This is a paper I wrote for a freshman level English class at Gonzaga, while at the time I don't know if I fully understood the topic I still hope its a good read. Please let me know what you think.
- Larkin
The internet plays a vital role in the modern world and in the everyday lives of people across the whole globe. In fact for many people, their daily lives would grind to a halt without the internet, as both communication and commerce would be disrupted. In spite of the fact that the internet is such an integral part of the modern life style, it is strange, shocking even, that most people are blind to the internal workings and the vulnerabilities of the World Wide Web. The Domain Name System (DNS) is the driving force behind the internet; when a user types a web address into an internet browser, DNS is the system that takes over and locates the web page requested. Therefore DNS is where the users internet experience begins and ends. As a system, DNS is both incredibly simple and very robust, but this duality has created vulnerabilities in the very system itself. To counter the existing flaws in DNS, a new security measure known as Domain Name System Security Extensions (DNSSEC) was created. DNSSEC is a massive security upgrade for DNS that aims to address all of the existing problems in one fell swoop. DNSSEC has many critics within the computer science and security communities. However these complaints are not without reason, as many computer scientists are affronted by changes in DNS and consider these to be potentially problematic for the entire internet system. In the end it is clear that the current DNS is a robust yet critically flawed system. The adoption of DNSSEC is a necessary step in the evolution of the World Wide Web that is vital given that our society has become increasingly reliant on interconnectivity mediated by the internet.
To understand the issue behind the existing flaws in DNS one must first understand how the system works. Domain Name System is often described as the phonebook of the internet. Every website has both a physical address, known as an IP address (72.14.213.147 is the IP address for Google), and a public address (www.google.com). DNS takes the public address, typed into an internet browser, and sends out a query to a DNS server stack in which the server asks for the physical address of the requested website (see Fig 1.). The DNS server then takes the request and asks a root server for the general location of the website of interest (see Fig 2.). The root server responds with a zone for the desired website (see Fig 3.). The internet is so massive that the millions of websites that comprise it are sorted into thousands of zones. Servers use zones to identify different parts of the World Wide Web, dividing the work load for servers into a manageable size. Zoning allows DNS to accomplish this massive search in a short period of time. After the root server redirects the original DNS server to a zone nameserver, the zone nameserver finds the proper zone for the requested website and responds with an address for the webserver. The request is then sent from the DNS server to the webserver (see Fig 4.). The webserver responds to the request with the physical location of the website, or IP address. Finally, the DNS server connects the user with the appropriate web page. All of this happens within a few milliseconds, a truly amazing feat of engineering considering the millions of potential web sites that exist.
However DNS as a system has a glaring flaw. In 2008 a computer scientist named Dan Kaminsky, a security analyst and white hat (friendly) hacker, discovered a serious flaw in DNS that would rock the computer science world and bring about the creation of DNSSEC.It was the ultimate hack. He was looking at an error coded into the heart of the Internet's infrastructure. This was not a security hole in Windows or a software bug in a Cisco router. This would allow him to reassign any Web address, reroute anyone's email, take over banking sites, or simply scramble the entire global system. (Secret Geek pg2)Kaminsky discovered an exploit that could be used to bypass most of the system. By giving answers to his own queries Kaminsky fooled the DNS server into giving him access to areas of the internet that are normally secure. All Kaminsky had to do was guess the port that DNS was going to use to send and receive the information for his query and match his queries and responses to that port. This technique, referred to as an exploit, had a 1 in 64,000 shot of working. For a modern computer this number is negligible, as given the speed of modern computers a match would typically be found in less than ten seconds (Guide to Kaminsky). Kaminsky reported his finding to Paul Vixie, a DNS founder, who then gathered together DNS experts and computer programmers from around the world at an emergency meeting to find a solution to the problem. The issue was so sensitive that discussion of the exploit was only done in person or over hard lines. The computer A-team produced a patch (in the most literal sense of the word) to cover up the problem. The patch simply randomized ports for entry and exit on the DNS servers, thereby increasing the odds of the exploit working from 1 in 64,000 to 1 in 4 billion. A week after the patch was applied to the DNS servers, the exploit (now patched) was used multiple times around the world. The websites of the Church of Scientology, Bank of America, and VeriSign were all broken into using this exploit. The exploit, known as the Kaminsky bug, remains essentially unpatched precisely because the exploit attacks such a basic part of the DNS system.
