DNS insecurity and DNSSEC

A number of recent attacks against DNS suggest that hackers are increasingly targeting the Internet infrastructure rather than individual services. These attacks often serve as a precursor to other violations, such as security theft or the installation of spyware or adware on unsuspecting PCs connected to the net. As an example, take a technique called pharming, which, although known for many years, only recently made its debut in the media. It will serve to illustrate the value of DNS security.

Pharming works like this

The DNS is hierarchical. When a browser looks up a Web page, www.sita.aero for example, it needs the IP address associated with the name in the URL. If the name server it asks does not have up-to-date information, that server will ask one of the Internet root servers for a pointer. This will be a name server which the root knows runs .aero. Then, one of the .aero servers will provide a pointer to the servers which, .aero knows, run the "sita.aero" domain, and so on. Ultimately, the requester will receive back an IP address corresponding to www.sita.aero.

Anywhere along that path, you could be given misinformation by a badly configured system or by an intruder. As a result, traffic will be directed to a different site. This might mean a hacker can intercept and read your e-mail, Web browser requests, or any other Internet traffic that uses domain names to locate servers. For example, you could find yourself on a Web page that looks like the Web page of your bank, behaves just like the Web page of your bank and asks you for the same credential information as your bank would but … it is actually a front put up by a hacker luring you to provide this information or trying to gain access to your computer.

Why would anyone attack you? Money is the primary motive, according to Richard Stiennon, vice president of threat research for Webroot Software, an anti-spyware software maker quoted in the online publication Channel Register.

"Data from adware firms indicate that each PC installed with the software accounts for about US$ 2.40 in annual revenue", he said. "Pairing that data with Webroot's findings that the average PC scanned with the company's software has 2.5 adware programs suggests that adware firms garner nearly US$ 2bn in annual revenue, or about 20 per cent of the more traditional online advertising market."

How can DNSSEC solve the problem?

To some extent, this problem can be addressed today with the correct deployment of digital certificates. However, this will only address part of the problem and due to inefficiencies with this process, many users view certificate warnings as an annoyance and accept them as a matter of course.

To fight pharming and provide tools for the user to improve internet security in general, the NARC report calls for the wide deployment of a security protocol called DNS Security Extensions (DNSSEC), which provide: (a) origin authentication of DNS data, (b) data integrity, and (c) authenticated denial of existence.

DNSSEC digitally signs and verifies every DNS mapping using cryptographic keys. At each stage of the DNS lookup, the response can be authenticated using a cryptographic key. A DNS entry relating to "name.aero" would be authenticated by the .aero servers, and the response from the .aero servers would be authenticated by the root. The root would be authenticated using a public key. As a user, you would know that the response you receive is complete and authentic. And you would know that the website you arrived at is the website you wanted.

It is important to consider what DNSSEC can actually accomplish. It will make certain attacks in the DNS visible. However, the user will always remain responsible for deciding what to do when this happens. It will significantly raise the level of protection against the falsification of DNS data and help in deterring identity-related theft and spam problems.
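The chain of trust described above, as an added example that is not part of the original article: a simplified Python model in which each zone's key is vouched for by its parent and the resolver is configured with the root key only. The toy RSA keys, record layout, IP addresses and function names are assumptions for illustration; real DNSSEC carries this in DNSKEY, DS and RRSIG records with production-strength keys.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    # Textbook RSA from two known primes: illustration only, never for real use.
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(pub_n, data, sig):
    return pow(sig, E, pub_n) == digest(data, pub_n)

def delegation(parent, zone, child):
    # The parent signs the child's public key (the role DS records play).
    record = f"{zone}|{child['n']}".encode()
    return {"zone": zone, "pubkey": child["n"], "sig": sign(parent, record)}

def answer(zone_key, name, ip):
    # The zone signs its own name-to-address mapping.
    return {"name": name, "ip": ip, "sig": sign(zone_key, f"{name}|{ip}".encode())}

def validate(chain, ans, anchor):
    # Walk from the trust anchor down; every link must be signed by the key above it.
    trusted = anchor
    for link in chain:
        record = f"{link['zone']}|{link['pubkey']}".encode()
        if not verify(trusted, record, link["sig"]):
            return False
        trusted = link["pubkey"]
    return verify(trusted, f"{ans['name']}|{ans['ip']}".encode(), ans["sig"])

# Constructed sample zones and keys (Mersenne primes keep the example short).
ROOT = make_key(2**61 - 1, 2**89 - 1)
AERO = make_key(2**89 - 1, 2**107 - 1)
SITA = make_key(2**107 - 1, 2**127 - 1)
ROGUE = make_key(2**61 - 1, 2**127 - 1)   # attacker-controlled key
TRUST_ANCHOR = ROOT["n"]                  # the only key the resolver starts with

CHAIN = [delegation(ROOT, "aero", AERO), delegation(AERO, "sita.aero", SITA)]
GOOD = answer(SITA, "www.sita.aero", "192.0.2.10")
SPOOFED = dict(GOOD, ip="203.0.113.66")   # address rewritten in transit
FORGED_CHAIN = [CHAIN[0], delegation(ROGUE, "sita.aero", ROGUE)]
FORGED = answer(ROGUE, "www.sita.aero", "203.0.113.66")
```

Only the untampered answer validates; a rewritten address or a delegation signed by a key the parent never vouched for is rejected, which is the point at which a pharming attempt becomes visible.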

On the other hand, because DNSSEC introduces cryptographic material in the DNS and allows for the addition of other (non-DNS) keys, some interesting possibilities emerge. Many technologies on the Internet need some kind of simple key distribution mechanism in place, such as SSH and IPSec. What DNSSEC promises is a system in which we can validate a key from an unknown host with only one key. If the validation is successful, we can be quite certain that the host key comes from the host from which it claims to come. We get this without any extra effort or cost (from a client's perspective at least). The possibilities are probably endless and DNSSEC provides a basis to build trust on the Internet to support higher level protocols facilitating IP telephony and web services.

When can we expect DNSSEC deployment?

The DNSSEC deployment project is under way. Internet root server operators and a number of registries already have pilots in place and they are preparing the technology for implementation. Several governments are also interested in improving Internet security by providing funding and support for deployment projects.

For live deployment, however, registries and registrars will have to balance the technical need with the actual market demand. Most of them need to satisfy commercial objectives set by their shareholders and there is no clear business model yet in place. For the consumer to enjoy the benefits, Web browser developers will also need to upgrade browsers.

For more detailed information, visit the following links:

"Signposts in Cyberspace: The Domain Name System and Internet Navigation" published by the National Academies Press, 2005. See www7.nationalacademies.org/cstb/pub_dns.html.

"DNS attacks attempt to mislead consumers" from Channel Register 8 April 2005. See http://www.channelregister.co.uk/2005/04/08/dns_attacks_attempt_to_mislead_consumers.

For general technical reading about the DNSSEC programme, see http://dnssec.net.