Name Collisions in the Domain Name System
Burt Kaliski, Verisign
USTelecom Webinar
April 17, 2014
Verisign Public 2
Agenda
• Name Collision Problem
• Timeline
• Mitigating Name Collisions
  • Remediation: ICANN’s Guidance to IT Professionals
  • Constraints: ICANN’s “Alternate Path” of SLD Blocking
  • Notification: JAS Global Advisors’ “Controlled Interruption”
• Next Steps
Name Collision Problem for Domain Name System (DNS Queries)
[Diagram: an installed system sends a query for … .SLD .TLD to the global DNS. With the TLD not delegated, an NXDOMAIN response is expected. Up to ~1400 (or more!) new gTLDs have been applied for.]
Key
TLD = top-level domain (e.g., “.com”, “.de”, “.net”)
New gTLD = new generic TLD
SLD = second-level domain (e.g., “example” in “example.com”)
NXDOMAIN = “non-existent domain” error message
Name Collision Problem for Domain Name System (DNS Queries)
[Diagram: the same query for … .SLD .TLD, now with the TLD delegated in the global DNS. A resource record is received if the SLD is delegated: the internally generated query collides with the externally assigned name.]
Root Causes:
• Best Practice: “.” not required at end of domain name (names are written without the trailing dot, so resolvers may treat them as relative and complete them with search-list suffixes)
• “Private” TLDs (e.g., “.corp”), Shortened Internal Domain Names
• Search List Processing
• Mobile Computing
Name Collision Problem for Domain Name System (DNS Queries)
[Diagram: as above; the internally generated query collides with the externally assigned name once the TLD is delegated.]
Potential Risks
• Installed System Breaks
• Internal Information Leaks (beyond root: queries that formerly ended at the root servers with NXDOMAIN now reach the new TLD’s, and possibly a registrant’s, name servers)
• Cyberattacks Exploit Collision
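The mechanism on the three slides above, as an added example that is not part of the presentation: a stub resolver expands an unqualified name through its search list, and the resulting query, which the installed system has always seen fail with NXDOMAIN, starts receiving an answer the moment a matching TLD is delegated, with no change on the installed system. The search list, the zone data and the TLD are all constructed; “.example” is a reserved name (RFC 2606) standing in for a newly delegated gTLD, and the resolver rule modelled is the common glibc-style ndots behaviour.

```python
"""Simulate search-list processing on an installed system and show the same
query going from NXDOMAIN to an answer once a matching TLD is delegated.

Added example, not code from the presentation. Everything here is
constructed: the search list, the zone data, and the TLD ".example", a
reserved name (RFC 2606) standing in for a newly delegated gTLD.
"""

NXDOMAIN = "NXDOMAIN"


def search_list_candidates(name, search_list, ndots=1):
    """Return the fully qualified names a stub resolver tries, in order.

    Follows the common resolver rule (e.g. glibc's res_search): a name that
    ends in "." is absolute and is tried alone; a name with fewer than
    `ndots` dots is tried with each search-list suffix first and bare last;
    a name with `ndots` or more dots is tried bare first, then suffixed.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{suffix}." for suffix in search_list]
    bare = [f"{name}."]
    if name.count(".") >= ndots:
        return bare + suffixed
    return suffixed + bare


def resolve(fqdn, delegated_tlds, zones):
    """Toy global DNS: a name under an undelegated TLD is NXDOMAIN (the
    answer the installed system has always relied on); under a delegated
    TLD the answer is whatever the registrant published in `zones`."""
    tld = fqdn.rstrip(".").split(".")[-1]
    if tld not in delegated_tlds:
        return NXDOMAIN
    return zones.get(fqdn, NXDOMAIN)


def lookup(name, search_list, delegated_tlds, zones):
    """Walk the candidate list like a stub resolver; return (fqdn, answer)
    for the first non-NXDOMAIN hit, else (last candidate, NXDOMAIN)."""
    candidate = None
    for candidate in search_list_candidates(name, search_list):
        answer = resolve(candidate, delegated_tlds, zones)
        if answer != NXDOMAIN:
            return candidate, answer
    return candidate, NXDOMAIN


# Constructed installed system: a laptop configured with the enterprise
# search list, now off the corporate network (the "mobile computing" root
# cause), so its queries reach the global DNS instead of the internal zone.
INTERNAL_SEARCH_LIST = ["corp.example.com", "example"]

# Constructed view of the global DNS after ".example" is delegated and an
# outside registrant publishes an A record for the SLD "intranet".
EXTERNAL_ZONES = {"intranet.example.": "203.0.113.10"}   # TEST-NET-3 address


def before_and_after(name):
    """Resolve `name` before and after the TLD delegation; nothing on the
    installed system changes between the two calls."""
    before = lookup(name, INTERNAL_SEARCH_LIST, delegated_tlds={"com"}, zones={})
    after = lookup(name, INTERNAL_SEARCH_LIST,
                   delegated_tlds={"com", "example"}, zones=EXTERNAL_ZONES)
    return before, after


if __name__ == "__main__":
    for name in ("intranet", "www.example.org", "intranet."):
        print(name, "->", search_list_candidates(name, INTERNAL_SEARCH_LIST))
    print(before_and_after("intranet"))
```

The absolute form “intranet.” is the one case the search list never touches, which is what the “‘.’ not required” root cause is about: because nobody types the trailing dot, every short name is a candidate for completion.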
Mitigating Name Collisions
[Diagram: the collision path above with four intervention points: (1) Remediate Installed System, (2) Constrain Global DNS, (3) “Notify” System Operators, (4) Hybrid Approach.]
Timeline
• Nov. 2010: ICANN’s Security and Stability Advisory Committee (SSAC) warns of potential name collision risks
• June 2011: ICANN launches New gTLD Program
• Mar. 2013: Verisign Labs publishes first in series of research reports analyzing name collision risk
• Aug. 2013: ICANN publishes report on name collision risk
• Oct. 2013: ICANN defines name collision risk management strategy
• Oct. 2013: First new gTLDs delegated
• Dec. 2013: ICANN publishes guidance to IT professionals
• Feb. 2014: JAS Global Advisors publishes Phase One Report on name collision risk management under contract to ICANN
• Mar. 2014: Verisign Labs holds name collisions research workshop, namecollisions.net
• Apr. 2014: Comments due on Phase One Report
• Jun. 2014: Phase Two Report expected
Mitigating Name Collisions: (1) Remediate Installed System
Remediation: ICANN’s Guidance to IT Professionals
Change Installed System to Avoid Potential Name Collisions
Basic steps
• Replace private TLDs, shortened internal domain names with fully qualified global domain names
• Turn off search lists at shared DNS resolvers
• Update application, device configurations
• Train users and administrators
• Revoke certificates with private TLDs
• Monitor, monitor, monitor …
Reference: Guide to Name Collision Identification and Mitigation for IT Professionals. ICANN, December 5, 2013.
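The first, second and fifth steps above all start with the same question: which names does the installed system actually generate? The following added example (not code from the presentation or from ICANN’s guide) audits resolver query-log lines and internal certificate names for the three patterns the guidance targets: queries under a private TLD, unqualified single-label queries that depend on search-list processing, and queries under a newly delegated gTLD. The log lines, the certificate names and the “newly delegated” list are constructed; the private-TLD set beyond “.corp”, “.home” and “.mail” is an assumption to be tuned to your own estate, and the regular expression accepts the two common BIND query-log layouts.

```python
"""Audit resolver query logs and internal certificate names for what ICANN's
guidance asks IT professionals to find and fix: private TLDs, unqualified
(search-list dependent) names, and names under newly delegated gTLDs.

Added example, not code from the presentation or from ICANN's guide. The
log lines, the certificate names and the "newly delegated" list are
constructed; the private-TLD set beyond .corp/.home/.mail is an assumption.
"""
import re
from collections import Counter

# .corp/.home/.mail are named in the deck; the rest are assumed common
# internal suffixes.
PRIVATE_TLDS = {"corp", "home", "mail", "lan", "local", "internal"}

# Constructed stand-in for gTLDs that have just been delegated. ".example"
# is reserved (RFC 2606) and is used only as a placeholder.
NEWLY_DELEGATED_TLDS = {"example"}

# Accepts both common BIND query-log layouts:
#   client 10.1.2.3#51234: query: mail.corp IN A + (10.0.0.53)
#   client 10.1.2.3#51234 (mail.corp): query: mail.corp IN A + (10.0.0.53)
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

REMEDIATION = {   # the guidance's steps, keyed by finding
    "unqualified": "use fully qualified names; turn off search lists",
    "private-tld": "migrate to a registered domain; revoke certificates "
                   "naming the private TLD",
    "now-delegated": "queries that used to fail are now answered externally; "
                     "fix the configuration that generates them",
}


def classify_name(name):
    """Return the risk tags for one DNS name (empty list = no finding)."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) == 1:
        return ["unqualified"]          # completed by the stub's search list
    tags = []
    tld = labels[-1]
    if tld in PRIVATE_TLDS:
        tags.append("private-tld")
    if tld in NEWLY_DELEGATED_TLDS:
        tags.append("now-delegated")    # NXDOMAIN before, a resource record now
    return tags


def audit_query_log(lines):
    """Parse query-log lines and tally findings as
    {tag: Counter({(client, qname): count})}."""
    findings = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        key = (m["client"], m["qname"].rstrip(".").lower())
        for tag in classify_name(m["qname"]):
            findings.setdefault(tag, Counter())[key] += 1
    return findings


def certs_to_revoke(cert_names):
    """Subject/SAN names from internal certificates that reference a private
    TLD; per the guidance these certificates should be revoked and reissued."""
    return sorted(n for n in cert_names if "private-tld" in classify_name(n))


def report(findings):
    """Flatten findings into (tag, client, qname, count, remediation) rows,
    most frequent first."""
    rows = []
    for tag, counter in findings.items():
        for (client, qname), count in counter.most_common():
            rows.append((tag, client, qname, count, REMEDIATION[tag]))
    return sorted(rows, key=lambda r: -r[3])


# Constructed sample log (BIND-style) and constructed certificate names.
SAMPLE_LOG = """\
17-Apr-2014 09:00:01.101 client 10.1.2.3#51234: query: mail.corp IN A + (10.0.0.53)
17-Apr-2014 09:00:01.233 client 10.1.2.3#51235: query: wpad.corp IN A + (10.0.0.53)
17-Apr-2014 09:00:02.004 client 10.1.2.9#40001 (intranet): query: intranet IN A + (10.0.0.53)
17-Apr-2014 09:00:02.510 client 10.1.2.9#40002: query: intranet.example IN A + (10.0.0.53)
17-Apr-2014 09:00:03.100 client 10.1.2.3#51236: query: mail.corp IN AAAA + (10.0.0.53)
17-Apr-2014 09:00:03.700 client 10.1.2.7#33000: query: www.example.net IN A + (10.0.0.53)
""".splitlines()

CERT_NAMES = ["mail.corp", "intranet.corp.example.com", "*.home", "vpn.example.net"]

if __name__ == "__main__":
    for row in report(audit_query_log(SAMPLE_LOG)):
        print(*row, sep="\t")
    print("revoke:", certs_to_revoke(CERT_NAMES))
```

Run it against a day of real resolver logs and the “monitor, monitor, monitor” step becomes concrete: the (client, qname) tallies identify which hosts still generate at-risk queries after each configuration change.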
A Good Remediation: .CBA Case Study
Mitigating Name Collisions: (2) Constrain Global DNS
Constraints: ICANN’s “Alternate Path” of SLD Blocking
Restrict SLD Registrations to Avoid Potential Name Collisions
Basic steps
• Don’t delegate “.corp”, “.home” for now
• Block from registration any SLD that received queries in certain “Day-in-the-Life” annual data sets
• Assume some imply at-risk queries from installed systems
• All but 25 applied-for new gTLDs eligible
• Interim measure until the full name collision management framework is completed
Reference: NGPC Resolution for Addressing the Consequences of Name Collisions. ICANN, October 8, 2013.
Challenging Constraints: SLD Variability
• How to block a moving target?
• 25 applied-for new gTLDs declared ineligible for SLD blocking by ICANN due to high variability
How Much Does Blocking Help?
[Chart: potentially at-risk queries observed for a newly delegated gTLD, without and with required SLD blocking.]
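The two slides above can be put into numbers with a small experiment, added here as an example that is not part of the presentation and is not derived from any DITL data set: build the block list from every SLD queried under a TLD on one reference day, then measure on later days how many at-risk queries the list still covers and how much the SLD set has drifted. The per-day tallies are constructed for one fictional TLD (“.example”, a reserved name); the “high variability” threshold is an assumption for this example, not ICANN’s eligibility criterion.

```python
"""Measure how well an SLD block list built from one day's queries covers
the at-risk queries seen on later days: the "moving target" behind the
SLD-variability objection to the alternate path.

Added example, not from the presentation and not derived from any DITL
data set. The per-day tallies below are constructed for one fictional TLD
(".example", a reserved name); a real block list would be built from
root-server captures.
"""
from collections import Counter

# Constructed: queries per SLD under ".example" on the reference day and
# three later days. Stable service names recur; host-style names churn.
DAYS = {
    "day0": Counter({"mail": 50, "wpad": 40, "intranet": 20, "printer": 5}),
    "day1": Counter({"mail": 48, "wpad": 42, "intranet": 18, "laptop-7f3a": 9, "vpn": 4}),
    "day2": Counter({"mail": 47, "wpad": 39, "laptop-9c10": 12, "laptop-c001": 8, "git": 6}),
    "day3": Counter({"mail": 45, "wpad": 41, "laptop-1b22": 15, "laptop-44ef": 10,
                     "nas": 7, "kiosk": 6}),
}


def jaccard(a, b):
    """Overlap of two SLD sets: 1.0 = identical, 0.0 = disjoint."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b)


def coverage_report(days, reference="day0"):
    """Block every SLD seen on the reference day, then for each day count
    the queries that blocking does and does not protect.

    Without blocking every query is at risk (its SLD may be registered);
    with blocking only queries for SLDs absent from the list remain so."""
    block = frozenset(days[reference])
    report = {}
    for name, day in days.items():
        total = sum(day.values())
        uncovered = sum(c for sld, c in day.items() if sld not in block)
        report[name] = {
            "at_risk_without_blocking": total,
            "at_risk_with_blocking": uncovered,
            "coverage": round(1 - uncovered / total, 3),
            "jaccard_vs_reference": round(jaccard(days[reference], day), 3),
        }
    return report


def high_variability(days, reference="day0", min_coverage=0.75):
    """Flag the TLD when the reference block list covers less than
    `min_coverage` of some later day's queries. The threshold is an
    assumption for this example, not ICANN's eligibility criterion."""
    report = coverage_report(days, reference)
    return any(r["coverage"] < min_coverage
               for name, r in report.items() if name != reference)


if __name__ == "__main__":
    for name, r in coverage_report(DAYS).items():
        print(name, r)
    print("high variability at 0.75:", high_variability(DAYS))
```

In the constructed data the stable service names (“mail”, “wpad”) keep coverage from collapsing, but every host-style name that appears after the reference day is a query the block list never sees; that residue is the “with required SLD blocking” bar in the chart.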
Mitigating Name Collisions: (3) “Notify” System Operators
Notification: JAS Global Advisors’ “Controlled Interruption”
Flag Impending Change in Global DNS to Users, System Administrators to Prompt Remediation
Basic steps
• Don’t delegate “.corp”, “.home”, “.mail” for now
• Return a special IP address (e.g., 127.0.53.53) for a period of time before regular delegations begin
  • For “blocked” SLDs only, for new gTLDs on the “alternate path”
  • For every SLD, for other new gTLDs (“wildcard” record)
• Idea: At-risk queries will fail safely to a loopback address (127.0.53.53 is in 127/8, so the client connects to itself rather than to an outside party); applications may break, but users and system administrators will notice the “interruption”
Reference: Mitigating the Risk of DNS Namespace Collisions: Phase One Report JAS Global Advisors, February 24, 2014.
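The two answer regimes above, and the resolver-side check an operator would run during the interruption period, as an added example that is not code from the presentation or from JAS Global Advisors. A regular-path TLD answers every name with the wildcard record; an alternate-path TLD answers only its blocked SLDs, which also shows the gap raised in the comments that follow (a non-blocked SLD under an alternate-path TLD gets no warning at all). The TLD names (“.example” and “.test”, both reserved), the blocked-SLD list and the observed-name list are constructed; one behaviour is an assumption, namely that an alternate-path TLD answers for names beneath a blocked SLD as well as for the SLD itself.

```python
"""Model the authoritative side of JAS Global Advisors' "controlled
interruption" and a resolver-side check for it.

Added example, not code from the presentation or from JAS. The TLD names
(".example", ".test", both reserved), the blocked-SLD list and the
observed-name list are constructed. One behaviour is an assumption: that
an alternate-path TLD answers for names beneath a blocked SLD as well as
for the SLD itself.
"""
import ipaddress

CONTROLLED_INTERRUPTION_IP = "127.0.53.53"   # address named in the Phase One Report
NXDOMAIN = "NXDOMAIN"
NODATA = "NODATA"


def tld_of(fqdn):
    return fqdn.rstrip(".").lower().split(".")[-1]


class InterruptingTld:
    """A new gTLD during its interruption period.

    blocked_slds=None models the regular path (wildcard: every SLD answers
    127.0.53.53); a set models the alternate path (only blocked SLDs do).
    interrupting=False models the period's end, before any SLD is delegated.
    """

    def __init__(self, tld, interrupting=True, blocked_slds=None):
        self.tld = tld.lower()
        self.interrupting = interrupting
        self.blocked_slds = (None if blocked_slds is None
                             else {s.lower() for s in blocked_slds})

    def answer(self, fqdn):
        labels = fqdn.rstrip(".").lower().split(".")
        if labels[-1] != self.tld:
            return NXDOMAIN
        if len(labels) == 1:
            return NODATA                   # the zone apex has no A record
        if not self.interrupting:
            return NXDOMAIN                 # nothing delegated yet
        sld = labels[-2]                    # the SLD and names under it (assumption)
        if self.blocked_slds is None or sld in self.blocked_slds:
            return CONTROLLED_INTERRUPTION_IP
        return NXDOMAIN


def sentinel_is_loopback():
    """Why the answer "fails safely": 127.0.53.53 is in 127/8, so a client
    that uses it connects to itself rather than to a third party."""
    return ipaddress.ip_address(CONTROLLED_INTERRUPTION_IP).is_loopback


def interrupted_names(observed, tlds):
    """Names (as the resolver actually sends them) that now resolve to the
    interruption address: the signal operators are meant to notice."""
    return sorted(n for n in observed
                  if any(t.answer(n) == CONTROLLED_INTERRUPTION_IP for t in tlds))


def uninterrupted_gaps(observed, tlds):
    """Names under an interrupting TLD that get no interruption answer (e.g.
    non-blocked SLDs of an alternate-path TLD); they collide later without
    the warning."""
    by_tld = {t.tld: t for t in tlds}
    return sorted(n for n in observed
                  if tld_of(n) in by_tld and by_tld[tld_of(n)].answer(n) == NXDOMAIN)


# Constructed scenario.
WILDCARD_TLD = InterruptingTld("example")                              # regular path
ALT_PATH_TLD = InterruptingTld("test", blocked_slds={"mail", "wpad"})  # alternate path
OBSERVED_NAMES = ["intranet.example.", "mail.test.", "printer.test.",
                  "host.mail.test.", "www.example.net."]

if __name__ == "__main__":
    print("loopback:", sentinel_is_loopback())
    print("interrupted:", interrupted_names(OBSERVED_NAMES, [WILDCARD_TLD, ALT_PATH_TLD]))
    print("gaps:", uninterrupted_gaps(OBSERVED_NAMES, [WILDCARD_TLD, ALT_PATH_TLD]))
```

Feeding `interrupted_names` the qualified names taken from a resolver’s query log turns the interruption into an inventory of exactly which internal names still need remediation before regular delegations begin.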
Verisign Comments on Controlled Interruption
Issue 1: Name collision framework not yet provided
Recommendation: Wait until Phase Two Report available and publicly reviewed before implementing
Issue 2: Controlled Interruption untested, may not be effective (e.g., non-blocked SLDs for “alternate path” gTLDs; WPAD and related protocols)
Recommendation: Verify that these cases are covered, based on analysis in full name collision framework
Issue 3: Controlled interruption may break systems not at risk (e.g., if SLD is in use internally, but won’t be registered)
Recommendation: If SLD won’t be registered, give gTLD operator option not to interrupt it
Issue 4: Risk management requires feedback
Recommendation: Collect traffic during interruption period for analysis by research community to assess, improve effectiveness
Reference: Verisign preliminary comments on "Mitigating the Risk of DNS Namespace Collisions" Phase One Report. comments-name-collision-26feb14 discussion thread, March 31, 2014.
Mitigating Name Collisions: (4) Hybrid Approach (up to ~1400 more choices!)
Next Steps
• Phase One Report comment period open through April 21, 2014
• Phase Two Report expected in June – completes name collision management framework
• ICANN to expand outreach to users, system administrators
• Research community analyzing mitigation techniques, proposing long-term improvements
For Further Reading
• SAC045: Invalid Top Level Domain Queries at the Root Level of the Domain Name System. ICANN Security and Stability Advisory Committee, November 15, 2010.
• SAC057: SSAC Advisory on Internal Name Certificates. ICANN Security and Stability Advisory Committee, March 15, 2013.
• New gTLD Security and Stability Considerations. Verisign Labs Technical Report #1130007. Version 2.2, March 28, 2013.
• Danny McPherson. Part 1 of 5; Introduction: New gTLD Security and Stability Considerations. Between the Dots, May 9, 2013.
• Name Collision in the DNS. Interisle Consulting Group. Version 1.5, August 2, 2013.
• New gTLD Collision Risk Mitigation. ICANN, August 5, 2013.
• New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis. Verisign Labs Technical Report #1130008. Version 1.1, August 27, 2013.
• Patrick S. Kane, Thomas C. Indelicarto, and Danny McPherson. Letter to ICANN Board of Directors re: ICANN’s Proposal to Mitigate Name Collision Risks – .CBA Case Study. September 15, 2013.
• New gTLD Collision Occurrence Management. ICANN, October 4, 2013.
• NGPC Resolution for Addressing the Consequences of Name Collisions. ICANN, October 8, 2013.
• Burt Kaliski. Part 2 of 4 – DITL Data Isn’t Statistically Valid for This Purpose. Between the Dots, November 8, 2013.
• Burt Kaliski. Part 3 of 4 – Name Collision Mitigation Requires Qualitative Analysis. Between the Dots, November 13, 2013.
• Guide to Name Collision Identification and Mitigation for IT Professionals. ICANN, December 5, 2013.
• Mitigating the Risk of DNS Namespace Collisions: Phase One Report. JAS Global Advisors, February 24, 2014.
• Burt Kaliski. Uncontrolled Interruption? Dozens of “Blocked” Domains in New gTLDs Actually Delegated. Between the Dots, February 26, 2014.
• Jeff Schmidt. Mitigating the Risk of DNS Name Space Collisions. Presented at Workshop and Prize on Root Causes and Mitigation of Name Collisions (WPNC ’14), London, United Kingdom, March 8-10, 2014.
• Andrew Simpson. Detecting Search Lists in Authoritative DNS. Presented at Workshop and Prize on Root Causes and Mitigation of Name Collisions (WPNC ’14), London, United Kingdom, March 8-10, 2014.
• Matthew Thomas, Yannis Labrou, and Andrew Simpson. The Effectiveness of Block Lists to Prevent Collisions. Presented at Workshop and Prize on Root Causes and Mitigation of Name Collisions (WPNC ’14), London, United Kingdom, March 8-10, 2014.
• Verisign preliminary comments on "Mitigating the Risk of DNS Namespace Collisions" Phase One Report. comments-name-collision-26feb14 discussion thread, March 31, 2014.
© 2014 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.