DNS: Security

Editor Note: THIS PAGE SHOULD BE SPLIT INTO TWO

Derived From: NIST Special Publication (SP) 800-81, Secure Domain Name System (DNS) Deployment Guide, Exec. Sum. May 2006

Because DNS data is meant to be public, preserving the confidentiality of DNS data pertaining to publicly accessible IT resources is not a security objective. The primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and maintain the integrity of domain name information in transit. Availability of DNS services and data is also very important; DNS components are often subjected to denial of service attacks intended to disrupt access to the resources whose domain names are handled by the attacked DNS components.

DNS is susceptible to the same types of vulnerabilities (platform, software, and network-level) as any other distributed computing system. However, because it is an infrastructure system for the global Internet, it has the following special characteristics not found in many distributed computing systems:

• No well-defined system boundaries?participating entities are not subject to geographic or topologic confinement rules
• No need for data confidentiality?the data should be accessible to any entity regardless of the entity?s location or affiliation.

Because of these characteristics, conventional network-level attacks such as masquerading and message tampering, as well as violations of the integrity of the hosted and disseminated data, have a completely different set of functional impacts, as follows:

• A masquerader that spoofs the identity of a DNS node can deny access to services for the set of Internet resources for which the node provides information (i.e., domains served by the node). This denial is not only for a limited set of clients but also for the entire universe of all clients needing access to those resources.
• Bogus DNS information provided by a masquerader or intruder can poison the information cache of the DNS node providing that subset of DNS information (i.e., the name server providing Internet access service to the enterprise?s users), resulting in a denial of service to the resources serviced by it.
• Violation of the integrity of DNS information resident on its authoritative source or the information cache of an intermediary that has accumulated information from several historical queries may break the chained information retrieval process of DNS. This could result in either a denial of service for DNS name resolution function or misdirection of users to a harmful set of illegitimate resources.
• If the name resolution data hosted by the DNS system violates content requirements as defined in DNS standards, it could have adverse impacts such as increased workload on the DNS system, or serving obsolete data that could result in denial of service to Internet resources. In most software, program data independence (as in conventional database management systems [DBMS]) provides a degree of buffer against adverse impacts due to erroneous data. In the case of DNS, the data content determines the integrity of the entire system.

Based on these functional impacts, the deployment guidelines for secure DNS presented by NIST consist of the following generic and DNS-specific recommendations:

• Implement appropriate system and network security controls for securing the DNS hosting environment, such as operating system and application patching, process isolation, and network fault tolerance.
• Protect DNS transactions such as update of DNS name resolution data and data replication that involve DNS nodes within an enterprises control. The transactions should be protected using hash-based message authentication codes based on shared secrets, as outlined in the Internet Engineering Task Force's (IETF) Transaction Signature (TSIG) specification.
• Protect the ubiquitous DNS query/response transaction that could involve any DNS node in the global Internet using digital signatures based on asymmetric cryptography, as outlined in IETF's Domain Name System Security Extensions (DNSSEC) specification.
• Enforce content control of DNS name resolution data using a set of integrity constraints that are able to provide the right balance between performance and integrity of the DNS system.

(ii) Secure the Domain Name System. DNS serves as the central database that helps route information throughout the Internet. The ability to route information can be disrupted when the databases cannot be accessed or updated or when they have been corrupted. Attackers can disrupt the DNS by flooding the system with information or requests or by gaining access to the system and corrupting or destroying the information that it contains. The October 21, 2002 attacks on the core DNS root servers revealed a vulnerability of the Internet by degrading or disrupting some of the 13 root servers necessary for the DNS to function. The occurrence of this attack punctuates the urgent need for expeditious action to make such attacks more difficult and less effective. - U.S. National Strategy to Secure Cyberspace , February 2003 p. 30

DNSSEC

DNS Security (DNSSEC) refers to the addition of data authentication and integrity protection to the DNS protocol. This is accomplished by the inclusion of public keys and the use of digital signatures to DNS information.

