Information-Centric Networks 03a-1 Week 3 / Paper 1: What DNS is not – Paul Vixie – CACM, December 2009, vol. 52, no. 12


Information-Centric Networks 03a-1 Week 3 / Paper 1
What DNS is not
– Paul Vixie
– CACM, December 2009, vol. 52, no. 12
Main point
– “DNS is many things to many people – perhaps too many things to too many people”
– The DNS is essentially a hierarchical distributed database
– The goal of DNS is to translate names to addresses
– But currently the DNS is used in many other ways
– Why is it bad to use the DNS in other ways?

Information-Centric Networks 03a-2
DNS use and misuse
The DNS is critical for the Web
– Every Web page view starts with a DNS transaction
  Translate server name to IP address
Monetized intermediation
– A common misuse of the DNS is redirection for profit
– You ask for an address and instead get an ad page
– Someone makes money out of this redirection
DNS is not a directory system
– Directory systems approximately answer approximate questions
– DNS only exactly answers exact questions
– Misusing the DNS this way has a cost for everyone

Information-Centric Networks 03a-3
Stupid DNS tricks
DNS lookups misused as mapping requests
– CDNs use lookups to redirect web browsers
– The IP of the source is used to select a content server
– Based on server load and proximity to the client
What does this mean for DNS?
– Caching is prohibited to allow answers to change
  Normally the TTL of replies is very low
– And it may not even lead to good decisions
  DNS requests can be recursive
  The source IP may not have much to do with the client
  Lots of tricks are needed to provide good answers
– DNS server load is increased for everyone
  But it does not affect the CDN operator’s revenue!

Information-Centric Networks 03a-4
NXDOMAIN remapping
NXDOMAIN is returned for non-existent domains
– Due to mistyping or software/hardware failures
– These answers can be cached like all other answers
– Applications treat NXDOMAIN as an error
  Error pages, bounced e-mails, server does not exist
Returning ad pages instead of NXDOMAIN
– Instead of an error, you get a web page
  The DNS is lying for money
– Applications cannot determine that an error occurred
  Web clients can because a human sees the response
– Widespread practice in third-party DNS servers
– Some ISPs block these servers to do this trick themselves!
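A check a resolver operator or user can run against their own resolver, added here as an example (not part of the slides or of Vixie's paper): parse a DNS response on the wire and see whether a name that cannot exist came back as NXDOMAIN or was rewritten into an A record. The two responses below are constructed samples; the name nosuch.example.com and the address 192.0.2.10 are illustrative placeholders.

```python
import struct
NXDOMAIN = 3   # RCODE meaning "this name does not exist"

def parse_name(buf, off):
    """Decode a DNS name at `off`, following compression pointers.
    Returns (dotted name, offset just past the name in the original place)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                         # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack('!H', buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode('ascii'))
        off += ln
    return '.'.join(labels), (off if end is None else end)

def parse_response(buf):
    """Return (rcode, question name, list of A-record addresses)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack('!HHHHHH', buf[:12])
    off, qname, ips = 12, None, []
    for _ in range(qd):
        qname, off = parse_name(buf, off)
        off += 4                                       # QTYPE + QCLASS
    for _ in range(an):
        _owner, off = parse_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record
            ips.append('.'.join(str(b) for b in buf[off:off + 4]))
        off += rdlen
    return flags & 0x0F, qname, ips

def classify(buf):
    """Verdict for a probe of a name we know cannot exist."""
    rcode, _qname, ips = parse_response(buf)
    if rcode == NXDOMAIN:
        return 'honest'
    return 'remapped' if rcode == 0 and ips else 'other'

# Constructed sample responses to a query for nosuch.example.com (type A, IN):
# one honest NXDOMAIN, one rewritten into an A record pointing at an ad host.
_QUESTION = b'\x06nosuch\x07example\x03com\x00' + b'\x00\x01\x00\x01'
HONEST = struct.pack('!HHHHHH', 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION
LYING = (struct.pack('!HHHHHH', 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
         + b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 5, 4) + bytes([192, 0, 2, 10]))
```

In practice the probe name should be random under a zone you control, so that a cached answer cannot mask the rewrite.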

Information-Centric Networks 03a-5
Damage control
NXDOMAIN remapping has many implications
Cookies use the same-origin trust model
– You can send a cookie to the domain you got it from
– Say that you misspell a server name but not the domain
– The ad server may receive your cookie for that domain
MX entries can also be redirected
– Your e-mail will end up in an ad server
– In theory MX records are not remapped
  But there is no foolproof way to do this
Standard bad practices
– There is even an IETF proposal on how to lie consistently!
– It breaks DNSSEC, but who cares?
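The cookie leak on this slide, worked through as an added example (not from the slides): the RFC 6265 domain-matching rule decides which cookies a browser attaches to a request for a misspelled host, so a cookie scoped to the whole domain follows the user to whatever the remapping resolver pointed the typo at, while a host-only cookie does not. The hosts, cookie names and values are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # scope, lower-case, no leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    secure: bool = False

def domain_matches(host, domain):
    """RFC 6265 domain-match: host is `domain` itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith('.' + domain)

def parse_set_cookie(header, request_host):
    """Minimal Set-Cookie parser (name=value plus Domain/Secure attributes)."""
    parts = [p.strip() for p in header.split(';')]
    name, value = parts[0].split('=', 1)
    domain, secure = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition('=')
        if key.lower() == 'domain' and val:
            domain = val.lstrip('.').lower()
        elif key.lower() == 'secure':
            secure = True
    if domain is None:                      # no Domain attribute: host-only cookie
        return Cookie(name, value, request_host.lower(), True, secure)
    if not domain_matches(request_host, domain):
        return None                         # browser rejects a foreign Domain
    return Cookie(name, value, domain, False, secure)

def cookies_for(jar, host, https):
    """Names of the cookies a browser would attach to a request for `host`."""
    return [c.name for c in jar
            if (https or not c.secure)
            and (host.lower() == c.domain if c.host_only
                 else domain_matches(host, c.domain))]

# Constructed scenario: www.example.com set three cookies earlier. The user then
# mistypes the host as wwww.example.com; a remapping resolver answers with the
# ad server's address instead of NXDOMAIN and the browser connects over HTTP.
JAR = [c for c in (
    parse_set_cookie('session=abc123; Domain=example.com', 'www.example.com'),
    parse_set_cookie('pref=dark', 'www.example.com'),          # host-only
    parse_set_cookie('auth=zz9; Domain=example.com; Secure', 'www.example.com'),
) if c is not None]
SENT_TO_AD_SERVER = cookies_for(JAR, 'wwww.example.com', https=False)   # ['session']
```

Only the domain-scoped, non-Secure cookie reaches the ad server; omitting the Domain attribute and setting Secure are the site-side mitigations this illustrates.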

Information-Centric Networks 03a-6
A rescue being thought of
The emergence of DNSSEC may stop such problems
– DNSSEC allows zone info to be signed and verified
  Using public key cryptography
– Private keys are held by authoritative servers
– Public keys are published in DNS
DNSSEC can stop DNS lying
– NXDOMAIN remapping returns invalid records
  They do not come from the authoritative servers
– Server redirection is not prevented
  CDNs work with the content publishers
– This is not why DNSSEC was designed
  But it does the trick

Information-Centric Networks 03a-7
Directory services
Browser autocompletion misuses DNS
– As you type, your browser guesses what you want
– This requires DNS queries as you type
– Of course they only query for valid-looking names
  They will not look for w, ww, www, and so on
  But they will look up other names along the way: one in China, one in Colombia!
– Essentially, this is using the DNS as a directory service
– If DNS were designed to do this, it would reverse names
  com.cnn.www rather than the other way around
  This walks the name tree in the right order
– At least this should be made optional
  We can then argue whether it should be opt-in or opt-out
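The slide's argument about name order, made concrete as an added example (not from the slides), assuming www.cnn.com is the name being typed (the slide's com.cnn.www reversed) and a type-ahead lookup that queries every partial string with two or more non-empty labels: it lists which partial names go to the DNS and which top-level zone each one lands in, for the name typed normally and in the reversed order the slide proposes.

```python
def looks_like_a_name(text):
    """Rough 'valid looking' filter: at least two labels, none of them empty."""
    labels = text.split('.')
    return len(labels) >= 2 and all(labels)

def lookups(name, reversed_order=False):
    """(partial name, top-level zone it is sent to) for every prefix of `name`
    that a type-ahead lookup would query. In normal order the TLD is the last
    label; in the reversed order the slide proposes it is the first."""
    out = []
    for i in range(1, len(name) + 1):
        partial = name[:i]
        if looks_like_a_name(partial):
            labels = partial.split('.')
            out.append((partial, labels[0] if reversed_order else labels[-1]))
    return out

def stray_zones(name, reversed_order=False):
    """Top-level zones queried on the way that are not the target's own TLD."""
    target_tld = name.split('.')[0] if reversed_order else name.split('.')[-1]
    return sorted({tld for _, tld in lookups(name, reversed_order) if tld != target_tld})

# Constructed input: the slide's com.cnn.www example, typed both ways.
FORWARD_STRAYS = stray_zones('www.cnn.com')                        # ['c', 'cn', 'cnn', 'co']
REVERSED_STRAYS = stray_zones('com.cnn.www', reversed_order=True)  # []
```

Typed in normal order the partial names leak to several unrelated top-level zones; in reversed order every partial name is routed through the target's own zone, which is what "walks the name tree in the right order" means.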