Perils of Transitive Trust in the Domain Name System

1
Perils of Transitive Trust in the Domain Name
System

• Venugopalan Ramasubramanian
• Emin Gün Sirer
• Cornell University

2
Introduction

• DNS is critical to the Internet
• DNS architecture is based on delegations
• control for names is delegated to name servers
  designated by the name owner
• delegations facilitate high scalability and
  decentralized administration
• what is the impact on security?

3
Dependencies for www.fbi.gov
root
www.fbi.gov
gov

• gov.zoneedit.com
• zoneedit.com

fbi.gov
dns,2.sprintip.com ns3,4,5,6.vericenter.com
sprintip.com

• sprintlink.net
• telemail.net

vericenter.com
4
Subtle Dependencies in DNS

• www.fbi.gov
• 86 servers, 17 domains, depth 3
• www.cs.cornell.edu
• cs.rochester.edu ? cs.wisc.edu ? itd.umich.edu
• 48 nameservers, 20 domains, depth 4
• DNS dependencies are subtle and complex
• increases risk of domain hijacks
• use of caching (TTL) worsens impact

5
Servers with Security Loopholes
www.fbi.gov

• www.cs.cornell.edu ? slate,cayuga.cs.rochester.
  edu
• source internet systems consortium (www.isc.org)

6
Survey Goals

• Which domain names have large dependencies and
  entail high risk?
• Which domains are affected by servers with known
  security holes and can be easily taken over?
• Which servers control the largest portion of the
  namespace and are thus likely to be attacked?

7
Survey Methodology

• 593160 domain names (Yahoo and Dmoz.org)
• 166771 name servers
• 535036 domains, 196 top-level-domains

8
Number of Dependencies
Number of Dependencies
9
Length of Dependency Chains
Length of Dependencies
10
Dependencies by TLDs
11
Bottleneck Servers
Size of Bottlenecks
12
Availability vs. Vulnerability
13
Security Flaws in Nameservers
Survey of BIND
source Internet Systems Consortium (ISC)
14
Vulnerability to Security Flaws

• 17 of servers have known loopholes
• 45 of names are not totally safe
• security through obscurity!
• more than 40 of servers hide version numbers
• 19/46 reports for cs.cornell.edu and 18/86 for
  fbi.gov

15
Vulnerability in Bottlenecks
Size of Safe Bottlenecks
16
Valuable Nameservers
17
Valuable Nameservers
Top 5 Domains
arizona.edu ucla.edu uoregon.edu nyu.edu berkeley.
edu
18
Summary and Discussions

• Easy to take over the Internet
• identify the domain you want to attack
• determine a set of servers that control the
  domain
• compromise or DoS the bottleneck servers

19
DNS-SEC

• Security Standard for DNS based on public-key
  cryptography and digitally signed certificates
• Not widely used currently
• security at delegation points
• authenticated denials
• islands of security
• Does not eliminate risks of DoS attacks

20
CoDoNS Approach

• Separate name management from lookup resolution
• No delegations
• self-certifying data for authenticity
• Fast, Robust, and Scalable Lookup Service
• optimal proactive caching on structured overlays

21
Conclusions

• Domain names have subtle dependencies
• name-based delegations
• Blind delegation of trust to improve availability
  is counter-productive
• High susceptibility to domain hijacks
• Critical servers are not well-secured
• http//www.cs.cornell.edu/people/egs/beehive/codon
  s.php

22
(No Transcript)