
DNS Revolutions & Evolutions

Written by Paul Mockapetris
7/10/2008

June 23rd was the 25th anniversary of the Domain Name System (DNS), and I spent it at the National Science Foundation (NSF) reviewing proposals, several of which were for innovative DNS replacements of varying degrees of merit. In the rough-and-tumble world of the Internet, it's clear that several types of evolution are underway:

Cache poisoning
When you, the user, want to go to a Website, your browser asks a local DNS server for the address and other information about that site, and the local server may have to roam the Internet for the answer. DNS servers are so good at it that nobody ever notices that the DNS name space is really composed of more than 100 million separate patches.

That isn't an accident: The original design of the DNS worked very hard to allow unlimited distribution and caching to improve performance. Security against bad actors wasn't in the design -- just as the Wright brothers' first airplane didn't have reclining seats, bathrooms, or beverage carts. The critics of the time thought there was too much in the original DNS, rather than too little.

What this meant was that if you could create a passable forgery while a DNS server was waiting for an answer, it would be believed. Bad guys got to work. If you could watch what a DNS server sends, you knew when it would believe a forgery, as well as how to fill in the right 16-bit ID field in the fake response (it's copied from the query). If you couldn't, you could guess when the server was going to need some information, or even ask for it yourself just as you bombarded the server with forged responses, hoping one or another would be believed. Servers with weak random-number generators were particularly predictable and hence vulnerable. But, essentially, the game was that the attacker got only an infrequent opportunity to try an attack on a specific name: once the genuine answer was cached, the server sent no further query for that name until the record's time-to-live expired.

When an attack succeeds, one can divert mail or Web surfers, steal passwords, and the like.

Dan Kaminsky changed the game early this year by noticing that it was possible to make continuous, rather than infrequent, attacks against any resolver whose only defense was that 16-bit ID. Luckily, he's a good guy, so this resulted in a group of leading DNS software providers, like Nominum Inc., Microsoft Corp., and ISC, implementing the fixes they needed to resist the new attack, chiefly randomizing the UDP source port of every outgoing query so that a blind forger has to guess roughly 32 bits instead of 16. But now the patches are public, and you can be sure the bad guys are comparing the "before" and "after" open-source versions to figure out how the Kaminsky approach works.
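The two paragraphs above describe the same race under two sets of rules: the old attacker could try only when a cached answer expired, while Kaminsky's attacker asks for a fresh, never-cached random name under the victim zone on every attempt and rides the zone's NS record in on the forged reply's authority section, so that one win hijacks the whole zone. The toy simulation below, added here as an illustration and not taken from the post or from any real resolver, plays both games with and without source-port randomization. The zone name, the addresses, the port range, the TTL and the per-race budget of 500 forgeries are all assumptions chosen for the example.

```python
"""Toy model of DNS cache poisoning: the classic TTL-throttled race against one
name versus the Kaminsky-style race against a stream of fresh names, each run
with and without source-port randomization.  Constructed example; names and
addresses are RFC 2606 / RFC 5737 documentation values, not real hosts."""
import random
from dataclasses import dataclass, field

ZONE = "example.com."            # victim zone (assumed)
LEGIT_IP = "192.0.2.1"           # what the real authoritative server answers
EVIL_IP = "203.0.113.66"         # attacker-controlled server
TTL = 3600                       # lifetime of a cached answer, seconds (assumed)
TXID_SPACE = 1 << 16             # the DNS message ID is 16 bits
PORT_LO, PORT_HI = 1024, 65536   # assumed ephemeral source-port range
PORT_SPACE = PORT_HI - PORT_LO


def guess_space(randomize_port):
    """Distinct (txid, port) pairs a blind forger has to cover."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def forge_probability(forgeries, randomize_port):
    """Chance that one race with `forgeries` distinct guesses hits the query."""
    return min(1.0, forgeries / guess_space(randomize_port))


@dataclass
class ToyResolver:
    randomize_port: bool
    rng: random.Random
    now: int = 0
    cache: dict = field(default_factory=dict)   # key -> (rdata, expires_at)

    def lookup(self, key):
        hit = self.cache.get(key)
        return hit[0] if hit and hit[1] > self.now else None

    def new_query(self):
        """Identifiers carried by an outgoing query; a forgery must match both."""
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(PORT_LO, PORT_HI) if self.randomize_port else 53
        return txid, port

    def accept(self, qname, txid, port, resp):
        """Pre-DNSSEC acceptance: believe the reply if txid and port match.
        An in-bailiwick NS record in its authority section is cached as well
        and from then on steers every lookup under the zone."""
        if resp["txid"] != txid or resp["port"] != port:
            return False
        self.cache[qname] = (resp["answer"], self.now + TTL)
        auth = resp.get("authority")
        if auth and qname.endswith(auth["owner"]):      # bailiwick check
            self.cache[auth["owner"] + "/NS"] = (auth["ns_ip"], self.now + TTL)
        return True


def race(resolver, qname, forgeries, attacker):
    """One race: while `qname` is in flight the attacker fires `forgeries`
    distinct (txid, port) guesses, each with a poisoned authority section.
    Returns True if one was believed before the genuine answer arrived."""
    txid, port = resolver.new_query()
    space = guess_space(resolver.randomize_port)
    for g in attacker.sample(range(space), min(forgeries, space)):
        forged = {"txid": g % TXID_SPACE,
                  "port": PORT_LO + g // TXID_SPACE if resolver.randomize_port else 53,
                  "answer": EVIL_IP,
                  "authority": {"owner": ZONE, "ns_ip": EVIL_IP}}
        if resolver.accept(qname, txid, port, forged):
            return True
    # Attacker lost: the real answer arrives and is cached for TTL seconds.
    resolver.accept(qname, txid, port, {"txid": txid, "port": port, "answer": LEGIT_IP})
    return False


def classic_attack(randomize_port, forgeries, window, seed=1):
    """Pre-Kaminsky: a race only happens when the cached answer for the one
    target name expires, i.e. about window // TTL chances in `window` seconds."""
    attacker = random.Random(seed)
    resolver = ToyResolver(randomize_port, random.Random(seed + 1))
    target = "www." + ZONE
    races, first_hit = 0, None
    for t in range(0, window, 60):                  # attacker probes each minute
        resolver.now = t
        if resolver.lookup(target) is None:         # cache miss: a query goes out
            races += 1
            if race(resolver, target, forgeries, attacker) and first_hit is None:
                first_hit = t
    return {"races": races, "poisoned_at": first_hit}


def kaminsky_attack(randomize_port, forgeries, max_races, seed=1):
    """Every race asks for a fresh random name under the zone, so the cache can
    never short-circuit it and the TTL no longer throttles the attacker; the
    first win plants the forged NS record for the whole zone."""
    attacker = random.Random(seed)
    resolver = ToyResolver(randomize_port, random.Random(seed + 1))
    for n in range(1, max_races + 1):
        qname = f"{attacker.getrandbits(32):08x}." + ZONE   # guaranteed miss
        if race(resolver, qname, forgeries, attacker):
            return {"races": n, "zone_ns": resolver.lookup(ZONE + "/NS")}
    return {"races": max_races, "zone_ns": resolver.lookup(ZONE + "/NS")}


if __name__ == "__main__":
    for rp in (False, True):
        print("port randomization:", rp,
              "| p(race) = %.2e" % forge_probability(500, rp),
              "| classic:", classic_attack(rp, 500, 86400),
              "| kaminsky:", kaminsky_attack(rp, 500, 2000))
```

With a 16-bit ID only, each race with 500 guesses succeeds with probability 500/65536, so the classic attacker's 24 chances per day are a coin flip at best, while the Kaminsky attacker, who can run thousands of races back to back, is practically certain to plant the evil NS record within the first few hundred. Randomizing the source port multiplies the guess space by roughly 64,000, and the same budget of 2,000 races then almost never succeeds; that is the whole content of the patches that shipped in July 2008, and why it is a mitigation rather than a fix.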

What does this mean?

If you haven't updated your DNS code recently, you are vulnerable to the most effective cache poisoning attack ever. Before Kaminsky, DNS wasn't the strongest link in a user's security chain, but it was far from the weakest. That is still true if you are updated; if not... watch out!

The DNS Security Extensions (DNSSec) are proposed as the ultimate answer here, since a resolver can verify a signed answer instead of merely matching an ID and a port, but after over a decade in the making, they're still cumbersome to deploy.

ICANN
Once upon a time, ICANN thought that adding new top-level domains (TLDs) was too risky, despite the advice from all of the technical community that adding a few was safe. Oddly enough, adding new country codes was safe: one, two, ten, a hundred country codes, and still ICANN worried. Creating a new generic TLD (e.g., .biz, .cat) was a huge and expensive effort, but folks lined up to pay and own a chunk of cyberspace.

Next, we saw an ICANN RFP to get a contractor to write an RFP for ICANN for new TLDs (yes, an RFP to write an RFP). Now, one might think that if ICANN had any core competence, it should lie in managing the addition of new names, but the effort led nowhere.

Learning from the pattern of .com, ICANN realized that its budget would be enhanced if the six-figure cost of requesting a new TLD was just thrown open to those with six-figure checkbooks, regardless of merit. When you get paid by request, why limit requests?

Where will this lead?

Firstly, the consultants and marketeers are busy -- very busy. We'll see all kinds of new "marketectures" out there. If the expected tidal wave of new registrations materializes, ICANN will become the new OPEC for cyberspace oil.

But will all the governments, the U.N., and the like be able to resist staging a hostile takeover? Is it time to short .com, i.e., Verisign?

One thing is certain: The advertisers and marketeers are running TLD evolution now. It should be exciting.

— Paul Mockapetris, Inventor of the Domain Name System (DNS)

Channel: Enterprise IT, Security
Tags: Blogs, IP
topstuff
Wednesday August 13, 2008 10:50:41 AM

Thank you so much for your reply Paul, I will definitely think about & research the information you have provided, and would like to drop you an email in the near future regarding my final thesis proposal.

I can tell you, you have made my day/month/year with your reply :-)

Thanks

Sam

Paul Mockapetris
Sunday August 10, 2008 6:33:44 PM

I think the answer to spam is not something that filters it out perfectly, but a tool that just prioritizes my incoming mail.

I don't think the DNS is the culprit, but spammers do use any tactic they can, and DNS is in the mix.

Paul Mockapetris
Sunday August 10, 2008 6:29:59 PM

The access problem has two parts:

The problem isn't so much getting access to the technology discussions, it's figuring out what's relevant and extracting the concepts. So you start with the RFCs and IDs (produced by the IETF), and perhaps look at the mailing lists for DNSSec, Namedroppers, bind, etc. The lists come and go and some are more relevant than others. Try and make sure you aren't revisiting obsolete material unless you are researching history.

The politics are significant as well, and here there's a lot of "Cui Bono" that's necessary.  Anyway, you can go to ICANN and CircleID.com, and start out there.  There's a DNSSec.org as well.

As for what to work on, here's some thoughts I have, but never seem to have time to work on:

- Does the X.509 and SSL world provide ideas on how DNSSec should/will be organized and how the industry will evolve?

- As far as I can tell, every computer in the Internet has ideas of legitimate reasons for modifying DNS data in flight. For example, to kill gambling sites in ISPs' DNSes, blacklists that increase surfing speed by clipping ads, etc., etc. What's the right set of goals and policies for the real world?

- Wouldn't we be better off by just making DNSSec general and adding confidentiality, etc.? How to adapt to the real world.

Drop me an email if you want to chat more.

topstuff
Sunday August 10, 2008 1:37:00 PM

Hi Paul!

I am undertaking a Masters in eForensics & Enterprise Security (Australia).

I have a couple of questions around focussing my research topic (DNS Security / General (lack-of) Internet Security).

1. How do I (public) get a view (as you mentioned) of DNS replacement proposals?

2. As a young masters student, any particular topic (around IT security domain) you would like to see some research on?!

Hope the above isn't too vague, any advice would be greatly appreciated.


Thanks

Sam

p.s. Thanks for DNS!!!!!!

Alfred.Portengen
Thursday July 24, 2008 1:19:35 AM
No, but it creates an attack vector to sustain the amount of spam-bots. (just an example). All sorts of nasties are possible here.
DontHateCuzImRIGHT
Friday July 11, 2008 11:40:03 AM

Very interesting stuff! I saw the PC World article the other day:

DNS Hole Prompts Patching Effort by IT Vendors

...is this why the SPAM issue is so bad?

Paul Mockapetris
Having spent several years as a researcher at the University of Southern California and the University of California at Irvine, I can appreciate the research community’s outlook on where the Internet is headed.