The progress has been slow and painful, but network managers for government sites on the Internet are on their way to implementing Domain Name System Security Extensions (DNSSEC), a system that lets resolvers verify that the DNS answers they receive for a name are authentic rather than forged. The reason for DNSSEC is that attackers are able to insert bogus DNS information into the network and, as a result, direct users to fraudulent websites.
Unfortunately, DNSSEC is highly complex. Few IT managers understand its workings, and even fewer understand why DNSSEC might fail. This complexity was made worse by the lack of any means of seeing what was happening within the DNSSEC process to discover why things weren’t working. Now, Sandia National Laboratories has developed a tool called DNSViz for visualizing and troubleshooting problems with DNSSEC.
Computer scientist Casey Deccio decided that understanding the ins and outs of DNSSEC was probably beyond the experience of most IT managers, so he designed DNSViz to graphically display the DNS security status of any website, including the full chain of trust down to and including the site itself. Anyone can use the tool to examine their own or any other site. If you use Opera or Firefox to run the tool, you can get detailed information about each step of the trust chain simply by mousing over it.
Deccio also explains the details in a Sandia article, and he demonstrates the tool in a video to give you a better idea of how all of this works. Sandia worked with Comcast to create a site, www.dnssec-failed.org, that has deliberately bad DNSSEC data so that you can compare a properly configured site with one that isn't. DNSViz users need to cut and paste this site address into the tool to view the problems that crop up when DNSSEC is improperly configured. If you want to see what a properly configured secure DNS site looks like, just use the DNSViz tool to look at the Sandia site.
Right now, chances are that your site isn’t configured to take advantage of DNSSEC, but eventually, many sites will be, especially if they handle sensitive data. This might include banks, credit card companies and perhaps even e-commerce sites. Your local motor vehicles department or social services office should eventually be covered anyway if they use the .gov domain. But eventually, most top-level domains will move to DNSSEC if only to mitigate the efforts of online criminals.
Problem is, once you move into DNSSEC, you will need help, and that’s why Deccio developed DNSViz. “It’s a tool for understanding how DNSSEC works and how authentication works in DNSSEC,” Deccio said. “I found this out as we began to validate other people’s signed zones. When problems came up, it was hard to troubleshoot them.”
Setting Up DNSSEC Successfully Requires Preparation
Deccio said that part of the problem is that DNSSEC has several kinds of keys, and keeping them all straight can be confusing. “You have the notion of a DNS key, and it can play several roles,” he explained. “You have key signing keys, zone keys, standby keys, revoked keys. Then there’s the relationship between the different zones. Then there’s the key in the parent zone and links with the child zone.”
Deccio said that what he’s accomplished is to boil everything down into a graphical representation of the trust relationship in the DNS system. The graphics are interactive, and there’s a summary column that gives you the bottom line at a glance. If you have something wrong with your DNSSEC configuration, it shouts “BOGUS” in a big red sign. Regular old DNS is simply listed as insecure.
Even when looking at a plain old DNS site, DNSViz will not only tell you what level of security applies to its address entries, but also which alias names the site points to. When you look at the graphical representation of the trust chain, the levels of trust are indicated, and mousing over the arrows will tell you where the connection stops being trusted, which is probably at the boundary of your organization's own zone. You can also find out which DNS servers are responding, and the display includes both IPv4 and IPv6 DNS entries.
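The status logic the article describes, walking the chain of trust from the root down through the parent's DS records to the child's key-signing key, then its zone-signing keys, and classifying the result as secure, insecure or bogus, as an added example that is not DNSViz's or Sandia's code. The key-tag checksum and DS digest follow RFC 4034 and RFC 4509; the zone data, "public keys" and RRSIG checks (modelled as key-tag membership rather than real signature verification) are constructed stand-ins.

```python
import hashlib

ZONE, SEP = 0x0100, 0x0001   # DNSKEY flag bits (RFC 4034); SEP marks a key-signing key (KSK)

def dnskey_rdata(flags, pubkey):          # flags, protocol 3, algorithm 13 (ECDSAP256SHA256), key
    return flags.to_bytes(2, "big") + bytes([3, 13]) + pubkey

def key_tag(flags, pubkey):
    # RFC 4034 Appendix B checksum; RRSIG and DS records use it to name the key they refer to.
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(dnskey_rdata(flags, pubkey)))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_digest(owner, flags, pubkey):
    # DS digest type 2 (RFC 4509): SHA-256 over the canonical wire-format owner name + DNSKEY RDATA.
    wire = b"".join(bytes([len(l)]) + l.encode() for l in owner.lower().split(".") if l) + b"\0"
    return hashlib.sha256(wire + dnskey_rdata(flags, pubkey)).hexdigest()

def validate_chain(zones, trust_anchor_ds):
    """zones runs from the root down to the answer's zone; each has name, keys [(flags, pubkey)],
    child_ds (digests it publishes for the next zone) and key-tag sets dnskey_sigs / data_sigs that
    stand in for RRSIGs over its DNSKEY RRset and over the next link (constructed, no real crypto)."""
    ds_set = set(trust_anchor_ds)
    for z in zones:
        if not ds_set:
            return "insecure"   # parent proved there is no DS: unsigned delegation, i.e. plain DNS
        vouched = {key_tag(f, p) for f, p in z["keys"] if f & SEP and ds_digest(z["name"], f, p) in ds_set}
        if not vouched & z["dnskey_sigs"]:
            return "bogus"      # a DS exists but no key it points to signed the DNSKEY RRset
        trusted = {key_tag(f, p) for f, p in z["keys"] if f & ZONE}   # DNSKEY RRset verified: ZSKs now trusted
        if not trusted & z["data_sigs"]:
            return "bogus"      # next link is not signed by a trusted key
        ds_set = set(z["child_ds"])
    return "secure"

def build_chain(fault=None):
    # Constructed toy chain . -> org. -> example.org.; byte strings stand in for public keys.
    zones = []
    for name, ksk, zsk in [(".", b"root-ksk", b"root-zsk"), ("org.", b"org-ksk", b"org-zsk"),
                           ("example.org.", b"ex-ksk", b"ex-zsk")]:
        zones.append({"name": name, "keys": [(ZONE | SEP, ksk), (ZONE, zsk)], "child_ds": [],
                      "dnskey_sigs": {key_tag(ZONE | SEP, ksk)}, "data_sigs": {key_tag(ZONE, zsk)}})
    for parent, child in zip(zones, zones[1:]):
        parent["child_ds"] = [ds_digest(child["name"], f, p) for f, p in child["keys"] if f & SEP]
    if fault == "no_ds":        # org. publishes no DS for example.org.: an unsigned delegation
        zones[1]["child_ds"] = []
    if fault == "stale_ds":     # DS in org. still points at a KSK that example.org. rolled away
        zones[1]["child_ds"] = [ds_digest("example.org.", ZONE | SEP, b"old-ksk")]
    return zones, [ds_digest(".", ZONE | SEP, b"root-ksk")]
```

The "stale_ds" case is the kind of parent/child mismatch the article's dnssec-failed.org demo exists to show: the delegation is signed, so a validator cannot fall back to insecure, and the answer is marked bogus.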
The good news about DNSSEC is that it exists and that most sites that are at risk of attack can use it. The bad news is that using DNSSEC isn’t something done casually. It requires careful planning along with some actual training of your IT staff if you have any hope of getting it right. But the rewards, such as not having a DNS-based attack to contend with, are considerable.
Fortunately, Sandia National Labs has decided to make DNSViz available to the public, so anyone can check to see where they stand with regard to DNS security. Deccio said that he's planning to keep expanding the functionality of DNSViz, although he will need some additional resources to do this.
He also said that he's planning to make it easier to incorporate DNSViz into automated security systems. "It's a work in progress, and I'm hoping to expand the scope," Deccio said. "I'd like people to have a programmatic interface. If you could plug into an API, you could have a regular monitoring system."