Title: Perils of Transitive Trust in the Domain Name System
1Perils of Transitive Trust in the Domain Name
System
- Venugopalan Ramasubramanian
- Emin Gün Sirer
- Cornell University
2Introduction
- DNS is critical to the Internet
- DNS architecture is based on delegations
- control for names is delegated to name servers
designated by the name owner - delegations facilitate high scalability and
decentralized administration - what is the impact on security?
3Dependencies for www.fbi.gov
root
www.fbi.gov
gov
- gov.zoneedit.com
- zoneedit.com
fbi.gov
dns,2.sprintip.com ns3,4,5,6.vericenter.com
sprintip.com
- sprintlink.net
- telemail.net
vericenter.com
4Subtle Dependencies in DNS
- www.fbi.gov
- 86 servers, 17 domains, depth 3
- www.cs.cornell.edu
- cs.rochester.edu ? cs.wisc.edu ? itd.umich.edu
- 48 nameservers, 20 domains, depth 4
-
- DNS dependencies are subtle and complex
- increases risk of domain hijacks
- use of caching (TTL) worsens impact
5Servers with Security Loopholes
www.fbi.gov
- www.cs.cornell.edu ? slate,cayuga.cs.rochester.
edu - source internet systems consortium (www.isc.org)
6Survey Goals
- Which domain names have large dependencies and
entail high risk? -
- Which domains are affected by servers with known
security holes and can be easily taken over? -
- Which servers control the largest portion of the
namespace and are thus likely to be attacked?
7Survey Methodology
- 593160 domain names (Yahoo and Dmoz.org)
- 166771 name servers
- 535036 domains, 196 top-level-domains
8Number of Dependencies
Number of Dependencies
9Length of Dependency Chains
Length of Dependencies
10Dependencies by TLDs
11Bottleneck Servers
Size of Bottlenecks
12Availability vs. Vulnerability
13Security Flaws in Nameservers
Survey of BIND
source Internet Systems Consortium (ISC)
14Vulnerability to Security Flaws
- 17 of servers have known loopholes
- 45 of names are not totally safe
- security through obscurity!
- more than 40 of servers hide version numbers
- 19/46 reports for cs.cornell.edu and 18/86 for
fbi.gov
15Vulnerability in Bottlenecks
Size of Safe Bottlenecks
16Valuable Nameservers
17Valuable Nameservers
Top 5 Domains
arizona.edu ucla.edu uoregon.edu nyu.edu berkeley.
edu
18Summary and Discussions
- Easy to take over the Internet
- identify the domain you want to attack
- determine a set of servers that control the
domain - compromise or DoS the bottleneck servers
19DNS-SEC
- Security Standard for DNS based on public-key
cryptography and digitally signed certificates - Not widely used currently
- security at delegation points
- authenticated denials
- islands of security
- Does not eliminate risks of DoS attacks
20CoDoNS Approach
- Separate name management from lookup resolution
- No delegations
- self-certifying data for authenticity
- Fast, Robust, and Scalable Lookup Service
- optimal proactive caching on structured overlays
21Conclusions
- Domain names have subtle dependencies
- name-based delegations
-
- Blind delegation of trust to improve availability
is counter-productive - High susceptibility to domain hijacks
- Critical servers are not well-secured
- http//www.cs.cornell.edu/people/egs/beehive/codon
s.php
22(No Transcript)