2.1. What DNS? 2.2. How does DNS Work? edu com mil. gov arpa. in-addr. ucdavis. Figure 1. Hierarchical Structure DNS Name Space

Transcription

1 AFormal-SpecicationBasedApproachforProtectingtheDomain NameSystemy StevenCheung DepartmentofComputerScience UniversityofCalifornia Davis,CA95616 KarlN.Levitt DepartmentofComputerScience UniversityofCalifornia Davis,CA95616 Abstract Manynetworkapplicationsdependonthesecurity ofthedomainnamesystem(dns).attacksondns cancausedenialofserviceandentityauthenticationto fail.inourapproach,weuseformalspecicationsto characterizednsclientsanddnsnameservers,and todeneasecuritygoal:anameservershouldonly usednsdatathatisconsistentwithdatafromname serversthatmanagethecorrespondingdomains(i.e., authoritativenameservers).toenforcethesecurity goal,weformallyspecifyadnswrapperthatexaminestheincomingandtheoutgoingdnsmessagesof anameservertodetectmessagesthatcouldcauseviolationsofthesecuritygoal,cooperateswiththecorrespondingauthoritativenameserverstodiagnosethose messages,anddropsthemessagesthatareidentied asthreats.basedonthewrapperspecication,weimplementedawrapperprototypeandevaluateditsperformance.ourexperimentsshowthatthewrapperincursreasonableoverheadandiseectiveagainstdns attackssuchascachepoisoningandcertainspoong attacks. 1.Introduction Thispaperpresentsadetection-responseapproach forprotectingthedomainnamesystem(dns).dns managesadistributeddatabasetosupportawidevarietyofnetworkapplicationssuchaselectronicmail, WWW,andremotelogin.Forexample,networkapplicationsrelyonDNStotranslatebetweenhostnames andipaddresses.acompromisetodnsmaycause denialofservice(whenaclientcannotlocatethenetydraft:toappearinworkshopondependabilitydespite MaliciousFaults,NewYork,June2000. workaddressofaserver)andentityauthenticationto fail(whenhostnamesareusedtospecifytrustrelationshipsamonghosts).forexample,ifdnsiscompromisedtocauseaclienttouseincorrectdnsdata,the clientmaybeunabletoobtaintheipaddressofamail serverandthuscannotcommunicatewithit.asanotherexample,ifthednsmappingforwww.cnn.comis compromised,anattackermaybeabletodirectaweb browserlookingforthenewswebsitetoonethatgives outcounterfeitnews.ifthewebbrowserdoesnotauthenticatetheserver,theusermayusethecounterfeit newsasiftheyweregenuine.someapplications(e.g., Unixrlogin)usename-basedauthentication.Attacking DNScouldchangethename-to-addressmapping,and hencemayallowanattacker'smachinetomasquerade asatrustedmachine.thusprotectingdnsissecurity critical. OurapproachforprotectingDNSisdrivenbyformal specications.theuseofformalspecicationsenables reasoning,thusprovidingassuranceforoursolution. Formalmethodshavenotbeenusedinconnectionwith anintrusiondetectionapproach.usingviennadevelopmentmethod(vdm),wedevelopedformalspecicationstocharacterizednsclientsanddnsservers, andtodeneasecuritygoalasaninvariant:adns servershouldonlyusednsdatathatareconsistent withthosedisseminatedbythecorrespondingauthoritativesources.wedesignedadnswrapper,alsocharacterizedbyformalspecications,thatenforcesthesecuritygoal.ourdnswrapperexaminesdnsmessages enteringanddepartingaprotectednameservertodetectthosemessagesthatcouldleadtoviolationsofour securitygoal.ifthewrapperdoesnothaveenough informationtodeterminewhetheradnsmessagerepresentsanattack,itcollaborateswiththenameservers thatmanagetherelevantpartofthednsnamespace. IftheDNSwrappercannotverifythedataoftheDNS

2 server. sageandpreventsitfromreachingtheprotectedname messagetobetrustworthy,thewrapperlogsthemesnerabilities.section4presentsoursystemmodel.sec- aboutdns.)section3describessomeknowndnsvultem.(readersarereferredto[1,13,14]formoredetailtion5presentsadnswrapperthatenforcesoursecuritygoalfordns.basedonthewrapperspecication, Section2reviewsthebasicsofthedomainnamesys- weimplementedawrapperprototype.section6describesourexperimentsforevaluatingtheperformanctacks.section7concludes,comparesourworkwith ofthewrapperimplementationandtheirresults.the overheadsandiseectiveagainstsomeknowndnsat- resultsshowthatthednswrapperincursreasonable relatedwork,andsuggestsfuturework.forthesake ofbrevity,weomittheformalspecicationsfordns clients,dnsservers,andthednswrapperinthispaper.see[7]fordetailsofthiswork. 