An emerging technology promises to improve the security of the Internet’s infrastructure by preventing hackers from hijacking Web traffic and redirecting it to bogus sites.
The new security mechanism, dubbed DNSSEC, plugs a hole in the Internet’s Domain Name System (DNS) that hackers have exploited to spoof Web sites. DNSSEC prevents these attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
“DNSSEC is going to be a huge advancement for security on the ‘Net,” said Mark Kosters, vice-president of research at Network Solutions Inc.
DNSSEC is now available in open source software called BIND 9 that was released last September, and will be bundled in upcoming releases of operating systems from Sun Microsystems Inc., Hewlett-Packard Co., Red Hat Inc. and others.
Early adopters of DNSSEC will likely include government agencies, financial services firms and business-to-business exchanges, which all need to ensure the authenticity of the content on their Web sites. For example, the U.S. military plans to roll out DNSSEC on the “.mil” domain sometime this year.
Experts say DNSSEC requires more powerful hardware and a significant increase in management time than earlier versions of the BIND software running on most DNS servers. Indeed, the extra effort required to set up and manage DNSSEC may slow down the adoption rate.
DNSSEC “is a no-brainer if it can be easily done,” said Rohi Sukhia, CEO of Tradeloop Corp.’s tradeloop.com, a Web site offering spare parts and used equipment to computer dealers. “If it requires us to make a change on our DNS server, that’s no big deal. But if it requires us to go out to our customers and change something on their systems, it’s not going to happen.”
How fast Web sites adopt DNSSEC depends on how scared they are of spoofing attacks.
DNSSEC “sounds like a good idea, but it’s hard for me to assess the likelihood of this threat,” said Michael Saltzman, vice-president of network operations at gig.com, an on-line music distribution service. “In the pantheon of threats, viruses and more direct packet attacks rate a higher frequency. Those are the ones we worry about more.”
Most spoofing attacks are designed to embarrass Web site operators. But security experts worry that as more money changes hands over the Web, spoofing will take on a more sinister tone.
“I think we’re going to start to see more and more dollar-related crimes tied to DNS and the fact that DNS as it sits today is completely and totally spoofable,” said Russ Mundy, manager of network security research at Network Associates Inc. Labs.
The most famous Web site spoofing incident happened in 1997, when a Washington state computer consultant named Eugene Kashpureff redirected traffic from Network Solutions’ InterNIC Web site to his own AlterNIC site for several days. Kashpureff later pleaded guilty to computer fraud and received two years probation.
“Cryptographic authentication is the only real answer to these threats,” said Steve Bellovin, a network security researcher at AT&T Labs who first wrote about the potential for Web site spoofing in 1991. With DNSSEC, “when you get back an answer from DNS, you can verify that it’s from someone who is authorized to give you back an answer.”
When an end user types a domain name into his browser, his local DNS server sends a query through the Internet’s distributed hierarchical DNS to look up the matching IP address for that domain name. For DNSSEC to work most effectively, the end user’s local DNS server and the Web site’s DNS server must support DNSSEC, along with the Internet’s root and top-level domain servers.
When all of these pieces are in place, the Web site’s DNS server uses public-key encryption to send out a digital signature to the local DNS server to verify the authenticity of the Web site. Once the authenticity is confirmed, the end user can access the Web site.
BIND 9 is the first production software to support all the features of DNSSEC. Distributed by the Internet Software Consortium, BIND 9 is a complete rewrite of the open source code used to run most DNS servers. In addition to DNSSEC, BIND 9 features support for IPv6, the ability to run on multiprocessor systems and improved scalability for handling large domain name zones. The DNSSEC portion of BIND 9 was funded by the Defense Information Systems Agency (DISA), which awarded a US$2 million contract to the Internet Software Consortium and NAI Labs to develop an operational version of DNSSEC.
“DNS servers are critical to the health and well-being of all [Defense Department] data communications as well as that of our allies and trading partners,” a DISA statement reads. “DNS has had some well-publicized security issues over the last several years, and DNSSEC was developed . . . to address these.”
DISA has been testing DNSSEC for more than a year and is now working on guidelines for Defense Department organizations to implement DNSSEC.
But DISA will not wait for BIND 9 to be fully tested to migrate to DNSSEC; instead the military plans to install BIND 8 with DNSSEC bolted on top.
Like the U.S. Department of Defense, most large companies run their own domain name zones and can upgrade their DNS servers to support DNSSEC at any time. The upgrade will be easier when BIND 9 comes bundled with commercial Unix and Linux operating systems, which is expected to happen next year.
Although DNSSEC is free with BIND 9, network managers should plan on spending more money on their DNS servers and delegating more resources to DNS administration. DNSSEC places additional processing and memory requirements on DNS servers, and it consumes more network bandwidth. It also requires more setup and maintenance time.
“Network administrators don’t touch their DNS servers,” said Ravi Iyer, Solaris product line manager at Sun, which helped fund BIND 9’s development. Iyer recently visited one of the Baby Bells and found an old Sun system sitting in an electric closet that was running the company’s entire DNS infrastructure. It hadn’t been touched in three and a half years, he said.
With DNSSEC, “there will be a lot more touching in terms of managing the [public and private] keys involved,” Iyer said. “Hopefully over time, we’ll make it easier and easier to use.”
New management tools will help, with IPWorks planning to offer a DNSSEC-compliant version of its IP address management software sometime next year. Other companies, such as Nominum and UltraDNS, plan to announce outsourced DNSSEC services.
“Because DNSSEC adds another level of complexity to DNS, and users have to deal with the whole issue of digital signatures . . . it will be far, far easier for companies that have limited resources to outsource this,” said David Conrad, chief technology officer at Nominum, which wrote BIND 9 under a contract with the Internet Software Consortium.
Similar to many new Internet technologies, DNSSEC suffers from a chicken-and-egg problem. Web site operators and end users won’t fully benefit from DNSSEC until it’s widely deployed across the Internet. Until then, end users can’t differentiate between Web sites that ought to be authenticated and aren’t because of a spoofing problem, and sites that simply don’t support DNSSEC.
In addition, the Internet Corporation for Assigned Names and Numbers (ICANN) has yet to determine how and when it is going to upgrade the Internet’s root and top-level domain servers to support DNSSEC.
“The hardest part of this migration is going to be the political part on ICANN’s behalf,” Network Solutions’ Kosters predicted. “For DNSSEC to truly work, it needs to be a top-down validation scheme . . . . It’ll be better if first the root is signed, then the .com is signed and then the domain name is signed.”
