Slashdot Mirror


Securing DNS From The Roots Up

jeffy124 writes: "This article at ComputerWorld tells the story of how ICANN would like to replace the root DNS systems with secured servers. Lars-Johan Liman, one of the root operators, spoke about the concept at ICANN's annual meeting today. He discussed how the world's current redundant DNS system is vulnerable to DDoS attacks and yet-to-be-discovered root holes in BIND that can ultimately undermine the entire Internet by taking away the name-IP mappings that are relied upon by just about everyone."

5 of 354 comments

  1. Why still running on BIND? by kc8apf · · Score: 5, Interesting

    I have yet to find the great reason of why everyone uses BIND. I've been working on my own DNS server just for kicks. The protocol itself is trivial. It can be handled so easily, but yet, if you look at BIND's source code, you can't tell what is going on at all. So, why does everyone continue to use it? Or better question, why hasn't someone written a better alternative?

    --
    kc8apf
    1. Re:Why still running on BIND? by fanatic · · Score: 5, Interesting

      Already available is djbdns, written by D. J. Bernstein with security as a design goal. In fact, he offers rewards to anyone who can find a vulnerability.

      --
      "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  2. register.com's nameservers by po_boy · · Score: 4, Interesting
    from the article:

    Vendors at the conference offered their own security solutions. Register.com Inc. in New York, for example, has created its own proprietary DNS software. The company continues to deploy BIND as well as its own software because diversity improves security, said Jordyn Buchanan, who worked on the team that developed the system.

    Is there anyone here knowledgeable about this who can comment on a few things?
    • Can I get the source to that in any way?
    • Does it use a SQL database backend?
    • Any chance of licensing it out even without the source?
    • Does it support dynamic updates?
    • Anything else cool about it?
    • Are you hiring?

    I'd love to see (more closely) another implementation of the DNS system other than the 3 or so commonly found.
  3. djbdns and opennic by SuperDuG · · Score: 5, Interesting
    djbdns states "I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns." ... and no one has claimed the $500 yet.

    Also OpenNIC is an ICANN-independent root system ... why not just use them instead of ICANN?

    --
    Ignore the "p2p is theft" trolls, they're just uninformed
  4. Security, reliability and the like by Jordy · · Score: 4, Interesting

    Reading this article, I have to start wondering if maybe I'm misunderstanding the problem.

    The actual root servers are only queried for the top-level domains and while they have rather massive databases, the types of queries they get are limited.

    Now, I'm going to assume that given all the money collected for domains, there somewhere exists a nice pot of money available for running root DNS servers. If there isn't then something is seriously wrong with the administration of DNS.

    Segmentation of the actual root servers from the world by utilizing a front-end DNS cache that would rewrite the actual DNS queries would solve a lot of problems.

    First, rewriting queries would allow an amazing amount of sanity checking to be done on the query itself and should prevent exploiting the back-end root servers directly.

    Second, as front-end DNS caches can be extremely simple and require almost no configuration, the OS installation can be absolutely minimal excluding even shells. You could go as far as to use an OS that allowed you to revoke system privileges such as certain syscalls (fork, exec, open, etc. aren't all that necessary once everything is running) and even make the caching DNS server run as init (though you must have something to bring up networking interfaces.)

    Physical segmentation is obviously important as well so a private backbone strung between all core root servers and a separate interface on each front end cache to access them would help quite a bit.

    Of course then comes the issue of DoS attacks which again should be rather easy to solve considering what we are talking about. Just buy a lot of front-end cache systems. You would think given how important root servers are and how much money domain revenues generate, buying a thousand or even ten thousand machines and sticking them in every major network access point wouldn't be all that big of a deal.

    Now you still have to deal with the fact that most DNS servers still have a static list of root server IPs. Thankfully, the simple DNS queries that hit root servers can be done with a single UDP packet request and response (until you have to work up the hierarchy) making them prime targets for one of the many clustering solutions out there from simple IP sharing virtual servers to routing protocol tricks.

    Of course, I may be oversimplifying the problem.

    --
    The world is neither black nor white nor good nor evil, only many shades of CowboyNeal.
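
The query-rewriting front end described in comment 4, sketched as an added example that is not part of the original thread: the front end parses an incoming query, rejects anything that is not a plain single-question lookup, and forwards a packet rebuilt only from the validated fields. The function names and the policy choices (class IN only, flags zeroed, names lowercased, letters/digits/hyphen/underscore labels) are assumptions made for illustration.

```python
import struct

MAX_NAME, MAX_LABEL = 255, 63   # RFC 1035 limits: encoded name, single label
ALLOWED = set(b"abcdefghijklmnopqrstuvwxyz0123456789-_")   # assumed label policy
CLASS_IN = 1
# Constructed sample: NS query for "COM" with RD set and trailing junk appended.
SAMPLE = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03COM\x00\x00\x02\x00\x01JUNK"

def parse_question(packet):
    """Return (txid, labels, qtype) for a plain single-question query, else None."""
    if len(packet) < 12:
        return None
    txid, flags, qd, an, ns, _ar = struct.unpack("!6H", packet[:12])
    # QR must be 0 (query), opcode 0 (standard), exactly one question,
    # and no answer/authority records smuggled into a query.
    if flags & 0x8000 or (flags >> 11) & 0xF or qd != 1 or an or ns:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None                  # name runs off the end of the packet
        length = packet[pos]
        pos += 1
        if length == 0:
            break                        # root label terminates the name
        if length > MAX_LABEL:           # also rejects compression pointers (0xC0+)
            return None
        label = packet[pos:pos + length].lower()
        if len(label) != length or not set(label) <= ALLOWED:
            return None
        labels.append(label)
        pos += length
        if pos - 12 + 1 > MAX_NAME:      # +1 for the terminating root label
            return None
    if len(packet) < pos + 4:
        return None
    qtype, qclass = struct.unpack("!2H", packet[pos:pos + 4])
    if qclass != CLASS_IN:
        return None
    return txid, labels, qtype

def rewrite_query(packet):
    """Build a fresh query from validated fields only; None means drop."""
    parsed = parse_question(packet)
    if parsed is None:
        return None
    txid, labels, qtype = parsed
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)    # flags zeroed, no extra records
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + name + struct.pack("!2H", qtype, CLASS_IN)
```

Because the forwarded packet is rebuilt rather than copied, trailing bytes, additional records and unexpected flag bits never reach the back-end server.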