2.OverviewofDNS names.thedatabasehasahierarchicalstructure.a name(e.g.,cs.ucdavis.edu.)hasastructurethatre- Figure1. ectsthehierarchicalnamespace,whichisdepictedin DNSmanagesadistributeddatabaseindexedby 2.1. What DNS? edu com mil gov arpa ucdavis in-addr cs callednameservers.thenameofazoneistheconcatenationofthenodelabelsonthepathfromthetopmost spacethatismanagedtogetherbyasetofmachines, Azoneisacontiguouspartofthedomainname Figure 1. Hierarchical Structure DNS Name Space Thenameserversthatmanageazonearesaidtobe nodeofthezonetotherootofthedomainnamespace. authoritativeforthiszone.everysubtreeofthedomainnamespaceiscalledadomain.thenameofa domainisthesameasthezonenameofthetopmost nodeofthecorrespondingsubtree. verylargedomain,inasinglenameserver,there- informationabouttheentireedudomain,whichisa bydelegation.forinstance,insteadofstoringallthe tributedadministration.thedistributionisachieved OneofthemaindesigngoalsforDNSistohavedissponsibilityofmanagingtheucdavis.edudomainisdelegatedtotheauthoritativenameserversofUCDavis. Theauthoritativenameserversoftheeduzoneare equippedwiththenamesoftheauthoritativename serversoftheucdavis.eduzone.thusiftheeduservers needinformationabouttheucdavis.edudomain,they vice,itinvokestheresolveronitslocalmachine,and anapplicationonamachineneedstousethenameserallyimplementedasasetoflibraryroutines.whenever knowwhichserverstocontact. theresolverinteractswithnameserverstoobtainthe ClientsofDNSarecalledresolvers,whichareusu- informationneeded.themostcommonimplementationsofresolversarecalledstubresolvers(e.g.,bind1 resolversarestubresolvers).stubresolversonlydo answered.mostoftheworkiscarriedoutbyname toservers,andre-sendingthemifthequeriesarenot theminimaljobofassemblingqueries,sendingthem h1.cs.ucdavis.eduneedstheipaddressofh2.cs.foo.edu. nameresolutionorsimplyresolution.supposethehost Theresolverwillqueryalocalnameserverinthe cs.ucdavis.edudomain.therearetwomodesofresolutionindns:iterativeandrecursive.intheiterative mode,whenanameserverreceivesaqueryforwhich itdoesnotknowtheanswer,theserverwillreferthe queriertootherserversthataremorelikelytoknowthe someauthoritativeserversoftherootzone.moreover, therootserversknowtheauthoritativeserversofthe answer.eachserverisinitializedwiththeaddressesof serversknowtheauthoritativeserversofthird-leveldomains,andsoon.thusbyfollowingthetreestructure, thequeriercanget\closer"totheansweraftereachreferral.figure2showstheiterativeresolutionscenario. second-leveldomains(e.g.,edudomain).second-level TheprocessofretrievingdatafromDNSiscalled Forexample,whenarootserverreceivesaniterative queryforthedomainnameh2.cs.foo.edu,itrefersthe queriertotheeduservers.eventually,thequerierwill themostcommonimplementationofdns. locatetheauthoritativeserversofcs.foo.eduandobtain theipaddress.intherecursivemode,aservereither 1BINDstandsforBerkeleyInternetNameDomain,whichis servers How does DNS Work?

3 edu cs cs ucdavis foo root Figure 2. Iterative Name Resolution answersthequeryorndsouttheanswerbycontactingotherserversitselfandthenreturnstheanswerto thequerier. Theaboveresolutionprocessmaybequiteexpensiveintermsofresolutiontimeandthenumberofmessagessent.Tospeeduptheprocess,serversstorethe resultsofthepreviousqueriesintheircaches.consider theaboveexample.ifh1.cs.ucdavis.eduasksitslocal servertoresolvethesamenametwice,theservercan replyimmediatelybasedontheinformationstoredin itscachethesecondtime.also,ifinasubsequentquery h1.cs.ucdavis.eduasksitslocalservertondouttheip addressofh3.cs.foo.edu,thelocalservercanskipafew stepsandcontactacs.foo.eduserverdirectly.ifthe queriergetsananswerfromanauthoritativeserver, theansweriscalledanauthoritativeanswer.otherwise,itiscalledanon-authoritativeanswer.because theremaybechangestothemapping,serversdonot cachedataforever.authoritativeserversattachtimeto-live2(ttl)tagstodata.uponexpiration,aname servershouldremovethedatafromitscache DNS Message Format ADNSmessageconsistsofaheaderandfoursections:question,answer,authority,andadditional.A resourcerecord(rr)isaunitofinformationinthelast 2Thereisnosingle\best"TTLvalueforallresourcerecords. TheTTLvalueofaresourcerecordisbasedonatradeobetweenconsistencyandperformance.AsmallTTLwillincrease theaveragenameresolutiontimebecauseremotenameservers willremovetheresourcerecordearlierandneedtoquerythe correspondingnameserversmoreoften.ifaresourcerecordis changed,asmallttlenablesothernameserverstopurgethe staledataandtousethenewdataearlier.oneshouldreduce thettlbeforetheresourcerecordischanged.acommonttl valueisoneday(e.g.,thecs.ucdavis.eduzone),althoughsome high-levelzones(e.g.,therootzone)useamulti-dayttl. threesections.hereisalistofcommonresourcerecord types[13]: AnArecordcontainsa32-bitIPaddressforthe specieddomainname. ACNAMErecordliststheoriginal(orcanonical)nameofthespecieddomainname.Inother words,acnameresourcerecordmapsanaliasto thecanonicaldomainname. AnHINFOrecordcontainshostinformationsuch astheoperatingsystemused. AnMXrecordcontainsahostnameactingasa mailexchangeforthespecieddomain. AnNSrecordcontainsahostnamethatisanauthoritativenameserverforthespecieddomain. APTRrecordcontainsadomainnamecorrespondingtothespeciedIPaddress. AnSOArecordcontainsinformationfortheentire specieddomainsuchasthedomainadministrator'smailaddress. Theheaderhasaqueryideld,whichisused tofacilitaterequesters'matchingupresponsesto outstandingqueries.thequestionsectioncarries atargetdomainname(qname),aquerytype (QTYPE),andaqueryclass(QCLASS).Forexample,aquerytondtheIPaddressofthehost h2.cs.foo.eduhasqname=h2.cs.foo.edu,qtype=a, andqclass=in(whichstandsfortheinternet).the answersectioncarriesrrsthatdirectlyanswerthe query.theauthoritysectioncarriesrrsthatdescribe otherauthoritativeservers.forinstance,theauthoritysectionmaycontainnsrrstoreferthequerier toothernameserversduringiterativeresolution.the additionalsectioncarriesrrsthatmaybehelpfulin usingtherrsintheothersections.forinstance,the additionalsectionofaresponsemaycontainarrsto providetheipaddressesforthensrrslistedinthe authoritysection. 