
The Registry of the Future



  1. The Registry of the Future
     Cristian Hesselman (1), Giovane C. M. Moura (1), Ricardo de O. Schmidt (2), and Cees Toet (1)
     (1) SIDN, the Netherlands
     (2) University of Twente, the Netherlands

  2. Key Concept: TLD Control Plane
     • Modular system that enables a registry to further increase the operational security and stability of its TLD by leveraging its key datasets (registrations, zone file, DNS queries)
     • Motivation: protect TLD users from increasing number of attacks (such as phishing, DDoS, and malware), thus increasing added value of the TLD
     • Approach: automatically share threat info with other players in the TLD (collaborative security) and adapt registry’s DNS anycast services more dynamically
     • Today: overview and illustrate what it takes to run a control plane, using .nl (the Netherlands) as a use case

  3. Required Functions
     • Control plane: extends standard registry functions
     • TLD players such as: access providers, hosting providers, registrars
     [Figure: TLD control plane architecture. Labels: TLD operator; Privacy Board (privacy policies); Traditional DNS Services with Registration (e.g., EPP), domain registration transactions, and updates; Registrant; Registrar; Control Plane; Dashboard; zone file; specs; reports; DRCM (DNS reconfiguration) issuing reconfig commands; Threat Detection Modules (TDMs); threats; DNS stats; stored data; external data sources; ENTRADA; DNS traffic; DNS anycast network (multi-node cluster); PEP; Access Provider; Hosting Provider; Resolver; Clients; End-user; www.example.nl. Legend entries: anycast name server, hosting platform.]

  4. Required Functions (same figure as slide 3)
     Function 1: DNS traffic import, storage, and retrieval

  5. Required Functions (same figure as slide 3)
     Function 2: threat detection and automatic sharing

  6. Required Functions (same figure as slide 3)
     Function 3: DNS anycast reconfiguration

  7. Required Functions (same figure as slide 3)
     Function 4: TLD-level security and stability visualization

  8. Required Functions (same figure as slide 3)
     Function 5: Privacy protection

  9. Function 1: ENTRADA (entrada.sidnlabs.nl)

  10. Function 2: Collaborative Security
     [Figure: collaborative security flows. Legend: DNS/EPP interaction; threat intelligence flow. Labels: User; user reports; domain name lookup (DNS); notifications; investigation; Report Site Operator; Judicial Authorities; Classifier; criminal investigation; technical operations; Resolver Operator; JTIE interactions (index = domain name); Registrar; Registrant; registration updates; Domain Classifier; Hosting Provider; DNS queries and responses (ENTRADA); DNS Name Servers.]

  11. Function 4: .nl Security Dashboard

  12. Next Steps
     • Flesh out TLD control plane functions through various collaborative research projects
     • Incrementally transition the control plane into production
     • Continue to share and discuss with the (technical) community
     • Longer term: fully distributed control plane
        • Running at different DNS operators
        • Distributed threat detection/analysis
        • Sharing threat info using standard formats
        • Taking different privacy regulations into account

  13. Q&A
     Follow us: SIDN.nl, @SIDN, SIDN
     Presentation based on: C. Hesselman, G. Moura, R. de O. Schmidt, and C. Toet, "Increasing DNS Security and Stability through a Control Plane for Top-level Domain Operators", IEEE Communications Magazine, Network and Service Management Series, January 2017
     URL: https://www.sidnlabs.nl/downloads/papers-reports/sidnlabs-commag.pdf
