Domain Name System and Cyber Security Vulnerability

Monday, October 11, 2010

Jon Stout

98180f2c2934cab169b73cb01b6d7587

DNS- At the Heart of the Internet

It is safe to say that without the Domain Name System (DNS), the Internet would not be the force it is today.

In the early days of the Internet, users trying to reach another host on the network were required to input lengthy IP number strings (e.g., 74.125.45.105- a listed IP address for Google).

As the internet grew number strings became cumbersome and unworkable as most users could not consistently remember the proper sequencing of random numbers.

To simplify this process, a solution was developed based on a flat file that paired each IP address with a comparatively easy-to-remember common language address (e.g., Amazon.com, U-Tube.com, and Twitter.com) that was easy to remember and provided ease of use.

By the late 1980s, the flat file had evolved to the Domain Name System (DNS) in use today—a system that is open, distributed, and expands as users, enterprises, Internet Service Providers (ISPs) and domains appear on the network.

Ease of use and expandability was the goal but, since cyber security attacks and malware were virtually unknown, DNS security was not a priority.

DNS is effective and works in the background of search activity. Internet users expect that when they type in a URL or e-mail address, they will be connected to the correct Web site or e-mail box.

Many commercial companies developed brand strategies based on this in order to use the Internet’s reach to develop more customers and increase sales/revenue. Most of these companies adopted a .com or .net extension. The Federal government adopted a .gov or .mil extension.

DNS Brand Implications

The functionality of DNS opened the branding world to the Internet. Common names became commonplace brands (e.g. Google, Bing, Amazon, and E-Bay) and powerful strategies were developed to market brands on the Internet.

An entirely new marketing strategy called Search Engine Marketing (SEM) developed whereby keyword searches and positioning on search pages developed into a major industry.

Premier placing on the first page of a search engine gave the recipient an advantage for more business versus the competition.

Google became a multi-billion dollar concern by developing algorithms that enabled effective and powerful key word searches.

Web based purchases supported by easy, convenient key word searches now account for 20-30% of all retail business and the web based e-commerce market share continue to enjoy strong growth. DNS is an integral part of this success.

But as traffic on the Internet grew, the entire net became vulnerable to Cyber attacks. A good portion of this vulnerability can be attributed to the inherent vulnerability of DNS.

DNS is inherently Insecure

The original design of the Domain Name System (DNS) did not include robust security features; instead it was designed to be a scalable and open distributed system with backwards compatibility and attempts to add security were rudimentary and did not keep pace with the skills of malicious hackers.

Security may top the list of enterprise and network administrators, but too often the link between security vulnerability and DNS is not understood nor appreciated.

In order to enhance security and defend against cyber attacks, government agencies, commercial enterprises and network administrators must acknowledge the importance of DNS to the secure operation of the Internet.

Consequently, any commercial company that uses the Internet for sales, service, marketing or logistics, as well as Internet Service Providers (ISPs) and large, strategically sensitive government networks need to be aware of DNS vulnerability.

As the Internet expands in terms of users, devices and traffic, so does the opportunity for sophisticated DNS mayhem—whether malicious (hacking), aggravating (spam) or illegal (accessing sites containing content that violates legal and regulatory mandates).

Enterprises and ISPs must protect their users and networks—sometimes from the amateur hacker but increasingly from organized crime and state sponsored cyber terrorism.

The internet is also growing by an order of magnitude and just about every user of the internet is directly affected by the Domain Name System (DNS). The Domain Name System (DNS) is an essential part of the Internet.

Many Internet security mechanisms, including host access control and defenses against spam and phishing, implicitly or explicitly depend on the integrity of the DNS infrastructure and DNS Servers.

DNS Servers

DNS servers running the software known as BIND for Berkeley Internet Name Daemon, or sometimes Berkeley Internet Name Domain, is one of the most commonly used Domain Name System (DNS) server on the Internet, and still proclaims it to be so.

Presently, BIND is the   standard DNS server. It is a free product and is distributed with most UNIX and Linux platforms. Historically, BIND underwent three major revisions, each with significantly different architectures: BIND4, BIND8, and BIND9.

BIND4 and BIND8 are now obsolete. BIND9 is a ground-up rewrite of BIND featuring complete Domain Name System Security Extensions (DNSSEC) support in addition to other features and enhancements. But even with the rewrite many consider BIND vulnerable.

The Internet Systems Consortium has also started development of a new version, BIND 10. Its first release was in April 2010, and is expected to be a five-year project to completion.

BIND 4 and BIND 8 have had a large number of serious security vulnerabilities over the years and as such their use is now strongly discouraged. While BIND 9 was a complete rewrite, it has still experienced several vulnerabilities.

Although BIND is still the de facto DNS software because it is included by most UNIX based server manufacturers, a number of other developers have produced DNS Server software that addresses the inherent weaknesses of BIND. Ratings of these packages can be found on http://www.kb.cert.org/vuls/

Common Vulnerabilities: Cache Poisoning and Distributed Denial of Service

The DNS vulnerabilities open the affected networks to various types of cyber attacks but cache poisoning and DDoS attacks are usually the most common.

Cache poisoning is arguably the most prominent and dangerous attack on DNS. DNS cache poisoning results in a DNS resolver storing (i.e., caching) invalid or malicious mappings between symbolic names and IP addresses.