3.DNSVulnerabilities Bellovin[3,4],Gavron[10],SchubaandSpaord [15],Vixie[17],andCERTadvisoryCA-98.05[5]discussseveralsecurityproblemsofDNS.Inthefollowing, wedescribetwowell-knownproblemsofdnsthatare relevanttothispaper cachepoisoningandfailureto authenticatednsresponses. Inthecachepoisoningattack,anattackercantrick anameservers1toqueryanothernameservers2.if

4 S2isacompromisednameserver,theattackercanhave S2toreturnaDNSresponsethatcontainsfakedRRs. Otherwise,theattackercanmasqueradeasS2andsend thednsresponsetos1(seebelow).recallthataname servercachestheresultsofpreviousinteractionswith otherserverstoimproveperformance.whens1uses itscontaminatedcachetoresolveaname,itmayuse theincorrectdnsdatasuppliedbytheattacker. Themessageauthenticationmechanismusedby mostimplementationsofdnsisweak:adnsserver (oradnsclient)attachesanidtoaquery,anduses ittomatchwiththeidofthecorrespondingresponse. SupposeaserverS1sendsaquerytoanotherserverS2. IfanattackercanpredictthequeryidusedbyS1,the attackercansendaforgedresponsethathasamatchingqueryidtos1.whens1receivestheresponsethat claimstobefroms2,s1hasnowaytoverifythatthe responseactuallycomesfroms2.ifs2isunavailable whenthequeryissent,theattackercanjustmasqueradeass2andsendtheforgedresponsetos1.ifs2 isoperational,theattackercanmountadenialofserviceattackagainsts2toprevents2fromresponding tos1'squery.also,ifanameserverreceivesmultiple responsesforitsquery,itusestherstresponse.thus evenifs2canreplytos1,theattackercanstillsucceed iftheforgedresponsereachess1befores2'sresponse does. 4.SystemModel Inourmodel,therearetwotypesofprocesses:DNS serversanddnsclients(orresolvers).theseprocesses communicatewitheachotherthroughmessagepassing. Resolversonlycommunicatewithservers;serverscan communicatewithotherserversinadditiontocommunicatingwithresolvers.thesetwotypesofprocesses aredenotedbyserverandresolverrespectively.basically,wemodeldnsclientsanddnsserversasanobjectthatmaintainsaviewondnsdata.theviewmay bechangedonlythroughcommunicatingwithother DNScomponents(i.e.,sendingDNSrequestsandreceivingDNSresponses)orbytimeoutsforDNSdata. WeusetheViennaDevelopmentMethod(VDM)to specifyoursystemmodel,becausevdmprovidesa formallanguageforspecifyingdataandtheassociated operations,andincludesaframeworktoperformre- nementsofdataandoperations.anotherreasonis thatvdmprovidesabasisforperformingformalveri- cation,whichmakesitmoreconvenienttoextendour workinthefuture.mostofthesymbolsusedinvdm arestandardmathematicalsymbols.wewilldescribe thenon-standardorlesscommonlyusedonesaswe needthem.readersarereferredto[11,2]formore detailsonvdm. Inthefollowing,Section4.1presentsourDNSdata model.section4.2denesournotionofaprocess' viewondnsdata.section4.3formalizesthedns conceptofauthority.section4.4discussesourassumptionsaboutdns.section4.5presentsoursecuritygoal fordns DNS Data DNSmessages(oftypeMsg)areeitheraquery(of typequery)oraresponse(oftyperesp). Query[Resp=Msg Query\Resp=; AmessagemoftypeMsgconsistsofthefollowingsections:header,question,answer,authority,andadditional.WedenotethesesectionsofmbyHdr(m), Q(m),Ans(m),Auth(m),andAdd(m)respectively. Theheadersectionincludesaqueryid,anopcode3, atruncatedmessageag4,andaresponsecode5.we denotetheseeldsofmbyid(m),opcode(m),tc(m), andrcode(m)respectively.thequestionsectionconsistsofadomainname,aquerytype,andaqueryclass. Theanswer,theauthority,andtheadditionalsections consistsofresourcerecords(rr).wedenotethesetof resourcerecordsofamessagembyrrof(m).arr consistsofadomainname,atype,aclass,a32-bit TTL(inseconds),andaresourcedataeld.Foraresourcerecordr,wedenotetheseeldsbydname(r), type(r),class(r),ttl(r),andrdata(r)respectively. DNSmanagesadistributeddatabase.Thedatabase isindexedbyatuple(dname,type,class)oftypeidx. Therangeofthedatabaseisasetofresourcerecords, abbreviatedasrr.todenotethisdatabasetypein VDM,weuseamaptypeDbMap:Idxm?!RR?set. AmaptypeT=Dm?!RhasdomainDandrangeR. ThedomainandtherangeofTaredenotedbydom(T) andrng(t)respectively.amapoftypetisasetthat relatessingleitemsindtosingleitemsinr. RRType=fA;PTR;NS;CNAME;MX;SOA; =HINFO;:::g RRClass=fIN;:::g TTL =f0:::232?1g 3TheopcodeofaDNSmessagedistinguishesbetweendifferenttypesofqueries standardqueriesandinversequeries.a standardquerylooksfortheresourcedatagivenadomainname. Aninversequerylooksforthedomainnamegivenresourcedata. 4ThetruncatedmessageagindicateswhethertheDNSmessageistruncated.Messagetruncationoccurswhenthemessage lengthisgreaterthanthatallowedonthetransmissionmedium. 5Theresponsecodeeldisusedtoindicateerrorsand exceptions.

