Académique Documents
Professionnel Documents
Culture Documents
Challenges in Securing
the Domain Name System
T
o an Internet-based application such as a Web name servers, also called resolv-
ing/recursive name servers or re-
browser or email, the Domain Name System (DNS) solvers.
Every authoritative name server
is no more than a look-up service for IP addresses. is associated with a zone and, as its
name denotes, is the authoritative
Given a user-friendly domain name such as www. source for DNS data pertaining to
that zone. To provide fault tolerance,
nist.govalso called a fully qualified domain name (FQDN) effective administration, and effi-
cient name resolution, several geo-
RAMASWAMY the DNS provides the correspond- look-up service lies a complex logi- graphically and logically distributed
CHANDRAMOULI ing IP address (129.6.13.23 in this cal and administrative infrastructure. authoritative name servers exist for
AND SCOTT case). This process is called name reso- The DNS name resolution service each zone. These are further classi-
ROSE lution; a DNS response is the data uses a data repository, organized as a fied into primary name servers,
US National provided in response to a name reso- globally distributed database thats which maintain authoritative DNS
Institute of lution query. DNS also performs largely structured after the hierarchi- data in zone files, and secondary
Standards other functions and provides data cal domain name space, or DNS name servers, which frequently re-
and other than IP addresses, but it serves tree. At the top of the hierarchy is the fresh their contents from the pri-
Technology primarily as a name resolution root, a single domain represented by mary name servers.
service that handles DNS query/ a dot (.). Below the root are top- Stub resolvers are lightweight
response transactions. level domains (TLDs), whether clients that formulate DNS look-up
Unfortunately, the DNS has few generic (for example, .com, .gov, or queries on behalf of applications, such
security safeguards. In particular, .edu) or country-specific (such as Web browsers or email servers, and
theres currently no proof that the ccTLDs include .de, .uk, and so on). send them to caching name servers.
DNS server hasnt been corrupted. The next level consists of enterprise- Stub resolvers dont usually have any
This has serious consequences for level domains (ELDs) owned by caching features.
e-commerce and for the control of commercial, government, or acade- Caching name servers each serve
critical infrastructure. Imagine the mic organizations such as nist.gov or multiple stub resolvers. Depending
economic impact if, for example, a mit.edu. A large enterprise generally on the zone or domain requested,
rogue DNS server were to redirect has administrative control over a they either query the appropriate
Amazon.com customers to a fake given zone, classified as an ELD, and authoritative name servers or serve
Web site to which they submitted a set of subdomains (sometimes in- responses from their own caches
credit card and personal information volving other related domains as built from previous queries.
to complete their purchases. In con- well), such as csrc.nist.gov, cl.cam.
junction with various governments, ac.uk, or eecs.mit.edu. Thus, a zone DNS security threats
research organizations, and the private refers to an administrative entity in Two main security threats exist for
sector, the Internet Engineering Task the DNS that provides DNS services DNS in the context of query/
Force (IETF) has recently moved to for a group of domains. The term response transactions. Attackers can
address DNS security issues through zone has percolated up to the top
the development of a specification levels, and the terms root zone, TLD spoof authoritative name servers
and associated protocol called DNS zone, and ELD zones are often used. responding to DNS queries and
Security extensions (DNSSEC). As Figure 1 shows, the informa- alter DNS responses in transit
tion flow in the DNS takes place through man-in-the-middle at-
DNS organization primarily among three distinct sys- tacks, and
and infrastructure tem entities: authoritative name alter the DNS responses stored in
Beneath the seemingly simple DNS servers, stub resolvers, and caching caching name servers.
