Slide 1
Name Collisions in the Domain Name System
Burt Kaliski, Verisign
USTelecom Webinar, April 17, 2014
Slide 2
Verisign Public
Agenda
- Name Collision Problem
- Timeline
- Mitigating Name Collisions
- Remediation: ICANN’s Guidance to IT Professionals
- Constraints: ICANN’s “Alternate Path” of SLD Blocking
- Notification: JAS Global Advisors’ “Controlled Interruption”
- Next Steps
Slide 3
Name Collision Problem for Domain Name System (DNS Queries)
[Diagram: Installed System sends a query for ….SLD.TLD to the Global DNS without the TLD; NXDOMAIN expected. Up to ~1400 (or more!) new gTLDs!]
Key:
- TLD = top-level domain (e.g., “.com”, “.de”, “.net”)
- New gTLD = new generic TLD
- SLD = second-level domain (e.g., “example” in “example.com”)
- NXDOMAIN = “non-existent domain” error message
Slide 4
Name Collision Problem for Domain Name System (DNS Queries)
[Diagram: Installed System sends a query for ….SLD.TLD to the Global DNS with the TLD; resource record received (if SLD delegated). Internally Generated Query collides with Externally Assigned Name. Up to ~1400 (or more!) new gTLDs!]
Root Causes:
- Best Practice: “.” not required at end of domain name
- “Private” TLDs (e.g., “.corp”), Shortened Internal Domain Names
- Search List Processing
- Mobile Computing
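To make the search-list root cause concrete, here is an added example (not from the presentation, Verisign or ICANN) that models how a stub resolver expands a short internal name: the list of colliding TLDs, the search lists and the ndots rule are assumptions, simplified from typical resolver behaviour.

```python
"""Model of stub-resolver search-list expansion, showing how a short
internal name becomes a query for a private TLD that reaches the global
DNS. Simplified (ndots-style rule); not a copy of any real resolver."""

# Constructed: suffixes a hypothetical organisation used privately that
# are also applied-for or delegated gTLDs (all four are named on the slides).
COLLIDING_TLDS = {"corp", "home", "mail", "cba"}


def expand(name, search_list, ndots=1):
    """Return the FQDNs a stub resolver tries, in order, for `name`.
    A trailing dot makes the name absolute and skips the search list;
    a name with at least `ndots` dots is tried as-is before the list;
    otherwise the search list is tried first and the bare name last."""
    if name.endswith("."):
        return [name[:-1]]
    with_suffix = [f"{name}.{s.strip('.')}" for s in search_list]
    if name.count(".") >= ndots:
        return [name] + with_suffix
    return with_suffix + [name]


def leaking_queries(name, search_list, ndots=1):
    """Candidates whose last label is a TLD the organisation does not
    control. Each one is sent to the global DNS; while the TLD is not
    delegated it returns NXDOMAIN, but once delegated a resource record
    (or the 127.0.53.53 controlled-interruption address) comes back."""
    return [fqdn for fqdn in expand(name, search_list, ndots)
            if fqdn.rsplit(".", 1)[-1].lower() in COLLIDING_TLDS]


if __name__ == "__main__":
    # Before remediation: shortened names plus a ".corp" search suffix.
    print(leaking_queries("wpad", ["corp", "example.com"]))  # ['wpad.corp']
    print(leaking_queries("mail", ["corp"]))   # ['mail.corp', 'mail']
    # After remediation: fully qualified, absolute global name.
    print(leaking_queries("wpad.example.com.", ["corp"]))   # []
```

The bare name "mail" is itself flagged because a single-label query reaches the root as a query for the TLD ".mail", which is why the slides list it among the names not to delegate.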
Slide 5
Name Collision Problem for Domain Name System (DNS Queries)
[Diagram: Installed System sends a query for ….SLD.TLD to the Global DNS with the TLD; resource record received (if SLD delegated). Internally Generated Query collides with Externally Assigned Name. Up to ~1400 (or more!) new gTLDs!]
Potential Risks:
- Installed System Breaks
- Internal Information Leaks (beyond root)
- Cyberattacks Exploit Collision
Slide 6
Mitigating Name Collisions
[Diagram: Installed System sends a query for ….SLD.TLD to the Global DNS with the TLD; resource record received (if SLD delegated). Internally Generated Query collides with Externally Assigned Name. Up to ~1400 (or more!) new gTLDs!]
Options:
(1) Remediate Installed System
(2) Constrain Global DNS
(3) “Notify” System Operators
(4) Hybrid Approach
Slide 7
Timeline
- Nov. 2010: ICANN’s Security and Stability Advisory Committee (SSAC) warns of potential name collision risks
- June 2011: ICANN launches New gTLD Program
- Mar. 2013: Verisign Labs publishes first in series of research reports analyzing name collision risk
- Aug. 2013: ICANN publishes report on name collision risk
- Oct. 2013: ICANN defines name collision risk management strategy
- Oct. 2013: First new gTLDs delegated
- Dec. 2013: ICANN publishes guidance to IT professionals
- Feb. 2014: JAS Global Advisors publishes Phase One Report on name collision risk management under contract to ICANN
- Mar. 2014: Verisign Labs holds name collisions research workshop, namecollisions.net
- Apr. 2014: Comments due on Phase One Report
- Jun. 2014: Phase Two Report expected
Slide 8
Mitigating Name Collisions
[Section divider: the diagram from slide 6 repeated, with options (1) Remediate Installed System, (2) Constrain Global DNS, (3) “Notify” System Operators, (4) Hybrid Approach]
Slide 9
Remediation: ICANN’s Guidance to IT Professionals
Change Installed System to Avoid Potential Name Collisions
Basic steps:
- Replace private TLDs, shortened internal domain names with fully qualified global domain names
- Turn off search lists at shared DNS resolvers
- Update application, device configurations
- Train users and administrators
- Revoke certificates with private TLDs
- Monitor, monitor, monitor …
Reference: Guide to Name Collision Identification and Mitigation for IT Professionals. ICANN, December 5, 2013.
Slide 10
A Good Remediation: .CBA Case Study
Slide 11
Mitigating Name Collisions
[Section divider: the diagram from slide 6 repeated, with options (1) Remediate Installed System, (2) Constrain Global DNS, (3) “Notify” System Operators, (4) Hybrid Approach]
Slide 12
Constraints: ICANN’s “Alternate Path” of SLD Blocking
Restrict SLD Registrations to Avoid Potential Name Collisions
Basic steps:
- Don’t delegate “.corp”, “.home” for now
- Block from registration any SLD that received queries in certain “Day-in-the-Life” annual data sets
  - Assumption: some of those queries imply at-risk queries from installed systems
- All but 25 applied-for new gTLDs eligible
- In effect until the full name collision management framework is completed
Reference: NGPC Resolution for Addressing the Consequences of Name Collisions. ICANN, October 8, 2013.
Slide 13
Challenging Constraints: SLD Variability
How to block a moving target?
25 applied-for new gTLDs declared ineligible for SLD blocking by ICANN due to high variability
Slide 14
How Much Does Blocking Help?
[Chart: Potentially at-risk queries observed for a newly delegated gTLD, without and with required SLD blocking]
Slide 15
Mitigating Name Collisions
[Section divider: the diagram from slide 6 repeated, with options (1) Remediate Installed System, (2) Constrain Global DNS, (3) “Notify” System Operators, (4) Hybrid Approach]
Slide 16
Notification: JAS Global Advisors’ “Controlled Interruption”
Flag Impending Change in Global DNS to Users, System Administrators to Prompt Remediation
Basic steps:
- Don’t delegate “.corp”, “.home”, “.mail” for now
- Return a special IP address (e.g., 127.0.53.53) for a period of time before regular delegations begin
  - “Blocked” SLDs only for new gTLDs on “alternate path”
  - Every SLD for other new gTLDs (“wildcard” record)
Idea: At-risk queries will fail safely to internal IP address; applications may break, but users, system administrators will notice “interruption”
Reference: Mitigating the Risk of DNS Namespace Collisions: Phase One Report. JAS Global Advisors, February 24, 2014.
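An added example of the monitoring side of this (not part of the slides, and not JAS’s or Verisign’s tooling): a checker over a constructed resolver log that flags answers of the controlled-interruption address, and separately the queries for private TLDs that still return NXDOMAIN but will change once the TLD is delegated. The log format, watch list, clients and addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# 127.0.53.53 is the address JAS Global Advisors proposed for "controlled
# interruption": seeing it in an answer means an internally generated
# query reached a newly delegated gTLD instead of failing with NXDOMAIN.
INTERRUPTION_IP = "127.0.53.53"
# Constructed watch list of suffixes this hypothetical organisation used
# privately; queries for them should never leave the internal resolver.
WATCHED_TLDS = {"corp", "home", "mail"}

# Constructed resolver log (simplified format, not any real product's):
# <timestamp> <client> <qname> <qtype> <rcode> <answer or ->
SAMPLE_LOG = """\
2014-04-17T10:01:02Z 10.0.0.5 wpad.corp A NOERROR 127.0.53.53
2014-04-17T10:01:03Z 10.0.0.5 wpad.example.com A NOERROR 192.0.2.10
2014-04-17T10:01:07Z 10.0.0.9 mail.corp MX NOERROR 127.0.53.53
2014-04-17T10:01:09Z 10.0.0.9 printer.home A NXDOMAIN -
2014-04-17T10:02:11Z 10.0.0.12 intranet.example.com A NOERROR 192.0.2.20
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype, rcode, answer = m.groups()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
            "qtype": qtype, "rcode": rcode, "answer": answer}


def find_collisions(log_text):
    """Return (interrupted, watched): interrupted maps qname -> count of
    127.0.53.53 answers (the collision has already happened); watched maps
    qname -> set of clients querying a watched private TLD, NXDOMAIN
    included, since those names still leak to the root and will flip
    from NXDOMAIN to an answer once the TLD is delegated."""
    interrupted = Counter()
    watched = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["answer"] == INTERRUPTION_IP:
            interrupted[rec["qname"]] += 1
        if rec["qname"].rsplit(".", 1)[-1] in WATCHED_TLDS:
            watched[rec["qname"]].add(rec["client"])
    return interrupted, dict(watched)
```

Run over a real resolver log, the first map is the list of systems that have already been interrupted, and the second is the remediation backlog the “monitor, monitor, monitor” step on slide 9 asks for.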
Slide 17
Verisign Comments on Controlled Interruption
1. Issue: Name collision framework not yet provided
   Recommendation: Wait until Phase Two Report available and publicly reviewed before implementing
2. Issue: Controlled Interruption untested, may not be effective (e.g., non-blocked SLDs for “alternate path” gTLDs; WPAD and related protocols)
   Recommendation: Verify that these cases are covered, based on analysis in full name collision framework
3. Issue: Controlled interruption may break systems not at risk (e.g., if SLD is in use internally, but won’t be registered)
   Recommendation: If SLD won’t be registered, give gTLD operator option not to interrupt it
4. Issue: Risk management requires feedback
   Recommendation: Collect traffic during interruption period for analysis by research community to assess, improve effectiveness
Reference: Verisign preliminary comments on "Mitigating the Risk of DNS Namespace Collisions" Phase One Report. comments-name-collision-26feb14 discussion thread, March 31, 2014.
Slide 18
Mitigating Name Collisions
[Section divider: the diagram from slide 6 repeated, with options (1) Remediate Installed System, (2) Constrain Global DNS, (3) “Notify” System Operators, (4) Hybrid Approach; caption now reads “Up to ~1400 more choices!”]
Slide 19
Next Steps
- Phase One Report comment period open through April 21, 2014
- Phase Two Report expected in June – completes name collision management framework
- ICANN to expand outreach to users, system administrators
- Research community analyzing mitigation techniques, proposing long-term improvements
Slide 20
For Further Reading
- SAC045: Invalid Top Level Domain Queries at the Root Level of the Domain Name System. ICANN Security and Stability Advisory Committee, November 15, 2010.
- SAC057: SSAC Advisory on Internal Name Certificates. ICANN Security and Stability Advisory Committee, March 15, 2013.
- New gTLD Security and Stability Considerations. Verisign Labs Technical Report #1130007, Version 2.2, March 28, 2013.
- Danny McPherson. Part 1 of 5; Introduction: New gTLD Security and Stability Considerations. Between the Dots, May 9, 2013.
Slide 21
For Further Reading
- Name Collision in the DNS. Interisle Consulting Group, Version 1.5, August 2, 2013.
- New gTLD Collision Risk Mitigation. ICANN, August 5, 2013.
- New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis. Verisign Labs Technical Report #1130008, Version 1.1, August 27, 2013.
- Patrick S. Kane, Thomas C. Indelicarto, and Danny McPherson. Letter to ICANN Board of Directors re: ICANN’s Proposal to Mitigate Name Collision Risks – .CBA Case Study. September 15, 2013.
- New gTLD Collision Occurrence Management. ICANN, October 4, 2013.
Slide 22
For Further Reading
- NGPC Resolution for Addressing the Consequences of Name Collisions. ICANN, October 8, 2013.
- Burt Kaliski. Part 2 of 4 – DITL Data Isn’t Statistically Valid for This Purpose. Between the Dots, November 8, 2013.
- Burt Kaliski. Part 3 of 4 – Name Collision Mitigation Requires Qualitative Analysis. Between the Dots, November 13, 2013.
- Guide to Name Collision Identification and Mitigation for IT Professionals. ICANN, December 5, 2013.
- Mitigating the Risk of DNS Namespace Collisions: Phase One Report. JAS Global Advisors, February 24, 2014.
Slide 23
For Further Reading
- Burt Kaliski. Uncontrolled Interruption? Dozens of “Blocked” Domains in New gTLDs Actually Delegated. Between the Dots, February 26, 2014.
- Jeff Schmidt. Mitigating the Risk of DNS Name Space Collisions. Presented at Workshop and Prize on Root Causes and Mitigation of Name Collisions (WPNC ’14), London, United Kingdom, March 8-10, 2014.
- Andrew Simpson. Detecting Search Lists in Authoritative DNS. Presented at Workshop and Prize on Root Causes and Mitigation of Name Collisions (WPNC ’14), London, United Kingdom, March 8-10, 2014.
Slide 24
For Further Reading
- Matthew Thomas, Yannis Labrou, and Andrew Simpson. The Effectiveness of Block Lists to Prevent Collisions. Presented at Workshop and Prize on Root Causes and Mitigation of Name Collisions (WPNC ’14), London, United Kingdom, March 8-10, 2014.
- Verisign preliminary comments on "Mitigating the Risk of DNS Namespace Collisions" Phase One Report. comments-name-collision-26feb14 discussion thread, March 31, 2014.
Slide 25
© 2014 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.