▶ 12.3 Names on the Internet
When we type an email address or the name of a website, part of the text includes a name with dots, usually suffixed by “.com” or “.edu” or a two-letter abbreviated country name. These are called domain names. They are part of an organized collection of names that are unique on the internet. The names form a hierarchy, as shown in FIGURE 12.9.
FIGURE 12.9 Domain name hierarchy.
We use domain names most often to identify host computers that provide specific services, particularly web servers and email services. In practice, each name stands for the numerical IP address of the named host.
The domain name system (DNS) looks up a domain name and retrieves information about it. Application software uses it like a telephone book; we supply a domain name and the DNS retrieves the host’s numerical IP address. DNS is an essential part of the internet; nobody remembers the numerical IP address of Google or Amazon or Microsoft, but everyone knows their domain names. TCP/IP protocols require numerical addresses to open connections, and DNS retrieves the forgettable IP addresses associated with the memorable domain names.
The Name Space
All domain names include a top-level domain (TLD). These are abbreviations that more or less reflect the location or purpose of the organization that owns the name. TABLE 12.1 lists the abbreviations for several common TLDs.
TABLE 12.1 Common Top-Level Domain Abbreviations |
|||
|---|---|---|---|
|
There were originally two types of TLDs: generic names and country codes. The generic names are not supposed to be associated with specific countries, although the military and government TLDs in Table 12.1 are controlled by the U.S. government. Today, there are hundreds, if not thousands, of generic TLDs. Starting in 2012, individual organizations could establish and manage custom-named TLDs. Country codes are based on two-letter abbreviations defined in ISO Standard 3166. Individual countries decide how to manage their own country codes. Some countries allow anyone to register a domain, regardless of their location or nationality.
We always construct domain names from right to left, starting with the TLD. Referring to Figure 12.9, we move down the tree as we build the name from right to left. After selecting a TLD, we select a unique subdomain name, like the word “stthomas” in stthomas.edu (FIGURE 12.10).
FIGURE 12.10 Example format of a three-part domain name.
Even though there are several schools with “St. Thomas” in their name, there may only be one stthomas.edu. Other organizations may choose the subdomain “stthomas” from other TLDs. For example, the domain name “stthomas.com” was occasionally used to promote tourism in the U.S. Virgin Islands, whose capital is on the island of St. Thomas.
Email addresses contain domain names but those names typically contain only two parts: the subdomain followed by the TLD. Three-part domain names often are used when a site offers several different services. The third, “local” subdomain identifies the service offered. For example, the www in Figure 12.10 stands for World Wide Web, and the domain name identifies the stthomas.edu web server.
Local subdomains are controlled by the subdomain owner. Some subdomain owners use them, while others don’t. In many cases, the www is optional when using a browser: The DNS for the two-part domain name yields the same address as a three-part name beginning with www. For example, stthomas.edu yields the same website as www.stthomas.edu.
Some organizations produce subdomains for subdomains. For example, the University of Minnesota has a website at www.umn.edu, and the computer science and engineering department has its own website at www.cs.umn.edu.
12.3.1 Domain Names in Practice
People and organizations may acquire a domain name by registering it under one of the TLDs. The first step is to find an unregistered name under an existing TLD. For example, Kevin has decided to start a small business on the internet. He chooses a name and tries to register it under the “.com” domain. His first six name choices were already taken by others, but he settles on “einsec.com,” which hadn’t already been registered.
To take possession of his chosen domain name, Kevin contacts a domain registrar to register the domain. He pays a registration fee and the registrar creates that name on his behalf. He also provides the registrar with the IP addresses to appear in his DNS entries. The registrar sets up the appropriate DNS entries for Kevin’s new domain. As noted in Table 12.1, there are restrictions on some TLDs. For example, Kevin can’t register einsec.edu because he’s not an educational organization, nor could he register einsec.mil. These TLDs are managed by special registrars that validate an organization’s right to register such names.
The Internet Corporation for Assigned Names and Numbers, or ICANN, manages the distribution of domain names and IP addresses. ICANN accredits domain registrars to issue domain names and manage the associated records. Through its subsidiary, the Internet Assigned Numbers Authority, it manages the DNS root and assigns numeric values for protocols and addresses.
Using a Domain Name
The domain name provides a memorable substitute for a numerical IP address. Many people think of domain names as standing for websites or as a “home address” for someone’s email. DNS itself cannot associate a domain name with a personal web page or email account. DNS uses a domain name to retrieve the numerical IP address of the host providing web service or email service.
Many domain registrars provide a service to link a registered domain name to an existing email account or to a web page hosted on a larger site. The registrars implement special hosts to provide this service. The domain name’s owner supplies information about their existing email address or web page, and the registrar’s server redirects email and web transactions to the appropriate destination. This provides an “alias” for an email address or website.
