What DNS is Not [0]
Kylie Brown, Jordan Eberst, Danielle Franz, Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros
[0] Paul Vixie. 2009. What DNS Is Not. Queue, volume 7, issue 10. http://doi.acm.org/10.1145/1647300.1647302
DNS: An Overview
• Companion Paper
  o DNS Complexity - Published in ACM's Queue, Volume 5, Issue 3, April 2007.
  o http://eustis.eecs.ucf.edu/~ch552141/p24-vixie.pdf
DNS: An Overview
• GIANT Database
• DNS translates a domain name into an IP address.
• Why is this hard?
  o Billions of IP addresses in use
  o Billions of daily DNS requests
  o Constantly changing
• Human Convenience
How Does DNS Work?
• Example: www.facebook.com
• Request for IP address sent to your web browser
  o Cached if you have visited recently
• If not, a search begins.
How Does DNS Work?
• The search process starts at the root name servers. The root servers refer the resolver to the .COM name servers.
• Request IP addresses for the Facebook name servers
• Request IP address of www.facebook.com from the Facebook name servers.
• Web browser caches IP address
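The walk above as a runnable toy (added here; not code from the slides or from Vixie's paper): an iterative resolver follows referrals from the root to the .COM servers to Facebook's servers and caches the final answer for its TTL. The zone data, server names, addresses and TTLs are constructed, and the cache lives in the resolver rather than the browser.

```python
# Constructed delegation data, server name -> {owner: (rrtype, rdata, ttl)}; each server knows only its zone.
ZONES = {
    "root": {"com.": ("NS", "a.gtld-servers.net.", 172800)},
    "a.gtld-servers.net.": {"facebook.com.": ("NS", "ns1.facebook.com.", 172800)},
    "ns1.facebook.com.": {"www.facebook.com.": ("A", "192.0.2.10", 20)},  # short TTL, as a CDN sets
}

def ask(server, qname):
    """One authoritative server: an answer, a referral (NS) to the next server, or NXDOMAIN."""
    zone = ZONES[server]
    if qname in zone:
        return zone[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):            # longest delegated suffix wins
        suffix = ".".join(labels[i:])
        if suffix in zone and zone[suffix][0] == "NS":
            return zone[suffix]
    return ("NXDOMAIN", None, 0)

class Resolver:
    """Iterative resolver with a TTL-honouring cache (the slide puts the cache in the browser)."""
    def __init__(self, clock):
        self.cache, self.clock, self.queries = {}, clock, 0   # queries = load on DNS infrastructure

    def resolve(self, qname):
        now = self.clock()
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0]                       # answered from cache, nothing sent
        server = "root"                         # the search starts at the root name servers
        while True:
            self.queries += 1
            rrtype, rdata, ttl = ask(server, qname)
            if rrtype == "NS":
                server = rdata                  # follow the referral: root -> .COM -> facebook.com
            elif rrtype == "A":
                self.cache[qname] = (rdata, now + ttl)
                return rdata
            else:
                return None                     # honest NXDOMAIN: the name does not exist

def demo():
    clock = [1000.0]                            # fake clock so TTL expiry is deterministic
    r = Resolver(lambda: clock[0])
    first, walk = r.resolve("www.facebook.com."), r.queries   # full walk: 3 queries
    r.resolve("www.facebook.com.")              # cache hit: no extra queries
    clock[0] += 30                              # the 20 s TTL has expired: walk again (3 more)
    r.resolve("www.facebook.com.")
    missing = r.resolve("nosuch.facebook.com.") # 3 more queries, then NXDOMAIN
    return first, walk, r.queries, missing      # ("192.0.2.10", 3, 9, None)
```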
What DNS is Not: Overview
• Misuses of DNS
  o DNS is not a routing protocol
  o DNS is not a tool to monetize typos
  o DNS is not a directory system
• This paper talks about different properties that allow DNS to be misused, the common practices of misuse, and the consequences of misuse.
Stupid DNS Tricks
DNS is not a routing protocol
• Content Distribution Networks (CDNs) often use DNS queries as an opportunity to route user requests.
  o E.g., Akamai, Cisco DistributedDirector
• Users are routed to an appropriate content server based on their geographic / network proximity and content server load.
• Problems
  o This scheme requires limiting caching (i.e., low TTL) and increases load on DNS infrastructure.
  o Most end-users are using their ISP's recursive name servers. This hides the user's original location and decreases the accuracy of DNS-based routing.
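An added simulation of both problems (not code from the slides or the paper): the CDN's authoritative server picks a content server by the address that queries it, which is the ISP's recursive resolver rather than the user, and the TTL it sets decides how many queries that resolver sends upstream over a day. Regions, prefixes, addresses and TTLs are constructed.

```python
import ipaddress

CONTENT = {"us": "192.0.2.10", "eu": "192.0.2.20"}          # constructed content servers per region
GEO = {ipaddress.ip_network("198.51.100.0/24"): "us",         # constructed querier prefix -> region
       ipaddress.ip_network("203.0.113.0/24"): "eu"}

def region_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((r for net, r in GEO.items() if ip in net), "us")   # unknown prefix: default region

def authoritative_answer(querier_ip, ttl):
    """CDN authoritative server: the answer depends on who is asking, and carries the chosen TTL."""
    return CONTENT[region_of(querier_ip)], ttl

class RecursiveResolver:
    """ISP recursive resolver shared by many users; its address is the one the CDN sees."""
    def __init__(self, own_ip):
        self.own_ip, self.cache, self.upstream_queries = own_ip, None, 0

    def resolve(self, now, ttl):
        if self.cache and self.cache[1] > now:
            return self.cache[0]                          # still within TTL, no upstream query
        ip, t = authoritative_answer(self.own_ip, ttl)
        self.upstream_queries += 1
        self.cache = (ip, now + t)
        return ip

def steering_for_user(user_ip, resolver_ip):
    """Region the user is in vs. the content server the user is sent to (chosen by resolver address)."""
    return region_of(user_ip), RecursiveResolver(resolver_ip).resolve(0, 20)

def upstream_load(ttl, queries_per_minute=1, minutes=60 * 24):
    """Authoritative queries one resolver generates for one name over a day, as a function of TTL."""
    r = RecursiveResolver("198.51.100.53")
    for minute in range(minutes):
        for _ in range(queries_per_minute):
            r.resolve(minute * 60, ttl)
    return r.upstream_queries

# steering_for_user("203.0.113.7", "198.51.100.53") -> ("eu", "192.0.2.10"): an EU user served from the US
# upstream_load(20) -> 1440 queries per day; upstream_load(86400) -> 1
```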
NXDOMAIN Remapping
Expected Causes of NXDOMAIN:
• Typo (e.g., www.goglee.com)
• Broken Link
• Hardware or Software Error
What should happen:
• Browser catches bad domain name: "Error page"
• E-mail - "bounced e-mail"
What you should see
Googler.com
What you usually see
Bestbuyt.com
A Growing Problem
• Many major ISPs' DNS servers (e.g., Comcast) and some public DNS servers (e.g., OpenDNS) redirect users to these spammy search pages.
• VeriSign example (2006):
  o Added a wildcard on top of the .com zone
  o Prevented NXDOMAIN returns. Any non-existent domain, regardless of DNS servers used, was redirected to SiteFinder's website.
NXDOMAIN is important.
Some things depend on accurate negative results.
1. Web security
o Many sites, like Google, use wildcard cookies so users can maintain sessions across subdomains (Google Docs, Google Sites, etc.).
o If sdfgaj.google.com. is redirected to a search page, web browsers will send user cookies.
NXDOMAIN is important.
Some things depend on accurate negative results.
1. Web security, continued
o In 2008, Dan Kaminsky found a cross-site scripting vulnerability in Earthlink's search page.
o Earthlink customers were vulnerable to HTML or JavaScript injection on arbitrary domain names because of NXDOMAIN hijacking.
NXDOMAIN is important.
Some things depend on accurate negative results.
2. E-mail (SMTP)
  o If an MX (mail exchange) lookup returns no results, an SMTP server will fall back to a standard A record lookup.[1]
  o These DNS requests are indistinguishable from, say, web browsers' requests. The request will be redirected to a search page.
  o The SMTP server will attempt to send e-mail to the wrong IP address.
[1] See RFC 5321, section 5.1.
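The cookie and SMTP consequences described on these slides, simulated in one added example (not code from the slides or the paper): an honest resolver and a remapping resolver answer the same lookups, and the MX-then-A fallback of RFC 5321 section 5.1 plus browser cookie domain matching do the rest. Zone data, addresses and the search-page IP are constructed.

```python
SEARCH_PAGE_IP = "198.51.100.1"                # constructed: the ISP's search page the typo is sent to

# Constructed authoritative data: owner name -> {rrtype: rdata}; anything absent is NXDOMAIN
ZONE = {
    "google.com.": {"MX": "mail.google.com."},
    "mail.google.com.": {"A": "192.0.2.25"},
    "www.google.com.": {"A": "192.0.2.20"},
}

class Resolver:
    def __init__(self, remap_nxdomain=False):
        self.remap_nxdomain = remap_nxdomain

    def lookup(self, qname, rrtype):
        """rdata, or None for NXDOMAIN / no such type. A remapping resolver cannot tell a browser's
        A query from an SMTP server's, so it answers every NXDOMAIN A query with the search page."""
        rrs = ZONE.get(qname)
        if rrs is None:
            return SEARCH_PAGE_IP if (self.remap_nxdomain and rrtype == "A") else None
        return rrs.get(rrtype)

def smtp_delivery_target(resolver, mail_domain):
    """RFC 5321 s5.1: deliver to the MX; with no MX, fall back to the domain's own A record."""
    mx = resolver.lookup(mail_domain, "MX")
    return resolver.lookup(mx or mail_domain, "A")        # None means the message bounces

def cookie_sent_to(cookie_domain, host):
    """Browser domain matching: a cookie scoped to .google.com goes to any host under google.com."""
    return host == cookie_domain.lstrip(".") or host.endswith(cookie_domain)

def where_browser_connects(resolver, host):
    """None: error page, nothing leaves the browser. An IP: a connection, with matching cookies."""
    return resolver.lookup(host + ".", "A")

def demo():
    honest, remap = Resolver(), Resolver(remap_nxdomain=True)
    return {
        "typo mail, honest": smtp_delivery_target(honest, "gogle.com."),          # None: bounced
        "typo mail, remap": smtp_delivery_target(remap, "gogle.com."),            # search page IP
        "real mail, remap": smtp_delivery_target(remap, "google.com."),           # 192.0.2.25, correct
        "cookie matches": cookie_sent_to(".google.com", "sdfgaj.google.com"),     # True
        "junk host, honest": where_browser_connects(honest, "sdfgaj.google.com"), # None
        "junk host, remap": where_browser_connects(remap, "sdfgaj.google.com"),   # search page IP
    }
```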
Standard Bad Practices
In 2009, there was an effort by national cable companies to standardize DNS redirection services.[2]
The standard outlines an opt-out DNS redirect search engine / malware filter and a "Legally-Mandated DNS Redirect Domain List" for "illegal domains."
[2] "Recommended Configuration and Use of DNS Redirect by Service Providers" http://tools.ietf.org/html/draft-livingood-dns-redirect-00
Solution: DNSSEC
A Rescue Being Thought of
DNSSEC is a set of protocol enhancements for DNS. It allows zones to be signed by zone editors with their private keys and verified by anyone using public-key cryptography. All query responses, including NXDOMAIN, are signed. This prevents man-in-the-middle attacks. But, right now, most resolvers are configured to accept unsigned responses. DNSSEC needs wider adoption.
A Rescue Being Thought of
DNSSEC won't prevent CDNs' DNS-based routing schemes, as it is possible to have a collection of signed, authoritative responses.
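How a signed NXDOMAIN works, as an added example (not code from the slides or the paper): DNSSEC proves a name's absence with an NSEC record spanning the gap where the name would sort, and a validating resolver ignores anything it cannot verify, including a remapping resolver's substitute answer. The zone names are constructed, and the RRSIG is stood in for by an HMAC under a constructed key so the block runs on the standard library alone; a real validator checks a public-key signature against the zone's DNSKEY.

```python
import hmac, hashlib

ZONE_KEY = b"constructed-zone-key"      # stand-in for the zone's signing key (real DNSSEC: a key pair)

def canonical(name):
    """DNSSEC canonical order: compare labels right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def sign(record):
    """Stand-in for an RRSIG: HMAC-SHA256, so this runs on the standard library alone."""
    return hmac.new(ZONE_KEY, record.encode(), hashlib.sha256).hexdigest()

def build_nsec_chain(names):
    """Each NSEC states 'no name exists between me and the next name'; the last wraps to the apex."""
    ordered = sorted(names, key=canonical)
    chain = []
    for i, owner in enumerate(ordered):
        record = f"{owner} NSEC {ordered[(i + 1) % len(ordered)]}"
        chain.append((record, sign(record)))
    return chain

def nsec_covers(owner, nxt, qname):
    """True if qname sorts strictly between owner and next (the wrap-around record covers the end)."""
    o, n, q = canonical(owner), canonical(nxt), canonical(qname)
    return o < q < n if o < n else (q > o or q < n)

def validated_nxdomain(chain, qname):
    """A validating resolver accepts NXDOMAIN only with a correctly signed NSEC that covers qname;
    an unsigned or re-signed substitute answer (the remapping resolver's) is simply dropped."""
    for record, sig in chain:
        if not hmac.compare_digest(sig, sign(record)):
            continue                                   # tampered or forged: ignore
        owner, rrtype, nxt = record.split()
        if rrtype == "NSEC" and nsec_covers(owner, nxt, qname):
            return True
    return False

def demo():
    chain = build_nsec_chain(["google.com.", "mail.google.com.", "www.google.com."])
    genuine = validated_nxdomain(chain, "sdfgaj.google.com.")           # True: denial proven
    remapped = [("sdfgaj.google.com. A 198.51.100.1", "not-a-valid-signature")]  # constructed forgery
    forged = validated_nxdomain(remapped, "sdfgaj.google.com.")         # False: nothing verifiable
    return genuine, forged
```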
Directory Services
Directory Services
Some web browsers attempt to auto-complete DNS queries as a user types in the URL bar. If a user types "www.cnn.com", the browser looks up each partial name along the way: www.cn -> .cn is the ccTLD for China, so this is a valid domain; www.cnn.co -> .co is the ccTLD for Colombia.
This causes unnecessary traffic to the www.cn and cnn.co name servers. Domains are not in an ideal format for these directory lookups, e.g., .com.cnn.www.