RASD: Rapid Adaptive Secure DNS
Matthew Weaver, Jeremy Witmer
Dr. Chow, Advising
CS 622 – Fall 2007
RASD - Weaver/Witmer - CS622
Overview
We designed and implemented a scalable system to secure DNS traffic on a local network.
System Design Goals
1. Create trusted channels for name record information exchange
2. Rapid server-side push updates for cached client name records
Data Exchange Format
- DNS traffic is UDP
- Keep UDP on the client
- Client/Server communication is XML over SSL
Client Software
- Listen and respond to local DNS queries, with caching
- Listen for server-pushed name record updates
Server Software
- Listen for client DNS queries and respond, with caching
- Wait for name record updates, and push to registered clients
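The client and server slides above describe a cached resolver on the client that accepts record updates pushed by the server over the XML/SSL channel. The following is an added illustration of that exchange, not code from the RASD project: the XML message layout (an <update> element carrying <record> children with a serial number) and the replay check are assumptions, since the slides do not specify the schema; transport is left to the SSL socket that would carry these strings.

```python
"""Model of the RASD push-update exchange: server builds an XML update,
client applies it to its TTL-bounded cache. Schema is assumed, not RASD's."""
import time
import xml.etree.ElementTree as ET

def build_push_update(records, serial):
    """Server side: wrap changed name records in an XML <update> message.
    records: iterable of (hostname, address, ttl_seconds)."""
    root = ET.Element("update", serial=str(serial))
    for name, addr, ttl in records:
        ET.SubElement(root, "record", name=name.lower(), address=addr, ttl=str(ttl))
    return ET.tostring(root, encoding="unicode")

class RasdClientCache:
    """Client side: cache answering local UDP queries, updated by server push."""
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._records = {}         # hostname -> (address, expires_at)
        self.last_serial = 0       # highest update serial applied so far

    def store(self, name, addr, ttl):
        self._records[name.lower()] = (addr, self._now() + ttl)

    def lookup(self, name):
        """Return cached address, or None if absent/expired (caller asks server)."""
        entry = self._records.get(name.lower())
        if entry is None:
            return None
        addr, expires = entry
        if expires <= self._now():
            del self._records[name.lower()]   # stale: drop, force a server query
            return None
        return addr

    def apply_push(self, xml_text):
        """Replace cached entries named in a pushed <update> without waiting
        for their TTL to lapse. Updates whose serial is not newer than the
        last one applied are ignored (assumed replay guard). Returns names changed."""
        root = ET.fromstring(xml_text)
        if root.tag != "update":
            raise ValueError("unexpected message type: %s" % root.tag)
        serial = int(root.get("serial"))
        if serial <= self.last_serial:
            return []
        changed = []
        for rec in root.findall("record"):
            self.store(rec.get("name"), rec.get("address"), int(rec.get("ttl")))
            changed.append(rec.get("name"))
        self.last_serial = serial
        return changed
```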
Prototype Results
Table: Hostname | RASD Lookup Time (s) | Windows Client Lookup Time (s)
Hosts measured: homestead.com, flickr.com, ncf.com, stockmarketenews.com, petroflexna.com, pnanet.com, nia.com, agilent.com, peyamner.com, yahoo.com, flbb.com, blogspot.com, plus an AVERAGE row. (The timing values are absent from this copy of the slide.)
Prototype Results: Average Time for 10 DNS Queries
Table: Domain Name | RASD Average (s) | WinClient Average (s)
Domains measured: google.com, compusa.com, agilent.com, amazon.com, yahoo.com, plus an Average row. (The timing values are absent from this copy of the slide.)
Further Research
- Extended DNS handling
- RASD Server discovery
- Automatic Client Installation
- SCOLD Environment testing
- Standardized entry caching
Conclusion
- The architecture is valid
- The implementation needs extension and refactoring
- Numerous options for further research