CERIAS - Center for Education and Research in Information Assurance and Security

Purdue University - Discovery Park

Securing the Internet's Domain Name System

Dan Massey - Colorado State University

Oct 05, 2005

Size: 102.6MB

Download: MP4 Video. Watch in your browser or on YouTube.

Abstract

This talk considers security challenges facing the Internet's Domain Name System (DNS). The DNS is one of the most widely used and least secure Internet systems. Virtually every Internet application relies on the DNS to convert names into IP addresses, and the DNS provides a wide range of other critical mappings such as identifying mail servers and locating services. But despite its importance, the original DNS design gave very little thought to security, and a variety of misdirection and denial of service attacks are possible. For example, a web browser relies on the DNS to convert www.purdue.edu into an IP address. The DNS supplies the web browser with an IP address (more precisely an "A" resource record set) such as 129.82.100.64 (is this address correct?). If this address is wrong, the browser will be directed to the wrong site. If the DNS fails to return a response, the browser will not be able to load the desired web page. Currently, both the operational and research communities are making considerable efforts to improve DNS security. After nearly a decade of development, the IETF has standardized DNS Security Extensions that add public key authentication to the DNS. The hierarchical structure of the DNS is leveraged to authenticate public keys, keys can be managed offline, and the signatures allow a resolver to authenticate a response. However, several open issues remain, including key revocation, support for dynamic updates, resolver security policies, incremental deployment, and commercial challenges. The DNS Security Extensions enable a number of new techniques, but basic problems of denial of service remain. The research community has largely focused on denial of service, since attacks against critical top level servers could potentially cause considerable damage to the DNS service. This has led to proposals for replacing the DNS tree with a distributed hash table, removing the dependence on a few critical top level servers.
This talk argues that, despite some major flaws, the DNS Security Extensions provide the necessary tools to build a robust and secure DNS. By using these tools appropriately, a wholesale replacement of the DNS system by other approaches can and should be avoided.
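The abstract's central mechanism, the DNS hierarchy authenticating zone keys so that a resolver can check the signature on an answer, is shown below as an added example; it is not code from the talk or from any DNSSEC implementation. It models three zones (root, edu., purdue.edu.), a parent-signed DS digest for each child key, and a resolver that walks the chain from a root trust anchor before accepting the A record from the abstract. The record encoding, the single key per zone and the small textbook RSA are simplifying assumptions for a runnable demo, not the DNSSEC wire format, and the alternate address 203.0.113.7 is a constructed value.

```python
# Toy DNSSEC-style chain of trust: a parent zone publishes a signed DS digest of its
# child's key and a validating resolver walks root -> edu -> purdue.edu before it
# trusts the A record. Illustrative only: not the DNSSEC wire format or real key sizes.
import copy, hashlib, random

def _is_probable_prime(n, rng, rounds=16):
    # Miller-Rabin primality test, adequate for demo keys.
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(rng, bits=512):
    """Return (public, private) toy RSA keys, each as an (exponent, modulus) tuple."""
    def prime(k):
        while True:
            c = rng.getrandbits(k) | (1 << (k - 1)) | 1
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:  # 65537 is prime, so this gives gcd(e, phi) == 1
            return (65537, p * q), (pow(65537, -1, phi), p * q)

def canonical(owner, rtype, rdata):
    """Canonical form of an RRset (demo encoding): owner, type, sorted rdata."""
    return "|".join([owner, rtype, *sorted(rdata)]).encode()

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # 256 bits, always < modulus here

def sign(priv, data):       # RRSIG stand-in: RSA over the digest
    return pow(_h(data), priv[0], priv[1])

def verify(pub, data, sig):
    return pow(sig, pub[0], pub[1]) == _h(data)

def key_digest(pub):        # DS stand-in: hash of the child's public key
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

def publish(zone, priv, owner, rtype, rdata):
    # Store an RRset in a zone together with its signature under that zone's key.
    zone["signed"][(owner, rtype)] = (tuple(rdata), sign(priv, canonical(owner, rtype, rdata)))

def build_zones(rng):
    """Root, edu and purdue.edu zones; each parent signs a DS for its child."""
    names = [".", "edu.", "purdue.edu."]
    keys = {z: gen_key(rng) for z in names}
    zones = {z: {"dnskey": keys[z][0], "signed": {}} for z in names}
    for parent, child in zip(names, names[1:]):
        publish(zones[parent], keys[parent][1], child, "DS", [key_digest(keys[child][0])])
    # Constructed record using the address quoted in the abstract, not live data.
    publish(zones["purdue.edu."], keys["purdue.edu."][1], "www.purdue.edu.", "A", ["129.82.100.64"])
    return zones, keys["."][0]  # the root public key is the resolver's trust anchor

def validate(zones, trust_anchor, name, rtype):
    """Resolver-side validation; returns (True, rdata) or (False, reason)."""
    chain = sorted((z for z in zones if z == "." or name.endswith("." + z)), key=len)
    if zones[chain[0]]["dnskey"] != trust_anchor:
        return False, "root key does not match the configured trust anchor"
    trusted = trust_anchor
    for parent, child in zip(chain, chain[1:]):
        ds = zones[parent]["signed"].get((child, "DS"))
        if ds is None:
            return False, f"{parent} publishes no DS for {child}"
        if not verify(trusted, canonical(child, "DS", ds[0]), ds[1]):
            return False, f"DS for {child} has an invalid signature"
        if key_digest(zones[child]["dnskey"]) not in ds[0]:
            return False, f"DNSKEY of {child} does not match the DS in {parent}"
        trusted = zones[child]["dnskey"]  # the hierarchy has now authenticated this key
    entry = zones[chain[-1]]["signed"].get((name, rtype))
    if entry is None:
        return False, "no signed RRset"
    if not verify(trusted, canonical(name, rtype, entry[0]), entry[1]):
        return False, "RRSIG does not verify under the authenticated zone key"
    return True, entry[0]

def demo(seed=7):
    """Genuine answer validates; a swapped address or an unvouched zone key does not."""
    rng = random.Random(seed)
    zones, anchor = build_zones(rng)
    target = ("www.purdue.edu.", "A")
    # Wrong address with the original signature left in place: the RRSIG check fails.
    spoofed = copy.deepcopy(zones)
    spoofed["purdue.edu."]["signed"][target] = (("203.0.113.7",), zones["purdue.edu."]["signed"][target][1])
    # Record re-signed with a key that no parent DS vouches for: the chain check fails.
    forged = copy.deepcopy(zones)
    fpub, fpriv = gen_key(rng)
    forged["purdue.edu."]["dnskey"] = fpub
    publish(forged["purdue.edu."], fpriv, *target, ["203.0.113.7"])
    return [validate(z, anchor, *target) for z in (zones, spoofed, forged)]
```

Running `demo()` returns three results: the genuine answer with its address, and two rejections whose reasons name the failed step. The second rejection is the point the abstract makes about the hierarchy: a correctly signed answer is still worthless to the resolver unless the signing key is itself vouched for by the parent zone, all the way up to the trust anchor.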

About the Speaker



Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.

Disclaimer

The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.