• DNSSEC
  • Modifies DNS resource records and protocols; introduces public key crypto.
  • Hierarchical model of trust
  • Validation of responses established by an authentication cahin from a known trust anchors
  • Chain can always be constructed from the root to the lower zones, assuming that the intermediary zones are validated
  • Root
    • Root Names Space - this is what DNSSEC would protect
    • Root infrastructure

DNSSEC is designed to

• Provide Data Integrity
• Provide origin authentication
• authenticate denial of existence of record (its really not there)
• Prevent Man in the Middle Attack
• Helps deal with population from alternate roots, cache poisoning, hijacking of domain names.
• Prevent Corrupt DNS Records. (RFC 3833)

DNSSEC does not

• provide for confidentiality of data (DNS is an open public database)
• prevent DDOS

Administrative requirements for DNSSEC include

• Key generation and managment
• Zone signing operations

DNSSEC implementation concerns include

• Key security
  • What do you do if all keys are compromise
    • Creates a single point of failure - which must therefore be guarded carefully
• Key rollover
• Keys have a temporal dependancy and therefore need synchronized time
• Key management
  • If the keys dont work for any particular reason, domain zones will simply vanish
• Zone walking
• Signed records are 3 to 5 times larger and require greater computational power
• Administrative Concerns
  • The key question is who signs the root. DHS is concerned about this
    • IGP recommends that root be signed by multiple root key operators. IGP Paper released May 17, 2007. Diffuses responsibility across multiple parties.
      • Multiple signatures required in order to generate sufficient trust each time published
      • Add process to a procedure that is already demanding - creating more points of failure
      • Currently root zone is published twice a day every day
    • Signer of the root key decides who can edit the root and who can read the zone
    • Issue of liability for holding the key
      • Risk to economic infrastructures
    • One assumption was that IANA would sign the root. Prob: Signing the root does not appear to be within the contract between IANA/ICANN and USG.
• Economic incentive problem
  • No incentive to invest in infrastructure until demand; no demand until there is an infrastructure
• Issue of alternate roots - would appear to kill alternate root initiates
  • Alt Root would have to strip out ICANN root signatures and insert all of its own signatures

Currently, DNS Security is still in the experimental stage. There are currently several experimental tests of secure DNS zones. [NIST]

DNSSEC Deployment	Status
RIPE NCC	Zone by Zone as requested
dot ORG	Testbed
Netherlands
Sweden
Japan
Verisign dot net

Trust anchor - signed areas within the DNS hierarchy without the whole hierarchy being signed. Where foo.acme is signed but .foo is not yet signed.

DNSSEC Documentation

• IETF RFC 4035, Protocol Modifications for the DNS Security Extensions (March 2005)
• IETF RFC 4034, Resource Records for the DNS Security Extensions (March 2005)
• IETF RFC 4033, DNS Security Introduction and Requirements (March 2005)
• D. Atkins, R. Austein, IETF RFC 3833, Threat Analysis of the Domain Name System (DNS) (Aug 2004) ("This note attempts to document some of the known threats to the DNS, and, in doing so, attempts to measure to what extent (if any) DNSSEC is a useful tool in defending against these threats.")
• DNS SECURITY SPECS RFC 2535-2539, 2845, 2930, 2931, 3007, 3008, 3090, 4033, 4034, 4035
• D Eastlake , IETF RFC 2535, Domain Name System Security Extensions (March 1999)
• D Eastlake , C. Kaufman, IETF RFC 2065, Domain Name System Security Extensions (Jan 1997)
• NIST DNSSEC Project website
  • USG in the process of adoption.
  • NIST Special Publication (SP) 800-81, Secure Domain Name System (DNS) Deployment Guide, May 2006
  • DNSSEC and its Impact on DNS Performance
• DNSSEC Deployment Initiative ("The U.S. Department of Homeland Security provides support for coordination of the initiative.")
• US DHS,
  • Signing the Domain Name System Root Zone: Technical Specification, Oct 31, 2006 Draft (document states "Draft - Not for Further Distribution" - but of course it is publicly available on the Net)
  • Cyber Security R&D Center
• Dot ORG Registrar FAQs DNS Security Q 6
• RIPE NCC DNSSEC Policy

DNSSEC Current Drafts

• DNS Security Introduction and Requirements
• Resource Records for the DNS security Extensions
• DNS Security protocol Modifications