DNSSEC has been cited as the only effective method to effectively patch DNS and the Kaminsky exploit. DNSSEC complicates the simple system employed by DNS, one of the reasons many computer scientists are skeptical of its adoption as a new standard for the internet. DNSSEC works by attaching keys to every piece of data sent and received by the DNS server. The only way the data can be matched up with an appropriate address is to match up the key with the appropriate encryption; both keys and encryptions are randomly generated and unique to each connection. Using this matched encryption method, the Kaminsky exploit becomes obsolete. The fake responses needed to trick the DNS server are not accepted because they do not match the encryption key on the original query. The encryption is assigned by the DNS server and only the DNS and root servers possess the encryption keys associated with the individual packets. This means the DNS server cant be tricked by query answers supplied by an end user because they have no way of knowing the encryption key. The likelihood that the key can be randomly guessed is far too massive to be done in the short time required, even by computer standards. DNSSEC also prevents almost all other forms of DNS break-ins and data sniffing, creating a more secure internet experience.
Despite the obvious benefits of DNSSEC, there are critics who do not believe that this is an acceptable solution to the Kaminsky exploit. The complexity of DNSSEC has some computer scientists worried that DNSSEC adoption would lead to the creation and discovery of more complex exploits and bugs. The problem with DNSSEC is it requires a server to keep massive caches of keys and encryption data in its memory, putting an even greater load on the DNS server, the nameserver, and the root server. This load increases the bandwidth needed for all internet traffic and increases the CPU usage of all internet servers, resulting in longer load times as more cycles are spent on fewer requests for IP addresses. For authoritative DNS name servers, the performance impact of DNSSEC will come from increased memory and CPU usage on name servers, and an increase in bandwidth usage by DNS. (DNSEC Impact) DNSSEC would need to be adopted by all major servers in order to be effective on a meaningful level. As such an effective adoption of DNSSEC would cause a slowdown of the entire internet causing a few milliseconds of lag time on a global level. A few milliseconds of lag time between a client and a server on a global level may seem like a small price to pay for the increased security offered by DNSSEC, but when programs are constantly updating their memory to accommodate the encryption devices, a small increase in lag would certainly be noticeable and would also affect the code base for thousands of programs. That is to say the coding of some computer programs would need to be altered to accommodate the changes required by DNSSEC. The counterargument for this position lies in Moores law which states that data density in computers doubles every 18 months. Moores law characterizes the changes in computational speed that have held true since 1965 in which the computational power of the worlds most powerful computer chips will double every eighteen months. Due to these changes in speed, hardware for computers tends to evolve very rapidly. This is important because the decrease in computer speed caused by implementation of DNSSEC would be essentially negated by improvements made in hardware in less than 18 months. The only remaining argument is that of DNSSEC complexity. However DNSSEC as a system has been implemented on smaller scale systems to no ill effects. Bugs and exploits due to complex system designs have yet to appear on any DNSSEC servers.
The adoption of DNSSEC is vital to a world that has become so reliant on internet connectivity. When the essential back bone of a vital worldwide communication resource is compromised, steps must be taken to secure the vulnerabilities of the DNS and thus ensure the security of the internet. The robust and simple nature of the Domain Name System make it the perfect program to run such a complex opperation, however it is clear that the security of the system is threatened by exploits inherent in DNS. As stated by renowned DNS security expert and BIND9 creator Paul Vixie Time to live is not and never has been a security measure, and should not be treated as such. We need a better solution than giant numbers. DNSSEC is such a solution. The drawbacks are slight, given the massive security upgrade, and will easily be overcome in a few years time by the increase in computer speed. The upgrade to DNSSEC is a necessary step in the evolution of the World Wide Web. As the internet is further integrated into the everyday lives of millions of people, protecting the internet, and therefore ourselves, has never been more important. It has never been a question of if somebody will break in, attacks on our network are inevitable so now we must plan accordingly (Luke Timmins Network Engineering Lead Bungie Studios) (Diagrams from http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html) Works CitedDavis, Joshua. "Secret Geek A-Team Hacks Back, Defends Worldwide Web." Wired.com. June-July 2008. Web. 05 Apr. 2011. ."Domain Name System Security Extensions." Wikipedia, the Free Encyclopedia. 11 Mar. 2011. Web. 05 Apr. 2011. .Friedl, Steve. "An Illustrated Guide to the Kaminsky DNS Vulnerability." Steve Friedl's Home Page. 08 July 2008. Web. 05 Apr. 2011. .Hubert, Bert. "The Role of DNS and DNSSEC in Information Security." Ds9a.nl. 2003. Web. 05 Apr. 2011. .Kaminsky, Danial. "Its the End of the Cache as We Know It." Black Hat 2008. Las Vegas. 30 Aug. 2008. Lecture.NIST. "DNSSEC and Its Impact on DNS Performance." Secure Naming Infrastructure Pilot. 16 Sept. 2008. Web. 05 Apr. 2011. .Timmins, Luke, Luke Smith, and Brian Gerard. "Bungie Podcast." Audio blog post. Bungie.net. Bungie Studios, Dec. 2009. Web. 26 Mar. 2011. .
http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
Log in to comment