5 Idx::dname:DName type:rrtype class:rrclass RR::dname:DName type:rrtype class:rrclass ttl :TTL rdata:rdata DbMap=Idxm?!RR-set DbrepresentsthedatamanagedbyDNS. SubDomaincapturesthedomain-subdomainrelationships.Givenadomaind,thesetofallthesub-domains ofdisrepresentedbysubdomain(d).azonecontains thedomainnamesandtheassociateddataofadomain,exceptthosethatbelongtoadelegateddomain. Azoneisacontiguouspartofthedomainnamespace thatismanagedtogetherbyasetofnameservers.a zonemayhaveasetofdelegatedsubzones,represented bythefunctionsubzone.(invdm,afunctionspecicationconsistsoftwoparts.therstpartdenes theargumenttypesandtheresulttype,whichareseparatedbythesymbol\!".thesecondpartgivesthe functiondenition.)forazonez,zonedata(z)containsallresourcerecordswhosedomainnamesbelong tozonez,thezonecutdata,andthegluedata.the zonecutdatadescribethecutsaroundthebottomof zonez:inparticularthensresourcerecordsofthe nameserversforthedelegatedzonesofz.ifthereare nameserversforthedelegatedzonesresidingbelowthe zonecut,thegluedatacontaintheaddressesofthese servers. Db:DbMap SubDomain:Domainm?!Domain?set ZoneData:Zonem?!DbMap SubZone:Zone!Zone?set 8z2ZoneSubZone(z)4 fczj9rr2rngzonedata(z)type(rr)=ns^ dname(rr)6=z^cz=dname(rr)g 4.2. View Everyprocessmaintainsitsviewofthedatabase. Theviewofaserverscanbepartitionedintotheauthoritypart(denotedbyViewauth(s))andthecache part(denotedbyviewcache(s)),wheretheformertakes precedenceoverthelatter.themapoverwriteoperatorytakestwomapoperandsandreturnsamapthat containsalltheelementsinthesecondoperandand thoseintherstoperandwhosedomaindoesnotappearinthedomainofthesecondoperand.foraserver thatisnotauthoritativeforanypartofthedatabase andforaresolver,thecorrespondingviewauthis;. Viewauth:Processm?!DbMap Viewcache:Processm?!DbMap View:Process!DbMap 8p2ProcessView(p) AuthorityViewcache(p)yViewauth(p) Someserversaresaidtobeauthoritativefora zone;theirviewsonthezonedatadenethem. AuthServermapsazonetothelistofauthoritative servers.authanswerdenesthemappingfromanindextotheauthoritativeanswer,denedbytheviewof theanauthoritativeserverontheindex.authoritative returnstrueifandonlyifeveryresourcerecordinthe inputresourcerecordsetisauthoritative. AuthServer:Zonem?!Server?set AuthAnswer:Idx!RR?set 8i2dom(Db)AuthAnswer(i)= letz2zone^p2process^ i2domzonedata(z)^p2authserver(z)in Viewauth(p)(i) Authoritative:RR?set!Boolean 8rrs2RR?setAuthoritative(rrs)= 8rr2rrsrr2 AuthAnswer((dname(rr);type(rr);class(rr)) 4.4. Assumptions Inthissection,weexplicitlylistourassumptionsfor DNS.Theyconcernwithhownameserversprioritize RRsets,theaccuracyofauthoritativeDNSdata,the eectofchangesondnsdata,theaccuracyofdelegationdata,andthepowerofattackersoneavesdropping DNSpackets. Assumption1ProtectedserversdonotaddanRRto theviewcacheofaprocessifanrrthatcorrespondsto thesameindexalreadyexistsintheviewcache.moreover,protectedserverspreferauthoritativedataover cachedata. Bothofthemholdfor\good"servers(i.e.,servers thatbehaveaccordingtothednsrfc[13,14]). Someserverimplementationsrankdatafromdierent sourcesatdierentcredibilitylevels.moreover,data fromahighercredibilitylevelcanpreemptdatafrom alowercredibilitylevel.wedonotmodeldatacredibilitylevelsinourworkforthesakeofsimplicity.becauseourdnswrapperonlyallowsauthoritativedata toreachaprotectednameserver,thissimplication doesnotaectthevalidityofourresults.

6 Assumption2Datafromanauthoritativeserverare correct. Forexample,ifaserverisauthoritativeforamachine handtheserversaystheipaddressofhisi,thenwe believethattheipaddressofhisi. Assumption3WhenaserverattachesaTTLwith tsecondstoaresourcerecordforwhichtheserveris authoritative,theresourcerecordwillbevalidforthe nexttseconds. WestatethisassumptionbecausethereisnorevocationmechanisminDNS.Withoutthisassumption,one cannotdeterminethevalidityofdnsdataassoon astheyleavetheirauthoritativeservers.weargue thatthisassumptionisreasonable.whenaresource recordneedstobechanged,thettlofthisresource recordisusuallydecreasedbeforethechangeoverso thatincorrect/stalerecordswilltimeoutshortlyafter thechangeover. Assumption4Foreveryzone,thedelegationdata andthegluedataofitschildzonescorrespondtothe NSRRsandtheARRsofthenameserversofthechild zones. Anexampleviolationofthisassumptioniscalledlame delegation.lamedelegationiscausedbyoperational errors:asystemadministratorchangesthename serversforazonewithoutchangingthecorresponding delegationinformationintheparentzoneornotifying thesystemadministratoroftheparentzoneaboutthe change. Assumption5Attackerscannoteavesdroponthe DNSpacketssentbetweenourprotectedserversand thelegitimatenameservers. Thisisalimitweplaceontheattackers;ifattackers canmonitorthecommunication,ourschememayfail tocopewithspoongattacks.inthefuture,whenthe useofthednssecurityextensions[8](dnssec) whichemploysdigitalsignaturestoauthenticatedns data iswidespread,wemaydropthisassumption.an implicationofthisassumptionisthatbyrandomizingthequeryidused,theprobabilitythatanattacker canforgearesponsewhoseidmatchestherandomized