, why would I want a soft fail instead of hard fail anything that's not my mail server? Well, the problem is remailer services. You will find sometimes that you will go and fill out a support form and it says, oh well, I'm going to send email to you, it looks like it's coming from you, and then it goes to your junk folder and you don't ever get it. It's a horrible practice, I hate that people do it, but soft fail is kind of a good safety step there to make sure that you aren't throwing all sorts of stuff in your junk folder that you don't necessarily want to have there.

[00:07:59,720] So this record is saying, we say +mx: like, if you see an MX record, that's saying this is a mail server for this domain, yeah, obviously I want to send mail from that. +a: if you see an A record for this domain, yes, obviously any A record should probably be allowed to send mail on behalf of this. And then we have explicitly an IPv4 address that's allowed to send. So the way it parses is you'll put your allows and your disallows, and then at the end you'll have the all record, and you'll probably always have a soft fail or fail. If you don't, and have an allow for all, then you've lost the plot; you do not know what you're doing with SPF records. Please don't do that; it will be a problem.

[00:08:39,719] If you're looking for a good reference on SPF record creation, dmarcian is a service out there that has really good references. They also offer a nice free tier to be able to see issues with your SPF and DMARC and DKIM records.

[00:09:03,480] Now SPF solves one problem, which is we know which mail servers are supposed to send mail. What it doesn't solve is the problem of, is anyone messing with the message when it goes out? If you know anything about how email works, it's not a straight "my mail server talks to the recipient mail server and we're done." It bounces around through other mail servers. Now of course the problem there is email is all plain text, and now you could be using PGP to encrypt the contents, but the headers could still be messed with, right? And so that creates a fundamental problem of we want to ensure message integrity, and so we have DKIM that's thrown in the mix here. And in this case we're using the mail server to cryptographically sign: yes, I am the mail server that actually sent this message, so no one can tamper with the headers in process. So that one is pretty important.

[00:09:54,440] In conjunction with that, you want to have a DMARC policy. A DMARC policy is saying, if for some reason there's a message that fails DKIM or fails SPF, tell this email address about it; tell it what's going on. These have become requirements. Google recently announced that if you do not have SPF, DKIM and DMARC records and you're sending more than 5,000 messages a month, they're going to throw you right in the trash bin. So it's very important to have this set up. Now one thing to note about the DMARC reports is that they're XML files. Does anyone here actually read XML files by hand? No. No, we do not. We want to send them to a machine-readable format. There are services out there. I mentioned dmarcian before; they have a free tier for up to two domains. You can send them there. It's great to do on a personal domain just to see, hey, here's what's happening. I actually found there were people who were trying to send junk messages on some of my domains. They learned very quickly that's not going to fly. So these screenshots kind of give you an idea of some of the reporting that does. You can see the DMARC record on the top, again v=DMARC1, there's only one version but they still wanted to make sure, and so in this case we're saying a policy, in this case the reject policy, and where we are going to send those reports.

[00:11:14,920] So let's be honest here. When you're surfing around internal resources on your corporate network, how many times are you seeing this "not secure" warning because you have self-signed certificates everywhere? Every single one of you should be cringing at that. And I get it, because the process of issuing, installing and maintaining a fleet of certs kind of sucks. It's something that is not a lot of fun. DNS, though, does play an integral part in making sure that you can get this done. The first thing being that you need to have a valid domain name that's pointing to the resource, because the certificate is issued against the domain name. You can issue against an IP as a subject alternative name, but you can't issue it as a subject; that doesn't apply. And I'm sure most of you have heard of Let's Encrypt. Let's Encrypt can use DNS for verification. It has two main verification types: HTTP, where it reaches out over HTTP and says hey, can you validate you control the system, and the other one is using DNS. With DNS it creates a temporary TXT record, it validates that you have in fact control of the DNS records for that domain, and sends you upon your merry way. And so DNS is extremely important to make sure that that works properly. A great thing is that you can use Let's Encrypt to issue certs on your internal network using DNS challenges, and nothing has to be able to reach into your network to do it. It's fantastic. So I highly recommend thinking about doing something like that. And so, you know, that'll help, because the fewer of these warnings you have on your local network, the more these warnings will stand out as, hey, something's not right here.