When handling a website alias, the registrar translates the domain name into a link to a particular web page. For example, Kevin might not have his own host and global IP address. Instead, Kevin has a personal website on “comcast.net” and he wants “einsec.com” to point to those pages. Using a web-based interface provided by the registrar, Kevin supplies a link to his Comcast home page. After that, the registrar automatically redirects any visit to “einsec.com” to Kevin’s home page at comcast.net.
This allows Kevin to use a personalized domain name with web space he already owns. Many domain registrars also offer web services and will automatically link a personal domain name to the customer’s rented web space.
Registrars often also provide email aliases. For example, Kevin has an email account at school, but he wants to also use the email address “[email protected].” To do this, the registrar provides another web-based interface to establish email forwarding. Kevin selects his domain name “einsec.com” and gives it the user name “kev.” Then he enters his school email address as the email destination.
Whenever the registrar receives email for “einsec.com,” it looks at Kevin’s email forwarding requests. If the user name on the email is “kev,” then the registrar retrieves Kevin’s school email address and forwards the email there.
12.3.2 Looking Up Names
If the DNS serves the same purpose as a telephone book, then we need to examine the lookup process. Every time we type in a link to a web page, we enter a domain name and that name must be converted to an IP address. DNS translations must be fast and accurate.
The lookup process is handled by domain name resolver software. The software is part of the standard internet API. Resolver software follows these four steps:
The software collects the domain name of interest.
The software looks up the domain name in the host’s cache. Each host keeps a cache of previous domain name queries.
If the name isn’t in the cache, the host sends a query across the network to its assigned DNS server.
The software saves the answer in the cache in case the same query recurs, and it returns the answer to the caller.
The host’s DNS server is assigned when the host receives its other internet configuration information, like its IP address and gateway address. The DNS server is identified by its IP address.
If the host must send a DNS query to a server, it sends the query to port 53 at the server’s IP address. Typical DNS queries and replies fit in a single packet and are transmitted using UDP. The resolver software sets a timer to detect lost queries because UDP won’t detect lost packets.
There are several kinds of DNS servers. Some are actually resolvers that simply contact other servers for information; these are called recursive resolvers. Some contain authoritative answers to some DNS queries but must contact other servers for other queries. In most cases, the resolvers maintain a cache of answers to save time when handling repeated queries.
DNS Lookup
Most computer systems have a keyboard command nslookup that uses the resolver to look up domain names. The command works in Unix command shells available in MacOS and Linux and in the MS-DOS command shell on Windows. Unlike the nmap command examined earlier, nslookup doesn’t take a list of options and parameters. Instead, it starts its own command shell that collects domain names to look up.
The following is an example using nslookup on MS-DOS. We underline the commands typed by the user. First, the user Kevin types the nslookup command itself. The program responds by typing the name and IP address of the default name server. In private networks behind a firewall, this will be the local address of the network’s gateway. Because this server address has no domain name, the “Server” name is “Unknown.” Then nslookup types a “>” to prompt the user for a domain name:
Kevin types in the domain name to retrieve its IP address:
Nslookup responds with a short report of the domain’s IP address. If the domain has several IP addresses, the report lists them. For example, a large site like google.com will produce a list of IP addresses. Kevin also may set certain options in the program.
For example, he can tell the program to return “any” domain records it finds instead of only returning the basic IP address record. FIGURE 12.11 shows what happens when he does this and repeats his query.
FIGURE 12.11 Nslookup list of “any” DNS records found for einsec.com.
12.3.3 DNS Protocol
The ARPANET relied on a file named “HOSTS.TXT” to provide a mapping between host names and their numerical addresses. The early internet used the same approach, but within a year it was reaching the limits of manageability. Any approach based on a single database would not keep pace with even modest internet growth.
The proposed solution was a distributed database to convert host names into numerical addresses. Individual hosts could contact any server in the domain name system. If that server couldn’t answer their query, it could redirect the query to a server capable of answering it.
FIGURE 12.12 shows a Wireshark display of a DNS query response. Like most DNS operations, it travels in a UDP packet. Wireshark provides a link to the corresponding request, which carries a matching transaction ID. The actual query contains the same “queries” section, but lacks the “answers” section. Here, the “answers” section provides the requested IP address.
FIGURE 12.12 Wireshark display of a DNS response.
© Wireshark Foundation
Resolving a Domain Name via Redirection
Names in the DNS form a hierarchy, and different servers are assigned to different sections of the hierarchy. These sections are called “zones.” A server assigned to a zone is considered the authority for answering questions about domain names in that zone.