84 PUBLISHED BY THE IEEE COMPUTER SOCIETY 1540-7993/06/$20.00 2006 IEEE IEEE SECURITY & PRIVACY
Emerging Standards
been insufficient, and its been diffi- DNSSEC deployment integrity their installed trust anchors. An in-
cult to leverage knowledge gained depends on the presence of an in- herent complexity in this approach
from such infrastructures as PKI. frastructure to securely distribute is that zones perform both sched-
The DNSSEC environment differs these trust anchors to the various uled and emergency rollovers and
often have two sets of signing
keysone for signing just the pub-
The major security objectives for DNS clients lic key set and the other for signing
the rest of the zone data.
are source authenticationensuring the data Pilot projects in some European
ccTLDs have demonstrated an ap-
received originated from an authoritative proach to securely updating trust
anchor lists by having a period of
sourceand data integrity. overlap during which clients can use
both the old and new public keys
from a PKI-based environment in DNSSEC-aware caching name with signed DNS responses. (See
several ways: servers. Networks switching over http://dnssec.nic.se/ for informa-
to DNSSEC-aware caching name tion on DNSSEC at the Network
The signed zone doesnt use the servers for the first time can obtain Information Centre, Sweden, and
concept of trusted third parties such these trust anchors as part of the www.nlnetlabs.nl/dnssec/ for in-
as certificate authorities (CAs). software distribution. However, formation on DNSSEC in the
The volume and frequency of sig- the public keys and their associated Netherlands.) Zone administrators
natures generated using a given private keys that form the trust an- use the existing private key to sign
cryptographic keyspecifically, chor list are likely to change peri- the new public key; the DNSSEC-
the private part of the public odically (key rollover) in the zones aware caching name server can then
private key pairis larger than in that own them. The main security use the new signature-verified pub-
traditional PKI. challenge is to enable DNSSEC- lic key to update its trust anchor list.
Using conservatively large key aware caching name servers to se- One limitation is that this approach
sizesas in PKIcan negatively curely update their trust anchors in works only in situations in which a
impact performance in zone sign- response to key rollovers. DNSSEC-aware caching name
ing and DNS response signature- Researchers have proposed sev- server is online when zones in its
verification processes. eral solutions for the trust anchor trust anchor list go through the
Certain secure practices adopted update problem, but each has its overlap period for key rollovers
in PKI environments, such as drawbacks. We can use either a pull usually 30 days.
keeping private keys offline, arent or push paradigm to distribute in- Another proposed solution is to
possible for some authoritative formation between one-to-many create an out-of-band (outside of the
name servers for which zone file or many-to-one entities. In a push DNS protocol) means, possibly a se-
contents must be dynamically up- paradigm, an authoritative name cure publishsubscribe protocol for
dated online. Thus, private keys server that performs a key rollover distributing trust anchors that would
must be present online to regener- must send the changed keys to all let DNSSEC-aware authoritative
ate signatures for modified zone DNSSEC-aware caching name name servers publish their keys to
file records. servers that use its public key in their secure common locations from
trust anchor list. This is infeasible which DNSSEC-aware caching
DNSSEC needs to evolve its own given that authoritative name name servers could download them.
policies and best practices for key servers dont maintain state infor-
size, key storage, and key life times mation with respect to DNS End-to-end
for deciding on timelines for key query/response transactions, which secure DNS
rollovers. There are trade-offs be- can run into the millions and even Even after the community over-
tween signature strength and DNS the billions. On the other hand, em- comes the preceding challenges and
performance. ploying a pull paradigm implies that DNSSEC finds large-scale deploy-
The second deployment issue is every DNSSEC-aware caching ment, trust in DNSSEC ends at the
secure distribution and updating name server runs an automated pro- caching name server because its the
of trust anchors. DNSSEC-aware cedure for updating public keys entity that validates signatures in
caching name servers depend on such that the caching server must ei- signed DNS responses. The next
trust anchors to carry out DNS re- ther poll relevant zones periodically key step will be to expand
sponse signature verification, and or know the rollover schedules for DNSSEC, which is now limited to
the DNS infrastructure, into a spec- servers. To realize either feature, the curity mechanisms to the stub re-
ification for securing DNS from communication link between the solver because theres no perceived
end to end. The caching name twothe DNS last hopmust demand from the network applica-
server forms the DNS infrastruc- be secure. In situations in which stub tion development community.
