The Domain Name System and Internet Still Survive

1
The Domain Name System and Internet Still Survive

• Presented by Ao-Jan Su

2
Please clarify

• Section 4. Two recent survey by Pappas and
  Ramasubramanian most domain names are served by
  a small number of nameservers.
  
• Abstract The survey shows that a typical name
  depends on 46 servers on average.
  
• Which one is correct?

3
Ordered Records (Large TCB is not an important
issue)

• Most DNS queries use the first entry in the
  ordered list
  
• It is very unlikely to ask Rochester for
  Cornells IP address
  
• QUESTION SECTION
• cornell.edu. IN A
• ANSWER SECTION
• cornell.edu. 86400 IN A
  128.253.161.179
  
• AUTHORITY SECTION
• cornell.edu. 432000 IN NS
  dns.cit.cornell.edu.
  
• cornell.edu. 432000 IN NS
  cudns.cit.cornell.edu.
  
• cornell.edu. 432000 IN NS
  simon.cs.cornell.edu.
  
• cornell.edu. 432000 IN NS
  bigred.cit.cornell.edu.
  
• cornell.edu. 432000 IN NS
  cayuga.cs.rochester.edu.
  

4
Hijack FBI (DNS designs fault?)

• reston-ns2.telemail.net is running an old
  nameserver (BIND 8.2.4)
  
• It is the vulnerability of software (server) NOT
  the design of DNS.
  
• This problem can be easily detected and corrected
  (by scanning the versions of BIND in the
  nameservers periodically and keep the software up
  to date)

5
OK, .edu and .org are Lazy

• But, this also implies that hackers have very
  little interest in hijacking these domains.
  
• Or cs.northwestern.edu would be hijacked now!
• Same reason goes to Ukraine, Belarus, San Marino,
  Malta
  
• BTW Can you give me some examples of domains with
  .aero and .int?

6
Conclusion

• Dont blame on DNS for vulnerability (bugs) of
  BIND
  
• TCB is not a good representation of daily DNS
  operations (extreme conditions should not count
  the same weight as normal cases)
  
• However, I agree that .edu and .org nameservers
  should update their BIND as soon as possible
  

7
Thank you.