A number of recent attacks against DNS suggest that hackers are increasingly targeting the Internet infrastructure rather than individual services. These often serve as a precursor to other violations, such as security theft, installation of spyware or adware on unsuspecting PCs connected to the net etc. As an example, take a technique call pharming, which, although known for many years, only recently made its debut in the media. It will serve to illustrate the value of DNS security.
Pharming works like this
The DNS is hierarchical. When a browser looks up a Web page, www.sita.aero for example, it needs the IP address associated with the URL. If the server does not have up to date information, it will ask one of the Internet root servers for a pointer. This will be a name server which the root knows runs .aero. Then, one of the .aero servers will provide a pointer to servers which, .aero knows, run the "sita.aero domain" and so on. Ultimately, the requestor will receive back an IP address corresponding to www.sita.aero.
Anywhere along that path, you could be given misinformation by a badly configured system, or an intruder. As a result, traffic will be directed to a different site. This might mean a hacker can intercept and read your e-mail, Web browser requests, or any other Internet traffic that uses domain names to locate servers. For example, you could find yourself on a Web page that looks like the Web page of your bank, behaves just like the Web page of your bank and asks you for the same credentials information as your bank would but … it is actually a front put up by a hacker luring you to provide this information or trying to gain access to you computer.
Why would anyone attack you? Money is the primary motive, according to Richard Stiennon, vice president of threat research for Webroot Software, an anti-spyware software maker quoted in the online publication Channel Register.
"Data from adware firms indicate that each PC installed with the software accounts for about US$ 2.40 in annual revenue", he said. "Pairing that data with Webroot's findings that the average PC scanned with the company's software has 2.5 adware programs suggests that adware firms garner nearly US$ 2bn in annual revenue, or about 20 per cent of the more traditional online advertising market."
How DNSSEC can solve the problem?
To some extent, this problem can be addressed today with the correct deployment of digital certificates. However, this will only address part of the problem and due to inefficiencies with this process, many users view certificate warnings as an annoyance and accept them as a matter of course.
To fight pharming and provide tools for the user to improve internet security in general, the NARC report calls for the wide deployment of a security protocol called DNS Security Extensions (DNSSEC).
DNSSEC digitally signs and verifies every DNS mapping using cryptographic keys. At each stage of the DNS lookup, the response can be authenticated using a cryptographic key. A DNS entry relating to "name.aero" would be authenticated by the .aero servers, and the response from .aero servers would be authenticated by the root. The root would be authenticated using a public key. As a user, you would know that the response you receive is complete and authentic. And you would know that the website you arrived at is the website you wanted.
It is important to consider what DNSSEC actually can accomplish. It will make certain attacks in the DNS visible. However, the user will always remain responsible for deciding what to do when this happens. It will raise significantly the level of protection against the falsification of DNS data and help in deterring identity-related theft and SPAM problems.
On the other hand, because DNSSEC introduces cryptographic material in the DNS and allows for the addition of other (non-DNS) keys, some interesting possibilities emerge. Many technologies on the Internet need some kind of simple key distribution mechanism in place, such as SSH and IPSec. What DNSSEC promises is a system in which we can validate a key from an unknown host with only one key. If the validation is successful, we can be quite certain that the host key comes from the host from which it claims to come. We get this without any extra effort or cost (from a client's perspective at least). The possibilities are probably endless and DNSSEC provides a basis to build trust on the Internet to support higher level protocols facilitating IP telephony and web services.
When can we expect DNSSEC deployment ?
The DNSSEC deployment project is under way. Internet root server operators and a number of registries already have pilots in place and they are preparing the technology for implementation. Several governments are also interested in improving Internet security by provide funding and support for deployment projects.
For live deployment however, registries and registrars will have to balance the technical need with the actual market demand. Most of them need to satisfy commercial objectives set by their shareholders and there is no clear business model yet in place. For the consumer to enjoy the benefits, Web browser developers will also need to upgrade browsers.
Deployment will be gradual and slow, starting with the users and community that can benefit most. But as we know from similar events in the past, this slow pace can all change in a matter of days as soon as there are CNN headline news reporting a major breach of DNS security.
While waiting for DNSSEC, as a user there is much you can do to protect yourself. After all, on the Internet, every user has a duty of care.
• For domain registrations, choose a registrar with a good track record. Keep your records up-to-date, to ensure that the registrar can actually contact you if necessary. Always remember to renew your domain.
• Stay on top of all security upgrades and patches be it for an individual PC or the entire enterprise infrastructure.
• Think carefully before deciding to ignore "certificate warnings" displayed by your browser. They may be flagged simply as a result of the system's inefficiencies (for example, if your Web browser does not have the certificate of the issuer installed) but they may well indicate a bigger problem.
The NARC Report (still in pre-publication form as this newsletter went to press) will make a helpful contribution to a debate whose time is now. So let them have the last word: "While the introduction of DNSSEC imposes significant costs and does not eliminate all Internet Security concerns nor address all Internet Threats, its implementation would represent considerable progress in improving the security of the DNS."
Resources
"Signposts in Cyberspace: The Domain Name System and Internet Navigation" published by the National Academies Press, 2005. See www7.nationalacademies.org/cstb/pub_dns.html.
"DNS attacks attempt to mislead consumers" from Channel Register 8 April 2005. See http://www.channelregister.co.uk/2005/04/08/dns_attacks_attempt_to_mislead_consumers.
For general technical reading about the DNSSEC programme, see http://dnssec.net.