
What DNS is Not

Kylie Brown, Jordan Eberst, Danielle Franz, Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros

Paul Vixie. 2009. What DNS Is Not. Queue, volume 7, issue 10. http://doi.acm.org/10.1145/1647300.1647302


Presentation Transcript


  1. What DNS is Not
  Kylie Brown, Jordan Eberst, Danielle Franz, Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros
  Paul Vixie. 2009. What DNS Is Not. Queue, volume 7, issue 10. http://doi.acm.org/10.1145/1647300.1647302

  2. DNS: An Overview
  • Companion paper: "DNS Complexity", published in ACM Queue, volume 5, issue 3, April 2007.
  • http://eustis.eecs.ucf.edu/~ch552141/p24-vixie.pdf

  3. DNS: An Overview
  • A giant database: DNS translates a domain name into an IP address.
  • Why is this hard?
    • Billions of IP addresses in use
    • Billions of daily DNS requests
    • Constantly changing
    • Human convenience

  4. How Does DNS Work?
  • Example: www.facebook.com
  • Your web browser sends a request for the IP address.
  • The answer is cached if you have visited recently.
  • If not, a search begins.

  5. How Does DNS Work?
  • The search process starts at the root name servers. The root servers refer the resolver to the .COM name servers.
  • The .COM name servers are asked for the IP addresses of the Facebook name servers.
  • The Facebook name servers are asked for the IP address of www.facebook.com.
  • The web browser caches the IP address.

  6. What DNS is Not: Overview
  • Misuses of DNS:
    • DNS is not a routing protocol
    • DNS is not a tool to monetize typos
    • DNS is not a directory system
  • This paper discusses the properties that allow DNS to be misused, the common practices of misuse, and the consequences of misuse.

  7. Stupid DNS Tricks

  8. DNS is not a routing protocol
  • Content Distribution Networks (CDNs) often use DNS queries as an opportunity to route user requests.
  • E.g., Akamai, Cisco DistributedDirector
  • Users are routed to an appropriate content server based on their geographic / network proximity and content server load.
  • Problems:
    • This scheme requires limiting caching (i.e., low TTLs) and increases load on DNS infrastructure.
    • Most end users use their ISP's recursive name servers. This hides the user's original location and decreases the accuracy of DNS-based routing.

  9. NXDOMAIN Remapping

  10. NXDOMAIN Remapping
  Expected causes of NXDOMAIN:
  • Typo (e.g., www.goglee.com)
  • Broken link
  • Hardware or software error
  What should happen:
  • Browser catches the bad domain name: "Error page"
  • E-mail: "bounced e-mail"

  11. What you should see: Googler.com

  12. What you usually see: Bestbuyt.com

  13. A Growing Problem
  • Many major ISPs' DNS servers (e.g., Comcast) and some public DNS servers (e.g., OpenDNS) redirect users to these spammy search pages.
  • VeriSign example (2006): added a wildcard on top of the .com zone, which prevented NXDOMAIN returns. Any non-existent domain, regardless of the DNS servers used, was redirected to SiteFinder's website.

  14. NXDOMAIN is important. Some things depend on accurate negative results.
  1. Web security
  • Many sites, like Google, use wildcard cookies so users can maintain sessions across subdomains (Google Docs, Google Sites, etc.).
  • If sdfgaj.google.com is redirected to a search page, web browsers will send the user's cookies to that page.

  15. NXDOMAIN is important. Some things depend on accurate negative results.
  1. Web security, continued
  • In 2008, Dan Kaminsky found a cross-site scripting vulnerability in Earthlink's search page.
  • Earthlink customers were vulnerable to HTML or JavaScript injection on arbitrary domain names because of NXDOMAIN hijacking.

  16. NXDOMAIN is important. Some things depend on accurate negative results.
  2. E-mail (SMTP)
  • If an MX (mail exchange) lookup returns no results, an SMTP server falls back to a standard A record lookup.[1]
  • These DNS requests are indistinguishable from, say, web browsers' requests, so the request will be redirected to a search page.
  • The SMTP server will then attempt to send e-mail to the wrong IP address.
  [1] See RFC 5321, section 5.1.
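To make the consequences on slides 13 through 16 concrete, here is an added example in Python (not from the slides or from Vixie's paper): a toy resolver over constructed zone data, a rewriting resolver that synthesizes a search-page answer for NXDOMAIN, the random-label probe a client can use to detect such rewriting, and the RFC 5321 implicit-MX fallback that ends up sending mail to the search page's address when the recipient domain is mistyped. The zone contents, the search-page address and all function names are assumptions.

```python
import random
import string

# Constructed toy zone: (name, type) -> rdata list. Names absent from it entirely are NXDOMAIN.
ZONE = {
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
}
SEARCH_PAGE_IP = "198.51.100.1"  # constructed: where a rewriting resolver sends NXDOMAIN traffic


def honest_resolve(name, qtype):
    """Returns the rdata list, [] for NODATA (name exists, no such type), None for NXDOMAIN."""
    name = name.lower().rstrip(".")
    if not any(n == name for n, _ in ZONE):
        return None
    return ZONE.get((name, qtype), [])


def rewriting_resolve(name, qtype):
    """Models the ISP behaviour on slide 13: NXDOMAIN on an A query becomes the search page."""
    answer = honest_resolve(name, qtype)
    if answer is None and qtype == "A":
        return [SEARCH_PAGE_IP]
    return answer


def detect_rewriting(resolve, base="example.com", probes=3):
    """Client-side check: look up random labels that cannot exist under base. An honest
    resolver answers NXDOMAIN for each; a rewriting resolver answers all with one address."""
    seen = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=16))
        answer = resolve(f"{label}.{base}", "A")
        if not answer:
            return False
        seen.update(answer)
    return len(seen) == 1


def smtp_delivery_target(resolve, domain):
    """RFC 5321 section 5.1 (slide 16): with no MX records the domain itself is the implicit
    MX host, so the server falls back to its A record. Returns the IP mail would be sent to,
    or None when the only correct outcome is a bounce."""
    mx = resolve(domain, "MX")
    host = mx[0] if mx else domain
    addresses = resolve(host, "A")
    return addresses[0] if addresses else None
```

With the honest resolver a mistyped domain such as exmaple.com yields None (a bounce); behind the rewriting resolver the same message is handed to the search page's address.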

  17. Standard Bad Practices
  • In 2009, there was an effort by national cable companies to standardize DNS redirection services.[2]
  • The standard outlines an opt-out DNS redirect search engine / malware filter and a "Legally-Mandated DNS Redirect Domain List" for "illegal domains."
  [2] "Recommended Configuration and Use of DNS Redirect by Service Providers", http://tools.ietf.org/html/draft-livingood-dns-redirect-00

  18. Solution: DNSSEC

  19. A Rescue Being Thought Of
  • DNSSEC is a set of protocol enhancements for DNS.
  • It allows zones to be signed by zone editors with their private keys and verified by anyone using public-key cryptography.
  • All query responses, including NXDOMAIN, are signed. This prevents man-in-the-middle attacks.
  • But, right now, most resolvers are configured to accept unsigned responses. DNSSEC needs wider adoption.
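As an added example of the signed-NXDOMAIN point on slide 19 (not from the slides or the paper), the following Python code shows the validator-side logic that makes a negative answer trustworthy: canonical name ordering per RFC 4034 section 6.1, and the two NSEC records a validator needs before it accepts a name as non-existent (RFC 4035 section 5.4). The NSEC chain is constructed, its RRSIGs are assumed to have been verified already, and the function names are assumptions.

```python
def canonical_key(name):
    """RFC 4034 section 6.1 canonical ordering: labels compare right to left,
    case-insensitively, as byte strings, and a name sorts before any name it is a
    proper prefix of. A tuple of reversed lowercased label bytes compares exactly so."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))


def nsec_covers(owner, next_name, qname, apex):
    """True if the NSEC record owner -> next_name asserts that qname does not exist.
    The last NSEC in the chain points back to the apex and covers everything after it."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if n == canonical_key(apex):
        return o < q
    return o < q < n


def closest_encloser(qname, chain):
    """Longest ancestor of qname that exists, i.e. appears as an NSEC owner name."""
    owners = {canonical_key(o) for o, _ in chain}
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if canonical_key(ancestor) in owners:
            return ancestor
    return None


def proves_nxdomain(chain, qname, apex):
    """Validator-side check (RFC 4035 section 5.4): the chain denies qname only if
    (1) qname lies inside the zone, (2) one NSEC covers qname itself and (3) another
    NSEC covers the wildcard at qname's closest encloser, so no wildcard could have
    synthesized an answer. Signatures are assumed to have been verified already."""
    apex_key = canonical_key(apex)
    if canonical_key(qname)[:len(apex_key)] != apex_key:
        return False
    if not any(nsec_covers(o, n, qname, apex) for o, n in chain):
        return False
    ce = closest_encloser(qname, chain)
    if ce is None:
        return False
    return any(nsec_covers(o, n, "*." + ce, apex) for o, n in chain)


# Constructed NSEC chain for the zone example.com as (owner, next) pairs in canonical order.
CHAIN = [
    ("example.com", "a.example.com"),
    ("a.example.com", "mail.example.com"),
    ("mail.example.com", "www.example.com"),
    ("www.example.com", "example.com"),
]
```

A resolver that rewrites NXDOMAIN cannot produce these covering records for a name that does exist, nor forge them for a name that does not, which is why a validating resolver is immune to the remapping on slides 10 through 13.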

  20. A Rescue Being Thought Of
  • DNSSEC won't prevent CDNs' DNS-based routing schemes, as it is possible to have a collection of signed, authoritative responses.

  21. Directory Services

  22. Directory Services
  • Some web browsers attempt to auto-complete DNS queries as a user types in the URL bar.
  • If a user types "www.cnn.com", the partial strings are looked up as they are typed:
    • www.cn -> .cn is the ccTLD for China, so this is a valid domain.
    • www.cnn.co -> .co is the ccTLD for Colombia.
  • This causes unnecessary traffic to the www.cn and cnn.co name servers.
  • Domains are not in an ideal format for these directory lookups. E.g., .com.cnn.www
