Addressing Weaknesses in the Domain Name System Protocol
Tech report number
COAST TR 94-05
The Domain name System (DNS) is a widely implemented distributed database system used throughout the Internet, providing name resolution between host names and Internet Protocol addresses. This thesis describes problems with the DNS and one of its implementations that allow the abuse of name based authentication. This leads to situations where the name resolution process cannot be trusted, and security may be compromised. This thesis outlines the current design and implementation of the DNS. It states the main problem both on a high level and as applied to the DNS in a more concrete fashion. We examine the weaknesses by describing the necessary modifications in authoritative DNS data and Domain Name System code. We list experiences gained during experiments with several setups of name servers and trusting hosts in a local area network. Too weak assumptions during the authentication processes cause many security breaches. We state the security considerations in the official design documents and analyze the algorithms used in the DNS protocol looking for weak assumptions. Using a wide variety of criteria, we discuss several approaches to solve the main problem in the Domain name System protocol. Two of these solutions, hardening the name server and using cryptographic methods for strong authentication, receive more attention than the other solutions.
1. Introduction 2. The Domain Name System 3. Description and Demonstration of Weaknesses 4. Security Analysis and Solutions 5. Conclusions and Outlook
A hard-copy of this is in REC 216