The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Dan Massey - Colorado State University

Students: Spring 2024, unless noted otherwise, sessions will be virtual on Zoom.

Securing the Internet's Domain Name System

Oct 05, 2005

Download: Video Icon MP4 Video Size: 102.6MB  
Watch on Youtube Watch on YouTube

Abstract

This talk considers security challenges facing the Internet's Domain Name System (DNS). The DNS is one of the most widely used and least secure Internet systems. Viirtually every Internet application relies on the DNS to convert names into IP addresses and the DNS provides a wide range of other critical mappings such as identifying mail servers and locate services. But despite its importance, the original DNS design gave very little thought to security and a variety of misdirection and denial of service attacks are possible. For example, a web browser relies on the DNS to convert www.purdue.edu into an IP address. The DNS supplies the web browser with an IP address (more precisely an "A" resource record set) such as 129.82.100.64 (is this address correct?). If this address is wrong, the browser will be directed to the wrong site. If the DNS fails to return a response, the browser will not be able to load the desired web page. Currently, both the operational and research communities are making considerable efforts to improve DNS security. After nearly a decade of development, the IETF has standardized DNS Security Extensions that add public key authentication into the DNS. The hierarchical structure of the DNS is leveraged to authenticate public keys, keys can be managed offline, and the signatures allow a resolver to authenticate a response. However several open issues remain, including key revocation, support for dynamic updates, resolver security policies, incremental deployment, and commercial challenges. The DNS Security Extension enable a number of new techniques, but basic problems on denial of service remain. The research community has largely focused on denial of service attacks against critical top level servers could potentially cause considerable damage to the DNS service. This has led to proposals for replacing the DNS tree with a distributed hash table attacking a few critical top level servers. This talk will argues that, despite some major flaws, the DNS Security Extensions provide the necessary tools to build a robust and secure DNS. By using these tools appropriately, a wholesale replacement of the DNS system by other approaches can and should be avoided.

About the Speaker




Ways to Watch

YouTube

Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!