Prohibiting Redirection & Synthesized DNS Responses in Top Level Domains Mar 2010 Kuala Lumpur APTLD Meeting.

1 Prohibiting Redirection & Synthesized DNS Responses in Top Level Domains Mar 2010 Kuala Lumpur APTLD Meeting

2 Redirection of DNS Responses @ TLDs
Issue
– Wildcarding of DNS records at TLDs
– Provides a “valid” address and routing even when domain names do not exist
Consequences
– Breaks core DNS systems & legacy applications
– Erodes trust relationships
– Creates new opportunities for malicious attacks, without the ability of affected parties to mitigate the problem
Reference Document: SAC041

3 SSAC Advice: Clear & Significant danger to security & stability of the DNS

4 ICANN Board Resolution (June ‘09): Take all available steps with appropriate entities to prohibit such use
– Prohibit redirection/synthesis for all TLDs (gTLD & ccTLD, including IDN TLDs)
– Revise new gTLD Guidebook
– Consult with ccTLD community/GAC for new ccTLDs
– Revise existing gTLD agreements
– Add appropriate guidelines to existing ccTLD arrangements
Reference Document: SAC041

5 Architectural Violation
Redirection at the TLD level violates fundamental Internet engineering principles
– The DNS protocol is neutral about which protocols it answers for
– Redirection assumes the HTTP protocol (web browsing)
All future protocols that depend on DNS are affected by redirection
– Unacceptable invasion of protocol boundaries
For example, HTTP could use DNS even though HTTP is a recent invention, due to clear layering

6 Most basic Internet tools break
Systems that test for the “existence” of a host fail
– Spam filters stop working (all forged addresses now appear to be real)
– URL link checkers fail (all links appear to be valid)
Systems that believe a host name is valid break
– Mail to a mis-typed address will not bounce anymore
– And the mail is delivered to a different address, without any notification or choice by the e-mail sender
– Search engines won’t be able to function as normal
Other software, applications, and equipment that depend upon the DNS “working” will break

7 Every Internet Application Is Affected
Requires testing of impact & side-effects on:
– Every mail server, mail agent
– Every instant message program and agent
– Every VOIP server, proxy and user agent
– Every parental control system
– Every anti-virus system
– Every license management system
– Every software update system
i.e., Every Application On The Internet

8 Data Privacy Laws May Be Violated
– Misspelling of a domain would cause redirection to a different zone instead of a failed connection
– In cross-border situations, this can cause a violation of privacy
– The wildcard operator may now become liable for privacy breaches under law

9 Negative impact on e-commerce
HTTPS requests get spurious results, e.g. https://www.does-not-exist.tld/
– The server is provided critical information about the security capabilities of the client browser (cryptography, data compression, etc.), now sent to an unknown source
– The browser may call the site invalid because the IP address/domain name of the SSL certificate does not match the request

10 Negative impact on SMTP (EMail)
Negative impact on the clarity and promptness of error reports returned to sending users
– No one will know what happened to the message, and it may take some time before anyone notices that it has disappeared, if anyone notices at all
– The recipient party suddenly has access to a mail message that was in no way intended for them, which is quite harmful from an integrity perspective
Wastes resources at mail operators (handling millions of mails per day)
– System resources are wasted on the sending mail server to keep track of the message and its status, to issue repeated DNS queries, to make repeated attempts to deliver it, etc.
Impacts the ability of mail servers to reject mail from illegitimate mail addresses (helps spammers)
– Spam is usually sent from non-existent mail domains; adding wildcards stops checks of non-existent domains, i.e., helps spammers
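The “existence” checks that slides 6 and 10 describe, as an added example (not from the presentation): a minimal DNS wire-format parser run over constructed replies, the legacy “it resolved, so it exists” test that a TLD wildcard defeats, and the random-label probe a mail operator or monitoring system can use to recognise a synthesized answer. The “.tld” label, the query names and the addresses are constructed placeholders, not observed data.

```python
import struct

def _read_name(msg, off):
    """Decode a DNS name at `off`, following compression pointers (RFC 1035)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(msg, ptr)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
def parse_response(msg):
    """Return (rcode, qname, [IPv4 addresses from A records in the answer])."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = _read_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _owner, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, qname, addrs
def build_response(qname, rcode, addr=None):
    """Build a constructed reply (example data): header, question, optional A answer."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    answer = b"" if addr is None else (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                                      + bytes(int(o) for o in addr.split(".")))
    header = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    return header + name + struct.pack("!HH", 1, 1) + answer
def naive_domain_exists(msg):
    """Legacy check ("it resolved, so it exists"): defeated by a TLD wildcard."""
    rcode, _q, addrs = parse_response(msg)
    return rcode == 0 and bool(addrs)
def synthesized(msg, probe_msg):
    """Wildcard tell: a random, surely nonexistent label gets the same address."""
    rcode, _q, addrs = parse_response(msg)
    p_rcode, _pq, p_addrs = parse_response(probe_msg)
    return rcode == 0 and p_rcode == 0 and bool(addrs) and set(addrs) == set(p_addrs)

# Constructed sample replies (not captured traffic); ".tld" is a placeholder TLD.
HONEST_NXDOMAIN = build_response("does-not-exist.example", 3)  # rcode 3, no answer
WILDCARDED = build_response("does-not-exist.tld", 0, "198.51.100.7")
PROBE_RANDOM = build_response("zq7x3k9pv2.tld", 0, "198.51.100.7")
```

Against a TLD that answers honestly, the probe returns NXDOMAIN and `synthesized` stays false; against a wildcarded TLD every unregistered name, including the random probe, resolves to the same redirection address.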

11 Negative Impact on DNS Resolver Search Lists
A DNS resolver search list allows users to specify partial domain names, where the resolver auto-completes the domain name
Adopted widely in commercial software: search lists are implemented in all Microsoft and UNIX systems
A user with a computer in the zone would have it in their resolver’s search list
Allows users to type in http://internal to reach http://internal.local.tld

12 Impact on IDN TLDs
IDN TLDs are deployed in, but are represented on the DNS in ASCII
Wildcards for IDN TLDs can cause unexpected behavior:
– Localization of content breaks
– User may request a web page in and gets a different page in, with no control

13 Redirection in .KR
Total .kr responses: 1.52 billion
– Normal .kr queries: 1.45 billion (96.73%)
– .kr DNS redirection: 2.5 million (0.17%)
Total .kr redirection: 2.5 million
– Hangul .kr domain names: 1.7 million (67%)
Solves IE6 problem:
– IE6 or earlier version users can use Hangul .kr domain names without plug-ins
– Garbage traffic from using the wild character (*) in the .kr zone causes system overload
http://sel.icann.org/meetings/.../presentation-kr-dns-redirection-28oct09-en.pdf

14 QUESTIONS?
Reference documents (need to complete)
http://www.icann.org/committees/security/ssac-report-09jul04.pdf
http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html
http://www.icann.org/committees/security/sac041.pdf
http://sel.icann.org/meetings/.../presentation-kr-dns-redirection-28oct09-en.pdf