[00:13:04,560] Now does anyone here remember that Symantec had a business doing certificates? Emphasis is on the word "had". So they had issued over 30,000 certificates to people who did not own the respective domains, and that's why it is past tense. If you're a certificate authority, that's pretty much a death knell right there. Pretty much all of the browser vendors said, okay, Symantec, we are not going to trust you in our browsers anymore, you're dead to us, everyone's going to distrust you. So they ended up selling the business. It was a huge fiasco for them.

[00:13:37,480] So DNS can solve some of this mis-issuance problem. There's a special type of record called a CAA record, and this allows you to list which certificate issuers are allowed for any given domain. So this is really handy. So if you're using DigiCert, you know that every single certificate you're issuing is coming from DigiCert. You can create a CAA record for that, and if someone tries to issue on Let's Encrypt, it goes whoa, no, no, we're not doing that. It also gives you a nice security control so that a browser can check a CAA record and say, hold on a minute, example.com shouldn't be using Let's Encrypt, we're going to throw that right out. It also allows you to specify that you allow certain issuers to issue wildcards and certain issuers to not. So you can really clamp down on who you want to be able to allow to issue certificates. And you can tell it borrows a lot of concepts from SPF and DKIM to be able to say, yes, we're doing this, this is who's allowed and this is who's not. Now obviously you can see a problem here: if you are using Let's Encrypt and you make that your CAA record, well, now any yahoo using Let's Encrypt can do that. So that's not a really good solution if you are using one of those free services, but if you're using a different CA, that can help you really clamp down.

[00:15:06,440] So you can dodge a lot of bullets too with DNS filtering. This is another great security tool of DNS. I'm sure most of you have heard of Pi-hole. Yeah, yeah, running that at home, it's a lifesaver. Usually you're thinking of it as, oh, I'm blocking all those obnoxious ads that pop up all over the place, but ad networks are threat vectors, aren't they? Like, Google just recently had a problem where they were distributing malware in their ad network, again, as they're trying to get you to watch their ads on YouTube. A little bit of a mixed message there, isn't it? So it's great for ad filtering, but it's also great for blocking security threats. You can block things such as known phishing domains. A favorite of mine is to block newly created domains, anything less than 30 days old, because nine times out of ten they're used for something malicious. Although one of my favorites is catching people who are going out and registering domains in your company without using the official registrar, and then they create a ticket and say, hey, why is my newly registered domain not working? You're like, oh, okay, you went over to GoDaddy and you're supposed to be using our, you know, official registrar. Right to jail, right away. So you can filter out things like command and control domains, malware distribution.

[00:16:19,600] Now I will say that Pi-hole isn't necessarily intended to be a commercial solution. You can use it that way in a smaller office and it'll work perfectly fine, but there are a lot of commercial options out there: Cisco Umbrella, Infoblox BloxOne Threat Defense, Cloudflare Zero Trust, OpenDNS. Tons of services out there, and many of them are hosted services, so that pretty much all you need to do is say here's where I'm going to forward from my internal DNS servers, and you call it a day. There's no infrastructure to set up from there. Your internal DNS servers can do filtering too. Unbound can take a block list; I believe BIND can also take block lists. So if you want to roll your own, you absolutely can do that, but there's a lot of great solutions out there, and this is something where it is super lightweight. Like, users don't even notice the impact because there's nothing running on their systems. Great way to be able to use DNS as a security tool.

[00:17:22,880] Now I'm going to talk a little bit about DNSSEC. Has anyone here bothered to look into DNSSEC or implement it? You hate it, right? It's terrible, it's awful. The ideas were great, but kind of like IPv6, it came down to implementation time and I was like, well, this sucks, because it was designed to use spherical chickens in a vacuum.

