DNS and DNS security standards and protocols
To understand how DNS security technology, standards and protocols function, it is first necessary to analyse the conventional DNS protocols and services.
The Domain Name System (DNS) is designed to associate different kinds of information with domain names, most visibly by translating human-readable hostnames into the IP addresses needed to deliver traffic (RFC 1034). It thus provides a global keyword redirection service. DNS services are not limited to translating hostnames into IP addresses: virtual hosting lets a single machine serve several web sites, and mail transfer agents, for instance, use DNS to determine where to deliver e-mail for a given address.
The DNS as a whole cannot be brought down by the failure of any single machine, but the continuing growth of the Internet places higher demands on DNS security. The main mechanism for protecting the information held in DNS is the DNS Security Extensions (DNSSEC), which provide origin authentication of DNS data, data integrity and authenticated denial of existence (RFC 2535).
Implementing DNS security is very important for securing the entire Internet infrastructure, but it proved difficult to design a standard that could scale to the whole Internet and be implemented across the variety of DNS servers and clients.
DNS security protocols aim to protect the DNS from several types of threats, which are not always DNS-specific problems but often instances of more general Internet threats.
DNSSEC protects Internet clients from forged DNS data, such as that produced by DNS cache poisoning. Besides IP addresses, DNSSEC can protect cryptographic certificates published in DNS: RFC 4398 describes how to distribute certificates via DNS (for e-mail, for instance), which opens the possibility of using DNSSEC as a global public key infrastructure for e-mail. Moreover, DNSSEC lets a client verify whether the data it received actually comes from the authoritative server, which is a crucial prerequisite for security on the Internet. Attackers regard corrupting DNS as one of the most fruitful ways of breaking the integrity of Internet applications and services: if an attacker can alter a DNS response, a large group of attack vectors opens up. For instance, a DNS attack can redirect users to the attacker's site while they believe they are communicating with the legitimate source. E-mail, web servers, VoIP and various other services are vulnerable to such attacks on DNS.
The original approach to DNS security standards was flawed because, as noted above, it could not scale to the whole Internet, so the IETF had to modify the existing protocol into a new one, called DNSSEC-bis, which differs considerably from the original approaches (such as RFC 2535). Where the earlier DNSSEC protocols presupposed cumbersome patterns of authentication between parent and child zones, the latest version resolves these issues with a more flexible system of authentication. Earlier versions of DNSSEC also required revealing the entire list of names in a zone, which many private companies and organizations regarded as a threat to their data security (RFC 4033).
DNSSEC introduced this problem because it must be able to tell a client that a domain name was not found. Security specialists hold that DNSSEC-enabled servers must sign this not-found response, since otherwise it could be spoofed by intruders on the network. At the same time, to maintain a high level of security, the signing key should not be kept online.
The approach adopted to prevent trivial zone enumeration in DNSSEC, after the problem was confirmed by complaints from many organizations, is called DNSSEC Hashed Authenticated Denial of Existence (informally NSEC3). It gives DNSSEC-enabled servers the option of sending NSEC3 records instead of NSEC records when a requested record is not found. Instead of carrying the complete DNS name, and thereby allowing complete enumeration of the zone, the NSEC3 record contains a cryptographic hash of the name. The hash and an optional salt make it harder for an attacker to build the full pre-computed dictionary that a full-scale attack on the zone would require. Verisign is currently running an NSEC3 DNSSEC pilot in order to provide other entities and the Internet community with information on the new security protocols, standards and services.
The importance and relevance of DNS security protocols has been confirmed by many participants in the Internet community; the U.S. National Strategy to Secure Cyberspace, for instance, specifically pointed out the necessity of securing DNS. Still, as noted above, some problems remain. Though DNSSEC can be applied at any level of the hierarchy, it must be available in a zone before the zones beneath it can adopt it. DNS servers must be updated with software supporting DNSSEC, and DNSSEC data must be generated and added to the DNS zone data.
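As an added example (not code from the original report or from any of the projects it names), the following Go program shows what the two paragraphs above describe. A validator accepts a plain NSEC record as proof that a name is absent when the queried name sorts between the record's owner and its "next" name, which is exactly why NSEC discloses two real names per answer; NSEC3 gives the same proof over hashes. The program implements the canonical name ordering of RFC 4034 section 6.1, the NSEC covering check, and the NSEC3 hash of RFC 5155 (SHA-1 over the wire-format name and salt, iterated, then base32hex), and builds a small hashed chain. The zone names, salt and iteration count are constructed for illustration.

```go
package main

import (
	"crypto/sha1"
	"encoding/base32"
	"sort"
	"strings"
)

// canonicalLabels lowercases a name and splits it into labels without the
// root, so "WWW.Example.COM." becomes ["www", "example", "com"].
func canonicalLabels(name string) []string {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" {
		return nil
	}
	return strings.Split(name, ".")
}

// wireName encodes a name in uncompressed DNS wire format: each label is
// preceded by its length byte and a zero byte terminates the name.
func wireName(name string) []byte {
	var out []byte
	for _, l := range canonicalLabels(name) {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0)
}

// compareCanonical orders names as RFC 4034 section 6.1 requires: compare
// labels from the root downward; a name that is a proper suffix sorts first.
func compareCanonical(a, b string) int {
	la, lb := canonicalLabels(a), canonicalLabels(b)
	for i := 1; i <= len(la) && i <= len(lb); i++ {
		if c := strings.Compare(la[len(la)-i], lb[len(lb)-i]); c != 0 {
			return c
		}
	}
	return len(la) - len(lb)
}

// nsecCovers is the validator's check: an NSEC record with this owner and next
// name proves qname absent only if qname sorts strictly between them. The last
// NSEC of a zone points back to the apex, so its range wraps around.
func nsecCovers(owner, next, qname string) bool {
	afterOwner := compareCanonical(qname, owner) > 0
	beforeNext := compareCanonical(qname, next) < 0
	if compareCanonical(next, owner) <= 0 {
		return afterOwner || beforeNext
	}
	return afterOwner && beforeNext
}

// nsec3Hash computes the RFC 5155 hashed owner name: SHA-1 over the wire name
// plus salt, re-hashed `iterations` more times with the salt appended, then
// base32hex-encoded (digits 0-9 and a-v) as it would appear in the zone.
func nsec3Hash(name string, salt []byte, iterations int) string {
	h := sha1.Sum(append(wireName(name), salt...))
	for i := 0; i < iterations; i++ {
		h = sha1.Sum(append(h[:], salt...))
	}
	enc := base32.HexEncoding.WithPadding(base32.NoPadding)
	return strings.ToLower(enc.EncodeToString(h[:]))
}

// nsec3Covers is the NSEC3 form of the same check. base32hex preserves the
// byte order of the hashes, so the encoded strings compare correctly.
func nsec3Covers(ownerHash, nextHash, qname string, salt []byte, iterations int) bool {
	q := nsec3Hash(qname, salt, iterations)
	if nextHash <= ownerHash {
		return q > ownerHash || q < nextHash
	}
	return q > ownerHash && q < nextHash
}

// nsec3Chain hashes every name in the zone and sorts the hashes; a signer
// chains NSEC3 records in exactly this order, each pointing to the next.
func nsec3Chain(names []string, salt []byte, iterations int) []string {
	chain := make([]string, 0, len(names))
	for _, n := range names {
		chain = append(chain, nsec3Hash(n, salt, iterations))
	}
	sort.Strings(chain)
	return chain
}

// coveringNSEC3 finds the (owner, next) hash pair in the chain that proves
// qname absent; ok is false when qname's hash matches a name that exists.
func coveringNSEC3(chain []string, qname string, salt []byte, iterations int) (owner, next string, ok bool) {
	for i, h := range chain {
		n := chain[(i+1)%len(chain)]
		if nsec3Covers(h, n, qname, salt, iterations) {
			return h, n, true
		}
	}
	return "", "", false
}
```

With a constructed zone of `example.`, `alpha.example.` and `delta.example.`, `nsecCovers("alpha.example.", "delta.example.", "beta.example.")` is true, and the answer carrying that proof has disclosed both neighbouring names; `coveringNSEC3(nsec3Chain(zone, salt, 12), "beta.example.", salt, 12)` returns the same kind of proof, but the two values it returns are hashes, so the requester learns only that something exists on either side of the hashed query name.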
There are several additional problems and issues connected with the functioning of DNSSEC:
- As the average size of DNS response messages grows, so do the resources needed to handle TCP connections.
- The increased number of DNS transactions places more load on the network, a problem not completely resolved even by caching.
- Zone files grow as DNSSEC records are added, making the system less flexible.
- Client programs must spend much more time validating signed data and public keys, which slows resolution.
- Server load also increases, because the server must generate new signatures whenever an RRset changes.
- Configuration errors and mistakes in key settings may also cause DNSSEC to malfunction.
- DNS with DNSSEC creates ideal conditions for denial-of-service attacks.
Implementing DNSSEC requires action on the side of both servers and clients, which is discussed in the next section.
Software for DNSSEC
Various software is required by servers and clients that want to adopt DNSSEC. Among it one should mention the following:
- BIND, the best-known DNS name server. Although the newest version of this software supports DNSSEC-bis, it has not yet been updated to support the newer NSEC3 discussed above.
- Drill extensions for web browsers such as Mozilla Firefox, which can determine whether a given domain can be validated using DNSSEC.
- DNSSEC-Tools, a SourceForge project aimed at providing flexible tools for administrators and Internet users to make use of DNSSEC. Among them are zonesigner, which makes zone signing easy; donuts, a lint checker for DNS zone files; Firefox patches integrating DNSSEC into Firefox; key maintenance tools for rollover; and various other helpful instruments.
- Among other critical software for DNSSEC deployment is Zone Key Tool, designed to ease the maintenance of DNSSEC zones. It is built primarily for environments with a small to medium number of zones and provides various zone administration tools, such as automatic zone signing key rollover and automatic zone re-signing.
DNS roots and DNSSEC
DNSSEC can also be deployed at the Internet root level, which could support the dissemination of public keys associated with any domain name and help prevent various spoofing and spam attacks. Having a small number of DNS root public keys would considerably simplify the deployment of DNSSEC 'resolvers', because those few public keys could serve as the basis of trust for the other keys below the root.
But many problems remain for the implementation of this kind of technology. Among them are the following:
- Privacy issues of zone enumeration;
- The problem of trust anchor key rollover;
- Further testing before new technologies are implemented, to ensure that new DNSSEC versions are adequate to meet security challenges.
Besides purely technical issues, political problems can cause trouble. Various countries oppose U.S. control of the Internet and thus reject any centralized system of keys. Since many governments may simply forbid the use of DNSSEC in their root levels, DNS security technologies will not develop fully at the global level.
To sum up, the theoretical characteristics of DNSSEC technologies, protocols and standards present both new possibilities and new challenges, which must be taken into consideration by those wishing to implement these security technologies. The practical implementation of this technology is discussed in the following section of this work.
IP-based networks, including the Internet, route information among computers based on their IP address, a multi-byte number (4 bytes in IP version 4, 16 bytes in IP version 6). Using these numbers directly would cause many problems, so DNS is an essential service of such networks. DNS accepts a domain name (such as www.nominum.com) and replies with data about that name, such as its corresponding IP address. DNS can also perform reverse lookups (given an IP address, return the corresponding name). DNS is deployed as a widely distributed system, for scalability. Unfortunately, DNS was not designed to be secure.
The Domain Name System Security Extensions (DNSSEC) are a set of IETF specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. They are a set of extensions to DNS which provide DNS clients (resolvers) with:
- Origin authentication of DNS data.
- Data integrity.
- Authenticated denial of existence.
It is widely considered that deploying DNSSEC is critically important for securing the Internet as a whole, but deployment has been hampered by the difficulty of:
- Devising a backward-compatible standard that can scale to the size of the Internet.
- Deploying DNSSEC implementations across a wide variety of DNS servers and clients.
There are numerous different types of threats to the DNS, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol. A Request for Comments document, RFC 3833, attempts to document some of the known threats to the DNS and, in doing so, to assess to what extent DNSSEC is a useful measure in protecting against them.
DNSSEC was designed to protect Internet users from forged DNS data, such as that produced by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS client is able to verify whether the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other data too, such as general-purpose cryptographic certificates stored in DNS. DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted. DNSSEC cannot protect against DoS attacks directly, although it indirectly provides some benefit (since signature checking allows the use of potentially untrustworthy parties).
The deployment of DNSSEC
One feature of DNSSEC is worth special note for observers of DNS governance: while a secure delegation (DS resource record) parallels the plain DNS delegation (NS resource records) down the domain hierarchy, the two are otherwise independent relationships. This means that almost nothing in the existing ICANN policies for domain name management can be taken for granted when defining policy for DNSSEC support. The Internet is regarded as critical to the activity of any organization, yet it is built on the fundamentally insecure DNS. Thus there is strong motivation to secure DNS, and implementing DNSSEC is naturally regarded as a significant part of that effort. Wide deployment of DNSSEC could resolve many other security problems as well, such as secure key distribution for e-mail addresses.
Achieving a high level of network security requires reliable encryption. Network device security is steadily becoming one of the most significant areas of the digital security industry. Growing dependence on networks and networked machines raises the number of nodes that must be secured and monitored, which is usually not done efficiently. In addition, many new devices, such as printers and other peripherals, are network-enabled with insecure default configurations.
DNSSEC deployment in large networks is also challenging. DNSSEC can be implemented at any level of the DNS hierarchy, but it must be widely available in a zone before many others will be able to adopt it. DNS servers must be updated with software that supports DNSSEC, and DNSSEC data must be generated and added to the DNS zone data.
A resolver using TCP/IP must have its DNS client software updated before it can use DNSSEC's capabilities. Furthermore, any resolver must have, or have a way to obtain, at least one public key that it can trust before it can start using DNSSEC. Ozment and Schechter observe that DNSSEC (and other approaches) has a "bootstrap problem": users typically only deploy a technology if they receive an immediate benefit, but if a minimal level of deployment is required before any users get a benefit greater than their costs, it risks remaining undeployed.
To address these challenges, significant effort is under way to deploy DNSSEC, as the Internet is of such importance to so many enterprises.
DNSSEC deployment requires the necessary software on the server and client side. Some of the tools that support DNSSEC include:
- BIND, the most popular DNS name server. Version 9.3 updated its DNSSEC support to the newer DNSSEC (DS records); this version does not support NSEC3 records.
- Drill extension for Firefox, which adds to Mozilla Firefox the ability to determine whether a domain can be validated using DNSSEC.
- DNSSEC-Tools, a SourceForge project aimed at offering easy-to-use tools that help administrators and users make use of DNSSEC. Among the tools it provides are: zonesigner, which simplifies zone signing; donuts, a DNS zone file lint checker; a Firefox patch integrating DNSSEC into the Firefox libraries; and key maintenance and rollover tools.
- Zone Key Tool, software created to simplify the maintenance of DNSSEC-aware zones. It has been designed primarily for environments with a small to medium number of zones and offers fully automatic zone signing key rollover as well as automatic re-signing of the zone.
Routers are often the first device an attacker considers. A router or switch that sits between the firewall and the Internet access provider, or between the firewall and the intranet, forms a key security point that needs to be adequately protected. Compromise of such devices can give attackers valuable information about the network infrastructure or the opportunity to mount so-called man-in-the-middle attacks, such as rerouting traffic destined for the web servers to a substitute system.
Data collection and denial of service are the two attacks most often launched against network devices. The most widespread form of data-collection attack is the password attack. Once the password is known, intruders can usually make as many changes to the device configuration as they wish. Moreover, the password used on one device may be reused on others, offering something like "one-stop shopping" for an attacker. Thus, to keep the devices secure, a password policy should be implemented: passwords should be changed regularly and never stored in a single place. Each person should know only the passwords needed for their work, and should face sanctions (a fine, for example) for disclosing a password to another person, changing it without authorization, or forgetting it. Denial-of-service attacks may be launched intentionally, or they may be caused by user or administrator error. While these attacks do not disclose sensitive data to attackers, they can have just as serious an effect. A well-executed denial-of-service attack can cost an organization millions of dollars in lost income or productivity while customers cannot access services or staff cannot access the system to perform their duties.
Before further implementation and deployment it is necessary to define all the pros and cons, and everyone who may benefit or lose from the deployment of DNSSEC.
Any innovation in an enterprise is usually adopted only with management's approval. Thus one of the first steps in deploying DNSSEC must be convincing management to provide for the new system and the new data security policy that follows from it.
Once the proposals have been approved and the proposed policies have been considered and at least partially adopted (which includes familiarizing staff with at least their key points), deployment can move to the technical part. The next step is hiring IT staff familiar with security systems and policies (system administrators) who will manage the updated network. A worthwhile alternative to hiring new system administrators is arranging training programmes and seminars for the existing IT specialists. The motivational aspect of such training should also be considered, and may be included in the current report.
Then the purchase of the necessary equipment and the installation of the required software are a key, but not the last, step in the deployment. The equipment comprises devices with secure configurations and built-in security mechanisms. IT staff should be provided with all the necessary equipment, preferably including portable devices (PDAs), so that they can react to any attack from any location on the enterprise's premises. This will necessarily raise the level of data protection, and the new policy should be helpful to any organization that handles data storage and depends on its security, including protection against data leakage and data loss. Another element of security is the creation of separate but interlinked networks, each with its own security policy, so that if one is attacked the security of the others is preserved.
DNSSEC deployment is often regarded as a political question, but there is rarely specific discussion of this "DNS root signing" politics. In fact, DNSSEC use requires more than signing the DNS root zone data; it also requires secure delegations from the root to the TLDs, and DNSSEC deployment by the TLD operators.
For the successful implementation of such a large-scale project, it is crucial to take into account the experience of other companies familiar with data security policies that have already implemented similar technologies or are further along in deployment. Cooperation should also include membership in the DNSSEC Deployment Initiative, which provides access to recent innovations and information on network security and data storage. The DNSSEC Deployment Initiative works to encourage all sectors to voluntarily adopt security measures that will improve the security of the Internet's naming infrastructure, as part of a global, cooperative effort involving many nations and organizations in the public and private sectors. The U.S. Department of Homeland Security supports the management of the program.
The specification calls for four new resource record types (Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS) and Next Secure (NSEC)) in addition to new data in the packet header. The header data used by DNSSEC indicates that the response to a query passed checks on the server side. A zone administrator who wishes to deploy DNSSEC first needs to create a key pair, consisting of a public key and a private key. The public key is stored in a DNSKEY record; the private key is stored offline. The private key is used to digitally sign the records, and the resulting digital signature is stored in an RRSIG record.
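As an added example (not part of the original report and not the code of any DNSSEC implementation it names), the following Go program walks through the key pair, DNSKEY and RRSIG steps described above, and through the signature check that the earlier passage on DNSSEC answers describes on the resolver side. It publishes the public key as DNSKEY rdata, signs an A RRset into an RRSIG with the private key, and validates the answer the way a resolver does: check the validity window, match the key tag, rebuild the signed data from the answer received and verify the signature. It uses Ed25519 (DNSSEC algorithm 15, RFC 8080) from Go's standard library rather than the RSA algorithms of the original specification, and follows the RRSIG layout, key tag and canonical ordering rules of RFC 4034; the owner names, addresses and TTLs are constructed for illustration, and the DS and NSEC records the passage also mentions are not built here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"net"
	"sort"
	"strings"
	"time"
)

const typeA, classIN, algEd25519 = 1, 1, 15 // RR type A, class IN, Ed25519 algorithm number (RFC 8080)

func putU16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func putU32(b []byte, v uint32) []byte { return putU16(putU16(b, uint16(v>>16)), uint16(v)) }

// wireName encodes a fully qualified name in canonical (lowercase, uncompressed) wire form.
func wireName(name string) []byte {
	var b []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		b = append(append(b, byte(len(l))), l...)
	}
	return append(b, 0)
}

// ARecord is one A record of the RRset being signed (Owner is an FQDN).
type ARecord struct{ Owner string; TTL uint32; IP net.IP }

// canonicalRR renders an A record as owner|type|class|TTL|rdlength|rdata.
func canonicalRR(rr ARecord) []byte {
	b := putU32(putU16(putU16(wireName(rr.Owner), typeA), classIN), rr.TTL)
	return append(putU16(b, 4), rr.IP.To4()...)
}

// dnskeyRdata is what the zone publishes: flags 257 (zone key, secure entry point), protocol 3, algorithm, key.
func dnskeyRdata(pub ed25519.PublicKey) []byte {
	return append(append(putU16(nil, 257), 3, algEd25519), pub...)
}

// keyTag (RFC 4034 Appendix B) is the 16-bit checksum an RRSIG uses to name its DNSKEY.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, c := range rdata { // even-indexed bytes are the high half of a 16-bit word
		ac += uint32(c) << (8 * uint(1-i%2))
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// RRSIG holds the rdata fields of an RRSIG record (RFC 4034 section 3.1).
type RRSIG struct {
	TypeCovered, KeyTag            uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	SignerName                     string
	Signature                      []byte
}

// signedData is RRSIG_RDATA (without the signature) followed by the RRs in canonical
// order with TTL reset to OrigTTL (RFC 4034 3.1.8.1); expiry, key tag and signer are signed too.
func signedData(s RRSIG, rrs []ARecord) []byte {
	d := append(putU16(nil, s.TypeCovered), s.Algorithm, s.Labels)
	d = putU16(putU32(putU32(putU32(d, s.OrigTTL), s.Expiration), s.Inception), s.KeyTag)
	d = append(d, wireName(s.SignerName)...)
	wires := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		rr.TTL = s.OrigTTL
		wires = append(wires, string(canonicalRR(rr)))
	}
	sort.Strings(wires)
	return append(d, strings.Join(wires, "")...)
}

// signRRset is the signer's side: fill in the RRSIG fields (valid for 30 days) and sign.
func signRRset(priv ed25519.PrivateKey, tag uint16, signer string, rrs []ARecord, now uint32) RRSIG {
	s := RRSIG{TypeCovered: typeA, Algorithm: algEd25519, Labels: uint8(strings.Count(rrs[0].Owner, ".")),
		OrigTTL: rrs[0].TTL, Inception: now, Expiration: now + 30*24*3600, KeyTag: tag, SignerName: signer}
	s.Signature = ed25519.Sign(priv, signedData(s, rrs))
	return s
}

// validateRRset is the resolver's side: check validity window and key tag, rebuild the
// signed data from the answer actually received, and verify the signature over it.
func validateRRset(pub ed25519.PublicKey, s RRSIG, rrs []ARecord, now uint32) bool {
	if now < s.Inception || now > s.Expiration || s.KeyTag != keyTag(dnskeyRdata(pub)) {
		return false
	}
	return ed25519.Verify(pub, signedData(s, rrs), s.Signature)
}

// demo signs a constructed RRset, then validates the genuine answer, a tampered answer
// (one address swapped) and the genuine answer after the RRSIG has expired.
func demo() (genuineOK, tamperedOK, expiredOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	now := uint32(time.Now().Unix())
	rrs := []ARecord{{"www.example.", 3600, net.ParseIP("192.0.2.10")}, {"www.example.", 3600, net.ParseIP("192.0.2.11")}}
	sig := signRRset(priv, keyTag(dnskeyRdata(pub)), "example.", rrs, now)
	forged := []ARecord{rrs[0], {"www.example.", 3600, net.ParseIP("203.0.113.9")}}
	return validateRRset(pub, sig, rrs, now), validateRRset(pub, sig, forged, now),
		validateRRset(pub, sig, rrs, sig.Expiration+1)
}
```

`demo()` returns `true, false, false`: the genuine RRset validates, the RRset with one swapped address does not, and the genuine RRset stops validating once the clock passes the RRSIG's expiration. Because the expiration, key tag and signer name are part of the signed data, none of them can be altered in transit either, which is what lets a resolver rely on a cached RRSIG for only as long as the signer intended.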
Conclusion
Thus, the outline of the report may be summarized as a brief implementation plan:
- Proposal
- Discussion
- Elaboration of the security policy
- Managerial approval
- Recruitment policy (training or hiring)
- Contacts with other enterprises
- Contacts with the DNSSEC Deployment Initiative (information and consultation)
- Purchase of the necessary equipment
- Introducing the new policies and familiarizing employees with them
References
Andress, Amanda. Surviving Security: How to Integrate People, Process, and Technology. Boca Raton, FL: Auerbach Publications, 2003.
Burns, Conrad. "Communications Policy for the Next Four Years." Federal Communications Law Journal 57.2 (2005): 167.
Lee, Alessandra. "Focus on Internet Safety." T H E Journal (Technological Horizons In Education) 27.2 (1999): 80.
Phifer, Lisa. "Rethinking Network Security: Perimeter Security Is No Longer Good Enough. Network Security Must Be Built in, Not Bolted On." Business Communications Review (2004): 16.
"Security Software Works Transparently, Reliably." T H E Journal (Technological Horizons In Education) 23.8 (1996): 46.
Sevcik, Peter. "Who Will Control Tomorrow's Internet?" Business Communications Review (2003): 8.
Arends, R. (2005). Request for Comments: 4033. Network Working Group.
Atkins, D., Austein, R. (2004). Request for Comments: 3833. Network Working Group, IHTFP Consulting.
Josefsson, S. (2006). Request for Comments: 4398. Network Working Group.
Eastlake, D. (1999). Request for Comments: 2535. Network Working Group, ISI.
Mockapetris, P. (1987). Request for Comments: 1034. Network Working Group, ISI.