Crypto Signatures Are Key to New DNS Security

August 5, 2010 By David
Grazed from Internet Revolution.  Author: Sean Gallagher.

At the recent Black Hat information security conference, officials of ICANN and VeriSign Inc. (Nasdaq: VRSN) announced a major change to the Domain Name Service (DNS), the Internet’s global address book. Called Domain Name Service Security Extensions (DNSSEC), the modification adds a cryptographic signature to Websites’ addresses that verifies they are genuine.

DNSSEC is an attempt to address a significant security hole in the DNS protocol, which is used to propagate changes in domain and host names across the Internet. When changes are made by an administrator to the IP address that a domain name points to, the DNS protocol pushes those changes from the site’s primary domain name server to other domain name servers.

The vulnerability, uncovered in 2008 by Dan Kaminsky, a security researcher and chief scientist at Recursion Ventures, makes it possible for hackers to “poison” the DNS cache of a domain name server — changing the Internet Protocol (IP) address associated with a domain name on that server. As a result, anyone who uses the affected DNS server gets any Webpage requests or emails to that domain hijacked to an impostor site. An attacker could then use a “spoof” Website to capture users’ login and personal information, intercept emails, and perform any number of other attacks.

Initially, the problem was patched by using an approach called Source Port Randomization, which attempts to hide the interface used for DNS protocol exchanges by using a combination of randomly selected IP and User Datagram Protocol (UDP) ports. That creates billions of possible combinations of ports, making it much harder to find the right one by guessing. But it is still possible for hackers to use a brute-force attack to find the right combination and poison the DNS.
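As an added illustration of the guessing attack just described (example code, not from the article): a small Python detector run over a constructed resolver log. It assumes the resolver records the randomized source port and transaction ID of every query it sends and of every reply it receives; a reply that fits no outstanding query is counted against its sender, and a sender that piles up such replies for one name is reported as a likely poisoning attempt.

```python
import re
from collections import defaultdict

# Constructed resolver log (not from the article). "Q" lines are queries the
# resolver sent, with its randomized source port and transaction id; "R" lines
# are replies it received. A brute-force poisoning attempt shows up as many
# replies for one name whose port/txid never match an outstanding query.
LOG = """\
Q 1.000 qname=bank.example port=53211 txid=0x3f21
R 1.002 from=203.0.113.5 qname=bank.example port=40001 txid=0x0001
R 1.002 from=203.0.113.5 qname=bank.example port=40001 txid=0x0002
R 1.003 from=203.0.113.5 qname=bank.example port=40001 txid=0x0003
R 1.003 from=203.0.113.5 qname=bank.example port=40002 txid=0x0001
R 1.004 from=203.0.113.5 qname=bank.example port=40002 txid=0x0002
R 1.020 from=192.0.2.53 qname=bank.example port=53211 txid=0x3f21
Q 2.000 qname=example.com port=61007 txid=0x9a10
R 2.015 from=192.0.2.53 qname=example.com port=61007 txid=0x9a10
R 2.400 from=198.51.100.9 qname=example.com port=61007 txid=0x9a11
"""

LINE = re.compile(r"^(?P<kind>[QR]) (?P<ts>\S+)(?: from=(?P<src>\S+))? "
                  r"qname=(?P<qname>\S+) port=(?P<port>\d+) txid=(?P<txid>0x[0-9a-f]+)$")


def detect_poisoning_floods(log, threshold=3):
    """Return {(src, qname): count} for senders whose unmatched replies for a
    name reach `threshold`. A reply whose (port, txid) equals the outstanding
    query's is the genuine answer and clears that query; any other reply is
    unsolicited or guessed and is counted against the sender."""
    outstanding = {}               # qname -> (port, txid) of the pending query
    mismatches = defaultdict(int)  # (src, qname) -> number of unmatched replies
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # skip malformed lines rather than fail
        key = (m["port"], m["txid"])
        if m["kind"] == "Q":
            outstanding[m["qname"]] = key
        elif outstanding.get(m["qname"]) == key:
            del outstanding[m["qname"]]            # genuine answer arrived
        else:
            mismatches[(m["src"], m["qname"])] += 1  # guessed port/txid
    return {k: n for k, n in mismatches.items() if n >= threshold}
```

With the default threshold the constructed log reports only 203.0.113.5, which sent five bad guesses for bank.example; the single stray reply from 198.51.100.9 stays below it.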

DNSSEC is an extension to the code for DNS servers. It puts a cryptographic signature on all information disseminated by the Internet’s DNS “root” servers. In theory, Web browsers, email servers, and other software that communicates across the Internet could be extended with code to check the signature against the address in their DNS cache to verify that they aren’t being maliciously rerouted.

What if someone were able to breach the root servers? Seven trusted individuals (including Dan Kaminsky) have been given smartcards with encrypted keys that can be used to recover the root servers’ signing key. At least five of the trusted individuals — the “chain of trust” — have to be present at a secure location in the US to swipe their smartcards to reset the root DNS.

“The honest truth is that I was not one of the believers,” said Kaminsky at ICANN’s announcement. “I was pretty strongly one of the skeptics. I looked at DNSSEC and I said, ‘This is a heck of a lot of work, and I don’t see the return on investment.’ I was wrong. It turns out this technology is truly significant, not only for fixing my one little flaw, which we put a band-aid on back in the day. Now we’re actually putting the correct engineering fix — a cryptographic signature across all domain name system records.”

DNSSEC is not a general fix for DNS security problems. As Jart Armin points out, it provides neither confidentiality nor protection against DDoS attacks. It also doesn’t address social engineering attacks like phishing that direct people to fake sites that use “lookalike” Web addresses and hostnames.

Still, the more DNSSEC is used, the more effective it will be in preventing attacks resulting from cache poisoning.

DNSSEC has already been deployed on many of the Internet’s root DNS servers. But DNSSEC won’t be rolled out across the entire Internet. It’s only being implemented on the top-level domains under the control of ICANN.

And while the root servers may all soon be running DNSSEC, it will take some time to be fully implemented and will require security updates to a vast number of Internet applications to become truly effective. Until then, you’ll still need to be on the lookout for potential DNS cache poisoning attacks.