Sandia cyber project looks to help IT professionals with complex DNS vulnerabilities

Jan 11, 2012
Sandia computer scientist Casey Deccio developed a software tool called DNSViz to help network administrators with Domain Name System (DNS) vulnerabilities. DNSViz provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace. Credit: Dino Vournas

Sandia National Laboratories computer scientist Casey Deccio has developed a visualization tool known as DNSViz to help network administrators within the federal government and global IT community better understand Domain Name System Security (DNSSEC) and to help them troubleshoot problems.

DNSSEC is a security feature mandated to all by the White House's Office of Management and Budget (OMB). The mandate, issued in 2008, requires that "the top level .gov domain will be DNSSEC-signed, and processes to enable secure delegated sub-domains will be developed."

The entity that serves to translate the hostname of a Uniform Resource Locator (URL) into an Internet Protocol (IP) address is known as the (DNS). A DNS "lookup" is a prerequisite for doing almost anything on the Internet, including Web browsing, emailing or videoconferencing.

This video is not supported by your browser at this time.
Deccio discussing the DNSViz tool

Although the mandate made perfect sense, said Deccio, there soon emerged a problem when .gov organizations actually began deploying DNSSEC.

"DNSSEC is hard to configure correctly and has to undergo regular maintenance," he said. "It adds a great deal of complexity to IT systems, and if configured improperly or deployed onto servers that aren't fully compatible, it keeps users from accessing .gov sites. They just get error responses."

The still-new DNSSEC is designed to allow user applications like to ensure that the IP addresses they have received from the DNS have not been "spoofed" by anyone with ill intent. As such, Internet-connected systems within the government can verify that the responses are authoritative and have not been altered. Still, the hiccups with implementing DNSSEC convinced Deccio that there was a need for a tool like DNSViz.

DNSViz – helping the IT professional "see" the problems

DNS, said Deccio, is inherently insecure. Without DNSSEC, tampering by third-party attackers could go undetected, thus redirecting online communications to unwanted destinations. This represents a particularly troublesome problem for .gov addresses owned by government organizations guarding national security information and other vital data.

Deccio believes DNSSEC is of little use if network administrators don't know how to configure or use it.

He describes DNSViz as a "tool for visualizing the status of a DNS zone." It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, made available via a Web browser to any Internet user (http://dnsviz.net/). It visually highlights and describes configuration errors detected by the tool to assist administrators in identifying and fixing DNSSEC-related configuration problems.

DNSViz brings together all the components that work together for DNSSEC to function properly into a single graphical representation. The resulting visualization is a collection of configuration data and relationships that are otherwise difficult to assemble, assess and understand.

To help in their DNSSEC deployment, Sandia's DNSViz tool functions in two primary ways: It actively analyzes a domain name by performing pertinent DNS lookups, and it makes the analysis available via the Web interface. The active analysis occurs periodically to build a history of DNSSEC deployment over time and provide a historical reference for DNS administrators.

Currently, the Web interface is the primary source for viewers to observe data, though Deccio intends to expand DNSViz functionality to allow access via other means. For example, alert mechanisms might be used to inform affected parties, and application programming interfaces (API) can be designed to allow administrators to programmatically access the information instead of manually browsing the DNSViz website.

Deccio has the tool running in the background on Sandia/California's servers, monitoring a list of some 100,000 DNS names. It performs an analysis a couple of times each day and offers a situational awareness of what the DNS configuration for each name looks like from top to bottom.

Though the functionality provided by DNSViz could potentially be included in a marketable software product that's sold by a for-profit company, Deccio says he envisions it as an open-source tool available to anyone who needs it. With further funding, he hopes to expand the tool so that it can analyze DNS health and security on a continuous basis, essentially creating a full-blown monitoring system that is scalable, versatile and more informational.

Explore further: The internet was delivered to the masses; parallel computing is not far behind

Related Stories

Internet upgraded to foil cyber crooks

Jul 29, 2010

The Internet has undergone a key upgrade that promises to stop cyber criminals from using fake websites that dupe people into downloading viruses or revealing personal data.

Researchers devise new method of detecting botnets

Mar 25, 2011

(PhysOrg.com) -- With the threat of Botnets increasing, researchers in the Department of Electrical and Computer Engineering at Texas A&M University have devised a new method to detect their activity.

IronPort Revamps Security Monitoring Site

May 22, 2007

IronPort Systems has revised its Internet traffic monitoring Web site, a resource for IT staffers searching for a real-time view into security threats.

ICANN chief to leave at end of term

Aug 17, 2011

The head of the Internet Corporation for Assigned Names and Numbers (ICANN), the global body which manages the technical infrastructure of the Web, has announced he will not seek another term.

Recommended for you

Hacking Gmail with 92 percent success

9 hours ago

(Phys.org) —A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, have identified a weakness believed to exist in Android, Windows ...

User comments : 0