The starting point is, of course, the “root zone” at the top of the hierarchy in Figure 12.9. If we need to resolve a domain name like “www.stthomas.edu” and we don’t know where to start, we go to a root server. The root server then refers us to a more specialized server to answer our question. The process repeats until we find the server with the answer.
FIGURE 12.13 illustrates this iterative lookup process. Our first query goes to the root server. The server looks at the top-level domain in the name: “.edu” in this case. The server doesn’t know the whole answer itself, so it refers us to a server with better information.
FIGURE 12.13 Looking up a domain name.
We send our query a second time, this time to the “.edu” server. This server looks up the subdomain name “stthomas” and finds a server that can answer queries about it. Our second query, like our first, yields a referral to another name server. Our third query goes to the “stthomas.edu” server, which finally returns a response.
Because “stthomas” belongs to a university with a large IT department, it runs its own domain name server. Personal domain names often are directed to a server belonging to a domain registrar. If the subdomain has subdomains, those usually are interpreted by the same server.
Figure 12.13 shows that a domain name query might go through three or more servers in its quest for resolution. Each is responsible for part of the domain name space, and they work together to answer queries. The server responsible for a particular name’s meaning can update the information itself without having to update other systems. This is what makes the DNS a distributed database.
By distributing authority to different servers, DNS decentralizes management of different parts of domain names. Authority for “stthomas” or “umn” domain names are delegated to the organizations that own the names. In mid-2011, there were over 130 million subdomains registered under the major TLDs. The distributed approach provides a practical way to manage the enormous address space.
DNS Redundancy
Every zone usually has several authoritative servers. If we perform a query and are redirected to another server, the redirection often lists several server IP addresses and we can send our query to any of them. Thus, if one server fails to respond due to excessive load or any other reason, we can contact one of the other servers.
When the zone belongs to an organization, like umn.edu or stthomas.edu, the organization itself is responsible for providing redundant servers. If they don’t provide multiple servers and their main server goes down, then no one will be able to resolve their domain names until it recovers.
Shared parts of the name space, like the TLDs, also rely on redundancy. Root zone service is provided by several dozen root servers distributed worldwide. Most TLDs, especially the generic TLDs, also are served by multiple servers.
12.3.4 Investigating Domain Names
Domain names provide the starting point for connecting to entities on the internet. The names themselves, however, only connect to servers. In order to keep track of domain name ownership, ICANN requires the registration of all owners of domain names. ICANN also requires that the information be posted in a standard internet database, called the whois database.
This database contains ownership, administrative, and technical contact information for domain names, internet IP address ranges, and Autonomous System identifiers. FIGURE 12.14 shows the output from a whois query on the domain “stthomas.edu” (some text was suppressed for privacy reasons, but the latest version is available online).
FIGURE 12.14 Whois response for stthomas.edu.
ICANN requires that legitimate contact information be associated with the whois record of every domain name. Registrars provide the owner’s contact information, but in some cases, the registrar simply provides its own contact information. This happens if the customer wants to shield their personal information. The registrars provide this service at an extra cost.
The IP address and contact information for the domain name only tells part of a website’s story. It does not always identify the website’s physical location. This is especially true when organizations rent web service from other organizations. To track down a site’s location, we must find the owner of the IP address itself.
The whois service will identify the company owning a particular IP address in terms of the address range. We must use other services to narrow down an address location more precisely. There are also online geolocation services that convert IP addresses to more specific physical locations. Typically, these services use a custom database that has collected detailed IP address ranges and associated them with physical street addresses, map coordinates, zip codes, and so on.
12.3.5 Attacking DNS
DNS is a relatively old and widely used internet component. This makes it a very valuable target. Though vulnerabilities exist, most DNS transactions take place without trouble or interference. Here is a summary of major DNS vulnerabilities:
■ Cache poisoning: A resolver receives a bogus response to a DNS query. All subsequent queries will receive the wrong information and redirect connections to the wrong IP address.
■ DOS attack on major DNS servers: Attackers try to disable DNS service in parts of the internet by attacking major DNS servers.
■ DOS attack using a shared resolver: An attacker transmits numerous bogus DNS queries to the shared resolver.
Attacks either trick DNS into returning incorrect information, or they attack DNS services in a way that disrupts other internet services. We examine each attack and also review proposed DNS security improvements.
DNS information usually is correct because it is hard to trick a resolver into accepting incorrect information. The resolver uses established IP addresses to contact other DNS servers. Those addresses arrive during boot configuration, provided by a trustworthy server, or they are provided through a trustworthy configuration process.
