What DNS is Not [0]
Transcript of What DNS is Not
Kylie Brown, Jordan Eberst, Danielle Franz, Drew Hanson, Dennis Kilgore,
Charles Newton, Lindsay Romano, Lisa Soros
[0] Paul Vixie. 2009. What DNS Is Not. ACM Queue, volume 7, issue 10. http://doi.acm.org/10.1145/1647300.1647302
DNS: An Overview
• Companion Paper
o DNS Complexity. Published in ACM Queue, Volume 5, Issue 3, April 2007.
o http://eustis.eecs.ucf.edu/~ch552141/p24-vixie.pdf
DNS: An Overview
• GIANT Database
• DNS translates a domain name into an IP address.
• Why is this hard?
o Billions of IP addresses in use
o Billions of daily DNS requests
o Constantly changing
• Human Convenience
How Does DNS Work?
• Example: www.facebook.com
• Your web browser needs the IP address for this name.
o It is cached if you have visited recently.
• If it is not cached, a search begins.
• The search starts at the root name servers. The root servers refer the resolver to the .COM name servers.
• The .COM name servers are asked for the IP addresses of the Facebook name servers.
• The Facebook name servers are asked for the IP address of www.facebook.com.
• The web browser caches the IP address.
What DNS is Not: Overview
• Misuses of DNS
o DNS is not a routing protocol
o DNS is not a tool to monetize typos
o DNS is not a directory system
• This paper discusses the properties that allow DNS to be misused, the common practices of misuse, and the consequences of misuse.
Stupid DNS Tricks
DNS is not a routing protocol
• Content Distribution Networks (CDNs) often use DNS queries as an opportunity to route user requests.
o E.g., Akamai, Cisco DistributedDirector
• Users are routed to an appropriate content server based on their geographic / network proximity and on content server load.
• Problems
o This scheme requires limiting caching (i.e., low TTLs) and therefore increases load on the DNS infrastructure.
o Most end users use their ISP's recursive name servers, so the authoritative server sees the resolver's address rather than the user's. This hides the user's original location and decreases the accuracy of DNS-based routing.
NXDOMAIN Remapping
Expected causes of NXDOMAIN:
• Typo (e.g., www.goglee.com)
• Broken link
• Hardware or software error
What should happen:
• The browser catches the bad domain name and shows an error page.
• E-mail to a nonexistent domain is returned as a bounced e-mail.
What you should see: (slide image: Googler.com)
What you usually see: (slide image: Bestbuyt.com)
Many major ISPs' DNS servers (e.g., Comcast) and some public DNS servers (e.g., OpenDNS) redirect users to these spammy search pages.
VeriSign example (2006):
• Added a wildcard record at the top of the .com zone.
• This prevented NXDOMAIN responses: any nonexistent .com domain, regardless of which DNS servers the user used, was redirected to the SiteFinder website.
A Growing Problem
NXDOMAIN is important. Some things depend on accurate negative results.
1. Web security
o Many sites, like Google, use wildcard cookies so users can maintain sessions across subdomains (Google Docs, Google Sites, etc.).
o If sdfgaj.google.com. is redirected to a search page, web browsers will send the user's cookies to that page.
o In 2008, Dan Kaminsky found a cross-site scripting vulnerability in Earthlink's search page.
o Earthlink customers were vulnerable to HTML or JavaScript injection on arbitrary domain names because of NXDOMAIN hijacking.
2. E-mail (SMTP)
o If an MX (mail exchange) lookup returns no results, an SMTP server falls back to a standard A record lookup [1].
o These DNS requests are indistinguishable from, say, a web browser's requests, so the request is redirected to the search page.
o The SMTP server will then attempt to send e-mail to the wrong IP address.
[1] See RFC 5321, section 5.1.
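Added example (not from the slides or from Vixie's paper): a Python model of the RFC 5321 section 5.1 fallback, run against an honest resolver and against one that rewrites NXDOMAIN into a search-page address, plus the probe a defender can use to detect such rewriting: resolve a random label that cannot exist and see whether an answer comes back. The zone data, the IP addresses and the function names are all constructed for the example.

```python
import secrets

# Constructed sample zone (not real records): only these names exist.
ZONE = {
    "example.com.": {"MX": ["mail.example.com."], "A": ["192.0.2.10"]},
    "mail.example.com.": {"A": ["192.0.2.25"]},
    "nomx.example.com.": {"A": ["192.0.2.30"]},  # host with an A record but no MX
}
SEARCH_PAGE_IP = "198.51.100.1"  # constructed address of an ISP "search page"


class NXDOMAIN(Exception):
    """Raised by an honest resolver when the name does not exist."""


def honest_resolve(name, rrtype):
    rrset = ZONE.get(name.lower())
    if rrset is None:
        raise NXDOMAIN(name)
    return rrset.get(rrtype, [])  # empty list = name exists, no such record


def remapping_resolve(name, rrtype):
    """Models an ISP resolver that replaces NXDOMAIN with a search-page A record."""
    try:
        return honest_resolve(name, rrtype)
    except NXDOMAIN:
        return [SEARCH_PAGE_IP] if rrtype == "A" else []


def smtp_target(domain, resolve):
    """RFC 5321 s5.1: use the MX records; if there are none, fall back to an A lookup.
    Returns the IP to deliver to, or None when delivery must fail (NXDOMAIN)."""
    try:
        mx_hosts = resolve(domain, "MX")
        host = mx_hosts[0] if mx_hosts else domain  # implicit MX is the domain itself
        addrs = resolve(host, "A")
    except NXDOMAIN:
        return None
    return addrs[0] if addrs else None


def nxdomain_is_remapped(resolve, parent="example.com."):
    """Defender's probe: a random label under a real zone cannot exist, so any
    A answer for it means the resolver is rewriting negative responses."""
    probe = f"probe-{secrets.token_hex(8)}.{parent}"
    try:
        return bool(resolve(probe, "A"))
    except NXDOMAIN:
        return False
```

With the honest resolver, mail for a mistyped domain fails as it should; with the remapping resolver the same message is handed to the search-page address.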
Standard Bad Practices
In 2009, there was an effort by national cable companies to standardize DNS redirection services [2].
The draft standard outlines an opt-out DNS redirect search engine / malware filter and a "Legally-Mandated DNS Redirect Domain List" for "illegal domains."
[2] "Recommended Configuration and Use of DNS Redirect by Service Providers", http://tools.ietf.org/html/draft-livingood-dns-redirect-00
Solution: DNSSEC
A Rescue Being Thought of
DNSSEC is a set of protocol enhancements for DNS. It allows zone data to be signed by the zone editors with their private keys and verified by resolvers using public-key cryptography. All query responses, including NXDOMAIN, are signed. This prevents man-in-the-middle attacks. But, right now, most resolvers are configured to accept unsigned responses. DNSSEC needs wider adoption.
DNSSEC won't prevent CDNs' DNS-based routing schemes, since it is possible to have a collection of signed, authoritative responses, each of which validates.
Directory Services
Some web browsers attempt to auto-complete DNS queries as the user types in the URL bar. If a user types "www.cnn.com", the browser may look up each partial name along the way:
• www.cn -> .cn is the ccTLD for China, so this is a valid domain.
• www.cnn.co -> .co is the ccTLD for Colombia, so this is a valid domain too.
This causes unnecessary traffic to the www.cn and cnn.co name servers. Domain names are written least-significant label first, which is not an ideal format for these directory lookups; a reversed form such as .com.cnn.www would be.