Quantifying and improving DNS availability

The Domain Name System (DNS) is one of the components most critical to Internet functionality. Nearly all Internet applications rely on the DNS for name-to-address translation. The ubiquity of the DNS necessitates both the accuracy and availability of responses. In this dissertation we present a model of DNS name resolution from which the availability of a domain name can be quantified in the context of its deployment. Using this model, DNS administrators will better understand the complex processes required to resolve domain names and quantitatively improve the robustness of their DNS configurations, from a perspective of availability. We begin our analysis by providing relevant background on the DNS. We summarize protocol details surrounding name resolution, protocol and implementation vulnerabilities, and security extensions (DNSSEC). Next we formalize a model for identifying DNS dependencies, based on the DNS specification and server implementations. Using this model we introduce metrics to quantify the diversity of the namespace affecting the name resolution of a domain name. We observe that out of the set of zones influencing resolution of a domain name an average of 92% were explicitly configured by DNS administrators. However, certain resolver caching behaviors increase the likelihood that a domain name is influenced by third parties. We extend our DNS dependency model to describe DNS availability, a measure of the resolvability of a domain name. We derive a model and metrics for measuring availability and identify weaknesses in deployments. We identify specific misconfigurations that degrade the availability of a domain name and quantify their impact. In our analysis of production DNS data we observe that 14% of domain names exhibit lower redundancy than that which administrators have explicitly configured. We also observe that 6.7% of domain names required queries to more than an optimal number of servers to obtain an answer.
Our final analysis pertains to misconfigurations affecting availability in DNSSEC deployments. Because DNSSEC deployment is still new to administrators, many deployments have suffered from server misconfiguration or maintenance neglect that ultimately renders a domain name unresolvable, even if servers are responsive. We introduce metrics for improving availability, and we present a methodology for increased name resolution robustness in the presence of DNSSEC misconfiguration. In our survey of production signed zones, we observe that 31% of the validation errors detected might be mitigated using the technique proposed in our research. The models and metrics presented in this dissertation can assist DNS administrators in better understanding their DNS deployments and avoiding name resolution failure through proper design and maintenance of DNS.
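As an added illustration (not code or data from the dissertation), the following Python model computes the transitive set of zones on which a lookup depends and an "effective redundancy" metric: the fewest NS hosts of a zone that remain resolvable when any single outside zone is unavailable, compared with the NS count the administrator configured. The ZONES table, all hostnames, and the exact definition of that metric are this example's own assumptions.

```python
# Constructed, fictitious zone data for this example: zone -> hostnames in its NS RRset.
ZONES = {
    ".": ["a.root."],
    "com.": ["a.gtld.com."],
    "example.com.": ["ns1.example.com.", "ns2.dnsprov.com."],
    "shop.com.": ["ns1.dnsprov.com.", "ns2.dnsprov.com."],
    "dnsprov.com.": ["ns1.dnsprov.com.", "ns2.dnsprov.com."],
}

def enclosing_zone(name):
    """Longest zone in ZONES that is a suffix of `name` (the zone serving it)."""
    labels = name.rstrip(".").split(".")
    zones = (".".join(labels[i:]) + "." for i in range(len(labels)))
    return next((z for z in zones if z in ZONES), ".")

def delegation_chain(zone):
    """Zones from `zone` up to the root that must answer during a lookup in it."""
    chain = [zone]
    while zone != ".":
        zone = enclosing_zone(zone[zone.index(".") + 1:] or ".")
        chain.append(zone)
    return chain

def dependency_zones(zone):
    """Transitive closure of zones whose NS data influences lookups in `zone`."""
    seen, todo = set(), delegation_chain(zone)
    while todo:
        z = todo.pop()
        if z not in seen:
            seen.add(z)
            todo += [d for ns in ZONES[z] for d in delegation_chain(enclosing_zone(ns))]
    return seen

def resolvable(host, failed, visiting=()):
    """Can `host` be resolved while zone `failed` is down? In-bailiwick NS names (glue) end at `visiting`."""
    chain = delegation_chain(enclosing_zone(host))
    if failed in chain:
        return False
    for z in chain:
        if z not in visiting and not any(
                resolvable(ns, failed, visiting + (z,)) for ns in ZONES[z]):
            return False
    return True

def effective_redundancy(zone):
    """(configured NS count, fewest NS hosts resolvable under any single failure of a non-essential zone)."""
    unavoidable = set().union(*map(dependency_zones, delegation_chain(zone)[1:]))
    candidates = dependency_zones(zone) - unavoidable - {zone}
    worst = min((sum(resolvable(ns, f) for ns in ZONES[zone]) for f in candidates),
                default=len(ZONES[zone]))
    return len(ZONES[zone]), worst
```

In this data, shop.com. advertises two name servers but both live in dnsprov.com., so a single outage of that zone leaves zero resolvable servers, which is the kind of gap between configured and effective redundancy the abstract describes.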
