DNS- At the Heart of the Internet
It is safe to say that without the Domain Name System (DNS), the Internet would not be the force it is today.
In the early days of the Internet, users trying to reach another host on the network were required to input lengthy IP number strings (e.g., 188.8.131.52- a listed IP address for Google). As the internet grew number strings became more cumbersome and unworkable as most users could not consistently remember the proper sequencing of random numbers.
To simplify this process, a solution was developed based on a data solution (flat file) that related each IP address to a comparatively easy-to-remember common language address (e.g., Amazon.com, U-Tube.com, and Twitter.com) that was easy to remember and provided ease of use.
By the late 1980s, the flat file had evolved to the Domain Name System (DNS) in use today-a system that is open, distributed, and expands as users, enterprises, Internet Service Providers (ISPs) and domains appear on the network. Ease of use and expandability was the goal but, since cyber security attacks and malware were virtually unknown, DNS security was not a priority.
DNS is very effective and works in the background of search activity. Internet users are assured that when they type in a URL or e-mail address, they will be connected to the correct Web site or e-mail box. Many commercial companies developed brand strategies based on this functionality in order to use the Internet’s reach to develop more customers and increase sales/revenue. Most of these companies adopted a.com or.net extension. The Federal government adopted a.gov or.mil extension.
DNS Brand Implications
The functionality of DNS opened the branding world to the Internet. Common names became commonplace brands (e.g. Google, Bing, Amazon, and E-Bay) and powerful strategies were developed to market brands on the Internet.
An entirely new marketing strategy called Search Engine Marketing (SEM) developed whereby keyword searches and positioning on search pages developed into a major industry. Premier placing on the first page of a search engine gave the recipient an advantage for more business versus the competition.
Google became a multi-billion dollar concern by developing algorithms that enabled effective and powerful key word searches. Web based purchases supported by easy, convenient key word searches now account for 20-30% of all retail business and the web based e-commerce market share continue to enjoy strong growth. DNS is an integral part of this success. But as traffic on the Internet grew, the entire net became vulnerable to Cyber attacks. A good portion of this vulnerability can be attributed to the inherent vulnerability of DNS.
DNS is inherently Insecure
The original design of the Domain Name System (DNS) did not include robust security features; instead it was designed to be a scalable distributed system and attempts to add security, while maintaining backwards compatibility were rudimentary and did not keep pace with the skills of malicious hackers. As a result cyber attacks created Internet chaos.
Security may top the list of enterprise and network administrators, but too often the link between security vulnerability and DNS is not understood. In order to enhance security and defend against cyber attacks, government agencies, commercial enterprises and network administrators must acknowledge the importance of DNS to the secure operation of the Internet.
Consequently, any commercial company that uses the Internet for sales, e-commerce, service, marketing or logistics, as well as Internet Service Providers (ISPs) and large, strategically sensitive government networks need to be aware of DNS vulnerability.
It became very evident that enterprises and ISPs must protect their users and networks-sometimes from the amateur hacker but increasingly from organized crime and state sponsored cyber terrorism. One of the most vulnerable, critical areas was DNS. Cyber attacks are expected to increase and have a bigger impact as the Internet grows.
The internet is also growing by an order of magnitude and just about every user of the internet is directly affected by the Domain Name System (DNS). The Domain Name System (DNS) is an essential part of the Internet. Many Internet security mechanisms, including host access control and defenses against spam and phishing, heavily depend on the integrity of the DNS infrastructure and DNS Servers.
DNS servers running the software known as BIND (for Berkeley Internet Name Daemon, or sometimes Berkeley Internet Name Domain), is one of the most commonly used Domain Name System (DNS) server on the Internet, and still proclaims it to be so.
Presently, BIND is the de facto standard DNS server. It is a free software product and is distributed with most UNIX and Linux platforms. Historically, BIND underwent three major revisions, each with significantly different architectures: BIND4, BIND8, and BIND9. BIND4 and BIND8 are now considered technically obsolete. BIND9 is a ground-up rewrite of BIND featuring complete Domain Name System Security Extensions (DNSSEC) support in addition to other features and enhancements. But even with the rewrite BIND, in all versions, remains vulnerable.
A new version, BIND 10 is under development but the effectiveness of it its security features are untested. Its first release was in April 2010, and is expected to be a five-year project to complete its feature set.
Although BIND is still the de facto DNS software because it is included by most UNIX based server manufacturers at no cost, a number of other developers have produced DNS Server software that addresses the inherent weaknesses of BIND. Ratings of these packages can be found on http://www.kb.cert.org/vuls/
Common Vulnerabilities: Cache Poisoning and Distributed Denial of Service
The DNS vulnerabilities open the affected networks to various types of cyber attacks but cache poisoning and DDoS attacks are usually the most common.
Cache poisoning is arguably the most prominent and dangerous attack on DNS. DNS cache poisoning results in a DNS resolver storing (i.e., caching) invalid or malicious mappings between symbolic names and IP addresses. Because the process of resolving a name depends on authoritative servers located elsewhere on the Internet, the DNS protocol is intrinsically vulnerable to cache poisoning. Cache poisoning allows the perpetrator to gain access to proprietary information like bank records and social security numbers.
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is focused on making computer resources unavailable to its intended users. A DDoS consists of the concerted efforts to prevent an Internet site or service from functioning efficiently or at all.
Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as government agencies, banks, credit card payment gateways, and even root nameservers. The term is generally used with regards to computer networks. Of particular concern are DoS or DDoS attacks on large government networks like the Department of Defense or Veteran’s administration networks.
One way of compromising the network for a DDoS attack is through the vulnerabilities of CNS.
Until effective solutions are developed that reduce DNS vulnerabilities cyber attacks will increase particularly as new protocols expand the reach of the Internet.
Internet Protocol Version 6 (IPv6)
It was inevitable that the Internet capacity would be exhausted and it is near that point now.
The Internet is rapidly running out of capacity and solutions in the form of expanded Internet Protocols for this problem may create additional vulnerability. A phenomenon known as IPv4 address exhaustion results and Internet space disappears.
A new Internet Protocol, Version 6 (IPv6), is a replacement for Internet Protocol version 4 (IPv4), as the primary Internet Protocol in operation since 1981. The driving force for the redesign of Internet Protocol was the foreseeable IPv4 address exhaustion. In effect, without new protocols, the Internet will run out of capacity.
IPv6 has a significantly larger address space than IPv4. IPv6 uses a 128-bit address while the present IPv4 uses 32 bits. This expansion provides flexibility in allocating addresses and routing traffic and eliminates the growing need for network address translation (NAT), which gained widespread deployment as an effort to alleviate IPv4 address exhaustion.
IPv6 protocol expansion however, also opens new vulnerabilities for malicious cyber attacks as more and more users and applications gain access to the Internet.
Some analysts believe that the Domain Name System Security Extensions (DNSSEC) provides an effective and comprehensive solution for DNS vulnerability issues. This is not the case however.
DNSSEC enables the use of digital signatures that can be used to authenticate DNS data that is returned to query responses. This helps combat attacks such as pharming, cache poisoning, DDoS and DNS redirection that are used to commit fraud, identity theft and the distribution of malware but does not guarantee secure data in the system.
It is widely believed that securing the DNS is critically important for securing the Internet as a whole, but deployment of DNSSEC specifically has been hampered by several procedural difficulties not the least of which is the lack of universal deployment and overcoming the perceived complexity of deployment.
Some of these problems are in the process of being resolved, and deployment in various domains is in progress. This may take an extended period of time however and during the process DNS continues to be vulnerable.
Even with the technical limitations, progress in implementing DNSSEC has been slow particularly in the Federal Government. Although the Federal Office of Management and Budget mandated that all government agencies will adopt DNSSEC by December 2009, nine months after the deadline for federal agencies to implement DNSSEC, only 30-40% of agencies have complied.
Government Network Solutions
Today’s complex government networks must deliver the utmost security and reliability to protect against potential national security threats. A poorly architected DNS service infrastructure poses one of the greatest security vulnerabilities for any government network.
Likewise, choosing the wrong DNS solution can turn an otherwise well-architected service infrastructure into a compromised system capable of undermining data integrity and network stability.
Security against cyber attack is mandatory for government networks. More than any other networks, government networks demand the highest level of monitoring and visibility, security fortification, alerting and blocking to ensure appropriate corrective action. Without this protection, National Security and other nationwide infrastructure can be compromised.
Government Networks Have Unique Needs but Face Cumbersome Solutions
Until recently, federal cyber security efforts have been fragmented and cumbersome. Greater attention was paid to time consuming reporting requirements in order to meet standards. Although standards are important for establishing a baseline of security and meeting standards in order to reduce cyber attack damage, overly restrictive reporting requirements diminish their effectiveness.
In many ways, for government organizations, the information superhighway has become a virtual minefield. Government networks face this new global problem as much, if not more than other networks.
Not only do they have to support their users’ performing the tasks necessary to complete their missions with uninterrupted Internet access, but they also have to ensure that this access remains uncompromised. Network administrators must continuously balance the need for open access for critical users against the need to keep the network secure.
When a user at a government organization goes to a Website (on multiple types of networks), they need to know that the content they receive is exactly what they were expecting. And just like subscribers on a Service Provider network, they need to be protected from known and suspected sites used to break into computers. The critically of very large networks and the drive to interconnect agencies make many federal networks particularly vulnerable.
All of this has to be done with the highest possible level of performance and availability. Government organizations also need to be absolutely certain that they can comply with DNSSEC and IPv6 mandates.
The government recognizes is addressing the needs of cyber security. Recent step include the creation of Cyber Command for DOD and Intelligence Agencies, a streamlining by the Office of Management and Budget of reporting requirements and an elevation of cyber security to a priority effort by the administration.
However, progress has been slow. Officials from key federal agencies, including the departments of Defense, Homeland Security and the Office of Management and Budget say they’re moving too slowly to implement most of the 24 recommendations President Barack Obama outlined in his May 2009 cyber policy review.