What_DNS_is_Notx

Download Report

Transcript What_DNS_is_Notx

What DNS is Not0
Kylie Brown, Jordan Eberst, Danielle Franz
Drew Hanson, Dennis Kilgore,
Charles Newton, Lindsay Romano, Lisa Soros
Paul Vixie. 2009. What DNS Is Not. Queue volume 7, issue 10.
http://doi.acm.org/10.1145/1647300.1647302 .
0
DNS: An Overview
• Companion Paper
o DNS Complexity - Published in ACM's Queue, Volume 5
Issue 3, April 2007.
o http://eustis.eecs.ucf.edu/~ch552141/p24-vixie.pdf
DNS: An Overview
• GIANT Database
• DNS translates a domain name into an IP address.
• Why is this hard?
o Billions of IP addresses in use
o Billions of daily DNS requests
o Constantly changing
• Human Convenience
How Does DNS Work?
• Example: www.facebook.com
• Request for IP address sent to your web browser
o Cached if you have visited recently
• If not, a search begins.
How Does DNS Work?
• The search process starts at the root name servers. The
root servers refer the resolver to the .COM name servers.
• Request IP addresses for the Facebook name server
• Request IP address of www.facebook.com from the
Facebook name servers.
• Web browser caches IP address
What DNS is Not: Overview
• Misuses of DNS
o DNS is not a routing protocol
o DNS is not a tool to monetize typos
o DNS is not a directory system
• This paper talks about different properties that allow DNS to
be misused, the common practices of misuse, and the
consequences of misuse.
Stupid DNS Tricks
DNS is not a routing protocol
• Content Distribution Networks (CDNs) often use DNS
queries as an opportunity to route user requests.
o E.g., Akamai, Cisco DistributedDirector
• Users are routed to an appropriate content server based on
their geographic / network proximity and content server load.
• Problems
o This scheme requires limiting caching (i.e., low TTL) and
increases load on DNS infrastructure.
o
Most end-users are using their ISP's recursive name
servers. This hides the user's original location and
decreases the accuracy of DNS-based routing.
NXDOMAIN Remapping
NXDOMAIN Remapping
Expected Causes of NXDOMAIN:
• Typo (e.g., www.goglee.com)
• Broken Link
• Hardware or Software Error
What should happen:
• Browser catches bad domain name: “Error page”
• E-mail - “bounced e-mail”
What you should see
Googler.com
What you usually see
Bestbuyt.com
A Growing Problem
Many major ISPs' DNS servers (e.g., Comcast) and some
public DNS servers (e.g., OpenDNS) redirect users to
these spammy search pages.
VeriSign example (2006):
Added a wild card on top of the .com zone
Prevented NXDOMAIN returns. Any non-existent domain,
regardless of DNS servers used, was redirected to
SiteFinder's website.
NXDOMAIN is important.
Some things depend on accurate negative results.
1. Web security
o
Many sites, like Google, use wildcard cookies so users
can maintain sessions over sub domains (Google Docs,
Google Sites, etc).
o
If sdfgaj.google.com. is redirected to a search page, web
browsers will send user cookies.
NXDOMAIN is important.
Some things depend on accurate negative results.
1. Web security, continued
o
In 2008, Dan Kaminsky found a cross-site scripting
vulnerability in Earthlink's search page.
o
Earthlink customers were vulnerable to HTML or
Javascript injection on arbitrary domain names because
of NXDOMAIN hijacking.
NXDOMAIN is important.
Some things depend on accurate negative results.
2. E-mail (SMTP)
o If a MX (mail exchange) lookup returns no results, a
SMTP server will fall back to a standard A record
lookup.1
1
o
These DNS requests are indistinguishable from, say,
web browsers' requests. The request will be redirected to
a search page.
o
SMTP server will attempt to send e-mail to the wrong IP
address.
See RFC 5321, section 5.1.
Standard Bad Practices
In 2009, there was an effort by national cable companies to
standardize DNS redirection services.2
The standard outlines an opt-out DNS redirect search engine /
malware filter and a "Legally-Mandated DNS Redirect Domain
List" for "illegal domains."
2
"Recommended Configuration and Use of DNS Redirect by Service
Providers" http://tools.ietf.org/html/draft-livingood-dns-redirect-00
Solution: DNSSEC
A Rescue Being Thought of
DNSSEC is a set of protocol enhancements for DNS.
Allows zones to be signed and verified by public-key encryption
and signed using private keys by zone editors.
All query responses, including NXDOMAIN, are signed. This
prevents man-in-the-middle attacks.
But, right now, most resolvers are configured to accept
unsigned responses. DNSSEC needs wider adoption.
A Rescue Being Thought of
DNSSEC won't prevent CDNs' DNS-based routing schemes as
it is possible to have a collection of signed, authortative
responses.
Directory Services
Directory Services
Some web browsers attempt to auto-complete DNS queries as
a user types in the URL bar. If a user types "www.cnn.com":
www.cnn
www.cnn
www.cnn -> .cn is the ccTLD for China, so this is a valid domain.
www.cnn.com
www.cnn.com
www.cnn.com -> .co is the ccTLD for Columbia.
This causes unnecessary traffic to www.cn and cnn.co name
servers.
Domains are not in an ideal format for these directory lookups.
E.g., .com.cnn.www