Graduation project on DNSSEC, Hà Hồng Ngọc, v5, 2016
POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY
FACULTY OF TELECOMMUNICATIONS I
-------***-------
UNIVERSITY GRADUATION PROJECT
HANOI - 2016
ACKNOWLEDGEMENTS
Hà Hồng Ngọc
TABLE OF CONTENTS
ABBREVIATIONS
LIST OF TABLES
LIST OF FIGURES
INTRODUCTION
CHAPTER 1: GENERAL INTRODUCTION TO DNSSEC
1.1. The Domain Name System (DNS)
1.1.1. Definition of a domain name
1.1.2. Main components of DNS
1.2. Overview of DNSSEC
1.2.1. What is DNSSEC?
1.2.2. Introduction to DNSSEC
1.3. Deployment and standardisation status worldwide and in Vietnam
1.3.1. DNSSEC deployment status worldwide
1.3.2. DNSSEC standardisation status worldwide
1.3.2.1. The IETF standards organisation
1.3.2.2. The European Commission (EC) decision on deploying and applying ICT standards
1.4. DNSSEC deployment and standardisation status in Vietnam
1.4.1. DNSSEC deployment status in Vietnam
1.4.2. DNSSEC deployment roadmap in Vietnam
1.4.3. DNSSEC standardisation status in Vietnam
1.5. Conclusion
CHAPTER 2: STUDY OF DNSSEC
2.1. DNSSEC deployment model
2.2. DNSSEC resource records
2.2.1. DNSKEY records in a zone
2.2.2. RRSIG records in a zone
2.2.3. The Delegation Signer (DS) record in a zone
2.2.4. NSEC records in a zone
2.2.5. The NSEC3 record
2.3. Extensions in DNSSEC
2.3.1. Authoritative name servers
2.3.2. Recursive name servers
2.3.3. Resolvers
2.3.4. DNS authentication support
2.3.4.1. The validation process in DNSSEC
2.3.4.2. Authenticated denial of existence in DNSSEC
2.4. Conclusion
CHAPTER 3: APPLYING DNSSEC TO SECURE THE DOMAIN NAME SYSTEM (DNS)
3.1. Common network attack methods
3.1.1. DNS spoofing (DNS cache poisoning)
3.1.2. DNS amplification attack
3.1.3. DNS server impersonation (man in the middle)
3.2. DNS attack scenario
3.3. The DNSSEC solution to the DNS attack scenario
3.4. Conclusion
CONCLUSION
REFERENCES
ABBREVIATIONS
AD: Authentic Data
AXFR: Full Zone Transfer / Authoritative Transfer
CD: Checking Disabled
CNAME: Canonical Name
DNAME: Delegation Name
DNS: Domain Name System
DNSKEY: DNS Public Key
DNSSEC: DNS Security Extensions
DO: DNSSEC OK
DS: Delegation Signer
EDNS: Extension Mechanisms for DNS
IANA: Internet Assigned Numbers Authority
IXFR: Incremental Zone Transfer
NS: Name Server
NSEC: Next Secure
OPT: Option
RR: Resource Record
RRSIG: Resource Record Signature
SOA: Start of (a zone of) Authority
INTRODUCTION
The Domain Name System (DNS) provides the signposting of the Internet and is regarded as a critical core infrastructure of the global Internet. Because of its importance, the DNS has been the target of many large-scale and sophisticated attacks exploiting its vulnerabilities, aiming either to paralyse the system or to redirect a domain name to a different IP address.
Given the current strong growth of the Internet, e-commerce and e-government, the complex and shifting state of network security with its many latent risks, and the worldwide roadmap and trend towards DNSSEC deployment, deploying DNSSEC for the .VN domain name server (DNS) system in Vietnam is essential. VNNIC therefore drew up, and submitted to the Minister of Information and Communications for approval, the Project for deploying the DNSSEC standard on the .VN domain name server (DNS) system. Under it, DNSSEC is to be applied uniformly across the national .VN DNS system, the DNS systems of Internet service providers (ISPs), .VN domain name registrars, DNS hosting providers, and the DNS systems of Party and State agencies.
DNSSEC is the security extension of DNS. It is used to help protect DNS against spoofing that falsifies the origin of data, and it provides an authentication mechanism between DNS servers that establishes the integrity of the data. Recognising this need, and out of personal interest, I chose the topic Research on security extensions for the domain name system (DNSSEC), which consists of three main parts:
- Chapter 1: General introduction to DNSSEC.
- Chapter 2: Study of DNSSEC.
- Chapter 3: Applying DNSSEC to secure the domain name system (DNS).
Given the limited time and my own limited understanding, errors are unavoidable. I very much hope to receive guidance from my teachers and classmates so that I can improve this work.
Hà Hồng Ngọc
- RFC 4035: Protocol Modifications for the DNS Security Extensions, published in 2005, on the protocol modifications for DNSSEC.
- Related DNSSEC standards:
- RFC 4470: Minimally Covering NSEC Records and DNSSEC On-line Signing, published in 2006, on minimally covering next-secure records and on-line signing in DNSSEC.
- RFC 4641: DNSSEC Operational Practices.
- RFC 5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence.
- RFC 6014: Cryptographic Algorithm Identifier Allocation for DNSSEC, published in 2010, on the designation of the cryptographic algorithms used for DNSSEC.
- RFC 6840: Clarifications and Implementation Notes for DNS Security (DNSSEC), published in 2013, on clarifications and implementation notes for DNSSEC.
In addition, the data centre and server room that host the key management and DNSSEC zone-signing systems must also be given physical protection to a high standard.
1.3.2.2. The European Commission decision on deploying and applying ICT standards
On 3/8/2014 the European Commission issued its decision on the deployment and application of ICT technical standards in Europe: Commission Implementing Decision of 3 April 2014 on the identification of ICT Technical specifications eligible for referencing in public procurement (2014/188/EU), OJ L 102/18, 5.4.2014. The standards proposed and recommended for adoption fall into six main groups:
- Internet Protocol version 6 (IPv6).
- Lightweight Directory Access Protocol version 3 (LDAPv3).
- Domain Name System Security Extensions (DNSSEC).
- Domain Keys Identified Mail Signatures (DKIM).
- ECMAScript-402 Internationalisation Specification (ECMA-402).
- Extensible Markup Language version 1.0 (W3C XML).
Of these, the IPv6, LDAPv3, DNSSEC and DKIM groups follow standards developed and published by the IETF. For the DNSSEC group, the decision is accompanied by an evaluation report on the choice of suitable standards, Identification of ICT Technical Specifications - Domain Name System Security Extensions (DNSSEC) from Internet Engineering Task Force (IETF) - Evaluation report, whose evaluators were the EC, the IETF, DIGITALEUROPE and the Asia Pacific Network Information Centre (APNIC).
The training course took place from 19/07 to 21/07/2016 and was attended by nearly 40 participants from state management agencies, ISPs and domain name registrars.
1.4.2. DNSSEC deployment roadmap in Vietnam
Decision 1524/QĐ-BTTTT of 23/10/2014, signed by the Minister of Information and Communications, approved the Project for deploying the DNSSEC standard on the ".vn" domain name server (DNS) system. It sets out the objectives, scope, content, roadmap and organisation of implementation in three phases:
- Preparation phase (2015): draw up plans and prepare the communication, human-resource, technical and financial conditions needed to deploy DNSSEC on the DNS systems of agencies, organisations and enterprises.
- Launch phase (2016): officially deploy DNSSEC on the national DNS system, and at the same time build and upgrade the DNS systems of Internet service providers, ".vn" registrars and Party and State agencies so that they can connect to the national DNS system under DNSSEC on a trial basis.
- Deployment phase (2017): complete and upgrade the national DNS system and the national domain name management system so that they operate securely and reliably under DNSSEC and meet the growth of the Vietnamese Internet in later periods. Internet service providers, ".vn" registrars and Party and State agencies officially deploy DNSSEC on their DNS systems and provide DNSSEC-based use and resolution of ".vn" names to Internet users in Vietnam.
DNSSEC deployment in Vietnam proceeds step by step. DNSSEC is first deployed on the national ".vn" DNS server system; on that basis it is then deployed on lower-level name servers such as the shared second-level domains (.gov.vn, .net.vn, ...), and on the DNS systems of ISPs, registrars, DNS hosting providers, Party and State agencies, and ".vn" customers and domain holders.
Applying the DNSSEC standard to the ".vn" domain name server (DNS) system ensures accurate and trustworthy use and resolution of ".vn" names on the Internet, through uniform application of DNSSEC across the ".vn" DNS systems in Vietnam. It ensures DNSSEC interoperability between the national ".vn" DNS system, the root name servers (DNS ROOT) and international DNS systems, and it marks an important step in the development of Vietnam's Internet infrastructure, preparing it for the secure growth of e-commerce and e-government services in Vietnam.
RFC 5155 of the IETF. The standard specifies how the NSEC3 next-secure record works in DNSSEC's hashed authenticated denial-of-existence mechanism. An NSEC3 record is more secure than NSEC because it resists dictionary attacks and the enumeration of DNS data.
1.5. Conclusion
This chapter has given an overview of the Domain Name System: the definition and main components of DNS, the security weaknesses of DNS and the need to address them, and DNSSEC as the domain name security extension introduced to solve the DNS security problem, covering its concept, purpose and functions. It has also reviewed the deployment status and standardisation of DNSSEC worldwide and in Vietnam, named some of the international standards bodies, and described the deployment roadmap in Vietnam.
Given its contribution to network security, its advantages and its high practical applicability, adopting DNSSEC in Vietnam is essential.
that is, there are two different ways to implement authenticated denial of existence: NSEC and NSEC3.
NSEC3 hashes every owner name. The NSEC3 chain is therefore ordered by hash value rather than in canonical order. In the example above, in canonical order the name following example.org is a.example.org; but because every name is hashed when the zone is converted to NSEC3, the name following example.org is no longer a.example.org but d.example.org. Zone walking to enumerate and probe the zone's data is therefore hard to carry out.
As to the structure of the NSEC3 record, the RDATA of an NSEC3 resource record is divided into independent fields and into fields that correspond to the fields of the domain name.
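The following Python program is an added illustration of the point above, not code from the thesis. For a small constructed zone it computes the canonical order of RFC 4034 (labels compared right to left), hashes each owner name as RFC 5155 prescribes (SHA-1 with salt, iterated, base32hex), links the records in hash order, and shows how a resolver finds the record whose interval covers a name that does not exist. The zone contents, the salt and the iteration count are assumptions made for the example; the closest-encloser and wildcard steps of a complete NSEC3 proof are not shown.

```python
"""Added example (not from the thesis): NSEC3 chain for a constructed zone.

Shows why the NSEC3 chain is ordered by hash rather than canonically, and how a
resolver finds the record that covers a nonexistent name.  Zone contents, salt
and iteration count are constructed assumptions.
"""
import base64
import hashlib
from dataclasses import dataclass

# Constructed zone: owner name -> RR types present at that name.
ZONE = {
    "example.org": ("SOA", "NS", "DNSKEY", "NSEC3PARAM"),
    "a.example.org": ("A",),
    "b.example.org": ("A",),
    "d.example.org": ("TXT",),
}
SALT = bytes.fromhex("aabbccdd")  # constructed salt
ITERATIONS = 10                    # constructed iteration count

# RFC 5155 encodes hashes in base32 with the "extended hex" alphabet so that
# string order equals numeric order of the hash values.
_TO_BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_key(name):
    """Sort key for RFC 4034 canonical order: compare labels right to left."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def to_wire(name):
    """Owner name in DNS wire format, lowercased as RFC 5155 requires."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5, algorithm 1: IH(0)=SHA1(name||salt), IH(k)=SHA1(IH(k-1)||salt)."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32 characters, no padding
    return base64.b32encode(digest).decode("ascii").translate(_TO_BASE32HEX)


@dataclass(frozen=True)
class Nsec3Record:
    owner: str       # hashed owner name (base32hex)
    next_owner: str  # hashed next owner; the last record wraps to the first
    types: tuple     # RR types present at the original owner name


def build_chain(zone, salt=SALT, iterations=ITERATIONS):
    """Hash every owner name and link the records in hash order."""
    hashed = sorted((nsec3_hash(n, salt, iterations), n) for n in zone)
    return [
        Nsec3Record(h, hashed[(i + 1) % len(hashed)][0], zone[name])
        for i, (h, name) in enumerate(hashed)
    ]


def covers(rec, h):
    """True if hash h falls strictly between rec.owner and rec.next_owner."""
    if rec.owner < rec.next_owner:
        return rec.owner < h < rec.next_owner
    return h > rec.owner or h < rec.next_owner  # last record wraps around


def lookup(chain, qname, salt=SALT, iterations=ITERATIONS):
    """Return ("exists", rec) if qname's hash matches a record, else ("covered", rec)."""
    h = nsec3_hash(qname, salt, iterations)
    for rec in chain:
        if rec.owner == h:
            return "exists", rec
    for rec in chain:
        if covers(rec, h):
            return "covered", rec
    raise ValueError("chain is not a closed circle")


if __name__ == "__main__":
    chain = build_chain(ZONE)
    print("canonical order:", sorted(ZONE, key=canonical_key))
    print("hash order:     ", [rec.owner for rec in chain])
    for qname in ("b.example.org", "c.example.org"):
        kind, rec = lookup(chain, qname)
        print(f"{qname}: {kind} by {rec.owner}..{rec.next_owner}")
```

Because the positions in the chain depend on the hash values, changing the salt reorders the chain while the canonical order of the same four names stays fixed; that is exactly what deprives a zone walker of the alphabetical neighbour that an NSEC chain would reveal.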
more time between the authoritative servers and the validating components.
2.3. Extensions in DNSSEC
A Security-Aware Name Server must support the EDNS0 message-size extension: it must support a message size of at least 1220 octets and should support a message size of 4000 octets. Because IPv6 packets can only be fragmented by the source host, a Security-Aware Name Server should take steps to ensure that the UDP datagrams it sends over IPv6 are fragmented at the minimum IPv6 MTU when necessary, unless the path MTU is known.
A Security-Aware Name Server that receives a DNS query without an EDNS OPT pseudo-RR, or with the DO bit clear, must answer queries for RRSIG, DNSKEY and NSEC RRs as it would for any other RRset and must not perform any of the additional processing described below. Because the DS RR type has the unusual property of appearing only in the parent zone at delegation points, DS RRs always require some special processing.
A Security-Aware Name Server that receives explicit queries for security RR types matching the contents of more than one zone it serves (for example NSEC and RRSIG RRs above and below a delegation point where the server is authoritative for both zones) should behave consistently. It may return any of the following, provided the answer is always the same for every such query to this server:
- The RRsets above the delegation point.
- The RRsets below the delegation point.
- Both the RRsets above and below the delegation point.
- An empty answer (no RRs).
- Some other answer.
- An error.
DNSSEC allocates two new bits in the DNS message header: the CD (Checking Disabled) bit and the AD (Authentic Data) bit. The CD bit is controlled by resolvers; a Security-Aware Name Server must copy the CD bit from a query into the corresponding response. The AD bit is controlled by name servers; a Security-Aware Name Server must ignore the setting of the AD bit in queries. A Security-Aware Name Server that synthesises CNAME RRs from DNAME RRs should not generate signatures for these synthesised CNAME RRs.
these RRs in the query. Thus, by setting the CD bit, the originating resolver indicates that it takes responsibility for performing its own authentication and that the recursive name server should not interfere.
When the resolver side implements a BAD cache and the name server side receives a query that matches an entry in the resolver side's BAD cache, the name server side's response depends on the state of the CD bit in the original query. If the CD bit is set, the name server side should return the data from the BAD cache. If the CD bit is not set, the name server side must return RCODE 2 (server failure).
The purpose of this rule is to provide raw data to clients that can perform their own signature checks, while protecting clients that rely on the resolver side of the Security-Aware Recursive Name Server to perform those checks. Several of the possible reasons a signature check can fail involve conditions that may not apply equally to the recursive name server and to the client: for example, the recursive name server's clock may be set incorrectly, or the client may know of an Island of Security that the recursive name server does not share. In such cases, "protecting" a client that can validate signatures itself from seeing the bad data does not help the client.
The AD bit
The name server side of a Security-Aware Recursive Name Server must not set the AD bit in a response unless it considers all RRsets in the Answer and Authority sections to be authentic. It should set the AD bit if and only if the resolver side considers all RRsets in the Answer section, and any relevant negative-response RRs in the Authority section, to be authentic. The resolver side must follow the proper procedure to determine whether the RRs in question are authentic. For backward compatibility, however, a recursive name server may set the AD bit when a response includes unsigned CNAME RRs, if those CNAME RRs could be synthesised from an authenticated DNAME RR that is also included in the response according to the synthesis rules. Example of DNSSEC responses.
2.3.3. Resolvers
This section covers the behaviour of components that implement the functions of a Security-Aware Resolver. In many cases these functions belong to a Security-Aware Recursive Name Server, but a stand-alone Security-Aware Resolver has many of the same requirements.
EDNS support
A Security-Aware Resolver must include an EDNS OPT pseudo-RR with the DO bit set when sending queries.
A Security-Aware Resolver must support a message size of at least 1220 octets, should support a message size of 4000 octets, and must use the sender's UDP payload size field of the EDNS OPT pseudo-RR to advertise the message size it is prepared to receive. The IP layer of a Security-Aware Resolver must handle fragmented UDP packets correctly regardless of whether the fragments are received over IPv4 or IPv6.
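The following Python program is an added example, not code from the thesis or from any DNS implementation; it ties together the EDNS OPT pseudo-RR described in this paragraph and in 2.3.1 with the CD and AD header rules of 2.3.1 and 2.3.2. It builds a query carrying an OPT record with the DO bit and an advertised UDP payload size, parses the AD and CD bits and the OPT record back out of the wire message, and applies the name-server side rules: copy CD from the query, ignore AD in the query, set AD only when the answer was validated, and return RCODE 2 for bad data unless the client set CD. All messages are constructed in memory; nothing is sent on the network.

```python
"""Added example (not from the thesis): DNS header bits and the EDNS OPT pseudo-RR.

Builds a query carrying the EDNS OPT record (DO bit, advertised UDP payload size),
parses the AD/CD bits and the OPT record back out of a message, and applies the
name-server side rules from the text: copy CD from the query, ignore AD in the
query, set AD only for validated data, SERVFAIL for bad data unless CD was set.
Message contents are constructed; no network traffic is sent.
"""
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD added by RFC 4035 section 3.1.6)
QR, RD, RA, AD, CD = 1 << 15, 1 << 8, 1 << 7, 1 << 5, 1 << 4
RCODE_MASK = 0x000F
SERVFAIL = 2
TYPE_OPT = 41
DO_BIT = 1 << 15        # DO is the top bit of the low 16 bits of the OPT TTL field


def encode_name(name):
    """Owner name in DNS wire format ("example.org" -> b"\\x07example\\x03org\\x00")."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(qid, name, qtype, payload_size=4000, do=True, cd=False, ad=False):
    """A one-question query with an EDNS0 OPT pseudo-RR in the Additional section.

    The OPT record uses the CLASS field for the sender's UDP payload size and the
    TTL field for extended RCODE, version and the DO flag (RFC 6891 section 6.1.3).
    `ad` lets a caller put AD into a query, which a server must ignore.
    """
    flags = RD | (CD if cd else 0) | (AD if ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload_size, DO_BIT if do else 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header into its fields and flag bits."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def _skip_name(msg, off):
    """Advance past a wire-format name, including compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_opt(msg):
    """Return (udp_payload_size, do_flag) from the OPT pseudo-RR, or None if absent."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_BIT)
        off += 10 + rdlen
    return None


def response_flags(query_msg, validated, bogus):
    """Header flags a Security-Aware Recursive Name Server puts in its reply.

    CD is copied from the query and any AD in the query is ignored.  Bogus data
    is served only to a client that set CD (it validates itself); otherwise the
    reply is RCODE 2.  AD is set only when the resolver side validated the answer.
    """
    q = parse_header(query_msg)
    flags = QR | RA | (RD if q["rd"] else 0) | (CD if q["cd"] else 0)
    if bogus:
        return flags if q["cd"] else flags | SERVFAIL
    return flags | AD if validated else flags


if __name__ == "__main__":
    q = build_query(0x1234, "example.org", 16, payload_size=1220, do=True, cd=True)
    print(parse_header(q))
    print("OPT:", parse_opt(q))
```

The payload size advertised in the OPT record is what the server compares a response against before deciding that it must truncate and let the client retry over TCP, which is why the 1220 and 4000 octet figures above matter to both sides of the exchange.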
Signature checking support
A Security-Aware Resolver must support the signature-checking mechanisms and should apply them to every response it receives, except when:
- the Security-Aware Resolver belongs to a Security-Aware Recursive Name Server and the response is the result of recursion on behalf of a query received with the CD bit set;
- the response is the result of a query generated directly through some application interface that instructs the Security-Aware Resolver not to perform validation for this query;
- validation for this query has been disabled by local policy.
The signature checking support of a Security-Aware Resolver must include support for checking signatures on wildcard-synthesised names.
A Security-Aware Resolver may query for missing security RRs in an attempt to perform validation. Implementations that do so must be aware that the responses received may not be sufficient to validate the original response; for example, a zone update may alter (or delete) the needed information between the original query and the follow-up query.
When attempting to retrieve missing NSEC RRs that reside on the parental side of a zone cut, a Security-Aware iterative-mode Resolver must query the name servers for the parent zone, not the child zone.
When attempting to retrieve a missing DS, a Security-Aware iterative-mode Resolver must query the name servers for the parent zone, not the child zone. Security-Aware Name Servers need to apply special processing rules to handle the DS RR, and in some situations the Resolver may also need to apply special rules to locate the name servers for the parent zone if it does not already have the parent's NS RRset. To locate the parent NS RRset, the Resolver can start with the delegation name, strip off the leftmost label, and query for an NS RRset at that name. If no NS RRset exists at that name, the Resolver next strips off the remaining label
The status: NOERROR field shows that no error occurred in looking up and returning the data, and the integer id shows that the response matches the query. The ANSWER section carries the information requested; the AUTHORITY section holds the names of the name servers that hold information about the example.org zone.
If the Resolver queries for b.example.org TXT, it receives a response saying that the name does not exist:
(Verify that "Unable to enumerate trust anchors" is displayed.)
Type the following command and press Enter twice.
Confirm that no NRPT policy for the sec.contoso namespace is currently applied to the client computers.
Leave the Windows PowerShell window open.
(4). Query a signed zone with DNSSEC validation required:
The Name Resolution Policy Table (NRPT) is used to require DNSSEC validation. The NRPT can be configured in local Group Policy for a single computer, or in domain Group Policy for some or all computers in the domain. The following procedure uses domain Group Policy.
- To require DNSSEC validation:
On DC1, in the Server Manager menu bar, click Tools, then click Group Policy Management.
In the Group Policy Management console tree, under Domains > contoso.com > Group Policy Objects, right-click Default Domain Policy and click Edit.
In the Group Policy Management Editor console tree, navigate to Computer Configuration > Policies > Windows Settings > Name Resolution Policy.
In the details pane, under Create Rules and To which part of the namespace does this rule apply, choose Suffix from the drop-down list and type sec.contoso.com next to Suffix.
On the DNSSEC tab, select the Enable DNSSEC in this rule check box, and then under Validation select the Require DNS clients to check that name and address data has been validated by the DNS server check box.
In the bottom right corner, click Create, then confirm that a rule for sec.contoso.com has been added under Name Resolution Policy.
Click Apply, then close the Group Policy Management Editor.
Verify that the computer and user policy update completed successfully, and that the value of DnsSecValidationRequired is True for the sec.contoso.com namespace.
Repeat the Group Policy update (gpupdate /force) and verify the NRPT policy on client1.
Note:
Automatic updating of trust anchors on a non-authoritative, validating DNS server (per RFC 5011) occurs only during a key rollover. If you unsign and re-sign the zone manually with new keys, you must also distribute a new trust anchor manually. If a validating DNS server has an incorrect trust anchor, DNS queries that require validation will indicate a server failure. When no trust anchor is present, the query likewise fails validation: since there is no trust anchor, the server does not attempt to validate the response, and in this case an "unsecure" error is displayed.
- To demonstrate an unsecure response:
On DNS1, in an Administrator Windows PowerShell prompt, type the following commands and then press ENTER twice:
Start a Network Monitor capture if desired. Stop the capture after issuing the following commands, then save the capture under the name Capture5.
Type the following command and press ENTER:
On DC1, in DNS Manager, add a new host (A) record for dns1.sec.contoso.com with the IP address 10.0.0.2.
On DNS1, view the current Trust Points settings for sec.contoso.com and verify that a trust anchor using the RSA/SHA-1 algorithm is present.
Specifically, the frame details for these queries show a maximum UDP payload size of 4000 bytes, while in the case of the bigtxt.contoso.com data the size is 4,096 bytes, which exceeds the limit:
When the 4000-byte UDP limit is exceeded, the DNS server uses TCP for the DNS response.
The 4000-byte limit can also be displayed on the DNS server using Windows PowerShell:
PS C:\> (Get-DnsServer).ServerSetting.MaximumUdpPacketSize
4000
The frame details for oktxt.contoso.com are shown below. Note that UDP is used because the resource data is 3840 bytes long, which is under the 4000-byte limit:
Recall that UDP matters in DNS amplification attacks because a spoofed source address is an essential part of the attack. The three-way handshake (three-
CONCLUSION
The domain name system and its name servers are a major weak point of the Internet. Attackers can exploit this weakness for malicious ends such as stealing information, fraud and impersonation. Securing the DNS therefore deserves attention, and one of the methods chosen for the purpose is DNSSEC, the domain name security extension.
After nearly two months of studying DNSSEC as a security application for the domain name system, I have gained much useful new knowledge in the field of network information security, a valuable part of my preparation for further learning. My skills in research, learning and reasoning have also improved. However, because my knowledge is still limited, this project will inevitably contain errors, and I very much hope to receive comments from my teachers and from everyone.
The project covered:
- A study of the DNS and an introduction to DNSSEC.
- The deployment and standardisation status worldwide and in Vietnam.
- The deployment model, resource records and protocol extensions of DNSSEC.
- Applying DNSSEC to secure the DNS, with network attack scenarios and the DNSSEC solution to those DNS attack scenarios.
4. [RFC 4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.
5. [RFC 4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.
Vietnamese
1. Dr. Hoàng Trọng Minh, Information Network Security (An ninh mạng thông tin), HVCNBCVT, 2015.
2. MSc. Nguyễn Trần Tuấn, science and technology project report, Research on developing a standard for DNS security functions for distributed identity authentication in DNSSEC, Viện KHKT BĐ, 2016.
3. Nguyễn Việt Dũng, science and technology project report, Research on developing a standard on DNS security requirements and guidelines (DNSSEC), Viện KHKT BĐ, 2015.
Websites
1. https://www.vnnic.vn/dns/congnghe/cng-ngh-dnssec
2. https://technet.microsoft.com/en-us/library/hh831411(v=ws.11)#demo_1
3. https://technet.microsoft.com/en-us/security/hh972393.aspx
4. http://www.thongtincongnghe.com/article/16547