It truly is amazing how one of the most basic of protocols is the foundation of the Internet. DNS is a service/protocol that is essential to traffic out on the Internet AND in many cases MORE important on internal networks. Humans, by nature, aren't really adept at remembering long strings of numbers. Hell, most of us can't remember a name five minutes after you tell it to us! And while an IPv4 address is broken down into four octets separated by dots (dot-decimal notation), it's still longer than most phone numbers. Servers (or hosts) are not usually referred to by their IP address but rather by their hostname (www) followed by the domain name (yahoo.com). Enter DNS (the Domain Name System). It takes a name (such as weblog.randomdog.net) and resolves it to the IP address associated with that name (such as 69.0.94.158). It also does the reverse (mapping an IP back to a name, via PTR records in the in-addr.arpa tree). DNS is a hierarchical naming system: a resolver starts at the root servers, which refer it to the servers for the top-level domain (.com, .net, .org, .gov, etc), which in turn refer it to the authoritative name servers for the domain, and those refer it further down for any delegated sub-domains.
Today DNS has expanded beyond its humble roots! It supplies the e-mail address of the administrator responsible for the domain (in the SOA record) and the mail servers for that domain (MX records). Additionally, DNS has been extended to advertise where services can be found on a network, as in the case of SRV records. These SRV records tell clients which host and port on the network provide certain resources (LDAP, AD domain controllers, mail). Many other services rely on a properly functioning DNS system. In fact, Microsoft's Active Directory and Apple's Open Directory will break without a properly functioning DNS.
So what if DNS breaks?
Well that's a problem. DNS was not designed with security in mind. It actually grew out of a shared file: before DNS, people passed a hosts file around. The thought of anyone tampering with the associations between host and address was not a concern; people just wanted to reach the host they were looking for. Times have changed and there's money at stake. DNS cache poisoning is a very real problem. If I were able to redirect your web browser to a 'fake' banking site, I could collect your credentials and make unauthorized withdrawals against your account. In March of 2008, Dan Kaminsky met with the vendors that provide DNS software to discuss a vulnerability he had discovered. The consequences were of such concern that all vendors present agreed to release patches for it on the same day. In very simple terms, Kaminsky's vulnerability centered on the fact that the only thing tying a reply to a query was the 16-bit transaction ID, which has just 65,536 possible values, and most resolvers sent every query from the same fixed UDP source port. A look-up is assigned a random transaction ID, but Kaminsky observed that an attacker who could get a recursive DNS server to issue queries (for example by asking it about random, nonexistent sub-domains, so the cache never gets in the way) could flood it with forged replies, guess the transaction ID within seconds, and have a forged answer accepted, including a bogus name-server record that redirects the whole domain (Vamosi, 2008). No "man in the middle" position is needed; an off-path attacker only has to win the race against the real reply. The coordinated patch made resolvers randomize the source port as well, multiplying the number of values an attacker has to guess.
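As an added example (not code from the original post), here is what a resolver hardened after the 2008 patches does to make that race hard to win: it builds the query with a random transaction ID and a random source port, then accepts a reply only if it matches both, answers the question that was asked, and stays within the bailiwick of the server that was queried. The names and addresses (bank.example, 192.0.2.x, 198.51.100.x) are constructed sample data, and the reply is modeled as an already-decoded dict rather than parsed from the wire.

```python
import os
import struct

# Added example, not code from the original post. Names and addresses used here
# (bank.example, 192.0.2.x, 198.51.100.x) are constructed sample data.


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1):
    """Build a recursive query the way a hardened resolver does.

    Returns (txid, source_port, packet). Both the 16-bit transaction ID and the
    UDP source port come from the OS CSPRNG. Before the 2008 patches most
    resolvers sent every query from one fixed port, leaving only the ID to guess.
    """
    txid = int.from_bytes(os.urandom(2), "big")
    sport = 1024 + int.from_bytes(os.urandom(2), "big") % (65536 - 1024)
    # Flags 0x0100 = RD (recursion desired); one question, no other sections.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return txid, sport, header + question


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or lies beneath it."""
    owner, zone = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)


def accept_response(txid, sport, qname, qtype, reply, zone):
    """Resolver-side acceptance checks on an already-decoded reply.

    reply = {"txid": int, "dst_port": int, "question": (name, type),
             "records": [(owner, type, rdata), ...]}
    Returns (accepted, records_to_cache). Records outside the bailiwick of
    the zone being asked are dropped even from an accepted reply, so a server
    for one domain cannot plant an address record for another domain's name
    server in the cache.
    """
    if reply["txid"] != txid or reply["dst_port"] != sport:
        return False, []  # wrong ID or port: not a reply to our query, drop it
    qn, qt = reply["question"]
    if (qn.rstrip(".").lower(), qt) != (qname.rstrip(".").lower(), qtype):
        return False, []  # answers a question we never asked
    kept = [rr for rr in reply["records"] if in_bailiwick(rr[0], zone)]
    return True, kept


def guess_space(port_randomized: bool) -> int:
    """How many (transaction ID, port) combinations an off-path attacker must
    cover to be sure of matching one in-flight query."""
    return 65536 * ((65536 - 1024) if port_randomized else 1)


def demo():
    """Constructed scenario: one forged and one genuine reply to a query for
    www.bank.example. Returns (forged_accepted, genuine_accepted, cached)."""
    qname, zone = "www.bank.example", "bank.example"
    txid, sport, _packet = build_query(qname)
    # The attacker guessed the transaction ID but not the randomized port.
    forged = {"txid": txid, "dst_port": 53 if sport != 53 else 54,
              "question": (qname, 1),
              "records": [(qname, 1, "198.51.100.66")]}
    # A genuine reply that also carries an out-of-bailiwick additional record.
    genuine = {"txid": txid, "dst_port": sport,
               "question": (qname, 1),
               "records": [(qname, 1, "192.0.2.10"),
                           ("ns1.other.example", 1, "198.51.100.9")]}
    forged_ok, _ = accept_response(txid, sport, qname, 1, forged, zone)
    genuine_ok, cached = accept_response(txid, sport, qname, 1, genuine, zone)
    return forged_ok, genuine_ok, cached


if __name__ == "__main__":
    print(demo())
    print("guesses without port randomization:", guess_space(False))
    print("guesses with port randomization:   ", guess_space(True))
```

The bailiwick check on its own does not stop the 2008 attack, because the forged replies there carry a bogus NS record for the target domain itself plus an in-bailiwick address for it; what makes the race unwinnable in practice is the combined ID-and-port randomization, and what closes it for good is a signature the attacker cannot forge, which is where DNSSEC comes in.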
Enter DNSSEC!
DNSSEC (short for DNS Security Extensions) adds a layer of security to DNS. Zone data is signed with public-key cryptography, and a validating resolver checks those signatures up a chain of trust that starts at a configured trust anchor: each parent zone publishes a DS record that identifies the child zone's key, so a forged or altered answer fails validation and is thrown away instead of cached. Its aim is to minimize threats against the integrity of DNS data. These threats include the following:
1. DNS cache poisoning (a forged reply carries no valid signature, so it is rejected rather than cached)
2. DNS man-in-the-middle attacks that alter answers in transit
3. DNS spoofing attacks
Note what DNSSEC does not do: it does not encrypt queries, so it gives no privacy, and it does not protect against DNS amplification (denial-of-service) attacks. Signed responses are larger than unsigned ones, so a DNSSEC-enabled server makes a louder amplifier, not a quieter one.
The US government has already deployed DNSSEC on the .gov and .mil top-level zones (that is, on the authoritative servers for those TLDs, not on the root servers). Unfortunately, as of today neither the root zone itself nor the .com, .net and .org top-level zones are signed.
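As an added example, not code from the original post, here is the chain of trust at the core of DNSSEC: the parent zone publishes a DS record containing a hash of the child's DNSKEY, and a validating resolver recomputes that hash to decide whether the child's key may be trusted. The key tag and DS digest computations follow RFC 4034; the keys and zone names (example, bank.example) are constructed sample data, and the RRSIG checks that a real validator also performs over every DNSKEY and DS set are left out.

```python
import hashlib
import hmac
import struct

# Added example, not code from the original post. Keys and zone names below are
# constructed sample data; no real zone's DNSKEY or DS is reproduced here.


def encode_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s.6.2): lowercase labels,
    each length-prefixed, ending in a zero byte. The root is a lone zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA (RFC 4034 s.2.1): flags(2) protocol(1) algorithm(1) public key.
    flags=257 marks a key-signing key, the one a DS normally points at."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): a 16-bit checksum used to pick the right
    key out of a DNSKEY set. Not a security check, just a selector."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS record a parent publishes for a child's DNSKEY (RFC 4034 s.5):
    digest = H(canonical owner name || DNSKEY RDATA). Type 2 is SHA-256."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    if digest_type not in hashers:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    digest = hashers[digest_type](encode_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def matches_ds(ds: dict, owner: str, rdata: bytes) -> bool:
    """What a validating resolver does at a delegation: recompute the DS from
    the child's DNSKEY and compare. A key with no matching DS is untrusted."""
    cand = ds_record(owner, rdata, ds["digest_type"])
    return (cand["key_tag"] == ds["key_tag"]
            and cand["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(cand["digest"], ds["digest"]))


def chain_is_trusted(anchor: dict, chain) -> bool:
    """Walk a delegation chain top-down. chain is a list of
    (zone, dnskey_rdata, ds_for_child_or_None). Each zone's key must match the
    DS handed down by its parent, starting from the configured trust anchor.
    (A real validator also checks the RRSIG over every DNSKEY and DS set;
    those signature checks are omitted here.)"""
    expected = anchor
    for zone, rdata, child_ds in chain:
        if expected is None or not matches_ds(expected, zone, rdata):
            return False
        expected = child_ds
    return True


def demo_chain():
    """Constructed three-level chain: root anchor -> example -> bank.example.
    Returns (intact_chain_trusted, chain_with_substituted_key_trusted)."""
    def sample_key(label: bytes) -> bytes:
        # Deterministic stand-in for a public key blob (constructed, not real).
        return dnskey_rdata(257, 8, hashlib.sha256(label).digest())
    root_key, tld_key = sample_key(b"sample root key"), sample_key(b"sample example key")
    child_key, rogue_key = sample_key(b"sample bank.example key"), sample_key(b"attacker key")
    anchor = ds_record(".", root_key)                  # configured in the resolver
    tld_ds = ds_record("example.", tld_key)            # published in the root zone
    child_ds = ds_record("bank.example.", child_key)   # published in the example zone
    good = [(".", root_key, tld_ds), ("example.", tld_key, child_ds),
            ("bank.example.", child_key, None)]
    bad = [(".", root_key, tld_ds), ("example.", tld_key, child_ds),
           ("bank.example.", rogue_key, None)]          # key swapped by an attacker
    return chain_is_trusted(anchor, good), chain_is_trusted(anchor, bad)


if __name__ == "__main__":
    print(demo_chain())
```

This is also why an unsigned root or TLD matters so much: a validating resolver can only follow the chain from a trust anchor it already holds, so until the root and the big TLDs are signed, each signed zone below them needs its own separately configured anchor.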
Resources:
Vamosi, R. (2008, July 9). Massive, coordinated DNS patch released. ZDNet Australia. Retrieved May 27, 2009, from http://www.zdnet.com.au/news/security/soa/Massive-coordinated-DNS-patch-released/0,130061744,339290456,00.htm