Managing Network Security

Why Can't We Do DNS Right?

by Fred Cohen



Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


What's The Problem Here?

Domain Name Service (DNS) is the service that translated IP addresses (like 204.7.229.1) into names (like all.net) and names to IP addresses. It is at the core of the functioning of the Internet, it is one of the most critical services for allowing humans to deal with computers, and yet year after year, more and more flaws are found in DNS servers.

Now I don't want you to get a misimpression. DNS is a really simple service at its core. In order to make a functioning DNS all you have to do is listen for incoming requests (What's the host name for 204.7.229.1?) and provide answers (all.net). Here's a real example...

It looks so simple, and yet for some reason we cannot do it right in the Internet. Here's the proof:


Oops!

There is no hocus pocus going on in this example. These are real results that you would get if you tried these same things from your computer. So where's the real all.net? Well...

The first problem we face seems to be that anybody who runs a server in the Internet can provide any service they want. If they choose to provide false information and others choose to depend on them, so be it. The people who provide the translation from 204.7.229.1 to all.net are legitimate ISPs who have been in business for a long time. They are not trying to lie or cheat. But if you want to lie or cheat in your DNS servers, it's easy to do and not really possible to stop.

Of course you have the alternative of using DNS servers that you trust, at least for domains that you care about - at least sort of. The problems are myriad, but basically, the DNS tree starts at a set of 'root' servers that are maintained by relatively trusted parties most of the time. Every once in a while somebody takes over them and the whole Internet gets screwed up, but we'll ignore that minor inconvenience. As you work your way up the DNS tree, anybody who owns or gets control over DNS records becomes part of the web of trust that you depend on for proper association of names with computers.


Who Are You Trusting?

Since you don't have any idea of who is involved - and there are at least tens of thousands of people involved at any given time - you are, in effect, trusting this large global collection of people to give you correct answers. A wrong answer means that you may go to the wrong site, and they may capture your traffic, forward it on to the 'legitimate' site, intercept your encyrpted information, alter the orders you place, feed you wrong information, make things seem less reliable or slower than they really are, and so forth.

Of course all of this can be trivially avoided by simply remembering IP addresses instead of names. Instead of going to all.net, just remember 207.222.214.225. Of course when it changes to some other IP address, it's very convenient to use the name, and people are not really as good at remembering snappy IP addresses as snappy names, and you can have lots of names covered by one IP address, and... OK. I admit it. Even computer geeks like me find host names useful.

So we all trust systems and people that are not worthy of that trust and sort of hope that most things work out allright most of the time. After all, most folks are good folks, and most of it works most of the time. Sort of...


But Why Are They So Vulnerable?

It's one thing to place trust in people who may or may not be worthy, but it is something very different to use software for globally critical network functions when that software has holes so big that bad guys can drive superuser accessing buffer overruns through them. If there is a most critical software function in the Internet, it is the DNS function. If we cannot secure this against remote attacks, then we may as well hang it all up.

Of course I think we can secure the DNS system to a reasonable extent. In fact, I know we can, because I asked a few of the Sandia College Cyber Defenders to build me a trivial - let's even call it stupid - DNS service. In a few days they were able to build me a DNS that is so simple that it can be made secure against all of the sorts of attacks that would allow you to remotely corrupt its data or use it to break into a computer from the Internet. It also answers tha most important DNS questions quickly and reliably, and it is free and freely available to anybody who wants to use it.

Now I know that, just like my secure get-only web server, most people will not use this technology and we will continue to build low-security DNS servers which provide some added but non-critical services at the risk of global network-wide insecurity. It's a tradeoff I see all the time and I imagine I will continue to see it for as long as I bother to look. Still...


I Have a Dream!

Call me a dreamer, but I imagine that some day in a galaxy far far away, somebody who runs one of the root servers will decide that instead of adding encryption and massive complexity and additional layers of untrsutworthy software to the already overburdened systems that form the improperly trusted core of the Internet, will decide to actually build the system with the minimum required software and verify it very carefully.

Call me a dreamer, but I imagine that some day people will choose quality over time to market, and careful design over the joy of reprogramming the same things again and again and again and still not getting them to work right.

Call me a dreamer - or don't - but please call me and voice your views on why, with all of the so-called brilliance that we have in our society, we cannot write a program that does a simple table lookup and does it right every time.


About The Author:

Fred Cohen is exploring the minimum raise as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates in Livermore California, and educating defenders over-the-Internet on all aspects of information protection as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting /