Risks of Transitive Trust in the Domain Name System .

Uploaded on:
Presentation. DNS is basic to the InternetDNS building design depends on delegationscontrol for names is assigned to name servers assigned by the name ownerdelegations encourage high versatility and decentralized administrationwhat is the effect on security?. sprintlink.nettelemail.net.
Slide 1

Venugopalan Ramasubramanian Emin G ü n Sirer Cornell University Perils of Transitive Trust in the Domain Name System

Slide 2

Introduction DNS is basic to the Internet DNS engineering depends on assignments control for names is appointed to name servers assigned by the name proprietor designations encourage high adaptability and decentralized organization what is the effect on security?

Slide 3

zoneedit.com com gtld-servers.net nstld.com net Dependencies for www.fbi.gov root www.fbi.gov gov gov.zoneedit.com zoneedit.com fbi.gov dns[,2].sprintip.com ns[3,4,5,6].vericenter.com sprintip.com sprintlink.net telemail.net vericenter.com

Slide 4

Subtle Dependencies in DNS www.fbi.gov 86 servers, 17 spaces, profundity 3 www.cs.cornell.edu cs.rochester.edu  cs.wisc.edu  itd.umich.edu 48 nameservers, 20 areas, profundity 4 DNS conditions are inconspicuous and complex builds danger of space commandeers utilization of storing (TTL) declines affect

Slide 5

fbi.gov sprintip.com dns[,2].sprintip.com ns[3,4,5,6].vericenter.com ns[1,2,3]-auth.sprintlink.net reston-ns[1,3].telemail.net reston-ns[2].telemail.net Servers with Security Loopholes www.fbi.gov www.cs.cornell.edu  [slate,cayuga].cs.rochester.edu source: web frameworks consortium (www.isc.org)

Slide 6

Survey Goals Which space names have substantial conditions and involve high hazard? Which spaces are influenced by servers with known security openings and can be effectively assumed control? Which servers control the biggest segment of the namespace and are in this manner liable to be assaulted?

Slide 7

Survey Methodology 593160 space names (Yahoo and Dmoz.org) 166771 name servers 535036 areas, 196 top-level-areas

Slide 8

All Top 500 Mean 46 68 Max 604 342 Median 26 22 Number of Dependencies Number of Dependencies

Slide 9

All Top 500 Mean 4.3 5.4 Max 27 22 Median 3 Length of Dependency Chains Length of Dependencies

Slide 10

Dependencies by TLDs

Slide 11

All Top 500 Mean 2.4 5 Max 9 Median 2 5 Bottleneck Servers Size of Bottlenecks

Slide 12

Availability versus Defenselessness

Slide 13

Security Flaws in Nameservers Survey of Dilemma source: Internet Systems Consortium (ISC)

Slide 14

Vulnerability to Security Flaws 17% of servers have known escape clauses 45% of names are not absolutely safe security through lack of clarity! over 40% of servers shroud adaptation numbers 19/46 reports for cs.cornell.edu and 18/86 for fbi.gov

Slide 15

All Top 500 Mean 1.7 4.5 Max 9 Median 2 4 Vulnerability in Bottlenecks Size of Safe Bottlenecks

Slide 16

Valuable Nameservers

Slide 17

Valuable Nameservers Top 5 Domains arizona.edu ucla.edu uoregon.edu nyu.edu berkeley.edu

Slide 18

Summary and Discussions Easy to assume control over the Internet distinguish the area you need to assault decide an arrangement of servers that control the space trade off or DoS the bottleneck servers

Slide 19

DNS-SEC Security Standard for DNS in light of open key cryptography and carefully marked declarations Not generally utilized as of now security at designation focuses validated dissents islands of security Does not kill dangers of DoS assaults

Slide 20

CoDoNS Approach Separate name administration from query determination No appointments self-ensuring information for legitimacy Fast, Robust, and Scalable Lookup Service ideal proactive reserving on organized overlays

Slide 21

Conclusions Domain names have unobtrusive conditions name-based assignments Blind appointment of trust to enhance accessibility is counter-gainful High weakness to area captures Critical servers are not very much secured http://www.cs.cornell.edu/individuals/egs/apiary/codons.php

View more...