Secure and Proactive DNS

People

• Giuseppe Ateniese
• Aniello Del Sorbo
• Reza Curtmola

Introduction

The Domain Name System (DNS) is a hierarchically distributed database that provides several useful services, such as translating between human readable host names and Internet Protocol (IP) addresses. Due to the importance of the information served by DNS, there is a strong need for securing communication within the DNS system. 

The current insecure DNS does not prevent attackers from modifying or injecting DNS messages. Users accessing hosts on the Internet rely on the correct translation of host names to IP addresses by the DNS system. A typical attack, referred to as DNS spoofing, allows an attacker to manipulate DNS answers on their way to the users. If an attacker makes changes in the DNS tables of a single server, those changes will propagate across the Internet.

Consider an user who wants to access the CNN news web page. A compromised DNS server can redirect the user to a malicious machine which hosts something different from the content of the CNN web page. So, even if the CNN web server is secure and highly protected, the attacker just needs to compromise either the user's local DNS server or the DNS server responsible for the CNN domain (or any other server upstream).

In response to the above concerns, DNS Security (DNSSEC) has been proposed by the Internet Engineering Task Force (IETF) working group on DNS Extensions (dnsext).

Our Approach to DNS Security

We are looking into DNS security using symmetric-key cryptography. Symmetric-key algorithms are extremely fast and make use of relatively short keys. For more details look at the paper A New Approach to DNS Security (DNSSEC) below.

We are also investigating the use of Proactive Security (a technique which calls for the distribution of trust amongst servers and guarantees uninterrupted security as long as not too many servers are broken into at the same time) to enhance DNS security. Instead of having one server which stores the private key we will have a group of secure servers which share the private key. This will make more difficult for an attacker to compromise the system as he/she will have to break into several servers simultaneously. Period refreshments of the private key will render the past information useless for the attacker. 

Future Directions

• What if we plan to add more servers to enhance security or maybe remove servers for maintenance? Is it possible to dynamically redistribute the shares of the private key? There are schemes which enable this kind of dynamic redistribution of shares but none of them are very practical considering the fact that a DNS server may handle millions of requests per day. 
• We also want to explore the notion of cost-driven security (where a cost is assigned to each attack based on its type and effectiveness considering the characteristics of the hosts under attack). For more details look at the presentation presented at the IEEE - NASA Security in Storage Workshop.  

Research Funding

This project, Secure and Proactive DNS , is being funded by NSF (2002-2005).

Related Projects

• Fault-Tolerant Mesh of Trust Applied to DNSSEC
• Topolgy Based Domain Search (TBDS)
• LADON
• COCA: Cornell Online Certification Authority

Implementation

References

DNS Security

• Paul Albitz, and Cricket Liu. DNS and BIND. Published by O' Reilly, 4th Edition.
• D. Eastlake. RFC 2137 - Secure Domain Name System Dynamic Updates. April 1997.
• G. Ateniese, and S. Mangard. A New Approach to DNS Security (DNSSEC) . In Eighth ACM Conference on Computer and Communications Security (ACM CCS-8), Philadelphia, Pennsylvania, USA, November 5-8, 2001.

Proactive Security and Threshold Cryptography

• R. Ostrovsky, and M. Yung. How to withstand mobile virus attacks. ACM Symposium on Principles of Distributed Computing, 1991
• R. Canetti, R. Gennaro, A. Herzburg, and Dalit Naor. Proactive Security: Long-term protection against break-ins. July 1997
• Yvo Desmedt's Page on Threshold Cryptography 

Last Updated: February 6, 2004