[00:17:46,160] So the idea behind DNSSEC is adding cryptographic signatures to your DNS records so that you know that the zone is signed and all DNS records are correct. It's got full integrity. That sounds pretty cool, right? Like, you're saying yeah, I've signed it, all my records are cool, there's no DNS spoofing, there's no man in the middle, I'm secure. Except the setup is really terrible, and you're going to hate terms that come out of my mouth. If you've ever heard something like "key signing key", that should make your gut twist up.

[00:18:18,880] So first you need a key to sign your zone, and this is fairly straightforward. You grab the set of records from your zone, you sign the entire zone, spit out a signature, you publish the public key so it can be validated. But now you need to also sign the zone key, the zone signing key. Oh, oh no, we're getting into multiple keys, aren't we, and key management. So we add another key, the key signing key, which signs the zone signing key, and you publish the public part of the key signing key. Don't worry, it only gets worse from here.

[00:18:48,559] So your domain, like bobsawesomewidget.com, doesn't exist in a vacuum, does it? You remember I talked about zones, right? It has a parent domain, com. Next, now you have to drag the parent into it to do additional signing, and that parent is also signed by a special root signing key that's used in a key signing ceremony. I swear I'm not making this up: seven people who each hold a piece of the key assemble to do the needful. I know this sounds absolutely bonkers, but this is actually how it works.

[00:19:16,720] If all this signing business wasn't enough to put you off, DNSSEC also has a problem with subdomain enumeration. Now remember I said you sign the whole zone, right? Now, if you don't have DNSSEC, does anyone get a full copy of your DNS records? No, not unless you said they can do a zone transfer. But you have to sign the entire zone in DNSSEC and publish the entire zone, and so all of a sudden all your DNS records are out there for the world to see. That might be a little bit of a security risk for you if you don't want people to necessarily know that it's there. I know security through obscurity sucks and blah blah blah, but it's still not a bad thing to have. So that might give an attacker a hit list. Now there's some mitigations for it, but it is a workaround; it requires very careful planning in your implementation. And I know there's probably a lot of you out there who, like me, have had
experience working 538 00:20:10,760 --> 00:20:11,520 with 539 00:20:11,520 --> 00:20:13,840 cryptography and you're you're starting 540 00:20:13,840 --> 00:20:15,320 to think wait a minute you've got keys 541 00:20:15,320 --> 00:20:19,080 here now how long are Keys good for not 542 00:20:19,080 --> 00:20:21,559 forever is the is the answer which means 543 00:20:21,559 --> 00:20:24,039 that you have to start rotating those 544 00:20:24,039 --> 00:20:27,159 keys and so that you will end up with 545 00:20:27,159 --> 00:20:29,200 having to use key man to rotate these 546 00:20:29,200 --> 00:20:31,880 keys out and now you're talking about an 547 00:20:31,880 --> 00:20:35,320 HSM which nobody wants to have to deal 548 00:20:35,320 --> 00:20:37,799 with so you also can issue have some 549 00:20:37,799 --> 00:20:39,919 problems with DNS amplification attacks 550 00:20:39,919 --> 00:20:43,280 which are way worse with DNS SEC so the 551 00:20:43,280 --> 00:20:45,679 short of DNS SEC is that yes you can get 552 00:20:45,679 --> 00:20:48,520 all sorts of additional Integrity but 553 00:20:48,520 --> 00:20:51,159 there are a lot of dragons here and it's 554 00:20:51,159 --> 00:20:55,480 usually that dragon on the 555 00:20:55,480 --> 00:20:58,240 right thanks for coming here I will 556 00:20:58,240 --> 00:20:59,520 certainly open up the floor to any 557 00:20:59,520 --> 00:21:00,960 questions comments or rude noises that 558 00:21:00,960 --> 00:21:03,010 you may 559 00:21:03,010 --> 00:21:09,109 [Applause] 560 00:21:09,480 --> 00:21:12,480 have