
DNS Revolutions & Evolutions

Written by Paul Mockapetris
7/10/2008

June 23rd was the 25th anniversary of the Domain Name System (DNS), and I spent it at the National Science Foundation (NSF) reviewing proposals, several of which were for innovative DNS replacements of varying degrees of merit. In the rough-and-tumble world of the Internet, it's clear that several types of evolution are underway:

Cache poisoning
When you, the user, want to go to a Website, your browser asks a local DNS server for the address and other information about that site, and the local server may have to roam the Internet for the answer. DNS servers are so good at it that nobody ever notices that the DNS name space is really composed of more than 100 million separate patches.

That isn't an accident: The original design of the DNS worked very hard to allow unlimited distribution and caching to improve performance. Security against bad actors wasn't in the design -- just as the Wright brothers' first airplane didn't have reclining seats, bathrooms, or beverage carts. The critics of the time thought there was too much in the original DNS, rather than too little.

What this meant was that if you could create a passable forgery while a DNS server was waiting for an answer, it would be believed. Bad guys got to work. If you could watch what a DNS server sends, you knew exactly when it would believe a forgery, and you could copy the 16-bit ID field from the query into the fake response (the server only accepts a reply whose ID matches the query it sent). If you couldn't watch, you could guess when the server was going to need some information, or even ask it for that information yourself while bombarding it with forged responses carrying different IDs, hoping one would be believed before the real answer arrived. Servers with weak random-number generators were particularly predictable and hence vulnerable. But, essentially, the game was that the attacker got an infrequent opportunity to try an attack on a specific domain: once the real answer was cached, there was nothing to forge until its time-to-live expired.

When an attack succeeds, one can divert mail or Web surfers, steal passwords, and the like.

Dan Kaminsky changed the game early this year, by noticing that it was possible to make continuous, rather than infrequent, attacks against weak DNS implementations. Luckily, he's a good guy, so this resulted in a group of leading DNS software providers, including Nominum, Microsoft, and ISC, implementing whatever fixes they needed to resist the new attack. But now the idea is public, and you can be sure the bad guys are comparing the "before" and "after" open-source versions to figure out how the Kaminsky approach works.
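To put the mechanics described above into numbers, here is an added worked example; it is not code from the original post. It models only what the text states: a forged reply is believed if it reaches the server while the matching query is outstanding and carries that query's 16-bit ID, so an attacker who sends k distinct guesses per outstanding query wins each race with probability k/2^16, and what separates "infrequent" from "continuous" attacks is how often such a race can be started. The 32-bit case and the rate of 100 opportunities per second are assumptions, chosen to show what extra unpredictable bits buy and what an attacker who can trigger queries at will gains; the post does not say which fields the vendors' fixes randomised or how fast a real attacker can drive queries. The last function is a crude check for the "weak random-number generator" case: transaction IDs that advance by a constant step.

```python
"""Race model for off-path DNS cache poisoning, as described in the post.

Added worked example, not code from the original article. It models only
what the text states: a forged response is believed if it arrives while the
matching query is outstanding and carries that query's 16-bit ID.
entropy_bits above 16 is an assumption used to show what any additional
unpredictable query field buys; the post does not name the fields the
vendors' fixes randomised.
"""
from __future__ import annotations

import math
from typing import Iterable

ID_BITS = 16            # width of the DNS transaction ID field
TTL_ONE_DAY = 86_400    # seconds; one cache-expiry opportunity per day (assumed TTL)


def per_opportunity_success(forged: int, entropy_bits: int = ID_BITS) -> float:
    """P(one of `forged` distinct guesses matches the secret of one
    outstanding query). With distinct guesses this is forged / 2**bits."""
    if forged < 0 or entropy_bits < 1:
        raise ValueError("forged must be >= 0 and entropy_bits >= 1")
    return min(1.0, forged / (1 << entropy_bits))


def success_within(opportunities: int, forged: int,
                   entropy_bits: int = ID_BITS) -> float:
    """P(at least one accepted forgery across independent races)."""
    p = per_opportunity_success(forged, entropy_bits)
    return 1.0 - (1.0 - p) ** opportunities


def expected_seconds_to_poison(forged: int, opportunities_per_second: float,
                               entropy_bits: int = ID_BITS) -> float:
    """Expected wall-clock time until the first accepted forgery.

    opportunities_per_second is 1/TTL for the attacker who must wait for the
    cached answer to expire, or the query-trigger rate for an attacker who can
    start a fresh race whenever it wants (the 'continuous' case)."""
    p = per_opportunity_success(forged, entropy_bits)
    if p == 0:
        return math.inf
    return (1.0 / p) / opportunities_per_second


def ids_look_predictable(ids: Iterable[int]) -> bool:
    """Crude check for the 'weak random-number generator' case: True when
    the observed transaction IDs advance by one constant step (mod 2**16),
    which lets an attacker predict the next ID after seeing a few."""
    seq = list(ids)
    if len(seq) < 3:
        return False
    steps = {(b - a) % (1 << ID_BITS) for a, b in zip(seq, seq[1:])}
    return len(steps) == 1


def compare_attackers(forged: int = 100) -> dict[str, float]:
    """Put the post's 'infrequent vs continuous' contrast into seconds.
    100 races/second and 32 bits of entropy are illustrative assumptions."""
    return {
        "wait_for_ttl_16bit": expected_seconds_to_poison(forged, 1 / TTL_ONE_DAY),
        "continuous_16bit": expected_seconds_to_poison(forged, 100.0),
        "continuous_32bit": expected_seconds_to_poison(forged, 100.0, entropy_bits=32),
    }


if __name__ == "__main__":
    # Constructed sample IDs: the first list behaves like a counter, the second does not.
    counter_ids = [0x1A2B, 0x1A2C, 0x1A2D, 0x1A2E, 0x1A2F]
    random_ids = [0x9F31, 0x0C77, 0xE102, 0x5B8D, 0x2AA0]
    print("counter IDs predictable:", ids_look_predictable(counter_ids))
    print("random IDs predictable: ", ids_look_predictable(random_ids))
    for name, secs in compare_attackers().items():
        print(f"{name:>20}: {secs / 86_400:10.2f} days")
```

Run stand-alone, the comparison shows why the shift to continuous attacks matters more than any single guess: with 100 forged replies per race, an attacker limited to one race per TTL needs on the order of 650 days, one who can start a hundred races a second needs a few seconds, and adding 16 more unpredictable bits pushes that continuous attacker back to roughly five days under the same assumptions.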

What does this mean?

If you haven't updated your DNS code recently, you are vulnerable to the most effective cache poisoning attack ever. Before Kaminsky, DNS wasn't the strongest link in a user's security chain, but it was far from the weakest. This is still true if you are updated, but if not... watch out!

The DNS Security Extensions (DNSSEC) are the proposed long-term answer here: a signed response can be verified rather than believed on the strength of a matching ID. But after over a decade in the making, DNSSEC is still cumbersome to deploy.

ICANN
Once upon a time, ICANN thought that adding new top-level domains (TLDs) was too risky, despite advice from across the technical community that adding a few was safe. Oddly enough, adding new country codes was safe: one, two, ten, a hundred country codes, but still ICANN worried. Creating a new generic TLD (e.g., .biz, .cat) was a huge and expensive effort, but folks lined up to pay and own a chunk of cyberspace.

Next, we saw an ICANN RFP to get a contractor to write an RFP for ICANN for new TLDs (yes, an RFP to write an RFP). Now, one might think that if ICANN had any core competence, it should lie in managing the addition of new names, but the effort led nowhere.

Learning from the pattern of .com, ICANN realized that its budget would be enhanced if the six-figure cost of requesting a new TLD was just thrown open to those with six-figure checkbooks, regardless of merit. When you get paid by request, why limit requests?

Where will this lead?

Firstly, the consultants and marketeers are busy -- very busy. We'll see all kinds of new "marketectures" out there. If the expected tidal wave of new registrations materializes, ICANN will become the new OPEC for cyberspace oil.

But will all the governments, the U.N., and the like be able to resist staging a hostile takeover? Is it time to short .com, i.e., Verisign?

One thing is certain: The advertisers and marketeers are running TLD evolution now. It should be exciting.

— Paul Mockapetris, Inventor of the Domain Name System (DNS)

topstuff
Rank: Cave Painter
Wednesday August 13, 2008 10:50:41 AM
no ratings

Thank you so much for your reply, Paul. I will definitely think about and research the information you have provided, and would like to drop you an email in the near future regarding my final thesis proposal.

I can tell you, you have made my day/month/year with your reply :-)

Thanks

Sam
 

Paul Mockapetris
Thinkernetter
Sunday August 10, 2008 6:33:44 PM
no ratings

I think the answer to spam is not something that filters it out perfectly, but a tool that just prioritizes my incoming mail.

 I don't think the DNS is the culprit, but spammers do use any tactic they can, and DNS is in the mix.

Paul Mockapetris
Thinkernetter
Sunday August 10, 2008 6:29:59 PM
no ratings

The access problem has two parts:

The problem isn't so much getting access to the technology discussions, it's figuring out what's relevant and extracting the concepts.  So you start with the RFCs and IDs (produced by the IETF), and perhaps look at the mailing lists for DNSSec, Namedroppers, bind, etc.  The lists come and go and some are more relevant than others.  Try and make sure you aren't revisiting obsolete material unless you are researching history.

The politics are significant as well, and here there's a lot of "Cui Bono" that's necessary.  Anyway, you can go to ICANN and CircleID.com, and start out there.  There's a DNSSec.org as well.

As for what to work on, here are some thoughts I have, but never seem to have time to work on:

- Does the X.509 and SSL world provide ideas on how DNSSec should/will be organized and how the industry will evolve?

- As far as I can tell, every computer in the Internet has ideas of legitimate reasons for modifying DNS data in flight.  For example to kill gambling sites in ISP's DNSes, blacklists that increase surfing speed by clipping ads, etc, etc.  What's the right set of goals and policies for the real world?

- Wouldn't we be better off by just making DNSsec general and adding confidentiality, etc.?  How to adapt to the real world?

Drop me an email if you want to chat more.

topstuff
Rank: Cave Painter
Sunday August 10, 2008 1:37:00 PM
no ratings

Hi Paul!

I am undertaking a Masters in eForensics & Enterprise Security (Australia).

I have a couple of questions around focussing my research topic (DNS Security / General (lack-of) Internet Security).

1. How do I (public) get a view (as you mentioned) of DNS replacement proposals?

2. As a young masters student, any particular topic (around IT security domain) you would like to see some research on?!

Hope the above isn't too vague; any advice would be greatly appreciated.

Thanks

Sam

p.s. Thanks for DNS!!!!!!

Alfred.Portengen
Rank: Cave Painter
Thursday July 24, 2008 1:19:35 AM
no ratings
No, but it creates an attack vector to sustain the amount of spam-bots. (just an example). All sorts of nasties are possible here.
DontHateCuzImRIGHT
Rank: Cyborg
Friday July 11, 2008 11:40:03 AM
no ratings

Very interesting stuff! I saw the PC World article the other day:

DNS Hole Prompts Patching Effort by IT Vendors

...is this why the SPAM issue is so bad?
