
Why DNS Is Broken, Part 1: Trust

Paul Parisi

So this Internet thing, as we discussed in our last article, is broken. I promised to detail some of the specific things that are broken. Implicit trust is the Achilles' heel of the Internet.

Here is how the Domain Name System (DNS) works. You, a user, open a browser and type in a URL, say www.dnsstuff.com. Your browser asks your operating system for the IP address of the host name in that URL. The operating system relies on a small but important piece of software called the resolver, which is responsible for translating host and domain names into IP addresses. In the case of www.dnsstuff.com, the domain is dnsstuff.com and the "host" is www, so the resolver is being asked to look up the IP address of the host www in the domain dnsstuff.com.

The resolver's first step is to look in a file that is private to your computer, the hosts file. If the record you are requesting is there, the resolver hands that answer to the browser. If not, it checks its own private cache: does it already hold an unexpired entry for www.dnsstuff.com? If not, the resolver has to ask someone out in the world for more information. Your computer has several explicit settings that let it interact with the network; one of them is the list of DNS servers the resolver should use when it does not know an answer. So the resolver now asks that DNS server for the IP address of www.dnsstuff.com.

That DNS server goes through a very similar process. It looks in its own cache to see whether it already knows about www.dnsstuff.com; if it does, and that record's time to live (TTL) has not yet expired, it sends the cached answer back to the resolver. If it does not, it queries the authoritative servers for the domain on your behalf, caches whatever answer comes back, and passes that answer on to the resolver. This is important.

All of the communication between the resolver and the DNS server is in plain text that can be easily seen and changed while in transit, and the resolver completely trusts whatever answer comes back. There is no reason to believe that the answer has not been tampered with, and there is no way to verify whether it has. Here we see the first weakness of DNS. In addition, there are numerous ways to trick a DNS server into believing that a host is at a different IP address than it really is. For example, a malicious person can send a DNS server carefully chosen questions that cause it to look things up improperly and store the bad answers in its cache (this is known as cache poisoning). The server then hands that bad data to every subsequent requestor until the poisoned entry expires.
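To make the two paragraphs above concrete, here is a small Python model of the lookup chain (hosts file, then local cache honouring the TTL, then the configured server) together with the trust problem: the stub resolver checks only that the reply's transaction ID and question match its outstanding query, so a reply forged by anyone who saw the plaintext query is accepted and cached. This is an added example written for this page, not code from the original post or from DNSstuff.com. The hosts file contents, the starting transaction ID, the honest_server and on_path_forger functions and every IP address are constructed for illustration, and the packet builder handles only a single A record.

```python
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode 'www.dnsstuff.com' as DNS labels: <len><bytes>... ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(pkt, pos):
    """Read an uncompressed name starting at pos; return (name, position after it)."""
    labels = []
    while pkt[pos] != 0:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels), pos + 1


def build_query(txid, name):
    """Standard A query: 12-byte header (RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid, name, ip, ttl):
    """Response echoing the question plus one A record (name given as a pointer to offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt):
    """Extract the transaction ID, question name and first A record from a response."""
    txid = struct.unpack("!H", pkt[:2])[0]
    name, pos = decode_name(pkt, 12)
    pos += 4 + 2                          # skip QTYPE/QCLASS and the answer's 2-byte name pointer
    _, _, ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
    pos += 10
    return {"txid": txid, "name": name, "ttl": ttl,
            "ip": ".".join(str(b) for b in pkt[pos:pos + rdlen])}


class StubResolver:
    """Lookup order from the text: hosts file, then local cache (honouring TTL), then the server."""

    def __init__(self, hosts, send):
        self.hosts = hosts        # stands in for the hosts file
        self.cache = {}           # name -> (ip, expiry time)
        self.send = send          # stands in for the UDP round trip to the configured server
        self.next_txid = 0x1234   # constructed starting ID

    def resolve(self, name, now):
        if name in self.hosts:
            return self.hosts[name], "hosts"
        if name in self.cache and self.cache[name][1] > now:
            return self.cache[name][0], "cache"
        txid, self.next_txid = self.next_txid, (self.next_txid + 1) & 0xFFFF
        reply = parse_response(self.send(build_query(txid, name)))
        # The only checks a classic resolver can make: the ID and the question must match.
        # Nothing proves who produced the answer, which is the weakness the text describes.
        if reply["txid"] != txid or reply["name"] != name:
            raise ValueError("response does not match the outstanding query")
        self.cache[name] = (reply["ip"], now + reply["ttl"])
        return reply["ip"], "server"


def honest_server(query):
    """The configured DNS server answering from its own data (constructed address)."""
    txid = struct.unpack("!H", query[:2])[0]
    name, _ = decode_name(query, 12)
    return build_response(txid, name, "203.0.113.10", ttl=300)


def on_path_forger(query):
    """Anyone who can read the plaintext query copies its ID and answers first with a bogus address."""
    txid = struct.unpack("!H", query[:2])[0]
    name, _ = decode_name(query, 12)
    return build_response(txid, name, "198.51.100.66", ttl=86400)


def demo():
    """Walk the lookup chain, then show a forged reply being accepted and cached."""
    resolver = StubResolver({"localhost": "127.0.0.1"}, honest_server)   # constructed hosts file
    results = {}
    results["hosts"] = resolver.resolve("localhost", now=0)
    results["first"] = resolver.resolve("www.dnsstuff.com", now=0)      # miss -> asks the server
    results["cached"] = resolver.resolve("www.dnsstuff.com", now=100)   # inside the 300 s TTL
    results["expired"] = resolver.resolve("www.dnsstuff.com", now=400)  # TTL passed -> server again
    resolver.send = on_path_forger            # same resolver, but the reply now comes from a forger
    results["forged"] = resolver.resolve("www.dnsstuff.com", now=800)   # accepted without question
    results["poisoned"] = resolver.resolve("www.dnsstuff.com", now=900) # served from cache for a day
    return results


if __name__ == "__main__":
    for step, (ip, source) in demo().items():
        print(f"{step:9s} {ip:15s} from {source}")
```

Running it prints each step with the address returned and where it came from; the last two lines show the forged 198.51.100.66 answer being accepted and then served from the cache. A forger that is not on the path has to guess the 16-bit ID (and, in real resolvers, the UDP source port) before the genuine answer arrives, which is the guessing game behind the cache-poisoning attacks the text alludes to; an on-path observer does not even need to guess.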

So these are just two of the significant issues with the current DNS system. DNSSEC addresses the verifiability of the data returned during a DNS query: answers carry signatures that a validating resolver can check, so a tampered or forged answer can be rejected, although the query and response themselves still travel in plain text. However, there are more issues we will need to address.

Written by Paul Parisi, Chief Technology Officer at DNSstuff.com

Related topics: DNS, DNSSEC, Security