Servers, or malicious hosts posing as servers, can’t simply announce DNS information to resolvers. Unlike ARP, the resolvers only look for answers to specific queries. Each query contains a randomly selected client port number and a randomly selected transaction identifier. An attacker must have that information in order to give a bogus answer to a resolver.
Cache Poisoning
This attack provides bogus responses to DNS queries. It takes advantage of the fact that most resolvers contain a cache. If the cache contains bogus data about a host, the resolver will provide the bogus data to all queries about that host.
A simple but inefficient approach to cache poisoning is a form of bucket brigade attack. The attacker sits on a node between the resolver and some DNS servers. When a server sends a response, the attacker modifies the response so that the domain name points to the wrong IP address. In some cases, the attacker can trick the resolver into using the wrong servers to resolve top-level domain names like .com. This allows the attacker to provide bogus answers on a large portion of the names the resolver queries.
A more efficient attack transmits numerous bogus answers to a resolver in hopes of matching a query’s port number and transaction number. If the port and transaction numbers are predictable, this attack may work. Some DNS software resists this attack by using truly random values for those numbers and by carefully checking DNS responses against outstanding queries. However, such checks reduce DNS performance, so they are not used everywhere.
Attackers have targeted ISPs and specific sites with cache poisoning attacks. In 2008, the domain name for a security researcher’s site was hijacked by poisoning the cache on the ISP’s DNS servers. The attack occurred after the site had published details of how to exploit cache poisoning. Similar attacks hit a large ISP in China a few months later. In 2009, a cache poisoning attack redirected traffic to a bogus site masquerading as Brazil’s largest bank.
DOS Attacks on DNS Servers
In 2002, hundreds of computers worldwide sent thousands of packets to all of the DNS root servers for about an hour. This was a DDOS attack because it relied on numerous separate computers to work together to overwhelm the targets with traffic. The attack briefly interrupted service from all but four of the root servers. Most internet users saw no service trouble because most DNS queries are answered with cached responses. A similar attack occurred in early 2007. Although the second attack lasted several hours, it affected even fewer root servers.
However, the basic risk remains: Attackers can try to shut down portions of DNS by attacking authoritative servers for different parts of the name space. On Christmas Eve 2009, the DNS provider for amazon.com suffered a DDOS attack. It interfered with access to the Amazon website for about an hour, but only affected visitors in parts of California.
Botnets
DDOS attacks require a large collection of computers to transmit a steady stream of packets. Attackers often rely on botnets to perform such attacks. The attacker may upload special attack software to the individual computers (the “bots”) and then direct the attack at a particular DNS or IP address. Such attacks can pose a particular challenge, because the traffic isn’t from a single source and may be widely distributed across the network.
DOS Attacks and DNS Resolvers
Because DNS resolvers often reside in DNS servers that serve a particular zone of the name space, these machines are targets for attack. However, resolvers also may be tricked into taking part in an amplification attack.
In general, an amplification attack is one where the attacker sends a small amount of traffic to a server which responds with a lot of traffic. The attacker forges the packets’ return addresses to point to the victim’s computer. The server unwittingly sends vast quantities of traffic at the victim on behalf of the attacker.
In a DNS-based amplification attack, the attacker sends thousands of DNS queries to a resolver, with the victim’s IP address given as the source of the query. Each query is perhaps 50 bytes long, but the responses may be thousands of bytes long. Thus, the attacker sends a relatively small amount of attack data, and the DNS resolver sends a flood of data to the victim. The attacker can make the attack even more effective by sending a flood of queries to several different resolvers, so that they send the victim an even larger flood of responses.
DNS Security Improvements
DNS is one of the oldest and most heavily used elements of the internet. As such it is difficult to modify, because so many systems rely on its present structure and operation. However, there are certain steps that many sites and systems take to improve DNS security.
■ Randomized requests. The port number and transaction identifier in a DNS request are supposed to be randomly chosen so as to be hard to predict. Not all systems choose them randomly, though software updates have corrected this weakness.
■ Limited access to resolvers. An “open resolver” is one that accepts a DNS query from anywhere on the internet. It is easy to use an open resolver for an amplification attack. Many sites block access to their resolvers so that they are available only to their customers.
■ Distributed DNS servers. These provide multiple DNS servers to provide authoritative answers for important domain queries. The major root and TLD domains are covered by multiple servers distributed worldwide. DNS is less vulnerable to DDOS attacks if the attack must target numerous servers in separate locations.
Security improvements also arise from the DNS Security Extensions (DNSSEC), which consist primarily of cryptographic techniques for validating DNS transactions. DNSSEC prevents cache poisoning and man-in-the-middle attacks by affixing digital signatures to DNS responses and by providing a certification hierarchy for verifying the signature keys. DNSSEC was first deployed to root servers in 2010.