Commonly described as the phone book of the Internet, the Domain Name System (DNS) translates a colossal number of hostnames into IP addresses (and back). The DNS Security Extensions (DNSSEC) are a suite of specifications that address a basic weakness in that system: a resolver has no way to tell a genuine answer from a forged one.
Although there are many hurdles left in the deployment of DNSSEC, it got a boost in late February. As reported in Network World, VeriSign, the company that controls .com and .net, has pledged to implement it on those domains within two years.
The news came just a few months after the federal government mandated that DNSSEC be deployed on the top-level .gov domain and its DNS servers by January 2009, and on the sub-domains by the end of the year.
These actions are indicative of heightened concern about the DNS. Last summer, Dan Kaminsky, renowned "Black Ops" software expert and director of penetration testing at computer security services firm IOActive, discovered a significant flaw in the way most resolvers protected their caches: with only a 16-bit transaction ID for an attacker to guess, and a technique for forcing the resolver to issue fresh queries at will, the forgery race could be won quickly. Media reports indicated that he was able to poison a cache within 10 minutes.
"(This means) you can change the responses the server gives for www.myonlinebank.com to be your own server," said Chris Busch, vice president, broadband technologies, Incognito Software. "If you take the time to make the server’s Web page look like Wachovia, for example, all of a sudden people think they have reached the Wachovia Web site and begin to log in."
With DNSSEC, an authoritative server answers a query with the requested records plus a digital signature over them (an RRSIG record) made with the zone's private key. A validating resolver (a caching server that implements DNSSEC) checks that signature against the zone's published public key (its DNSKEY record) and, through DS records in each parent zone, follows a chain of trust up to a key it is already configured to trust, which lets it confirm that the information is authentic and unaltered.
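To make that chain of trust concrete, here is an added example written for this page, not code from the article or from any vendor's product: a toy validating resolver in Python. The zone names, the single A record and the deliberately tiny RSA keys are all constructed; record formats are reduced to a text form and the DS digest and signature coverage only mimic the real wire formats. What the example does show faithfully is the sequence of checks a validator performs at each zone on the path: the zone's DNSKEY must hash to the DS its parent (or the configured trust anchor) vouches for, the DNSKEY RRset must carry a valid self-signature, the DS for the next zone down must be signed by this zone, and finally the answer RRset itself must verify under the last zone's key.

```python
"""Toy validating resolver walking a DNSSEC chain of trust from a configured
trust anchor down to a signed A record.  Added example, not code from the
article or any vendor: zones, names and keys are constructed here, the record
formats are simplified, and the RSA keys are tiny toys (never use such keys)."""
import hashlib
from math import gcd

def next_prime(n):
    """Smallest prime above n, by trial division (fine at toy sizes)."""
    while True:
        n += 1
        if all(n % k for k in range(2, int(n ** 0.5) + 1)):
            return n

def make_key(seed):
    """Deterministic toy RSA key pair from two ~7-digit primes (illustration only)."""
    p, q = next_prime(seed), next_prime(seed * 2)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while gcd(e, phi) != 1:          # keep e invertible modulo phi
        e += 2
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def canonical(owner, rtype, rdatas):
    """Canonical form of an RRset: the bytes an RRSIG actually covers."""
    return f"{owner.lower()}|{rtype}|{'|'.join(sorted(rdatas))}".encode()

def _h(data, n):                      # SHA-256, reduced mod n because the toy modulus is small
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_h(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])

def dnskey_rdata(pub):
    """DNSKEY RDATA as text: flags (257 = key-signing key), protocol 3, algorithm, key."""
    return f"257 3 8 {pub['n']}:{pub['e']}"

def ds_digest(owner, rdata):
    """DS record published by the parent: SHA-256 over owner name + child DNSKEY RDATA."""
    return hashlib.sha256(owner.lower().encode() + rdata.encode()).hexdigest()

class Zone:
    """An authoritative zone: its RRsets plus the RRSIGs it serves with them."""
    def __init__(self, name, seed):
        self.name, self.key, self.rrsigs = name, make_key(seed), {}
        self.pub = {"n": self.key["n"], "e": self.key["e"]}          # what DNSKEY publishes
        self.rrsets = {(name, "DNSKEY"): [dnskey_rdata(self.pub)]}

    def delegate(self, child):
        """Publish a DS for a child zone, as .com does for example.com."""
        self.rrsets[(child.name, "DS")] = [ds_digest(child.name, dnskey_rdata(child.pub))]

    def sign_zone(self):
        for (owner, rtype), rdatas in self.rrsets.items():
            self.rrsigs[(owner, rtype)] = sign(self.key, canonical(owner, rtype, rdatas))

    def signed_ok(self, owner, rtype, pub):
        rdatas, sig = self.rrsets.get((owner, rtype)), self.rrsigs.get((owner, rtype))
        return (rdatas is not None and sig is not None
                and verify(pub, canonical(owner, rtype, rdatas), sig))

def validate(zones, trust_anchor, qname, qtype="A"):
    """Validating-resolver logic: True only if every link from anchor to answer verifies."""
    labels = qname.rstrip(".").split(".")
    on_path = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    chain = [z for z in on_path if z in zones]       # e.g. ".", "com.", "example.com."
    expected_ds = trust_anchor
    for i, zname in enumerate(chain):
        z, pub = zones[zname], zones[zname].pub
        if ds_digest(zname, dnskey_rdata(pub)) != expected_ds:  # (1) key matches parent's DS
            return False
        if not z.signed_ok(zname, "DNSKEY", pub):               # (2) DNSKEY RRset self-signed
            return False
        if i + 1 == len(chain):
            return z.signed_ok(qname, qtype, pub)                # (4) the answer RRset itself
        child = chain[i + 1]
        if not z.signed_ok(child, "DS", pub):                   # (3) DS for child signed here
            return False
        expected_ds = z.rrsets[(child, "DS")][0]
    return False                                                 # no signed zone on the path

def build_example():
    """Constructed hierarchy root -> com. -> example.com. with one signed A record."""
    root, com, ex = Zone(".", 1_000_000), Zone("com.", 3_000_000), Zone("example.com.", 5_000_000)
    ex.rrsets[("www.example.com.", "A")] = ["192.0.2.10"]       # RFC 5737 documentation address
    com.delegate(ex)
    root.delegate(com)
    for z in (root, com, ex):
        z.sign_zone()
    anchor = ds_digest(".", dnskey_rdata(root.pub))             # what the resolver is configured with
    return {z.name: z for z in (root, com, ex)}, anchor

if __name__ == "__main__":
    zones, anchor = build_example()
    print("genuine answer validates:", validate(zones, anchor, "www.example.com."))
    # Poisoned cache: same name, attacker's address; the stored RRSIG no longer matches.
    zones["example.com."].rrsets[("www.example.com.", "A")] = ["198.51.100.66"]
    print("poisoned answer validates:", validate(zones, anchor, "www.example.com."))
```

Running it prints True for the genuine record and False once the A record has been swapped for another address, because the stored signature no longer covers the data; swapping the DS in the com. zone or misconfiguring the trust anchor fails in the same way. Note what the check depends on: every zone from the root down to the answer must be signed and the resolver the subscriber actually uses must validate. If either is missing, the resolver is back to trusting whatever arrives first.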
Implementation, however, is complex, said Bruce Van Nice, Nominum director of corporate marketing. There are millions of domains. "If the .gov domains get signed this year, there are still a couple of issues," he said. "The server the subscriber uses to access (.gov) may not be (protected)." Van Nice believes widespread deployment of DNSSEC is still three to five years away.
DNS servers need to be upgraded to handle DNSSEC, which could involve a capital expenditure if the infrastructure is outdated. "In the case of digital signatures on a DNS transaction, you are asking the server to expend more processing time on ongoing upgrades of DNS," Busch said.
Some believe that signing the root zone, served by the 13 root server identities at the top of the DNS hierarchy, could speed up the process, because validating resolvers could then start from a single trust anchor instead of maintaining a separate key for every signed top-level domain. In response to a Notice of Inquiry last fall by the NTIA, Comcast said a signed root would make it "less burdensome" for ISPs to support DNSSEC-capable resolvers, thus encouraging more ISPs to deploy DNSSEC.
In the meantime …
Until these issues are sorted out and DNSSEC is widely implemented, companies like Nominum, which offers a DNS caching platform, have upgraded their products to provide additional protection. Van Nice called his company's solution a complement to DNSSEC, which does not guard against phishing: a signed answer proves that a record is the one its zone published, not that the domain is the one the user meant to visit.
In addition, cable operators providing voice services should keep the DNS used by PacketCable client devices and CMS/softswitches separate from general Internet DNS servers, Busch said.
If they use the same server, malicious users may be able to learn about the devices providing phone service, i.e., how many exist, which subscriber belongs to which device and the domain name assigned to each device. "(This is) an unbelievable key to the kingdom," Busch said.
Busch also advised denying recursive lookups on DNS servers and running the latest version of BIND (Berkeley Internet Name Domain), which Wikipedia describes as the most widely used DNS software. BIND was updated last July, in a coordinated release with other DNS vendors, to include a cache poisoning patch that randomizes the UDP source port of the resolver's outgoing queries.
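The practical check behind that advice is whether a server will still recurse for a client that should not be getting recursion. The Python below is an added example, not code from the article or any vendor: it builds a standard query with the RD (recursion desired) bit set and classifies the reply by its RA (recursion available) bit, RCODE and answer section. The two reply messages are constructed by hand here so the example runs offline; the `probe()` function is the only part that sends traffic and is a convenience I added, not a tool the article names.

```python
"""Does this name server offer recursion to me?  Build an RD=1 query, then
read RA, RCODE and the answer section of the reply.  Added example with two
hand-constructed replies (not captured traffic); probe() needs network access."""
import os
import socket
import struct

def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00'"""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, txid=0x1234, qtype=1):
    """Standard query, RD=1 (flags 0x0100): 12-byte header + one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            hops += 1
            if hops > 16:                         # refuse pointer loops in hostile replies
                raise ValueError("compression pointer loop")
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_reply(msg):
    """Header flags plus the answer RRs (A records rendered as dotted quads)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    r = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
         "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
         "rcode": flags & 0x000F, "answers": []}
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        r["answers"].append((owner, rtype, ttl, rdata))
    return r

def classify(reply):
    """What a reply to an RD=1 query says about recursion for the asking client."""
    r = parse_reply(reply)
    if r["rcode"] == 5:
        return "recursion denied (REFUSED)"
    if r["ra"]:
        return "open resolver" if r["answers"] else f"recursion available, rcode {r['rcode']}"
    return "authoritative answer only" if r["aa"] else "no recursion offered"

def probe(server, name="example.com.", timeout=2.0):
    """Send the query for real over UDP/53 and classify the reply (needs network)."""
    q = build_query(name, txid=int.from_bytes(os.urandom(2), "big"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != q[:2]:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    return classify(reply)

# Constructed sample replies to build_query("example.com.") (not captured traffic).
QUESTION = encode_name("example.com.") + struct.pack("!HH", 1, 1)
# Open resolver: QR|RD|RA set, RCODE 0, one A answer using a pointer to the question name.
OPEN_RESOLVER_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                       + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
# Recursion denied: QR|RD set, RA clear, RCODE 5 (REFUSED), no answer.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print(classify(OPEN_RESOLVER_REPLY))          # open resolver
    print(classify(REFUSED_REPLY))                # recursion denied (REFUSED)
```

Run `probe()` against an authoritative server from an address outside the operator's network: the answer you want is "recursion denied" or "authoritative answer only", and "open resolver" means the server is usable both as a cache-poisoning target and as an amplifier. The same server may legitimately answer "open resolver" from inside the network if it serves subscribers there, which is why the PacketCable and subscriber-facing roles are better kept on separate machines.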
Van Nice, however, warns that this patch is a "probabilistic" defense. It adds 16 more bits of protection to identifying queries between servers, but it has been shown that it can be compromised, he said.
On the other hand, Van Nice is unequivocal about the kind of cache poisoning demonstrated last summer. "(Nominum has) definitively stopped the Kaminsky attack," he said.
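The following is an added example, not code from the article or from either vendor, that puts numbers on the "probabilistic" point. It models the forgery race in memory: for each query the resolver draws a fresh transaction ID (and, with the patch, a fresh source port), the attacker floods some number of forged replies, and the Kaminsky technique of asking for a fresh random sub-name means a lost race simply starts another one rather than waiting for a cached record's TTL to expire. The attacker's per-race budget, the timings and the 16-bit port space are constructed parameters, not measurements.

```python
"""Source-port randomization as a probabilistic defence.  With only the 16-bit
transaction ID random, each forged reply has a 1-in-65536 chance of being
accepted, and the Kaminsky sub-name trick lets the attacker start a new race
the moment the last one fails.  Randomizing the UDP source port adds about 16
more bits.  Added example with constructed parameters; nothing is sent."""
import random

TXID_BITS = 16
PORT_BITS = 16   # roughly 64K usable source ports, taken here as a full 16 bits

def keyspace(randomize_port):
    """How many (txid, port) combinations a forged reply must match."""
    return 2 ** (TXID_BITS + (PORT_BITS if randomize_port else 0))

def expected_queries(guesses_per_query, randomize_port):
    """Mean number of races until one is won when the attacker lands
    guesses_per_query distinct forgeries inside each query's window
    (each race succeeds with probability guesses/keyspace: geometric)."""
    return keyspace(randomize_port) / guesses_per_query

def expected_seconds(guesses_per_query, randomize_port, seconds_per_race):
    """Wall-clock estimate.  Pre-Kaminsky a failed race meant waiting out the
    cached record's TTL (e.g. 86400 s); with the sub-name trick a new race
    starts as fast as the attacker can trigger queries (e.g. 0.05 s)."""
    return expected_queries(guesses_per_query, randomize_port) * seconds_per_race

def simulate_race(guesses_per_query, randomize_port, seed, max_queries):
    """Play the race: per query the resolver draws a fresh (txid, port) and the
    attacker floods guesses_per_query distinct forgeries.  Returns the number
    of queries needed, or None if the budget runs out first."""
    rng = random.Random(seed)               # seeded so runs are reproducible
    space = keyspace(randomize_port)
    for query in range(1, max_queries + 1):
        secret = rng.randrange(space)       # the resolver's (txid, port) for this query
        forged = rng.sample(range(space), guesses_per_query)
        if secret in set(forged):           # one forgery matched: cache is poisoned
            return query
    return None

if __name__ == "__main__":
    k = 64                                   # forged replies the attacker fits per window
    for label, ports in (("txid only", False), ("txid + random port", True)):
        print(f"{label:20s} expected races: {expected_queries(k, ports):>14,.0f}"
              f"   at 0.05 s/race: {expected_seconds(k, ports, 0.05):>14,.0f} s")
    print(f"classic attack, txid only, one race per 86400 s TTL: "
          f"{expected_seconds(k, False, 86400):,.0f} s")
    print("simulated txid-only races needed:", simulate_race(k, False, seed=7, max_queries=20_000))
    print("simulated with port randomization (1000-race budget):",
          simulate_race(k, True, seed=7, max_queries=1_000))
```

With 64 forgeries per race, the transaction ID alone falls in about a thousand races, i.e. under a minute once the attacker can trigger queries freely, whereas the same budget against a 32-bit space needs on the order of 67 million races. That is the 16 extra bits Van Nice describes, and also why it remains a probabilistic defense: an attacker with more bandwidth, or a resolver whose port randomization is weakened (for example by a NAT device that rewrites source ports sequentially), shrinks the effective key space again, while a validated DNSSEC signature would reject the forgery regardless of how many guesses it took.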
– Monta Monaco Hernon
Read more news and analysis on Communications Technology‘s Web site at www.cable360.net/ct/news/.