What DNS is Not
Kylie Brown, Jordan Eberst, Danielle Franz, Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros
Presentation on Paul Vixie (2009), What DNS Is Not.

1 What DNS is Not
Kylie Brown, Jordan Eberst, Danielle Franz, Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros
Source: Paul Vixie. 2009. What DNS Is Not. ACM Queue, volume 7, issue 10. http://doi.acm.org/10.1145/1647300.1647302

2 DNS: An Overview
Companion paper:
o DNS Complexity. Paul Vixie. Published in ACM Queue, Volume 5, Issue 3, April 2007.
o http://eustis.eecs.ucf.edu/~ch552141/p24-vixie.pdf

3 DNS: An Overview
DNS is a giant distributed database: it translates a domain name into an IP address.
Why is this hard?
o Billions of IP addresses in use
o Billions of DNS requests every day
o The data changes constantly
o Names exist for human convenience; the machines only need the addresses

4 How Does DNS Work?
Example: www.facebook.com
o The web browser asks the operating system's stub resolver for the IP address, and the stub resolver asks a recursive name server (usually the ISP's).
o If the name was looked up recently, the answer is served from cache.
o If not, a search begins.

5 How Does DNS Work?
o The recursive name server starts at the root name servers.
o The root servers refer it to the .COM name servers.
o The .COM servers refer it to the facebook.com name servers and supply their IP addresses (glue).
o The facebook.com name servers answer with the IP address of www.facebook.com.
o The recursive server caches the answer for the record's TTL and returns it; the operating system and the browser cache it as well.
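The walk described on slides 4 and 5, as an added example that is not part of the slides or of Vixie's paper: a recursive resolver that follows referrals from a root hint down to the facebook.com servers, caches the answer only for the record's TTL, and reports NXDOMAIN when the .com servers know of no such delegation. The three "servers" are in-memory dictionaries with constructed addresses (RFC 5737 documentation ranges); nothing touches the network.

```python
"""Iterative resolution of www.facebook.com with a TTL-bounded cache.

Added example, not from the slides or from Vixie's paper. The root, .com and
facebook.com "servers" below are in-memory dictionaries with constructed
addresses (RFC 5737 documentation ranges); nothing is sent over the network.
"""
import time

# Constructed authoritative data. Each server holds answers for names it is
# authoritative for and referrals (glue address of the next server) for zones
# it has delegated.
ROOT_HINT = "198.51.100.1"                     # constructed root-server address
SERVERS = {
    ROOT_HINT: {                               # root zone: delegates com.
        "referrals": {"com.": "192.0.2.1"},
        "answers": {},
    },
    "192.0.2.1": {                             # .com servers: delegate facebook.com.
        "referrals": {"facebook.com.": "192.0.2.2"},
        "answers": {},
    },
    "192.0.2.2": {                             # facebook.com servers: hold the A record
        "referrals": {},
        "answers": {"www.facebook.com.": ("192.0.2.3", 60)},   # (address, TTL in seconds)
    },
}


def query(server_ip, qname):
    """One query to one server. Returns ("answer", (ip, ttl)), ("referral", next_server_ip)
    or ("nxdomain", None) when the server is authoritative and the name does not exist."""
    server = SERVERS[server_ip]
    if qname in server["answers"]:
        return "answer", server["answers"][qname]
    # Follow the most specific delegation that is a suffix of the queried name.
    for zone, glue in sorted(server["referrals"].items(), key=lambda kv: -len(kv[0])):
        if qname == zone or qname.endswith("." + zone):
            return "referral", glue
    return "nxdomain", None


class RecursiveResolver:
    """What the ISP's recursive name server does on the browser's behalf."""

    def __init__(self, now=time.time):
        self.now = now                         # injectable clock so TTL expiry can be shown
        self.cache = {}                        # qname -> (ip, expires_at)

    def resolve(self, qname):
        """Return (ip_or_None, servers_asked). A cache hit asks no servers at all."""
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > self.now():
            return hit[0], []
        asked, server_ip = [], ROOT_HINT
        while True:
            asked.append(server_ip)
            kind, data = query(server_ip, qname)
            if kind == "answer":
                ip, ttl = data
                self.cache[qname] = (ip, self.now() + ttl)   # cache only as long as the TTL allows
                return ip, asked
            if kind == "referral":
                server_ip = data                             # walk down the delegation chain
                continue
            return None, asked                               # NXDOMAIN: the name does not exist


if __name__ == "__main__":
    resolver = RecursiveResolver()
    print(resolver.resolve("www.facebook.com."))   # walks root -> .com -> facebook.com
    print(resolver.resolve("www.facebook.com."))   # served from cache, no servers asked
    print(resolver.resolve("www.goglee.com."))     # typo: the .com servers say it does not exist
```

The second call answers from cache without asking any server, which is why the TTL matters so much later on: a CDN that wants to re-route every request has to set it to a few seconds, and every query then walks the chain again.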

6 What DNS is Not: Overview
Misuses of DNS:
o DNS is not a routing protocol
o DNS is not a tool to monetize typos
o DNS is not a directory system
The paper discusses the properties of DNS that allow it to be misused, the common misuses, and the consequences of those misuses.

7 Stupid DNS Tricks

8 DNS is not a routing protocol
Content distribution networks (CDNs) often use the DNS query as an opportunity to steer user requests.
o E.g., Akamai, Cisco DistributedDirector
o Users are sent to an appropriate content server based on their geographic / network proximity and on content-server load.
Problems
o The scheme only works if answers are not cached for long (very low TTLs), which multiplies the load on the DNS infrastructure.
o Most end users query their ISP's recursive name server, so the CDN sees the resolver's address, not the user's. This hides the user's real location and reduces the accuracy of DNS-based routing.

9 NXDOMAIN Remapping

10 NXDOMAIN Remapping
Expected causes of NXDOMAIN:
o Typo (e.g., www.goglee.com)
o Broken link
o Hardware or software error
What should happen:
o The web browser catches the bad domain name and shows an error page
o E-mail to the domain bounces

11 What you should see: Googler.com (screenshot)

12 What you usually see: Bestbuyt.com (screenshot)

13 A Growing Problem
o Many major ISPs' DNS servers (e.g., Comcast) and some public DNS services (e.g., OpenDNS) redirect users to these ad-laden search pages instead of returning NXDOMAIN.
o VeriSign's Site Finder (2003): VeriSign added a wildcard record at the top of the .com and .net zones, so no query in those zones ever produced NXDOMAIN. Every nonexistent .com or .net name resolved to Site Finder's web site, regardless of which DNS servers the user was using.

14 NXDOMAIN is important
Some things depend on accurate negative results.
1. Web security
o Many sites, like Google, set cookies scoped to the parent domain (Domain=.google.com) so that a session carries across subdomains (Google Docs, Google Sites, etc.).
o The browser sends such a cookie to every host under google.com. If sdfgaj.google.com. is remapped to a search page, the browser sends the user's google.com cookies to whoever runs that page.

15 NXDOMAIN is important
1. Web security, continued
o In 2008, Dan Kaminsky found a cross-site scripting vulnerability in the search page Earthlink served for nonexistent names.
o Because of NXDOMAIN hijacking, Earthlink customers were exposed to HTML or JavaScript injection on arbitrary domain names: the injected script ran in the origin of whatever domain the victim had mistyped.

16 NXDOMAIN is important
2. E-mail (SMTP)
o If an MX (mail exchanger) lookup for a domain returns no records, an SMTP server falls back to a standard A record lookup for the domain itself. [1]
o Those A queries are indistinguishable from a web browser's queries, so a remapping resolver answers them with the search page's address.
o The SMTP server then tries to deliver the e-mail to the wrong IP address instead of bouncing it.
[1] See RFC 5321, section 5.1.
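The two failure modes from slides 14 and 16 side by side, as an added example that is not part of the slides or of Vixie's paper. An honest lookup and a remapping lookup run over the same constructed zone; the browser path shows which cookies leave with a request to a mistyped subdomain, and the mail path shows the RFC 5321 implicit-MX fallback landing on the search page. The zone contents, the search-page address and the cookie names are all constructed.

```python
"""What goes wrong when a resolver answers NXDOMAIN with a search-page address.

Added example, not from the slides or from Vixie's paper. The zone data, the
ISP search-page address and the cookies are constructed for illustration.
"""

SEARCH_PAGE_IP = "203.0.113.10"     # constructed: where the "helpful" search page lives

# Constructed authoritative data: owner name -> {record type: value}
ZONE = {
    "google.com.":      {"A": "192.0.2.10", "MX": "mail.google.com."},
    "docs.google.com.": {"A": "192.0.2.11"},
    "mail.google.com.": {"A": "192.0.2.12"},
    "example.org.":     {"A": "192.0.2.20", "MX": "mx.example.org."},
    "mx.example.org.":  {"A": "192.0.2.21"},
}


def honest_lookup(name, rrtype):
    """Return the record value, or None. None for an unknown name is NXDOMAIN."""
    return ZONE.get(name, {}).get(rrtype)


def remapping_lookup(name, rrtype):
    """Same data, but a nonexistent name gets the search page instead of NXDOMAIN.
    The resolver cannot tell a browser's A query from a mail server's A query,
    so both receive the substitute address."""
    if name not in ZONE and rrtype == "A":
        return SEARCH_PAGE_IP
    return honest_lookup(name, rrtype)


def cookie_matches(request_host, cookie_domain):
    """Cookie domain matching (RFC 6265 section 5.1.3): a cookie with
    Domain=google.com goes to google.com and to every host below it."""
    host = request_host.rstrip(".").lower()
    domain = cookie_domain.strip(".").lower()
    return host == domain or host.endswith("." + domain)


def browser_fetch(lookup, host, cookies):
    """Resolve the host and report which cookies would travel with the request.
    cookies: list of (cookie name, Domain attribute)."""
    ip = lookup(host, "A")
    if ip is None:
        return None, []            # NXDOMAIN: the browser shows an error page and sends nothing
    sent = [name for name, domain in cookies if cookie_matches(host, domain)]
    return ip, sent


def smtp_target(lookup, mail_domain):
    """Pick the host to deliver mail for mail_domain to. RFC 5321 section 5.1: use the
    MX record; if there is none, fall back to the A record of the domain itself."""
    mx_host = lookup(mail_domain, "MX")
    if mx_host is not None:
        return lookup(mx_host, "A")
    return lookup(mail_domain, "A")   # implicit MX; None here means the mail bounces


if __name__ == "__main__":
    session_cookies = [("SID", ".google.com"), ("sess", ".example.org")]   # constructed
    for lookup in (honest_lookup, remapping_lookup):
        print(lookup.__name__)
        print("  browser:", browser_fetch(lookup, "sdfgaj.google.com.", session_cookies))
        print("  smtp   :", smtp_target(lookup, "exmaple.org."))   # mistyped domain
```

With the honest resolver the mistyped subdomain yields an error page and the mistyped mail domain bounces. With the remapping resolver the same requests connect to the search page, the SID cookie scoped to .google.com goes along with the first, and the mail for exmaple.org is handed to a host that never agreed to receive it.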

17 Standard Bad Practices
o In 2009 there was an effort by cable companies to standardize DNS redirection services. [2]
o The draft describes an opt-out DNS-redirect search engine / malware filter and a "Legally-Mandated DNS Redirect Domain List" for "illegal domains".
[2] "Recommended Configuration and Use of DNS Redirect by Service Providers", http://tools.ietf.org/html/draft-livingood-dns-redirect-00

18 Solution: DNSSEC

19 A Rescue Being Thought Of
o DNSSEC is a set of protocol extensions to DNS.
o A zone's records are digitally signed by the zone operator with a private key; resolvers verify the signatures with the zone's published public key (its DNSKEY).
o Negative answers are covered too: an NXDOMAIN comes with signed NSEC/NSEC3 records proving that no such name exists, so a validating resolver can detect a remapped or forged negative answer.
o This stops a man in the middle (or a remapping resolver) from altering answers; it does not hide the queries.
o But right now most resolvers do not validate and accept unsigned responses. DNSSEC needs wider adoption, on the signing side and on the validating side.

20 A Rescue Being Thought Of
o DNSSEC does not prevent CDNs' DNS-based routing: the operator can sign several different authoritative answers for the same name and hand each resolver the signed one it wants it to see, and every one of them validates.
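Slides 19 and 20 in working form, as an added example that is not part of the slides or of Vixie's paper: a zone signer that produces a signed A record and a signed NSEC link for every owner name, an authoritative server that answers a nonexistent name with the NSEC record covering the gap, a remapping resolver that swaps that NXDOMAIN for an unsigned search-page address, and a validating resolver that accepts the genuine denial and rejects the substitute. The zone, addresses and key are constructed. To keep the block stand-alone the signature scheme is textbook RSA over SHA-256 with two fixed Mersenne primes, which is not how real DNSSEC keys are made; real zones carry DNSKEY, RRSIG and NSEC/NSEC3 records, but the ordering-and-gap logic is the same idea.

```python
"""Signed answers and signed denial of existence, and why a remapped NXDOMAIN fails validation.

Added example, not from the slides or from Vixie's paper. The zone, addresses and
key are constructed. The signature scheme is textbook RSA over SHA-256 with two
fixed Mersenne primes so the block runs stand-alone; real DNSSEC uses DNSKEY,
RRSIG and NSEC/NSEC3 records with properly generated keys. The NSEC idea is the
same: sorted owner names, each signed record naming the next, so a gap proves
that nothing exists in between.
"""
import hashlib

# Toy zone key pair (stand-in for the zone's DNSSEC key; never use fixed primes for real keys).
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, needs Python 3.8+


def sign(data: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, D, N)


def verify(data: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(sig, E, N) == h


def canonical_order(name):
    """DNSSEC canonical name order: compare label by label starting from the root."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def sign_zone(records):
    """records: {owner name: IPv4 address}. Every A record and every NSEC link gets a signature."""
    owners = sorted(records, key=canonical_order)
    signed = {}
    for i, owner in enumerate(owners):
        nxt = owners[(i + 1) % len(owners)]             # last NSEC wraps around to the apex
        a_rr = f"{owner} A {records[owner]}"
        nsec_rr = f"{owner} NSEC {nxt}"
        signed[owner] = {"A": (a_rr, sign(a_rr.encode())), "NSEC": (nsec_rr, sign(nsec_rr.encode()))}
    return signed


def authoritative_answer(signed, qname):
    """Positive answer: the A record and its signature. Negative answer: the NSEC record of
    the closest preceding owner, which proves no name exists between it and the next one."""
    if qname in signed:
        return {"rcode": "NOERROR", "A": signed[qname]["A"]}
    q = canonical_order(qname)
    prev = max((o for o in signed if canonical_order(o) < q), key=canonical_order)
    return {"rcode": "NXDOMAIN", "NSEC": signed[prev]["NSEC"]}


def remapping_resolver(response, qname):
    """An ISP resolver that turns NXDOMAIN into an unsigned A record for its search page (constructed address)."""
    if response["rcode"] == "NXDOMAIN":
        return {"rcode": "NOERROR", "A": (f"{qname} A 203.0.113.10", 0)}
    return response


def validate(response, qname):
    """What a validating resolver does. Returns ("secure", ip), ("secure", None) for a
    proven NXDOMAIN, or ("bogus", reason) when the response is not signed by the zone key."""
    if response["rcode"] == "NOERROR":
        rr, sig = response["A"]
        owner, _, ip = rr.split()
        if owner != qname or not verify(rr.encode(), sig):
            return "bogus", "A record is not signed by the zone key"
        return "secure", ip
    rr, sig = response["NSEC"]
    owner, _, nxt = rr.split()
    if not verify(rr.encode(), sig):
        return "bogus", "NSEC record is not signed by the zone key"
    q, lo, hi = canonical_order(qname), canonical_order(owner), canonical_order(nxt)
    covered = lo < q < hi if lo < hi else (q > lo or q < hi)   # second case: wrap-around NSEC
    if not covered:
        return "bogus", "NSEC record does not cover the queried name"
    return "secure", None


if __name__ == "__main__":
    zone = sign_zone({"google.com.": "192.0.2.10", "docs.google.com.": "192.0.2.11", "www.google.com.": "192.0.2.12"})
    print(validate(authoritative_answer(zone, "www.google.com."), "www.google.com."))
    print(validate(authoritative_answer(zone, "sdfgaj.google.com."), "sdfgaj.google.com."))
    print(validate(remapping_resolver(authoritative_answer(zone, "sdfgaj.google.com."), "sdfgaj.google.com."), "sdfgaj.google.com."))
```

The remapped answer fails because the substituted A record carries no signature the zone key could have produced, while the genuine NXDOMAIN passes because the signed NSEC record from docs.google.com. to www.google.com. covers sdfgaj in canonical order. Slide 20's point falls out of the same code: signing the zone a second time with a different address for www.google.com. produces a second set of answers that validate just as well, so a CDN can keep handing out location-specific signed answers.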

21 Directory Services

22 Directory Services
Some web browsers try to auto-complete DNS queries as the user types in the URL bar, looking up each prefix of the name as it becomes a syntactically valid domain.
If a user types "www.cnn.com":
o www.cn -> .cn is the ccTLD for China, so this is a valid domain name and gets looked up.
o www.cnn.co -> .co is the ccTLD for Colombia, so this is looked up as well.
This causes unnecessary traffic to the www.cn and cnn.co name servers.
Domain names are not in an ideal format for these directory lookups: the most significant label comes last, so a prefix search would want them reversed, e.g., com.cnn.www.

