Casey Deccio - Sandia National Labs
Modeling DNS Security: Misconfiguration, Availability, and Visualization
Mar 02, 2011
Abstract
The Domain Name System (DNS) is one of the components most critical to Internet functionality. The ubiquity of the DNS necessitates both the
accuracy and availability of responses. While the DNS Security
Extensions (DNSSEC) add authentication to the DNS, they also increase
the complexity of an already complex name resolution system. Many
deployments have suffered from server misconfiguration or maintenance
neglect which increase the likelihood of name resolution failure for a
domain name, even if servers are responsive.
Our research introduces metrics for quantifying DNSSEC availability and
evaluates these metrics on production signed DNS zones to show the
pervasiveness of misconfiguration. We present methodology for
increasing robustness of name resolution in the presence of DNSSEC
misconfiguration. In our survey of production signed zones, we observe
that nearly one-third of the validation errors detected might be
mitigated using the technique proposed in our research.
As part of my talk, I will also demo an online DNS visualization tool
designed to assist administrators in identifying critical issues with
their DNSSEC deployments.
This is joint work with researchers at UC Davis and Intel Corporation.
About the Speaker
Casey Deccio is a Senior Member of Technical Staff at Sandia National
Laboratories in Livermore, CA. He joined Sandia in 2004 after receiving
his BS and MS degrees in Computer Science from Brigham Young University,
and he received his PhD in Computer Science from the University of
California, Davis in 2010. Casey's research interests lie primarily in
modeling and availability analysis of DNS and DNSSEC, and he leads
Sandia's DNSSEC deployment efforts.