DNS Revolutions & Evolutions

Written by Paul Mockapetris
7/10/2008 6 comments

June 23rd was the 25th anniversary of the Domain Name System (DNS), and I spent it at the National Science Foundation (NSF) reviewing proposals, several of which were for innovative DNS replacements of varying degrees of merit. In the rough-and-tumble world of the Internet, it's clear that several types of evolution are underway:

Cache poisoning
When you, the user, want to go to a Website, your browser asks a local DNS server for the address and other information about that site, and the local server may have to roam the Internet for the answer. DNS servers are so good at it that nobody ever notices that the DNS name space is really composed of more than 100 million separate patches.

That isn't an accident: The original design of the DNS worked very hard to allow unlimited distribution and caching to improve performance. Security against bad actors wasn't in the design -- just as the Wright brothers' first airplane didn't have reclining seats, bathrooms, or beverage carts. The critics of the time thought there was too much in the original DNS, rather than too little.

What this meant was that if you could create a passable forgery while a DNS server was waiting for an answer, it would be believed. Bad guys got to work. If you could watch what a DNS server sends, you knew when it would believe a forgery, as well as how to put the right 16-bit ID field in the fake response (it's copied from the query). If you couldn't watch, you could guess when the server was going to need some information, or simply ask for it yourself just as you bombarded the server with forged responses, hoping one of them would carry the right ID and arrive before the genuine answer. Servers with weak random-number generators were particularly predictable and hence vulnerable. But, essentially, the game was that the attacker got an infrequent opportunity to try an attack on a specific name: once a genuine answer was cached, there was nothing to race until it expired.

When an attack succeeds, one can divert mail or Web surfers, steal passwords, and the like.

Dan Kaminsky changed the game early this year, by noticing that it was possible to make continuous, rather than infrequent, attacks against weak DNS implementations: instead of waiting for a cached name to expire, the attacker asks for a name nobody has ever looked up (a random label under the target domain), races forged replies for that, and repeats with a new name immediately, while the forged reply carries name-server records for the domain that replace the resolver's idea of who is authoritative for the whole thing. Luckily, he's a good guy, so this resulted in a group of leading DNS software providers, including Nominum, Microsoft, and ISC, coordinating fixes (chiefly randomizing the UDP source port of outgoing queries, so that an attacker has to guess the port as well as the ID). But now the idea is public, and you can be sure the bad guys are comparing the "before" and "after" open-source versions to figure out how the Kaminsky approach works.
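To make the arithmetic behind "infrequent" versus "continuous" concrete, here is a small Python model, added here as an illustration rather than code from the original post or from any real resolver. It sends no packets: it models only the acceptance check a resolver of the day made (transaction ID, plus UDP source port once that was randomized), races forged replies against it, and caches whatever in-domain records an accepted reply carries. The victim zone, the addresses, the forgery count per round, and the TTL and round-trip figures are assumptions chosen for illustration.

```python
# Toy model of the blind cache-poisoning race (constructed example; sends no
# packets).  The resolver accepts a reply only if the transaction ID, and the
# UDP port when randomized, match its outstanding query.  The victim zone,
# addresses, forgery counts, TTL and RTT figures below are assumptions.
import random

ID_BITS = 16          # width of the DNS header ID field
PORT_BITS = 16        # width of the UDP source port
ZONE = "example.com"  # hypothetical victim zone


class ToyResolver:
    """Caching resolver; randomize_port=True models the 2008 fix."""

    def __init__(self, rng, randomize_port):
        self.rng = rng
        self.randomize_port = randomize_port
        self.cache = {}        # (name, rtype) -> value
        self.outstanding = {}  # qname -> (txid, src_port)

    def lookup(self, qname):
        """Return the cached A record, or send a query and return None."""
        if (qname, "A") in self.cache:
            return self.cache[(qname, "A")]
        txid = self.rng.getrandbits(ID_BITS)
        port = self.rng.getrandbits(PORT_BITS) if self.randomize_port else 53
        self.outstanding[qname] = (txid, port)
        return None

    def receive(self, qname, txid, dst_port, records):
        """Accept a reply only if ID and port match an outstanding query.
        Every record in an accepted reply that lies within ZONE is cached,
        which is how a reply for a throwaway name can replace the NS record
        for the whole zone."""
        if self.outstanding.get(qname) != (txid, dst_port):
            return False
        del self.outstanding[qname]
        for (name, rtype), value in records.items():
            if name == ZONE or name.endswith("." + ZONE):
                self.cache[(name, rtype)] = value
        return True


def poison_round(resolver, qname, attacker, forgeries):
    """One race: trigger a query for qname, spray forged replies, then let
    the genuine reply land.  Returns True if a forgery was accepted."""
    if resolver.lookup(qname) is not None:
        return False  # already cached: no query goes out, nothing to race
    forged = {(qname, "A"): "192.0.2.66", (ZONE, "NS"): "ns.attacker.example"}
    for _ in range(forgeries):
        txid = attacker.getrandbits(ID_BITS)
        port = attacker.getrandbits(PORT_BITS) if resolver.randomize_port else 53
        if resolver.receive(qname, txid, port, forged):
            return True
    txid, port = resolver.outstanding[qname]  # the real server knows both
    resolver.receive(qname, txid, port, {(qname, "A"): "192.0.2.1"})
    return False


def run_attack(randomize_port, forgeries, kaminsky, max_rounds, seed=7):
    """Race until poisoned.  Returns (rounds, resolver); rounds is None on
    failure.  Classic: the same name is re-raced, so a round costs one TTL
    expiry.  Kaminsky: a fresh never-cached name each round, back to back."""
    attacker = random.Random(seed)
    resolver = ToyResolver(random.Random(seed + 1), randomize_port)
    for rounds in range(1, max_rounds + 1):
        if kaminsky:
            qname = f"{attacker.getrandbits(32):08x}.{ZONE}"
        else:
            qname = "www." + ZONE
            resolver.cache.pop((qname, "A"), None)  # TTL has expired
        if poison_round(resolver, qname, attacker, forgeries):
            return rounds, resolver
    return None, resolver


def success_probability(forgeries, randomize_port):
    """Chance that one round succeeds: 1 - (1 - 1/space) ** forgeries."""
    space = 1 << (ID_BITS + (PORT_BITS if randomize_port else 0))
    return 1 - (1 - 1 / space) ** forgeries


def expected_seconds(randomize_port, forgeries, kaminsky, ttl=3600.0, rtt=0.05):
    """Expected wall-clock time: rounds needed times the cost of a round."""
    rounds = 1 / success_probability(forgeries, randomize_port)
    return rounds * (rtt if kaminsky else ttl)


if __name__ == "__main__":
    for label, args in [("classic, ID only", (False, 200, False)),
                        ("Kaminsky, ID only", (False, 200, True)),
                        ("Kaminsky, ID + port", (True, 200, True))]:
        print(f"{label}: {expected_seconds(*args):.0f} s expected")
    rounds, res = run_attack(False, 200, True, 50000)
    print("simulated rounds to poison with ID only:", rounds,
          "| NS now:", res.cache[(ZONE, "NS")])
```

With 200 forgeries per race against a 16-bit ID, a round succeeds about 0.3% of the time, so roughly 330 rounds are needed either way; the difference is that the classic attacker pays an hour-long TTL per round (weeks) while the Kaminsky attacker pays a round trip per round (seconds), and the NS record in the accepted forgery means the throwaway name was never the point. Adding 16 bits of port entropy multiplies the rounds needed by 65,536, which is why port randomization was the emergency fix, and why it is a mitigation rather than a cure.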

What does this mean?

If you haven't updated your DNS code recently, you are vulnerable to the most effective cache poisoning attack ever. Before Kaminsky, DNS wasn't the strongest link in a user's security chain, but it was far from the weakest. This is still true if you are updated, but if not... watch out!

The DNS Security Extensions (DNSSEC) are proposed as the ultimate answer here, since a signed answer can be validated rather than merely matched on ID and port, but after over a decade in the making, they're still cumbersome to deploy.

ICANN
Once upon a time, ICANN thought that adding new top-level domains (TLDs) was too risky, despite the advice from all of the technical community that adding a few was safe. Oddly enough, adding new country codes was safe. One, two, ten, a hundred country codes, but still ICANN worried. Creating a new generic TLD (e.g., .biz, .cat) was a huge effort and expensive, but folks lined up to pay and own a chunk of cyberspace.

Next, we saw an ICANN RFP to get a contractor to write an RFP for ICANN for new TLDs (yes, an RFP to write an RFP). Now, one might think that if ICANN had any core competence, it should lie in managing the addition of new names, but the effort led nowhere.

Learning from the pattern of .com, ICANN realized that its budget would be enhanced if the six-figure cost of requesting a new TLD was just thrown open to those with six-figure checkbooks, regardless of merit. When you get paid by request, why limit requests?

Where will this lead?

Firstly, the consultants and marketeers are busy -- very busy. We'll see all kinds of new "marketectures" out there. If the expected tidal wave of new registrations materializes, ICANN will become the new OPEC for cyberspace oil.

But will all the governments, the U.N., and the like be able to resist staging a hostile takeover? Is it time to short .com, i.e., Verisign?

One thing is certain: The advertisers and marketeers are running TLD evolution now. It should be exciting.

— Paul Mockapetris, Inventor of the Domain Name System (DNS)

topstuff
Wednesday August 13, 2008 10:50:41 AM

Thank you so much for your reply Paul, I will definitely think about & research the information you have provided, and would like to drop you an email in the near future regarding my final thesis proposal.

I can tell you, you have made my day/month/year with your reply :-)

Thanks

Sam

Paul Mockapetris
Sunday August 10, 2008 6:33:44 PM

I think the answer to spam is not something that filters it out perfectly, but a tool that just prioritizes my incoming mail.

I don't think the DNS is the culprit, but spammers do use any tactic they can, and DNS is in the mix.

Paul Mockapetris
Sunday August 10, 2008 6:29:59 PM

The access problem has two parts:

The problem isn't so much getting access to the technology discussions, it's figuring out what's relevant and extracting the concepts.  So you start with the RFCs and IDs (produced by the IETF), and perhaps look at the mailing lists for DNSSec, Namedroppers, bind, etc.  The lists come and go and some are more relevant than others.  Try and make sure you aren't revisiting obsolete material unless you are researching history.

The politics are significant as well, and here there's a lot of "Cui Bono" that's necessary.  Anyway, you can go to ICANN and CircleID.com, and start out there.  There's a DNSSec.org as well.

As for what to work on, here's some thoughts I have, but never seem to have time to work on:

- Does the X.509 and SSL world provide ideas on how DNSSec should/will be organized and how the industry will evolve?

- As far as I can tell, every computer in the Internet has ideas of legitimate reasons for modifying DNS data in flight.  For example to kill gambling sites in ISP's DNSes, blacklists that increase surfing speed by clipping ads, etc, etc.  What's the right set of goals and policies for the real world?

- Wouldn't we be better off by just making DNSSec general and adding confidentiality, etc?  How to adapt to the real world.

Drop me an email if you want to chat more.

topstuff
Sunday August 10, 2008 1:37:00 PM

Hi Paul!

I am undertaking a Masters in eForensics & Enterprise security (Australia).

I have a couple of questions around focussing my research topic (DNS Security / General (lack-of) Internet Security).

1. How do I (public) get a view (as you mentioned) of DNS replacement proposals?

2. As a young masters student, any particular topic (around IT security domain) you would like to see some research on?!

Hope the above isn't too vague, any advice would be greatly appreciated.

Thanks

Sam

p.s. Thanks for DNS!!!!!!

Alfred.Portengen
Thursday July 24, 2008 1:19:35 AM

No, but it creates an attack vector to sustain the amount of spam-bots. (just an example). All sorts of nasties are possible here.
DontHateCuzImRIGHT
Friday July 11, 2008 11:40:03 AM

Very Interesting stuff! I saw the PC World article the other day:

DNS Hole Prompts Patching Effort by IT Vendors

...is this why the SPAM issue is so bad?

Paul Mockapetris
Having spent several years as a researcher at the University of Southern California and the University of California at Irvine, I can appreciate the research community’s outlook on where the Internet is headed.