DNS security upgrade promises a safer 'Net



An emerging technology promises to improve the security of the Internet's infrastructure by preventing hackers from hijacking Web traffic and redirecting it to bogus sites.

The new security mechanism, dubbed DNSSEC, plugs a hole in the Internet's Domain Name System (DNS) that hackers have exploited to spoof Web sites. DNSSEC prevents these attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

"DNSSEC is going to be a huge advancement for security on the 'Net," says Mark Kosters, vice president of research at Network Solutions.

DNSSEC is now available in open source software called BIND 9 that was released last month, and will be bundled in upcoming releases of operating systems from Sun, Hewlett-Packard, Red Hat and others.

Early adopters of DNSSEC will likely include government agencies, financial services firms and business-to-business exchanges, which all need to ensure the authenticity of the content on their Web sites. For example, the U.S. military plans to roll out DNSSEC on the ".mil" domain during the next year.

Experts say DNSSEC requires more powerful hardware and significantly more management time than earlier versions of the BIND software running on most DNS servers. Indeed, the extra effort required to set up and manage DNSSEC may slow adoption.

DNSSEC "is a no-brainer if it can be easily done," says Rohi Sukhia, CEO of tradeloop.com, a Web site offering spare parts and used equipment to computer dealers. "If it requires us to make a change on our DNS server, that's no big deal. But if it requires us to go out to our customers and change something on their systems, it's not going to happen."

How fast Web sites adopt DNSSEC depends on how scared they are of spoofing attacks.

DNSSEC "sounds like a good idea, but it's hard for me to assess the likelihood of this threat," says Michael Saltzman, vice president of network operations at gig.com, an online music distribution service. "In the pantheon of threats, viruses and more direct packet attacks rate a higher frequency. Those are the ones we worry about more."

Most spoofing attacks are designed to embarrass Web site operators. But security experts worry that as more money changes hands over the Web, spoofing will take on a more sinister tone.

"I think we're going to start to see more and more dollar-related crimes tied to DNS and the fact that DNS as it sits today is completely and totally spoofable," says Russ Mundy, manager of network security research at NAI Labs.

The most famous Web site spoofing incident happened in 1997, when a Washington state computer consultant named Eugene Kashpureff redirected traffic from Network Solutions' InterNIC Web site to his own AlterNIC site for several days (see story). Kashpureff later pleaded guilty to computer fraud and received two years probation.

"Cryptographic authentication is the only real answer to these threats," says Steve Bellovin, a network security researcher at AT&T Labs who first wrote about the potential for Web site spoofing in 1991. With DNSSEC, "when you get back an answer from DNS, you can verify that it's from someone who is authorized to give you back an answer."

When an end user types a domain name into his browser, his local DNS server sends a query through the Internet's distributed hierarchical DNS to look up the matching IP address for that domain name. For DNSSEC to work most effectively, the end user's local DNS server and the Web site's DNS server must support DNSSEC, along with the Internet's root and top-level domain servers.

When all of these pieces are in place, the Web site's DNS server signs its answer with its private key, and the local DNS server checks that digital signature against the site's public key to verify that the answer is authentic. Once the authenticity is confirmed, the end user can access the Web site.

BIND 9 is the first production software to support all the features of DNSSEC. Distributed by the Internet Software Consortium, BIND 9 is a complete rewrite of the open source code used to run most DNS servers. In addition to DNSSEC, BIND 9 features support for IPv6, the ability to run on multiprocessor systems and improved scalability for handling large domain name zones. The DNSSEC portion of BIND 9 was funded by the Defense Information Systems Agency (DISA), which awarded a $2 million contract to the Internet Software Consortium and NAI Labs to develop an operational version of DNSSEC.

"DNS servers are critical to the health and well-being of all [Defense Department] data communications as well as that of our allies and trading partners," a DISA statement says. "DNS has had some well-publicized security issues over the last several years, and DNSSEC was developed . . . to address these."

DISA has been testing DNSSEC for more than a year and is now working on guidelines for Defense Department organizations to implement DNSSEC.

But DISA will not wait for BIND 9 to be fully tested to migrate to DNSSEC; instead the military plans to install BIND 8 with DNSSEC bolted on top.

Like the Defense Department, most large companies run their own domain name zones and can upgrade their DNS servers to support DNSSEC at any time. The upgrade will be easier when BIND 9 comes bundled with commercial Unix and Linux operating systems, which is expected to happen next year.

Although DNSSEC is free with BIND 9, network managers should plan on spending more money on their DNS servers and delegating more resources to DNS administration. DNSSEC places additional processing and memory requirements on DNS servers, and it consumes more network bandwidth. It also requires more setup and maintenance time.

"Network administrators don't touch their DNS servers," says Ravi Iyer, Solaris product line manager at Sun, which helped fund BIND 9's development. Iyer recently visited one of the Baby Bells and found an old Sun system sitting in an electric closet that was running the company's entire DNS infrastructure. It hadn't been touched in three and a half years, he says.

With DNSSEC, "there will be a lot more touching in terms of managing the [public and private] keys involved," Iyer says. "Hopefully over time, we'll make it easier and easier to use."

New management tools will help, with IPWorks planning to offer a DNSSEC-compliant version of its IP address management software sometime next year. Other companies, such as Nominum and UltraDNS, plan to announce outsourced DNSSEC services.

"Because DNSSEC adds another level of complexity to DNS, and users have to deal with the whole issue of digital signatures . . . it will be far, far easier for companies that have limited resources to outsource this," says David Conrad, chief technology officer at Nominum, which wrote BIND 9 under a contract with the Internet Software Consortium.

Similar to many new Internet technologies, DNSSEC suffers from a chicken-and-egg problem. Web site operators and end users won't fully benefit from DNSSEC until it's widely deployed across the Internet. Until then, end users can't differentiate between Web sites that ought to be authenticated and aren't because of a spoofing problem, and sites that simply don't support DNSSEC.

In addition, the Internet Corporation for Assigned Names and Numbers (ICANN) has yet to determine how and when it is going to upgrade the Internet's root and top-level domain servers to support DNSSEC.

"The hardest part of this migration is going to be the political part on ICANN's behalf," Network Solutions' Kosters predicts. "For DNSSEC to truly work, it needs to be a top-down validation scheme . . . . It'll be better if first the root is signed, then the .com is signed and then the domain name is signed."

RELATED LINKS

Contact Senior Editor Carolyn Duffy Marsan


DNS Security Extensions
RFC 2535.

Bind 9
Read more and download the code (for Unix only).

DNSSEC Workshop
Oct. 25 in Washington, D.C.

Companies point fingers over Nike Web site hijacking
Computerworld, 6/30/00.
