DNS Vulnerabilities Spur Security Concerns

Published October 10, 2008

A Russian computer researcher and part-time hacker’s recent discovery of vulnerabilities in the latest Domain Name System (DNS) “patch” has brought renewed urgency to the debate over Internet security and governance.

On August 8, Evgeniy Polyakov posted an announcement on his blog that he had discovered a way to reroute DNS queries.

“The DNS hack I made was just a small exercise to understand details and freshen my DNS protocol knowledge,” said Polyakov. “So it is not really something very cool.”

Hijacking Web Traffic

It’s a serious concern, however. DNS rerouting means a user who enters a domain name into his browser’s address bar ends up at a different site. Savvy hackers can use this technique, known as cache poisoning, to redirect Web traffic, email, and other important network data to systems under their control.

In the Internet security community, the potentially devastating effects of the DNS vulnerability are well known. What is also widely known is that it is nothing new.

“The DNS was never intended to be a security service,” said Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security. Neuman said he and others in the computer security community have been warning about the possibility for 17 years.

“Applications and systems should not consider the names from DNS for any security purpose whatsoever,” Neuman said.

Global Web Government?

The vulnerabilities have raised pointed questions about who should be responsible for providing security on the Internet.

In 1997 the U.S. Department of Commerce announced its intention to privatize domain name administration. What emerged was a new organization called the Internet Corporation for Assigned Names and Numbers (ICANN).

ICANN was intended to operate as a private-sector nonprofit organization with informed participation by stakeholders worldwide, guided by four strategic principles:

* ensuring stability and security of the Domain Name System;

* promoting competition and choice for users and registrants;

* facilitating bottom-up, transparent policy development; and

* engaging participation of the global stakeholder community.

ICANN’s transitioning of DNS administration from government to private-sector hands has proceeded more slowly than expected. ICANN is midway through a three-year Joint Project Agreement (JPA) with the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to guide the transition.

Potential for Abuse

Earlier this year NTIA hosted a midterm review of the JPA. Numerous parties attended the seminar and provided commentary. Though the vast majority were in favor of privatizing DNS management, confidence in ICANN’s processes and prowess was far less evident.

Exemplifying the prevailing sentiment were the comments of Martin Boyle of Nominet, the Internet registry for .uk domain names.

“Up to now the United States government has been the guardian,” said Boyle. “What is quite fundamental is that we can’t move from … the United States in the role of benign dictator … to what might turn out to be a malign oligarchy.”

Management Issues

In addition to managing an organization of unprecedented mission and accountability, ICANN is attempting to implement a proposed fix to the DNS problem: Domain Name System Security (DNSSEC), a set of extensions that, in theory, authenticate information on the Web. This is no small task, analysts observe.

“A DNSSEC signed root zone would represent the most fundamental change to the DNS infrastructure since it was created,” said Todd Sedmark, communications director at NTIA. “Therefore any changes cannot be taken lightly considering the DNS is a global infrastructure on which the global economy relies.”

Not surprisingly, the proposal for this fundamental change is encountering resistance at every level—financial, cultural, and technical.

“DNSSEC as is will not really solve the problem since it has to be deployed everywhere to take effect,” explained Polyakov. He sees little likelihood of that happening.

“The IT industry does not follow standards pushed by some obscure organization,” Polyakov said. “Only money and business can force some changes. DNSSEC is a major change which requires quite a bit of additional money and other resources with very fuzzy gain.”

Neuman also sees limits to the promise of DNSSEC.

“One fear I have is that once DNSSEC is deployed, we will have the same problem of people assuming they can rely on DNSSEC for security of their connection,” Neuman said. “They cannot.”

Many Problems Remain

Despite widespread skepticism and reluctance, DNSSEC has been implemented in Brazil, Bulgaria, Puerto Rico, and Sweden. The U.S. government is implementing DNSSEC for its .gov domain, in compliance with the Federal Information Security Management Act.

A 2007 Nominet survey found 85 percent of Country Code Names Supporting Organizations that had not yet implemented DNSSEC were planning to do so.

For now, it appears, there may be no other choice.

“DNSSEC has problems,” said Polyakov. “Lots of problems. But standard DNS is a disaster compared to it.”

“These are hard problems,” added Neuman. He said he would like to see the government redirect its efforts in facilitating Internet security.

“They need to be funding more work on fundamental security methods and promoting real understanding of the trust issues involved in large systems, rather than just plugging holes from the latest observed attacks,” Neuman said. “We really need a longer-term view that is less reactive.”

Brien Farley writes from Genesee, Wisconsin.