tures boundary, but the specifica- resolvers and the caching name
tion needs to be extended to include servers that serve them are behind Acknowledgments
the stub resolver, which shares the corporate firewalls or communicate Certain commercial entities, equipment, or
same address and execution space through virtual private networks materials are identified in this article in order to
with the networked application. (VPNs), the security of this link isnt describe an experimental procedure or concept
An end-to-end secure DNS an issue. Establishing a secure link adequately. Such identification is not intended
would let applications make deci- isnt practically feasible, however, to imply recommendation or endorsement by
sions based on the nature of the with caching name servers that serve the US National Institute of Standards and
DNS response. One way to achieve public networks or stub resolvers in Technology, nor is it intended to imply that the
this is to incorporate the DNS re- mobile devices that connect to dif- entities, materials, or equipment are necessarily
sponse signature validation function ferent caching name servers each the best available for the purpose.
into the stub resolver. The other op- time. Even when a secure link is pos-
tion is to create a mechanism that sible, there are currently no stan- References
lets the caching name server se- dardized formats or APIs to let 1. R. Arends et al., DNS Security
curely pass DNS response security sta- caching name servers convey secu- Introduction and Requirements, IETF
tusinformation about the rity status to stub resolvers or to let RFC 4033, Mar. 2005; www.
signature-validation processs out- stub resolvers read and interpret ietf.org/rfc/rfc4034.txt.
cometo the stub resolver. The them. In the latter case, the stub re- 2. R. Arends et al., Resource Records for
validation process could yield any of solvers would have to perform the the DNS Security Extensions, IETF
the following status options: un- signature verification, which might RFC 4034, Mar. 2005; www.ietf.
signed response, validated signed re- require stub resolvers with larger org/rfc/rfc4034.txt.
sponse, failed signed response footprints, adversely affecting per- 3. R. Arends et al., Protocol Modifica-
(sometimes called bogus response), formance, especially on small net- tions for the DNS Security Extensions,
or nonvalidatable signed response worked devices. IETF RFC 4035, Mar. 2005;
(that is, the caching name server www.ietf.org/rfc/rfc4035.txt.
doesnt have the right trust anchors
in its list). In fact, the validating stub Ramaswamy (Mouli) Chandramouli is
resolver could also generate this se-
curity status information. From the
T he US Department of Home-
land Security is sponsoring an
international effort to identify barri-
a computer scientist with the US National
Institute of Standards and Technology.
His research interests include formal
applications viewpoint, whether ers and facilitate DNSSEC deploy- model-based security testing, smart
the caching name server or the stub ment to the global DNS tree, as well cards, access control models, and secu-
rity architectures. Mouli has a PhD in
resolver generates the information is as to evaluate proposals seeking to information technology from George
immaterial. The application just address remaining technical chal- Mason University. Contact him at
needs the security status so it can de- lenges (www.dnssec-deployment. mouli@nist.gov.
cide, based on its own mission- org). The DNSSEC-Deployment
Scott Rose is a computer scientist with
critical nature, whether to use the groups main focus is on promotion, the US National Institute of Standards
DNS response. For example, a Web education, and organizing research and Technology. His research interests
server might be willing to accept work on DNS security. include DNS security and measurement
nonvalidatable signed responses, In addition to the issues relating of discovery protocols. Rose has an MS in
computer science from the University of
whereas a mail server might accept to technical implementation and Maryland, Baltimore County (UMBC).
only validated signed responses. standards, theres also an economic Contact him at scottr@nist.gov.
These end-to-end secure DNS pro- dimension to securing DNS
posals have come from the DNS re- especially end to end. Currently,
search community. no mechanisms or APIs exist that
will enable networked applications Interested in writing for this
End-to-end secure to use signed DNS response va- department? Please contact editors
DNS standards lidation outcomes. As a result, Tom Karygiannis (tomkary@nist.
End-to-end secure DNS requires DNSSEC-aware networked appli- gov), Rick Kuhn (kuhn@nist.gov),
that stub resolvers perform signature cations arent being developed. At or Susan Landau, (susan.landau@
validation or obtain DNS response the same time, there arent any sun.com).
security status from caching name market drivers to extend DNS se-