DNSSEC Reference

CircleID has a comprehensive article on DNSSEC (The DNS Security Extensions): “A Fundamental Look at DNSSEC, Deployment, and DNS Security Extensions” that is worth reading.


Fun With Anycast (An Oldie But A Goodie)

From Three Practical Ways to Improve Your Network by Kevin Miller.

I never got a chance to try this (specifically the Anycast'd DNS Services) at my old job at a network service provider.

The network infrastructure lead was kind of an asshole. He didn’t want to do a DNS upgrade project, but he didn’t want me to either.

After three thwarted attempts I gave up.

My understanding is the non-anycast parts of the projects (earlier phases) are taking place now (involving the very cool DNS Management software from Men and Mice). My current employer needs a DNS tuneup, so maybe I will get a second try at this.

Other Links: 1, 2, 3, 4

Old Article – Whither DNS?

From CircleID – Whither DNS?

But the most notable thing about DNS is its receding importance.

and then

Firstly, we’re spending more and more time finding things via search. I bookmark things much less than I used to. I don’t type domain names in very often. The standard approach is to Google the approximately right term. If the Google link was a hard-wired IP address or some other naming/indirection system, nobody would really care. AOLers have been bypassing DNS with keywords for years.

DNS is also getting stiff competition from other namespaces. We don’t use DNS to locate people; increasingly we use handles from private IM services like MSN, Skype, AOL, etc.

We don’t use DNS to locate ideas. We’ve gone tag-mad instead.

We don’t use DNS to locate places. We just cut’n’paste the URL from Google Maps or Mapquest.

The author seems to be making the mistake of thinking that the usefulness of applications like Skype, Google, and MapQuest implies that DNS (part of the internet infrastructure along with communications networks, shared standards, routing protocols, etc.) is not important.

IP is built on layers. Higher layer applications depend upon the proper functioning of the lower layers. This is something the author seems to have forgotten.

The production of good quality peanuts is still important even though there are many brands of peanut butter to choose from.

Moving Closer to Real-World DNSSEC Implementations for DNS

SecuriTeam Blog reports that the ISC (which maintains BIND, a common DNS implementation) is setting up a registry called DLV (DNSSEC Lookaside Validation) to allow DNSSEC to be rolled out now, without waiting for the root and TLD zones to be signed. This would certainly help with cache poisoning. I wonder how quickly organizations will make use of this.

DNS is not very sexy and generally does not get much attention in organizations – as long as it works!

A Survey of DNS Security: Most Vulnerable and Valuable Assets

Via digg:

"It is well-known that nameservers in the Domain Name System are vulnerable to a wide range of attacks. We recently performed a large scale survey to answer some basic questions about the legacy DNS"


The article approached DNS security from an interesting point of view. It considered the total number of DNS servers involved in resolving a query to get a sense of the scope: not just the nameservers for the zone being looked up, but the nameservers that serve the zones of those nameservers, and so on.

While an organization might use DNS best practices to correctly configure its own immediate DNS servers, that is not sufficient, because a query for its names also depends on every server in that chain.
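To make the survey's point concrete, here is an added example (not code from the original post or from the survey it links) that computes the transitive set of nameservers a single name depends on. The delegation data is constructed under the reserved `.test` TLD; the zone and server names are assumptions for illustration only.

```python
"""Transitive nameserver dependencies for a DNS name.

Added illustration, not part of the original post. The delegation map is
constructed: a pretend root, a pretend TLD "test.", an organisation zone
"bank.test." and two outsourced DNS providers it indirectly relies on.
"""
from collections import deque

# constructed delegation map: zone apex -> NS hostnames (all with trailing dot)
NS_RECORDS = {
    ".": ["ns.root.test."],
    "test.": ["ns.tld.test."],
    "root.test.": ["ns.root.test."],
    "tld.test.": ["ns.tld.test."],
    # the organisation runs one server itself and rents a second one
    "bank.test.": ["ns1.bank.test.", "ns.hoster.test."],
    # the hoster in turn outsources part of its own DNS
    "hoster.test.": ["ns1.hoster.test.", "ns.outsourcer.test."],
    "outsourcer.test.": ["ns.outsourcer.test."],
}


def fqdn(name: str) -> str:
    """Normalise to a fully qualified name with a trailing dot."""
    return name if name.endswith(".") else name + "."


def zones_for(name: str) -> list:
    """Every zone in NS_RECORDS on the delegation path to `name` (root included)."""
    name = fqdn(name)
    return [z for z in NS_RECORDS
            if z == "." or name == z or name.endswith("." + z)]


def direct_nameservers(name: str) -> set:
    """Nameservers a resolver contacts walking root -> TLD -> zone for `name`."""
    servers = set()
    for zone in zones_for(name):
        servers.update(NS_RECORDS[zone])
    return servers


def transitive_nameservers(name: str) -> set:
    """Closure of direct_nameservers: each nameserver hostname must itself be
    resolved, which drags in the nameservers of *its* zones, and so on."""
    seen, visited, queue = set(), set(), deque([fqdn(name)])
    while queue:
        current = queue.popleft()
        if current in visited:
            continue
        visited.add(current)
        for ns in direct_nameservers(current):
            if ns not in seen:
                seen.add(ns)
                queue.append(ns)   # this server's own name needs resolving too
    return seen


def outside_control(name: str, owned_zone: str) -> set:
    """Servers in the transitive set that are NOT under the organisation's zone,
    i.e. the part of the attack surface its own DNS hygiene cannot fix."""
    suffix = "." + fqdn(owned_zone)
    return {ns for ns in transitive_nameservers(name) if not ns.endswith(suffix)}


if __name__ == "__main__":
    target = "www.bank.test"
    print("direct:    ", sorted(direct_nameservers(target)))
    print("transitive:", sorted(transitive_nameservers(target)))
    print("outside bank.test:", sorted(outside_control(target, "bank.test")))
```

For `www.bank.test` the walk root, TLD, zone touches four servers, but the full dependency set is six, and only one of the six (`ns1.bank.test.`) is something the organisation configures itself. Compromise or misconfiguration of any of the other five still hijacks the name, which is exactly why tidying your own servers is necessary but not sufficient.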

Maybe it is time to consider an alternative Simple Internet Name Service (SINS). It might be a good idea for the National Science Foundation to kickstart the idea by announcing a contest with prizes for the top three results. The body of submissions would make a nice starting point for a future SINS.

DNS DDOS Mitigation Update

I posted on the DNS DDOS attacks here and here.

I realize I left out one of the prudent steps all organizations should enforce as part of their Network Security Policy:

  • Only allow your internal clients to talk to your own DNS servers. This negates the situation where they are bot'd and used as part of a DNS DDOS.
  • If you have IT support people who may need to do direct DNS queries against other DNS servers on the internet as part of a troubleshooting function, either only allow them explicitly, or set up a test/support machine that allows unfettered DNS queries (but requires explicit access authorization).
  • Audit this policy and exceptions to it on a semi-annual basis.
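The policy above is easy to state and easy to let drift. The following is an added example (not from the original post) of the audit step: it runs a constructed batch of flow records against the egress rule and reports every internal client that sent DNS anywhere other than the organisation's own resolvers. The resolver addresses, the internal address range and the support-host exception are assumptions for illustration.

```python
"""Audit outbound DNS flows against an egress policy.

Added illustration, not part of the original post. Flow records, resolver
addresses and the support-host exception are all constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")            # assumed internal address space
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}    # assumed org resolvers
DNS_EXCEPTION_HOSTS = {"10.0.9.10"}                # assumed support box with explicit authorization


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow_line(line: str) -> Flow:
    """Constructed log format: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def is_dns(flow: Flow) -> bool:
    return flow.dport == 53 and flow.proto in ("udp", "tcp")


def dns_policy_violations(flows) -> list:
    """Flows where an internal client talks DNS to anything other than the
    organisation's resolvers, unless the client is an approved exception.
    The resolvers themselves must reach the internet, so they are exempt."""
    violations = []
    for f in flows:
        if not is_dns(f):
            continue
        if ip_address(f.src) not in INTERNAL_NET:
            continue
        if f.src in INTERNAL_RESOLVERS or f.src in DNS_EXCEPTION_HOSTS:
            continue
        if f.dst in INTERNAL_RESOLVERS:
            continue
        violations.append(f)
    return violations


# constructed flow records: one compliant client, two policy breaches, the
# support box using its exception, a resolver doing its job, and non-DNS noise
SAMPLE_FLOWS = """\
10.0.5.21 10.0.0.53 udp 53
10.0.5.22 203.0.113.8 udp 53
10.0.9.10 203.0.113.8 udp 53
10.0.0.53 198.51.100.4 udp 53
10.0.5.23 203.0.113.7 tcp 53
10.0.5.24 203.0.113.7 tcp 443
"""


def audit(text: str = SAMPLE_FLOWS) -> list:
    flows = [parse_flow_line(l) for l in text.splitlines() if l.strip()]
    return dns_policy_violations(flows)


if __name__ == "__main__":
    for v in audit():
        print(f"VIOLATION: {v.src} -> {v.dst}:{v.dport}/{v.proto}")
```

Run against real NetFlow or firewall logs, each reported source is either a misconfigured client, a forgotten exception that should be in the allowlist (or removed), or a host worth looking at more closely; the semi-annual audit is just this report plus a review of the exception set.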

Also, via DIGG, here is an additional article on DNS DDOS.

DNS DDOS attack with Splainy Diagrams

A few days ago, I posted on the recent DNS based DDOS attacks going on.

Nirlog goes all splainy and shows how the attack happens with nicely done graphics.