Because the process of resolving a name depends on authoritative servers located elsewhere on the Internet, DNS protocol is intrinsically vulnerable to cache poisoning.

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is focused on making a computer resource unavailable to its intended users. A DDoS  consists of the concerted efforts to prevent an Internet site or service from functioning efficiently or at all.

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as government agencies, banks, credit card payment gateways, and even root nameservers. The term is generally used with regards to computer networks.

Until effective solutions are developed that reduce DNS vulnerabilities cyber attacks will increase particularly as new protocols expand the reach of the Internet.

Internet Protocol Version 6 (IPv6)

The Internet is rapidly running out of capacity and solutions in the form of expanded Internet Protocols for this problem may create additional vulnerability. A phenomenon known as IPv4 address exhaustion results and Internet space disappears.

Internet Protocol Version 6 (IPv6) is designed to succeed Internet Protocol version 4 (IPv4), the first publicly used Internet Protocol in operation since 1981. IPv6 is an Internet Layer protocol for packet-switched Internet working.

The main driving force for the redesign of Internet Protocol was the foreseeable IPv4 address exhaustion. In effect, without new protocols, the Internet will run out of capacity.

IPv6 has a significantly larger address space than IPv4 based the use of a 128-bit address. The present IPv4 uses 32 bits.

This expansion provides flexibility in allocating addresses and routing traffic and eliminates the primary need for network address translation (NAT), which gained widespread deployment as an effort to alleviate IPv4 address exhaustion.

IPv6 protocol expansion also opens new vulnerability for malicious cyber attacks as more and more users and applications gain access to the Internet.

DNSSEC

Some analysts believe that the Domain Name System Security Extensions (DNSSEC) provides an effective and comprehensive solution for DNS vulnerability issues.  This is not the case however.

DNSSEC enables the use of digital signatures that can be used to authenticate DNS data that is returned to query responses. This will help to combat attacks such as pharming, cache poisoning, and DNS redirection that are used to commit fraud and identity theft and to distribute malware but it does not guarantee secure data.

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical to the information on the authoritative DNS server.

DNSSEC does not provide confidentiality of data and DNSSEC responses are authenticated but not encrypted. DNSSEC does not protect against DoS attacks .

It is widely believed that securing the DNS is critically important for securing the Internet as a whole, but deployment of DNSSEC specifically has been hampered by several difficulties not the least of which is the lack of universal deployment and overcoming the perceived complexity of deployment.

Some of these problems are in the process of being resolved, and deployment in various domains is in progress. This may take an extended period of time however and during the process DNS continues to be vulnerable.

Progress in implementing DNSSEC has been slow particularly in the Federal Government. Although the Office of Management and Budget mandated that all government agencies will adopt DNSSEC by December 2009, nine months after the deadline for federal agencies to implement DNSSEC only 30-40% of agencies have complied.

Government Network Solutions

Today’s complex government networks must deliver the utmost security and reliability to protect against potential national security threats. A poorly architected DNS service infrastructure poses one of the greatest security vulnerabilities for any government network.

Likewise, choosing the wrong DNS solution can turn an otherwise well-architected service infrastructure into a compromised system capable of undermining data integrity and network stability.

Security against cyber attack is mandatory for government networks. More than any other networks, government networks demand the highest level of monitoring and visibility, security fortification, alerting and blocking to ensure appropriate corrective action. Without this protection, National Security and other nationwide infrastructure can be compromised.

Government Networks Have Unique Needs but Face Cumbersome Solutions

Until recently, federal cyber security efforts have been fragmented and cumbersome. Greater attention was paid to time consuming reporting requirements in order to meet standards.

Although standards are important for establishing a baseline of security and meeting standards in order to reduce cyber attack damage, overly restrictive reporting requirements diminish their effectiveness.

In many ways, for government organizations, the information superhighway has become a virtual minefield. Government networks face this new global problem as much, if not more than other networks.

Not only do they have to support their users’ performing the tasks necessary to complete their missions with uninterrupted Internet access, but they also have to ensure that this access remains uncompromised. Network administrators must continuously balance the need for open access for critical users against the need to keep the network secure.

When a user at a government organization goes to a Website (on multiple types of networks), they need to know that the content they receive is exactly what they were expecting.

And just like subscribers on a Service Provider network, they need to be protected from known and suspected sites used to break into computers. The critically of very large networks and the drive to interconnect agencies make many federal networks particularly vulnerable.

All of this has to be done with the highest possible level of performance and availability. Government organizations also need to be absolutely certain that they can comply with DNSSEC and IPv6 mandates.

The government recognizes is addressing the needs of cyber security. Recent step include the creation of Cyber Command for DOD and Intelligence Agencies, a streamlining by the Office of Management and Budget of reporting requirements and an elevation of cyber security to a priority effort by the administration.

However, progress has been slow. Officials from key federal agencies, including the departments of Defense, Homeland Security and the Office of Management and Budget say they're moving too slowly to implement most of the 24 recommendations President Barack Obama outlined in his May 2009 cyber policy review

Since 2003 Aspiration Software LLC has provided Cyber Security services to the Intelligence Community and the Department of Defense.

Possibly Related Articles:
15038
Vulnerabilities
Hardware
DNSSEC DNS
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.