
Is the second coming of DNS Y2K all over again?

DNS is the Domain Name System and is the central postmaster of the Internet. Changes are coming to add security, but naysayers would have you believe it is Y2K all over again.

DNS makes the Internet work. You type in www.itwire.com into a web browser and it's DNS which tells your computer the underlying network address of the iTWire web server. Send an e-mail to myfriend@someisp.com and again it's DNS which helps your e-mail wend its way through the tubes that make up the Internet.

This is a good thing but there is a possible crisis coming. For some, May 5th may be the end of the online world. It depends. Let me tell you the story. While I'm at it, I'll help our competition, who missed a few salient points along the way.

In short, all Internet-facing servers have a unique IP address and it is DNS which translates the friendly names we know into those addresses. Consider DNS the wise old sage of the Internet who has everyone in his rolodex.

Yet, not everyone on the Internet is as nice as you and I. There are people who would like to intercept DNS requests - imagine if (for instance) your online banking transactions were actually sent to a hostile phishing server, because the DNS request was intercepted and tampered with?

DNSSEC is the next generation of DNS; the name stands for DNS Security Extensions and, as you might gather, it adds security to the DNS protocol. DNSSEC is designed to protect the Internet from attacks like the one described above, otherwise known as 'man in the middle'.

There are other DNS vulnerabilities, like cache poisoning. In this scenario, the bad guys aren't just intercepting one request and sending you elsewhere. Instead, they are seeking to inject bad data into your DNS cache, which then affects future DNS lookups.

It's not hard to make a computer query poisoned records. A spammer might send an e-mail which contains a link to a 1x1 pixel image. To display the image your computer will issue a DNS request to resolve the server hosting the image. The DNS server that responds returns bad data which influences later DNS requests that have nothing to do with the e-mail, and it does so without having to intercept any specific request.

This works because your computer doesn't want to be continually issuing DNS requests, and neither does your ISP's server or any upstream server. Instead, through a series of caches, results are retained and gradually expire over time, at which point they are retrieved anew.
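The caching behaviour just described, as an added example that is not code from the article: a toy resolver cache with TTL expiry, fed a constructed reply for the image host that also carries a record for an unrelated name. The same cache is run with and without the "bailiwick" rule real resolvers apply (discard records for names outside the zone that answered), which is the check that stops the bundled record from being kept. All names, addresses and TTLs are constructed placeholders.

```python
import time

# Added example, not the article's code. A toy resolver cache showing why the
# scenario above works: records arrive bundled with an unrelated lookup and stay
# cached until their TTL expires. The mitigation real resolvers apply (the
# "bailiwick" rule: discard records for names outside the zone that answered)
# is shown alongside. All names, addresses and TTLs are constructed.

def in_bailiwick(owner, zone):
    """True if owner is zone itself or lies beneath it (case-insensitive)."""
    owner = owner.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)

class ResolverCache:
    def __init__(self, enforce_bailiwick=True, clock=time.monotonic):
        self.enforce_bailiwick = enforce_bailiwick
        self.clock = clock
        self.store = {}   # (name, rtype) -> (rdata, expiry time)

    def ingest(self, response, answering_zone):
        """Cache answer and additional records from a reply served by answering_zone.
        Returns (accepted, rejected) record lists."""
        accepted, rejected = [], []
        for rr in response["answer"] + response["additional"]:
            if self.enforce_bailiwick and not in_bailiwick(rr["name"], answering_zone):
                rejected.append(rr)
                continue
            self.store[(rr["name"].lower(), rr["type"])] = (rr["rdata"], self.clock() + rr["ttl"])
            accepted.append(rr)
        return accepted, rejected

    def lookup(self, name, rtype):
        """Cached rdata, or None if absent or expired (expired entries are purged)."""
        key = (name.lower(), rtype)
        entry = self.store.get(key)
        if entry is None:
            return None
        rdata, expires = entry
        if self.clock() >= expires:
            del self.store[key]
            return None
        return rdata

# Constructed reply for the 1x1 image host, bundling an extra record for an
# unrelated name that the image server has no authority over.
IMAGE_REPLY = {
    "answer": [{"name": "img.example.net", "type": "A", "ttl": 60, "rdata": "192.0.2.10"}],
    "additional": [{"name": "www.example.com", "type": "A", "ttl": 86400, "rdata": "192.0.2.99"}],
}

class FakeClock:
    """Manual clock so TTL expiry can be shown without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

def demo(enforce_bailiwick):
    """Resolve the image host, then see what a later lookup of the other name gets
    and whether the image record has expired after its TTL."""
    clock = FakeClock()
    cache = ResolverCache(enforce_bailiwick, clock)
    cache.ingest(IMAGE_REPLY, answering_zone="example.net")
    planted = cache.lookup("www.example.com", "A")
    clock.advance(120)                       # image record's 60 s TTL has passed
    image_after = cache.lookup("img.example.net", "A")
    return planted, image_after

if __name__ == "__main__":
    print("naive cache:", demo(enforce_bailiwick=False))
    print("bailiwick-checked cache:", demo(enforce_bailiwick=True))
```

With the rule switched off the unrelated record is served for a full day from a lookup the user never consciously made; with it on, the record is dropped at ingest time. The TTL check in `lookup` is the "gradually expire" behaviour the paragraph describes.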

DNSSEC is designed to remove these risks.

Specifically, DNSSEC adds extra information which combines to provide origin authentication of DNS data, data integrity and authenticated denial of existence. DNSSEC will protect against most threats to the DNS protocol. (It won't offer any protection against denial of service - or DoS - attacks, however.)

Now, DNSSEC is not new. In fact, a paper was published in August 2004 evaluating how effective DNSSEC would be against specific vulnerabilities. This is RFC 3833 and is part of the official set of Internet RFCs, the body of documents that prescribe how the Internet works.

What is required of DNS-handling software was set out the following year, in March 2005, in RFCs 4033, 4034 and 4035.

Getting to the thrust and parry of robust debate, our lovable competition iTNews stated today that on May 5th the world's top domain authorities (led by ICANN among others) will complete the first phase of the roll-out of DNSSEC across the 13 root servers - that is, the very top-level DNS servers. Oh my!

Now, their story says that DNSSEC was designed solely to prevent 'man in the middle' attacks, so perhaps Brett Winterford's DNS understanding is somewhat limited.

That's why you should take the comment about 13 root servers with a grain of salt.

The truth is there are many hundreds of root servers at over 130 physical locations in many different countries. These aren't run by any one organisation but by twelve. In fact, ICANN itself - whom iTNews refer to - has a bold blog posting titled 'There are not 13 root servers' dated way back in 2007.

There are networks upon networks of multiple servers all working together to handle the millions of DNS queries which the root servers receive constantly, minute upon minute, hour upon hour. Imagine the grind if the Internet depended on just 13 root servers, and imagine the absolute risk if taking down the Internet meant taking down only 13 servers.

Where the problem comes in, however, is that DNSSEC responses will be larger than previous DNS responses because (logically) more information is being carried, namely authentication information.

Just as the Y2K crisis arose from concern older equipment only used two-digit years to record time, so too 'the DNSSEC crisis', if we can call it that, is built on that damnable older equipment again. This time around the fear is that an older router or gateway won't recognise the laden data packets coming its way and will block them.

Our good friends at iTNews didn't take maths at school so we'll help them with this point. A DNSSEC response will be 2KB - four times the size of a previous 512 byte DNS response. iTNews note that this may 'potentially' be sent in multiple packets via the TCP protocol. Of course, the default packet size is 1536 bytes, so I wouldn't say 2KB is 'potentially' going to take multiple packets but that it definitely will require two.

What's the upshot? Fundamentally, if your DNS queries wend their way back to you through equipment that rejects the beefier response then you simply can't resolve host names. You will not be able to use any Internet service by name.
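The size problem in the preceding paragraphs, as an added example that is not code from the article or from any DNS vendor: a small builder and header parser for DNS wire-format messages. It shows the EDNS0 OPT record (RFC 6891) a resolver uses to advertise a UDP buffer larger than the classic 512 bytes, the truncation (TC) bit that forces a retry over TCP, a classification of what a reply of a given size means for a path that still assumes 512 bytes, and the IPv4 fragment count for a reply of 2KB. The reply sizes are constructed filler, not captured root-server traffic; the 1500-byte MTU in `ipv4_fragments` assumes plain Ethernet.

```python
import math
import struct

# Added example (not the article's code). Builds DNS wire-format messages with
# the EDNS0 OPT record that advertises a UDP buffer larger than the classic
# 512 bytes, and classifies replies the way a resolver must: a truncated reply
# is retried over TCP. Message sizes below are constructed, not captured.

CLASSIC_UDP_LIMIT = 512      # RFC 1035 ceiling for UDP DNS without EDNS0
FLAG_QR = 0x8000             # message is a response
FLAG_TC = 0x0200             # "truncated": reply did not fit, retry over TCP
FLAG_RD = 0x0100
FLAG_RA = 0x0080
TYPE_A, TYPE_OPT = 1, 41
EDNS_DO = 0x8000             # DNSSEC OK bit, carried in the OPT record's TTL field

def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, zero terminated."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234, udp_size=4096, dnssec_ok=True):
    """Query carrying an EDNS0 OPT pseudo-record that advertises udp_size."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root owner name, TYPE=41, CLASS field = UDP payload size,
    # TTL field = extended RCODE/version/flags (DO bit), RDLENGTH = 0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if dnssec_ok else 0, 0)
    return header + question + opt

def build_response(txid=0x1234, truncated=False, filler_len=0):
    """Constructed reply: genuine header and question, then filler bytes standing
    in for the record sections (which the header-only parser never decodes)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name("www.example.com") + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"\x00" * filler_len

def parse_header(msg):
    """Decode the 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "truncated": bool(flags & FLAG_TC), "rcode": flags & 0x0F,
            "counts": (qd, an, ns, ar)}

def classify_reply(msg, advertised_udp_size=CLASSIC_UDP_LIMIT):
    """What a resolver has to do with a reply of this size on this path."""
    if parse_header(msg)["truncated"]:
        return "retry-over-tcp"
    size = len(msg)
    if size > advertised_udp_size:
        return "exceeds-advertised-buffer"
    if size > CLASSIC_UDP_LIMIT:
        return "needs-edns0-path"   # gear that still assumes 512 bytes will drop it
    return "fits-classic-udp"

def ipv4_fragments(udp_payload_len, mtu=1500):
    """IPv4 fragments needed for one UDP datagram: a 20-byte IP header in every
    fragment, the 8-byte UDP header once, fragment data in multiples of 8 bytes.
    mtu=1500 assumes plain Ethernet (an assumption, not a figure from the article)."""
    per_fragment = (mtu - 20) // 8 * 8
    return math.ceil((8 + udp_payload_len) / per_fragment)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print("query bytes:", len(q), parse_header(q))
    for reply, buf in ((build_response(), 512), (build_response(filler_len=2000), 512),
                       (build_response(filler_len=2000), 4096), (build_response(truncated=True), 512)):
        print(len(reply), "bytes, buffer", buf, "->", classify_reply(reply, buf))
    print("2048-byte reply needs", ipv4_fragments(2048), "IPv4 fragments")
```

The interesting case is the 2000-odd-byte reply against a 512-byte buffer: the resolver never asked for more than 512 bytes, so a well-behaved server sets TC and the resolver falls back to TCP, which is the path an older gateway that blocks DNS over TCP, or drops fragmented UDP, breaks.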

The good news is that the protocol isn't new. It's been talked about and written about for most of this decade. You can be certain the big players - Cisco, major ISPs and the like - all have this matter under control in equipment manufactured, installed or upgraded in recent years.

Further, DNSSEC has been rolling out progressively across the mass collection of root name servers for several months now with few, if any, ill effects.

Still, if you have any concerns, be sure to test your company's, your home's or your network's DNS path using tools like OARC's DNS reply size test server.

Let's knock this problem over before the rest of the world gets startled this time.

David M Williams


David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. Within two years, he returned to his alma mater, the University of Newcastle, as a UNIX systems manager. This was a crucial time for UNIX at the University with the advent of the World-Wide-Web and the decline of VMS. David moved on to a brief stint in consulting, before returning to the University as IT Manager in 1998. In 2001, he joined an international software company as Asia-Pacific troubleshooter, specialising in AIX, HP/UX, Solaris and database systems. Settling down in Newcastle, David then found niche roles delivering hard-core tech to the recruitment industry and presently is the Chief Information Officer for a national resources company where he particularly specialises in mergers and acquisitions and enterprise applications.