Domain Name Security
Written by Peter Buxbaum
MIT 2009 Volume: 13 Issue: 8 (September)

Defense Agencies and Industry Move to Protect the Vital "Telephone Book" that Looks Up the IP Address of Websites
The DNS was compromised last year by a “cache poisoning attack” in which someone with permission to interact with a DNS server succeeded in modifying the answers DNS provided for lookups of a domain name. The result was that lookup requests were directed to the attacker’s site rather than the legitimate site.
These kinds of attacks are perpetrated by criminals who lure Internet users to fake sites where they can harvest credentials for illicit use on the real sites. Cyberwarfare is also a known venue for DNS-related threats, and hackers have launched denial-of-service attacks against DNS servers.
“The consequences of a successful cache-poisoning attack on DNS servers are so dire that describing them inevitably sounds like hyperbole,” commented Cricket Liu, vice president of architecture at Infoblox, a provider of DNS appliances. “Virtually every nontrivial transaction that takes place on the Internet relies on DNS, so in a real sense, widespread vulnerability to cache poisoning means the end of trust on the Internet.”
“DNS is a hierarchical system with many redundant servers,” explained Victor Larson, director of research and development at VirnetX, a provider of Internet security technologies. DNS also features caching servers to provide massive scale and redundancy for the critical service of responding to requests for name lookups.
Root DNS servers provide information on global top level domains (gTLDs) such as .com, .net, .org, .gov, and .mil. The DNS servers for a gTLD provide information on servers for the next level of domain names. For example, a .mil server provides information on where a server exists with information on darpa.mil. The owner of darpa.mil provides a server with name lookups in that domain and, optionally, for additional name servers for its subdomains.
“The reality today is that all these names in all those databases are kept in an unsecure, unencrypted manner,” said Ram Mohan, executive vice president and chief technology officer at Afilias USA, a provider of Internet infrastructure solutions.
That means that traditional network security mechanisms are of no avail when it comes to compromises of DNS. “You can put in a firewall or a packet inspector at the server level, and it wouldn’t mean anything because you never get to the site in the first place because DNS lied,” noted Joe Gersch, chief operating officer of Secure64 Software. “What is the point of putting in that kind of security if the basic addressing mechanism fails you?”
SECURITY EXTENSIONS
There is a solution, however, called Domain Name System Security Extensions (DNSSEC). The Department of Defense and the rest of the federal government have been in the process of implementing DNSSEC in the months leading up to a September 30 deadline to secure the top level of their domain hierarchies. Worldwide, only a few thousand of the many millions of existing Websites have thus far been secured with DNSSEC, according to Mohan.
“Experts agree that the best long-term approach for fixing the DNS system is to get a cryptographic solution like DNSSEC deployed,” said Larson. “In order for DNSSEC to provide complete protection of the transactions at all server levels, they need to be signed using DNSSEC.”
DNSSEC is a protocol for DNS security extensions that provides a special cryptographic element to ensure that DNS traffic does not get hijacked. When an Internet user requests a particular entry in the global directory, the server first checks whether the requester has the correct key to open the lock for that particular record. If not, the system does not provide an answer.
“It is a fairly straightforward mechanism,” explained Gersch. “DNSSEC uses digital cryptographic techniques to create a digital signature. It compares the signature to the data sent. If it looks good, it will let the data through to the user’s computer. If the server gets a bogus response, it will come back and tell the user it can’t access the site because the signatures don’t match.”
DNSSEC is designed so that a key for a domain is signed by the next level up the chain. For example, if disa.mil has a key for signing its names, that key is signed by .mil, and .mil’s key is signed by the Internet root.
“However, since DNSSEC deployment at all levels is going slowly,” Larson noted, “DNSSEC can optionally be set up so that lower level domains can provide DNSSEC integrity without the higher level domains being DNSSEC compliant.”
DNSSEC was originally designed in the 1990s as an approach to protect DNS information using public key infrastructure. “It has been an overnight sensation 15 years in the making,” quipped Mohan. “DNSSEC was created by the Internet Engineering Task Force, a global standards body. The original idea was the DNS trusted everybody. But by the mid-1990s it became apparent that the old model was breaking because bad actors will try to exploit the inherent trust built into the DNS architecture.”
A year and a half ago, the standards were finally agreed to and ratified. Afilias was one of the first companies to convert to those standards. In June 2009, Afilias deployed DNSSEC to the .org domain, the world’s largest.
“DNSSEC is important because once you click on a link, you want to be absolutely sure you will get there,” said Mohan. “If that does not happen you can get hijacked somewhere else. But a domain name that is signed with a secure key will guarantee that you will get where you said you want to go 100 percent of the time.”
IMPLEMENTATION TEAM
The Defense Information Systems Agency (DISA) is one of the focal points within DoD for the implementation of DNSSEC. The DoD plan calls for a phased implementation of DNSSEC from the top down, based on guidance issued by the Office of the Secretary of Defense, the Joint Task Force for Global Network Operations (JTF-GNO), a unit of U.S. Strategic Command, and the National Institute of Standards and Technology (NIST).
“Responsibility for implementation is shared across DoD,” said Fred Kopp, division chief of the Program Executive Office Mission Assurance within DISA’s Computer Network Defense branch. “We are one member of the team in implementing DNSSEC for defense agencies and coordinating planning and actions necessary to execute implementation across the federal community.”
The required September 30 implementation is for the top level domain only, Kopp noted, with the second level due by a date yet to be determined. In an interview this summer, Kopp predicted that DoD would meet the deadline for deploying DNSSEC at the .mil level. “We are proceeding with that implementation within DISA and are working with the services as well,” he said.
The phased approach to the implementation of DNSSEC means that DoD will start applying the security extensions to the .mil domain and then proceed to army.mil, navy.mil, af.mil, and so on, and then to their subdomains. “We’ll be working our way through the hierarchy one level at a time,” said Kurt Biernick, the lead government engineer at DISA’s Computer Network Defense Branch.
A program to ensure the secure availability of Websites to the population of authorized users requires three steps, according to Mohan. “First, add DNSSEC encryption to domain names—both Internet Websites as well as those domains running internally on private networks,” he said. “Second, upgrade the DNS hosting system in such a way as to provide a secure response to DNSSEC requests. Third, work with technology providers to ensure that domain names with the DNSSEC key are widely available and propagated on machines around the world so that one or more sets of attacks on the infrastructure cannot take them down.”
Gersch said he has been working with NIST to train and educate large numbers of government departments and personnel on how to make DNSSEC work. “There has been a huge educational effort in the last number of years among the many departments, agencies and bureaus on procedures and best practices,” he said. “Now they are starting with their deployment efforts.”
DISA has reviewed some commercially available automated tools to help DoD with configuration management and the implementation of the DNSSEC protocol extensions. “Part of what is difficult in the implementation of DNSSEC is in deciding on the cryptographic keys as well as maintaining and modifying them,” said Kopp. “Manipulation of the keys is one of the areas in which industry has to provide tools to help make this a manageable process. Different keys have to be assigned to different network zones, and they must be changed periodically in order to maintain security when data is transferred from one portion of the network to another.”
All of this is complex and requires expertise, Gersch said, adding, “It can be a pain in the neck if your staff turns over and you lose the recipe.” It can be a major undertaking, in other words, to be periodically reassigning keys to the various network zones.
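The chain of trust described earlier (a zone's key vouched for by the level above it, the resolver rejecting any answer whose signature does not match) and the key-rollover burden Kopp and Gersch describe here are easier to see in running code than in prose. The following Go program is an added example written for this article; it is not code from DISA, Secure64, or any DNSSEC implementation, and it deliberately simplifies the real protocol: one Ed25519 key per zone stands in for the KSK/ZSK pair, a SHA-256 of the child key plays the role of the DS record, and the signed string "name A addr" replaces the canonical RRset wire format. The zone names root, mil and darpa.mil follow the article's own example; the address 192.0.2.10 is a constructed documentation-range value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Zone is a toy model of one level of the DNS hierarchy: its name, its
// signing key pair (one key stands in for both KSK and ZSK), the A records
// it serves, and the DS-style digests it publishes for delegated children.
type Zone struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Records map[string]string // owner name -> IPv4 address
	DS      map[string]string // child zone name -> hex SHA-256 of child's public key
}

// Answer is what a resolver receives: the A record plus the RRSIG over it.
type Answer struct {
	Name, Addr string
	Sig        []byte
}

// NewZone generates a fresh key pair for the zone.
func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv,
		Records: map[string]string{}, DS: map[string]string{}}
}

// keyDigest is the DS-style hash the parent publishes for a child's key.
func keyDigest(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// canonical is the byte string that gets signed (simplified from the
// canonical RRset form real DNSSEC uses).
func canonical(name, addr string) []byte {
	return []byte(name + " A " + addr)
}

// Delegate publishes a DS record for child in this (parent) zone.
func (z *Zone) Delegate(child *Zone) { z.DS[child.Name] = keyDigest(child.Pub) }

// Sign returns the signed answer for one of this zone's records.
func (z *Zone) Sign(name string) (Answer, error) {
	addr, ok := z.Records[name]
	if !ok {
		return Answer{}, fmt.Errorf("%s: no record for %s", z.Name, name)
	}
	return Answer{Name: name, Addr: addr, Sig: ed25519.Sign(z.priv, canonical(name, addr))}, nil
}

// RotateKey replaces the zone's key pair. Until the parent publishes a new
// DS, answers signed with the new key fail validation: this is the
// "maintaining and modifying keys" step that must be coordinated.
func (z *Zone) RotateKey() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	z.Pub, z.priv = pub, priv
}

// Validate is the resolver side. anchor is the configured trust anchor;
// chain[0] must be the zone that anchor belongs to, and every later zone
// must be delegated (DS match) by the one before it. Only then is the
// RRSIG on the answer checked against the leaf zone's key. Passing a
// lower zone's key as the anchor models the "island of trust" setup in
// which a domain validates without its parents being signed.
func Validate(anchor ed25519.PublicKey, chain []*Zone, ans Answer) error {
	if len(chain) == 0 || !anchor.Equal(chain[0].Pub) {
		return errors.New("chain does not start at the trust anchor")
	}
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		want, ok := parent.DS[child.Name]
		if !ok {
			return fmt.Errorf("%s: no DS in %s (unsigned delegation)", child.Name, parent.Name)
		}
		if want != keyDigest(child.Pub) {
			return fmt.Errorf("%s: DNSKEY does not match DS in %s", child.Name, parent.Name)
		}
	}
	leaf := chain[len(chain)-1]
	if !ed25519.Verify(leaf.Pub, canonical(ans.Name, ans.Addr), ans.Sig) {
		return errors.New("RRSIG does not verify: answer modified or forged")
	}
	return nil
}

// BuildHierarchy constructs root -> mil -> darpa.mil with one constructed
// A record (192.0.2.10 is a documentation address, not a real one).
func BuildHierarchy() (root, mil, darpa *Zone) {
	root, mil, darpa = NewZone("."), NewZone("mil"), NewZone("darpa.mil")
	darpa.Records["www.darpa.mil"] = "192.0.2.10"
	root.Delegate(mil)
	mil.Delegate(darpa)
	return root, mil, darpa
}

func main() {
	root, mil, darpa := BuildHierarchy()
	chain := []*Zone{root, mil, darpa}
	ans, _ := darpa.Sign("www.darpa.mil")
	fmt.Println("genuine answer:", Validate(root.Pub, chain, ans))
	// A poisoned cache hands back the same name with a different address;
	// the RRSIG no longer matches, so the resolver refuses it.
	poisoned := ans
	poisoned.Addr = "192.0.2.99"
	fmt.Println("poisoned answer:", Validate(root.Pub, chain, poisoned))
}
```

Two things the toy makes concrete: a modified answer fails at the signature step even though it arrived from a "trusted" cache, and a substituted zone key fails one level higher, at the DS comparison, which is why an attacker cannot simply sign a forged answer with a key of their own. The rollover path shows the operational cost Kopp describes: after RotateKey the zone's own signatures are valid, but validation fails until the parent re-delegates.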
AUTOMATED ASSIGNMENT
Secure64 provides a technology aimed at alleviating two of the major challenges associated with maintaining DNSSEC standards: automating the assignment and reassignment of keys and securing the cryptography associated with them.
“You want to prevent someone from stealing the cryptographic keys,” said Gersch. “In our solution the keys are locked tight in a cryptographic module. You can issue a single command, ‘Do DNSSEC,’ instead of an operator manually doing and redoing each zone. Implementing DNSSEC operations can be as simple as adding a single statement to the system configuration file.”
The Secure64 product, known as Secure64 DNS Signer, rests on three enabling technologies: the SourceT micro operating system, the Secure64 DNS Authority server, and a hardware trusted platform module (TPM) device. The SourceT micro operating system was designed by Secure64 to be immune to malware and rootkits—programs designed to hide the fact that a system has been compromised.
“Rather than relying on a general-purpose operating system that must be hardened,” Gersch said, “SourceT is designed specifically for security and performance.” The Secure64 DNS Authority server is a dedicated authoritative DNS name server that runs on the HP Integrity rx2660 hardware platform. The TPM executes secure cryptographic functions, including seeding the random number generator and generating a storage root key unique for each machine to protect subkeys and other encryption material.
VirnetX takes a somewhat different approach. The VirnetX Gabriel product focuses on securing private and semi-private destinations on the Internet. “DNSSEC provides good security for large public and portal sites,” said Larson. “VirnetX Gabriel secure name services provide a unified approach for providing DNS services to authenticated users where the response is dependent on the identity of the requester so your network location is only available to those that you want to reach you. One very useful attribute of the Gabriel design is that it is much harder for an attacker to attack what it cannot find.”
The second major feature of Gabriel secure name services is that following the secure lookup of DNS information, it automatically forms a secure connection with the requested name, and provides services for this secure connection even if both parties are not directly on the Internet.
A third Gabriel feature, secure name services, provides support for dynamic addresses. “Legacy DNS fundamentally has a ‘pull’ architecture,” said Larson. “You can force legacy DNS to support dynamic IP addresses, but legacy DNS wasn’t designed particularly well to handle them. VirnetX Gabriel secure name services has a ‘push’ architecture, where changes in information are pushed when they occur.”
While the currently conceived timelines for implementing DNSSEC are achievable by DoD, as yet there is no specific timeline for implementing DNSSEC across the entire DoD network infrastructure, Kopp noted. The department will be looking to implement automated tools, he added, especially as the deployment proceeds down the network hierarchy.
“We believe that the way we are attacking the problem is the way to go,” he said, “in terms of identifying mechanisms, tools and processes to try to make it easier for those who need to do this and also to avail training to them to provide an understanding of DNSSEC and to keep the learning curve up.
“Deploying DNSSEC will make it much more difficult to hijack traffic meant for government domains,” Kopp added. “It will make our services more secure.”
Infoblox also supports DNSSEC in its line of purpose-built, security-hardened appliances for secure, highly reliable and manageable DNS services, among others. The latest shipping version of Infoblox NIOS software has built-in support for DNSSEC.