DNSSEC Reference

CircleID has a comprehensive article on DNSSEC (The DNS Security Extensions): “A Fundamental Look at DNSSEC, Deployment, and DNS Security Extensions” that is worth reading.

Fun With Anycast (An Oldie But A Goodie)

From Three Practical Ways to Improve Your Network by Kevin Miller.

I never got a chance to try this (specifically the Anycast‘d DNS Services) at my old job at a network service provider.

The network infrastructure lead was kind of an asshole. He didn’t want to do a DNS upgrade project, but he didn’t want me to either.

After three thwarted attempts I gave up.

My understanding is the non-anycast parts of the projects (earlier phases) are taking place now (involving the very cool DNS Management software from Men and Mice). My current employer needs a DNS tuneup, so maybe I will get a second try at this.

Other Links: 1, 2, 3, 4

Old Article – Whither DNS?

From CicleID – Whither DNS?

But the most notable thing about DNS is its receding importance.

and then

Firstly, we’re spending more and more time finding things via search. I bookmark things much less than I used to. I don’t type domain names in very often. The standard approach is to Google the approximately right term. If the Google link was a hard-wired IP address or some other naming/indirection system, nobody would really care. AOLers have been bypassing DNS with keywords for years.

DNS is also getting stiff competition from other namespaces. We don’t use DNS to locate people; increasingly we use handles from private IM services like MSN, Skype, AOL, etc.

We don’t use DNS to locate ideas. We’ve gone tag-mad instead.

We don’t use DNS to locate places. We just cut’n’paste the URL from Google Maps or Mapquest.

The author seems to be making the mistake thinking that the usefulness of applications like Skye, Google, and MapQuest implies that DNS (part of the internet infrastructure along with communications networks, shared standards, routing protocols, etc.) is not important.

IP is built on layers. Higher layer applications depend upon proper functioning of lower layer application. This is something the author seems to have forgotten about.

The production of good quality peanuts is still important even though there are many brands of peanut butter to choose from.

Moving Closer to Real-World DNSSEC Implementations for DNS

SecuriTeam Blog reports that the ISC (which maintains BIND, a common DNS implementation), is setting up Registry called DLV to allow DNSEC to be rolled out now (not waiting for a Root and TLD servers getting signed).This would certainly hope with cache poisoning. I wonder how quickly organizations will make use of this.

DNS is not very sexy and generally does not get much attention in organizations – as long as it works!

A Survey of DNS Security: Most Vulnerable and Valuable Assets

Via digg:

"It is well-known that nameservers in the Domain Name System are vulnerable to a wide range of attacks. We recently performed a large scale survey to answer some basic questions about the legacy DNS"

read more

The article approached DNS security from an interesting point of view. It considered the total number of DNS servers involved in a query to get a sense of the scope.

While an organization might use DNS best practices to correctly configure their own immediate DNS servers, that is not sufficient.

Maybe it is time to consider an alternative Simple Internet Name Service (SINS). It might be a good idea for the National Science Foundation to kickstart the idea by announcing a contest with prizes for the top three results. The body of submissions would make a nice starting point for a future SINS.

DNS DDOS Mitigation Update

I posted on the DNS DDOS attacks here and here.

I realize I left out one of the prudent steps all organizations should enforce as part of their Network Security Policy:

  • Only allow your internal clients to talk to your own DNS servers. This negates the situation were they are bot'd and used as part of a DNS DDOS.
  • If you have IT support people who may need to do direct DNS queries against other DNS servers on the internet as part of a troubleshooting function, either only allow them explicitly, or set up a test/support machine that allows unfettered DNS queries (but requires explicit access authorization..
  • Audit this policy and exceptions to it on a semi-annual basis.

Also, via DIGG, here is an additional article on DNS DDOS.

DNS DDOS attack with Splainy Diagrams

A few days ago, I posted on the recent DNS based DDOS attacks going on.

Nirlog goes all splainy and shows how the attack happens with nicely done graphics.

DNS-based Distributed Denial of Service attacks

CNET has a post on recent DNS-based DDOS Attacks:

"In this new kind of attack, an assailant would typically use a botnet to send a large number of queries to open DNS servers. These queries will be "spoofed" to look like they come from the target of the flooding, and the DNS server will reply to that network address.

Using DNS servers to do their dirty work offers key benefits to attackers. It hides their systems, making it harder for the victim to find the original source of the attack. But more important, reflecting an attack through a DNS server also allows the assault to be amplified, delivering a larger amount of malicious traffic to the target."

The internet community can mitigate these types of attacks three ways:

  • DNS Servers accessible by the internet as a whole, should be configured for non-recursive lookups. In plain speak, the DNS server hosting domain example.com only answers requests about example.com from the internet at large and nothing else. For reference, see this best practice DNS/Bind template that allows recursive lookups for local sources while being non-recursive for the internet at large. Enterprises should also consider hosting their DNS domains at a DNS service provider like UltraDNS and have local DNS servers only for their own internal use.
  • At the perimeter of ISP and enterprise networks, egress filters should only allow outbound traffic that has valid source IP information from said Enterprise or ISP. For reference, see this best practice Cisco Router template.
  • Companies that are victims of DNS-based DDOS, should pursue tort action (in a class with other victims) against those Enterprises/ISP that were not properly configured thus allowing the attack. When InfoSec Lawfare (reduction of InfoSec based economic externalities) begins in earnst, organizations and individuals will have the proper economic incentives for information security.

Update: A brief example note of an ongoing DNS DDOS Attack via the ISC Incident Handler.

Update 26 March 2006: I commented on a like article is being discussed on Digg

Update 27 March 2006: More Examples: Via SlashDot, Slashdot again, and Netcraft.