Presentation is loading. Please wait.

Presentation is loading. Please wait.

ITU ccTLD Workshop March 3, 2003 A Survey of ccTLD DNS Vulnerabilities.

Published byBasil Wood Modified over 9 years ago

Similar presentations

Presentation on theme: "ITU ccTLD Workshop March 3, 2003 A Survey of ccTLD DNS Vulnerabilities."— Presentation transcript:

1 ITU ccTLD Workshop March 3, 2003 Jim.Reid@nominum.com A Survey of ccTLD DNS Vulnerabilities

2 2 RATIONALE Health-check on DNS infrastructure > Now becoming a critical national resource Attacks on DNS servers becoming more common > October 2002 DDoS attack against the Internet root servers Objective is not to “name and shame” > Get a snapshot of where things stand today > Try to help fix the problems

3 3 THE GOLDEN RULE OF DNS NO SINGLE POINT OF FAILURE > Monocultures are bad… No one hardware and OS platform No one DNS implementation No single network No single ISP/carrier No one location or co-lo facility No single organisation > Avoid procedural and administrative failures

4 4 METHODOLOGY Used a Nominum system at LINX > Checked all ccTLDs Delegation mistakes Zone transfers Recursive name servers DNS software Name server location Found 787 name servers for 243 ccTLDs

5 5 DELEGATION ERRORS Unresolvable names > 18 names (~2.5%) of ccTLD name servers could not be resolved! > ccTLDs are telling the world’s name servers to look for servers that the ccTLD should know can’t be found > Not critical but disconcerting Illegal Names > Using IP addresses instead of host names One ccTLD does this for 3 out if its 4 name servers > 10 name servers listed as CNAMEs, not hostnames Illegal according to the DNS protocol

6 6 MORE DELEGATION ERRORS Disagreement between parent and child The parent zone (i.e. the root) and the child zone (the ccTLD) should agree on the set of name servers for the delegation (TLD) > Not true for 155 ccTLDs: 65% > Mismatches are serious but not critical There’s always an overlap ccTLD’s name servers sometimes a superset of the root > Shouldn’t happen for any important zone in the DNS

7 7 LAME DELEGATIONS Very serious problem Name server that should be authoritative isn’t > In DNS jargon, such servers are lame Causes failed lookups > Lame server gets queried and can’t answer Survey results startling: > 43 ccTLDs had at least one lame server > 2 had all their servers lame > Another 8 had half or more of their servers lame No excuses for this > Caused by administrator error, failure to use checking and reporting tools

8 8 RECURSIVE SERVERS Service queries from end clients and query other name servers > Can be made to query any name server for any name > Will believe what they are told, which may be lies > Will cache those answers and return them to clients An obvious evil for a ccTLD > Also has performance and resource penalties > No need at all for ccTLD servers to enable recursion 371 - 47% - of the ccTLD name servers have recursion enabled > They are vulnerable to cache poisoning attacks

9 9 ZONE TRANSFERS Tried to take a complete copy of the zone from each ccTLD name server Succeeded for 140 ccTLDs > Inconsistent policies Some ccTLD name servers reject zone transfer requests but not all of them Why this is bad: > Resource drain (bandwidth & server) > Privacy/data protection concerns > Helps cybersquatters

10 10 FINGERPRINTING Identified the name server software in use BIND 8 364 Servers 47% BIND 9 268 Servers 34% BIND 4 42 Servers 5% UltraDNS 10 Servers 1.3% 144 using old versions of BIND8 - security concerns? BIND 4 is effectively dead > Some not even running latest (last?) version of BIND4 BIND 8 is “in the departure lounge” > Not under active development

11 11 NAME SERVER CODE DIVERSITY Code diversity in ccTLDs could be better: 1 DNS Implementation - 42 ccTLDs 2 DNS Implementations - 97 ccTLDs 3 DNS Implementations - 88 ccTLDs 4 or more: 16 ccTLDs

12 12 LOCATION ANALYSIS Harder than first thought > Difficult to automate > No tools yet for linking AS numbers to IP netmasks Checked by hand for common address prefixes > => suggest single routing table entries 13 ccTLDs have all their name servers in one net 36 ccTLDs have at least 50% of their name servers in one net Loss of network route => no access to name servers => no access to ccTLD

13 13 FURTHER CONCERNS Agreements with slave server providers > SLAs, response times, monitoring, fault escalation Protection against DDoS attacks > Happens all the time to the root servers > Only a question of time for ccTLD infrastructure Improved monitoring of ccTLD servers > Already done for the root name servers

14 14 CONCLUSIONS High incidence of basic DNS administrative errors is surprising > Shouldn’t happen for important zones like ccTLDs > Easy to prevent: tools & procedures Recursive servers for ccTLDs are very bad > Needless exposure to cache poisoning More work needed on > Monitoring > Service Level Agreements > Defence against Distributed Denial of Service Attacks

Download ppt "ITU ccTLD Workshop March 3, 2003 A Survey of ccTLD DNS Vulnerabilities."

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Sweeping lame DNS reverse delegations APNIC16 – DNS Operations SIG Seoul, Korea, 20 August 2003.

Sweeping lame DNS reverse delegations APNIC16 – DNS Operations SIG Seoul, Korea, 20 August 2003.
School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.

School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
June 2007APTLD Meeting/Dubai ANYCAST Alireza Saleh.ir ccTLD

June 2007APTLD Meeting/Dubai ANYCAST Alireza Saleh.ir ccTLD
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.

1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.
An Engineering Approach to Computer Networking

An Engineering Approach to Computer Networking
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.

1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.

The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 2: Name Resolution and DNS.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 2: Name Resolution and DNS.
TDC375 Autumn 03/04 John Kristoff - DePaul University 1 Network Protocols Domain Name System (DNS) largely based on slides from D. Comer.

TDC375 Autumn 03/04 John Kristoff - DePaul University 1 Network Protocols Domain Name System (DNS) largely based on slides from D. Comer.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
Impact of Configuration Errors on DNS Robustness Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, Lixia Zhang SIGCOMM 2004 Presented.

Impact of Configuration Errors on DNS Robustness Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, Lixia Zhang SIGCOMM 2004 Presented.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Similar presentations

Ads by Google