queryidissmall.thusattemptsforsendingforgedresponsesbyguessingthequeryidusedcanbedetected bythewrapper Our Goal Ourgoalistoensurethattheviewofaprotected nameserveragreeswiththoseofthecorrespondingauthoritativenameservers.thisgoalisspeciedusingavdmdatainvariant.adatainvariantofa datatypespeciesthepredicatesthatmustholdtrue duringtheexecutionofasystem.ournameserver specication,whichreectstheminimalfunctionalities ofdnsserversamongexistingimplementations,does notsatisfythisdatainvariantbecauseitallowsnonauthoritativednsdatatobeusedbyanameserver. Thusforanameservers,Authoritative(rngView(s)) maynothold.inthenextsection,wewillpresent oursolution asecuritywrapperforprotectingname servers.ourdnswrapperltersoutdnsmessages containingresourcerecordsthatcannotbeveriedas authoritative.therefore,aprotectednameserverthat satisesthedatainvariantcanbeconstructedbycomposinganameserverandourdnswrapper. statednsof protectedns:server?set invmk-dns(protectedns)4 end8s2protectednsauthoritative(rngview(s)) 5.OurDNSWrapper Weusesecuritywrapper(orsimplywrapper)torefer toapieceofsoftwarethatencapsulatesacomponent, suchasanameserver,toimproveitssecurity.using wrapperstoenhancethesecurityofexistingsoftware isnotanewidea.relatedworkincludestcpwrapper [16]andTIS'genericsoftwarewrappers[9].However, ourworkisdierentinthatitaddressesproblemsthat arednsspecicanditinvolvestheuseofformalspecications. Considerawrapperw.WrapperwchecksDNSresponsepacketsgoingtoanameserverandensuresthat theyareauthenticated6andtheyagreewithauthoritativeanswers.ifaresourcerecordintheresponsedoes notcomefromanauthoritativeserver,wrapperwlocatesanauthoritativeserverandqueriesthatserver fortheauthoritativeanswer.tolocateanauthoritativeserverforazone,sayz,thewrapperstartswith aserver,says,thatisknowntobeanauthoritative 6Dataauthenticationcheckscanbeperformedbymatchingthequeryid'sofqueriestothoseofresponses,orbyusingDNSSEC.However,thequeryidgenerationprocessusedin someimplementationsofnameserversisquitepredictable.beforednsseciswidelydeployed,weneedameanstoprotect thesenameserversfromspoongattacks.

7 serverforanancestorzoneofz,andqueriesservers forauthoritativeserversofthechildzonethatiseither anancestorzoneofzorzitself.thesearchisperformedbytraversingthedomainnametree,onezone atatime,untilanauthoritativeserverforthedns databeingveriedislocated.recallthatthezonedata maintainedbyaserverincludethenameserverdataof thedelegatedzones.moreover,thezonedata,includingthezonecutdataandthegluedata,takeprecedenceoverrrsobtainedfromoutsidesources.thus thedelegationdataisimmunefromcachepoisoningattacks.ourschemeexploitsthisfacttosecurelylocate theauthoritativeservers. Letnsdenotethenameserverprotectedbywrapper w.ourwrapperconsistsoftwomainparts:wrappersq forprocessingqueries,andwrappersrforprocessingresponses.(thesubscriptsstandsfor\server".) Wrapperwprocessesqueriesgeneratedbynsbefore theyaresentout,andprocessesqueriesdestinedfor ns.wrapperwalsoprocessesresponsesdestinedfor ns;thosethatareacceptedbywwillbeforwardedto ns.whennssendsaquery,wrapperwgeneratesarandomqueryidandusesittoreplacetheoriginalquery id(usedbyns).weuseatranslationtabletotrack themappingbetweentherandomqueryid'susedbyw andtheoriginalqueryid'susedbyns. Wrappersqprocessesqueriesthatinvolvens.These queriescanbepartitionedintotwotypes.therst typecorrespondstothequeriesthataresenttons.the secondtypecorrespondstothequeriesthataregeneratedbyns.thesetwotypesofqueriesaretreated dierently.forthersttype,wrapperwchecksthe queriestodeterminewhethertheyarewell-formed (e.g.,theanswer,theauthority,andtheadditionalsectionsforastandardqueryshouldbeempty).forthe secondtype,thewrappergeneratesarandomqueryid, replacesthequeryidusedintheoriginalquerybythis randomlygeneratedqueryid,andupdatesthelocal queryidtranslationtable. Wrappersrprocessesresponsesthatarereceived bythewrapper.wrappersrhastwocomponents: Wrappersr1andWrappersr2.Wrappersr1screens outforgedresponsemessages.inotherwords,response authenticationishardened.wrappersr2veriesthe responsemessagestoensurethattheyagreewithauthoritativeanswers,andcopeswithcachepoisoning attacks.therearetwotypesofresponsesreceivedby awrapper:responsesforqueriesgeneratedbytheprotectednameserverns,andresponsesforqueriesgeneratedbythewrapperitself(formessagediagnosispurposes).whenaresponseforaquerygeneratedbyns isreceived,thewrapperusesthequeryidtranslation tabletorestorethequeryid(totheoneusedbyns) beforepassingtheresponsetowrappersr2. 6.Experiments 6.1. Overview Weconductedexperimentstoevaluatetheresponse time(i.e.,theelapsedtimebetweensendingaquery toanameserverandreceivingaresponsefromit)ofa wrappednameserver,andtoevaluatethefalsepositive rate,thefalsenegativerate,andthecomputational overhead(i.e.,cputimeused)ofourwrapper. BasedontheDNSwrapperspecication,weimplementedaprototypeoftheDNSwrapperforBINDrelease4.9.5,whichwasthelatestreleaseforBINDwhen westartedourimplementation.thednswrapper waswritteninc.wemodiedthebindnameserver sourcecodetoinvokethednswrapperuponreceivingqueriesandresponsesanduponsendingqueriesto othernameservers. Inthissection,wedescribetwosetsofexperiments andtheirresults.inexperimenta,weexaminedthe responsetime,thefalsepositiverate,andthecomputationaloverheadofourwrapperusingatraceofdns queriesreceivedbyanameserverinanoperationalsetting.inexperimentb,weexaminedthefalsenegative rateofourwrapperwithrespecttofourattacks:three cachepoisoningattacksandonespoongattack General Experimental Setup Intheseexperiments,ournameservers(BIND4.9.5) listenedtoport4000insteadofport53(thedefacto standardportnumberfornameservers)fordns queriestopreventqueriesoutsideourexperimentsfrom aectingourresults. Ineveryrunofourexperiments,westartedafresh copyofournameserverbecausenameserversmaintain acachefordnsinformationobtainedthroughinteractingwithothernameservers.thebehaviorofaname servercanbequitedierentdependingonwhetherthe DNSinformationqueriedcanbefoundinthecache. Restartingnameserverscanavoidinterferencebetween consecutiverunsoftheexperiment. WeusedamodiedversionofnslookupastheDNS clientinourexperiments.(see[1]foragoodtutorial onnslookup.)wechosenslookupbecauseitisaconvenienttoolforgeneratingdnsqueriesanddisplayingdnsresponses.moreover,nslookupcanbeeasily conguredtouseaspeciednameserverportnumber andtoqueryaspeciednameserver.ourmodied nslookupusesunixgethrtime()systemcallstorecord

8 thetimewhenaqueryissentandwhenthecorrespondingresponseisreceived.unlessotherwisespecied,we willusenslookuptorefertothismodiedversionof nslookup. Ourexperimentswereperformedonalightlyloaded SunSPARC-5runningSolaris2.5.1.Weranourname serversandnslookuponthesamemachinetoeliminate thenetworklatencyforthecommunicationbetween them,thusreducingtheinuenceofthelocalareanetworkloadontheexperimentalresults. Becausewedidnothavecontroloverexternalname servers,andtheinter-networklinksbetweenourname serverandexternalnameservers,weperformedexperimentamultipletimesandcalculatedtheaverage responsetime Experiment A 6.3.1DataSet ThedatasetforExperimentAconsistedofatraceof 1340DNSqueriesreceivedbyanameserverina\real world"setting.togatherthetraceofdnsqueries, wemodiedanameservertologalldnsqueriesit receivedandranitfortwodays.wealsomodiedthe localbindresolvercongurationletodirectalldns queriestothisnameserver.intheresolvercongurationle,thesearchlistwasconsistedofcs.ucdavis.edu., ucdavis.edu.,anducop.edu.whenabindresolveris invokedtoresolvearelativedomainname adomain namethatdoesnothaveatrailingdot itappends thedomainnamesintheorderspeciedinthesearch listandattempttoresolvethemuntilapositiveresponseisreceived.ifnoneofthemresultsinasuccessfulresolution,theresolverthengeneratesaquery fortherelativedomainnameitself.forexample,when thebindresolverisinvokedfordomainnamedn,itattemptstoresolvefordn.cs.ucdavis.edu.,dn.ucdavis.edu., dn.ucop.edu.,anddninthatorderuntilasuccessfulresolutionisobtained ExperimentalProcedure 1.Startawrappednameserver. 2.Runnslookuptoquerythewrappednameserver forresolvingthe1340dnsqueriessequentially. 3.RecordthetotalsystemCPUtimeandthetotal usercputimeused. 4.Terminatethewrappednameserver. 5.Repeattheaboveprocedureusinganunmodied nameserverinsteadofawrappednameserver ExperimentalResults Table1showsthestatisticsrelatedtoresponsetimes recordedbynslookupbasedon33runsofthisexperiment.themeanresponsetimeforthewrappedserver was0.12secondperquery,andthatfortheunmodi- edserverwas0.08secondperquery.weexaminedthe tracesegmentsthatcorrespondto\steep"increasesin theresponsetimes(e.g.,400th-600thquery),wefound thattheycouldbeexplainedbydnsqueriesgeneratedbywebsurngsessions,whichinvolvedmostly remoteanddistinctdomainnames.specically,the tracesegmentforthe400th-600thqueryincluded43 remoteanddistinctdomainnames.theaveragetotal responsetimesforthose43queriesfortheunmodied serverandthewrappedserverwere28.29secondsand 47.54secondsrespectively,whichaccountedfor83% and88%ofthetotalresponsetimesforthatinterval respectively. Table2showstheCPUtimesusedbytheunmodiedserverandthewrappedserver.Theguresshow thattheaveragecputimesusedareasmallfraction (8%fortheunmodiedserverand7%forthewrapped server)ofthetotalresponsetime.thustheresponse timeoverheadofthewrapperreportedintable1was largelyduetowaitingfortheresponsemessagesin themessagediagnosisprocess.theaveragetotalcpu timeincreasedfrom9.33secondsto11.29seconds(i.e., a21%increase). Thenumberoffalsepositivesrangedfrom2-10per run,withthemeanbeing5.85andthestandarddeviationbeing1.89.amongthefalsepositives,80%of themwerecausedbynameserverbehaviorsthatviolateournameserverspecicationortoaviolationof ourassumptions.forexample,falsepositivescaused bymiscongurationsofnameserversareinthiscategory.theremaining20%ofthefalsepositiveswere generatedwhenthewrappergaveupondiagnosing adnsmessageaftertheamountofresourcesspent (e.g.,thenumberofdnsqueriesissued)hadreached athreshold.thethresholdisusedtoensurethatthe amountofresourcesusedforverifyingamessageis bounded,thusprotectingthewrapperfromproblems likedenialofserviceattacks Experiment B ThemaingoalofExperimentBistoexaminethe detectionrateofmaliciousattacksofawrappedname server(i.e.,falsenegativerate).weinvestigatedthe followingfourtypesofattacks: Sendingincorrectresourcerecordsforaremotedomainnametothetarget:Thisisaccomplishedby

9 #queries 200UnmodiedNameServer Mean Min MaxStdDev 3.62WrappedNameServer Mean Min MaxStdDev 4.66 Table Cumulative Response Time (in Sec.) for the Two-day trace Data Set System TypeMeanMinMaxStdDevMeanMinMaxStdDev UserUnmodiedNameServer WrappedNameServer Table 2. System and Times Used (in Sec.) for the Two-day Trace Data Set. usingacnameresourcerecordintheanswersectionofaresponsemessagetointroduce(inthe thenincludingincorrectresourcerecordsforthis resourcedataeld)anarbitrarydomainnamefor whichthetargetserverisnotauthoritative,and Sendingincorrectresourcerecordsthatconict remotedomainnameintheadditionalsectionof withthezonedataforwhichthetargetisauthoritative:inparticular,theattackerusesacname theresponsemessage. highprobability. queryid'sforoutgoingqueries.thusattackerswhodo nothaveaccesstothosequerieswillhavetoguessthe queryid'susedfortheirforgedresponsemessages.as 6.4.1DataSet aresult,theirforgedmessageswillbedetectedwith Sendingresourcerecordsthatcorrespondtoanonexistingdomainnamethatlivesinthetarget server'szone. inthedomainforwhichamaliciousnameserveris resourcerecordtolinktoanaresourcerecordfor whichthetargetisauthoritative. InExperimentB,wemodiedthedatasetusedin ExperimentAbyinsertingtwoqueriesthatcorrespond toeachofthefourtypesofattacksatrandomlocations Sendingaresponsewithaguessedqueryid:In thisattack,onequeriesthetargetservertotrigger authoritativebutdonottriggeranattack. Thesequeriescorrespondtodierentdomainnames inthetwo-daytrace.moreover,wealsoinsertedfour queriesatrandomlocationsinthetraceascontrols. ittosendaquerytotheattacker,whomrecords theattackeraddsonetothequeryidusedinthe Insteadofusingthequeryidofthesecondquery, thequeryidused.asecondqueryisthenissued 6.4.2ExperimentalProcedure rstqueryandusestheresultasthequeryidin itssecondresponse. totriggerthetargettoquerytheattackeragain. 1.Startamaliciousnameserverforanewsubdomaindns.cs.ucdavis.edu.Whenthatmalicious Therstthreetypesofattackscorrespondtosending incorrectdnsdatatoanameserver(i.e.,cachepoisoningattacks).thefourthtypeofattackscorrespondsto 2.Startawrappednameserver. 3.RunnslookupwiththemodiedtraceofDNS queryidorapredictedqueryid. orsendoutresponsemessageswithanincorrect willeitherreturnincorrectdnsresourcerecords main,dependingonthedomainnamesqueried,it namesthatresideinthedns.cs.ucdavis.edu.do- nameserverisaskedtoresolveforcertaindomain masqueradingattacks.ourwrapperusedrandomized queriesasinputandsendthequeriessequentially

10 tothewrappednameserver. 4.Terminatethewrappednameserver. 5.Terminatethemaliciousnameserver. 6.Repeattheaboveprocedureusinganunmodied nameserverinsteadofawrappednameserver ExperimentalResults Werantheexperimentvetimes.Inallveruns,all eightattacks(i.e.,twofromeachofthefourattack types)werereportedcorrectlybythewrappedname server,andnoneoftheresponsemessagescorrespondingtothecontrolqueriesweremisclassiedasattacks. Whenweappliedthesefourtypesofattackstoan unmodiednameserver,thersttypeofattackssucceededinplantingincorrectdnsdataintothecache ofthetargetserver.forthesecondandthethirdtype, theunmodiednameserverdidnotcachetheincorrect DNSdatafordomainnamesthatbelongtoitsauthoritativedomain.However,thenameserverdidforward theentireresponsemessagereceived,includingthose incorrectresourcerecordsforwhichthenameserver wasauthoritative,toitsclient.thatdidnotmake muchdierenceforourexperimentsbecausetheclient usedwasnslookup,whichdidnotperformcaching. However,iftheclientwasanothernameserverthat wasnotauthoritativeforthoseincorrectdnsdata, thecacheoftheclientwouldbecorrupted.thissituationmayoccurwhentheclientisacaching-only server7thatusesanothernameserverasaforwarder8. Thefourthtypeofattackssucceededforanunmodied nameserver.itwasbecausethequeryidusedbythe unmodiednameserverwaspredictable:thequeryid usedinsuccessivequeriesalwaysdieredbyone. 7.ConclusionsandFutureWork Thispaperpresentsadetection-responseapproach forprotectingdns.ourapproachconsistsofthefollowingsteps.first,wedeneasecuritygoal name serversonlyusednsdatathatareconsistentwith thecorrespondingauthoritativedata.second,wedeclarethethreats,namelycachepoisoningandspoofingattacks.third,wedevelopadnsmodel,which includesformalcharacterizationsofdnsclientsand 7Acaching-onlyserverisanameserverthatisnotauthoritativeforanydomain. 8Aforwarderisanameservertowhichothernameservers forwardtheirrecursivequeries.aforwarderisusefulforbuilding alargecacheforremotednsdata,especiallywhencommunicationbetweenlocalmachinesandremotemachinesisslowor restricted. DNSservers.Fourth,wedesignaDNSwrapperwith theobjectivethatthecompositionofthespecication foraprotectednameserverandthatforthewrapper satisesoursecuritygoalfordns.ifthednswrapperreceivesadnsmessagethatmaycauseviolations ofthesecuritygoal,thewrapperdropsthemessage insteadofforwardingittotheprotectednameserver. Fifth,weusetheformalspecicationforthewrapper toguideourimplementationofawrapperprototype. Tocountercachepoisoning,Vixie[17]presents enhancementstobind.briey,bindversion4.9.3 checkstheinputresourcerecordsmorecarefullybeforecachingthem.moreover,itimplementsacredibilitylevelschemeinwhichresourcerecordsfromamore crediblesourcetakeprecedenceoverthosefromaless credibleone.cheswickandbellovin[6]presentadesignforadnsproxy(dnsproxy).intheirdesign,the domainnamespaceispartitionedintoregionscalled realms.arealmisservedbyasetofservers.dependingonthequerynameofadnsrequest,dnsproxyforwardstherequesttotheserversresponsibleforthecorrespondingrealm.certainresourcerecordsinresponse messages thosethatdonotrefertorealmtowhich thequerynamebelongs,andthosethatsatisfyaset oflteringrules areremovedtoprotectthequeriers. EastlakeandKaufman[8]presentsecurityextensions todns(dnssec)thatusesdigitalsignaturestosupportdataauthenticationfordnsdata.indnssec, newresourcerecordtypesareintroducedforpublic keysanddigitalsignatures.security-awareservers andsecurity-awareresolverscanusezonekeys,which areeitherstaticallyconguredorlearnedbychaining throughzones,toverifytheoriginsofresourcerecords. ComparedtothepriorworkforprotectingDNS,our DNSwrapperhasthefollowingadvantages: Providesassurancebyemployingformalspecications(writteninVDM)tocharacterizeDNScomponents,tostatethesecuritygoal,andtocharacterizeoursolution. Eectiveagainstcachepoisoningattacksandcertainspoongattacks(i.e.,queryidguessing)when theassumptionsinsection4.4aremet. CompatiblewithexistingDNSimplementations. DoesnotrequirechangesfortheDNSprotocol. Incursreasonableperformanceoverhead. Canbedeployedlocally;doesnotdependon changestootherremotednscomponents. InNovember1998,acompanycalledMen&Mice surveyedthestatusofnameserversontheinternet

11 [12].Among4184randomlypickedcomzones,1344of them(i.e.,32:1%)werefoundtobevulnerabletocache poisoningattacks.inotherwords,thenameserversof thosezonescouldbecompromisedandgaveoutincorrectinformationaboutotherdomains,includingits delegateddomains.wenotethattheeectivenessof ourdnswrapperisnotaectedbyattacksagainst externalnameserversaslongasourassumptionsare met. Thereareseveraldirectionsforfutureresearch. Tofurtherraisetheassurancelevelofourwrapper, onemayperformacompleteformalverication fromspecicationtoimplementation.thevdm specicationsdevelopedcanbeusedasthebasis forconductingtheformalverication. ResultsfromExperimentAshowa0.437%false positiverateforthednswrapper.becausethe majorityofthesefalsepositiveswerecausedby miscongurationsofexternalnameservers,anontrivialmodicationforthednswrappermaybe neededtosignicantlyreducethefalsepositive rate. WehavenotdiscussedprotectingDNSresolvers. Ifthecommunicationpathbetweenaresolverand itstrustedlocalnameserverissecure,andthe nameserverisprotectedbythednswrapper,the DNSdatareceivedbytheresolveris\safe"becauseawrappednameserveronlyusesDNSdata thatareconsistentwiththecorrespondingauthoritativeanswers.futureresearchmaybeconducted toprotectdnsresolverswhentheresolver-server communicationpathisinsecure.apossibilityis toadaptthednswrappertoprotectresolvers. Onemayapplyourapproachtoprotectothernetworkservicesandprivilegedprocesses. 8.Acknowledgments ThisworkwassupportedbyDARPAundergrant ARMY/DAAH References [1]P.Albitz,andC.Liu,\DNSandBIND."O'Reilly andassociates,inc.,1992. [2]D.Andrews,andD.Ince,\PracticalFormalMethodswithVDM."McGraw-Hill,1991. [3]S.M.Bellovin,\SecurityProblemsintheTCP/IP ProtocolSuite."ComputerCommunicationsReview,Vol.19,No.2,April1989,pp [4]S.Bellovin,\UsingtheDomainNameSystemfor SystemBreak-ins."Proc.ofthe5thUNIXSecurity Symposium,June5-7,1995,pp [5]CERTCoordinationCenter,\MultipleVulnerabilitiesinBIND."CERTAdvisoryCA-98:05, April8,1998. [6]B.Cheswick,andS.Bellovin,\ADNSFilterand SwitchforPacket-lteringGateways."Proc.ofthe 6thUNIXSecuritySymposium,July22-25,1996, pp [7]S.Cheung,\AnIntrusionToleranceApproachfor ProtectingNetworkInfrastructures."Ph.D.Dissertation,UniversityofCalifornia,Davis,September1999. [8]D.Eastlake,3rd,andC.Kaufman,\Domain NameSystemSecurityExtensions."RFC2065, January1997. [9]T.Fraser,L.Badger,andM.Feldman,\HardeningCOTSSoftwarewithGenericSoftwareWrappers."Proceedingsofthe1999IEEESymposium onsecurityandprivacy,oakland,california, May5-7,1999,pp [10]E.Gavron,\ASecurityProblemandProposed CorrectionwithWidelyDeployedDNSSoftware." RFC1535,October1993. [11]C.B.Jones,\SystematicSoftwareDevelopment usingvdm."prentice-hall,1990. [12]MenandMice,\DomainHealthSurvey." [13]P.Mockapetris,\DomainNames{Conceptsand Facilities."RFC1034,November1987. [14]P.Mockapetris,\DomainNames{ImplementationandSpecication."RFC1035,November [15]C.L.Schuba,andE.H.Spaord,\Addressing WeaknessesintheDomainNameSystemProtocol."TechnicalReport,DepartmentofComputer Sciences,PurdueUniversity,1994. [16]W.Venema,\TCPWrapper:NetworkMonitoring,AccessControl,andBoobyTraps."Proc. ofthe3rdunixsecuritysymposium,september 1992,pp [17]P.Vixie,\DNSandBINDSecurityIssues."Proc. ofthe5thunixsecuritysymposium,june5-7, 1995,pp