The system the internet relies on to direct web traffic needs to be revamped to thwart spammers and identity thieves, concludes a report released on Thursday.
The Domain Name System (DNS) is a distributed network of servers that contain records mapping each domain name 鈥 such as www.newscientist.com) to an internet protocol address 鈥 such as 194.203.155.123. When surfers request websites, their browsers refer first to those records.
But DNS records are currently susceptible to denial-of-service (DoS) and spoofing attacks, says the report, which was funded by the US National Academies, the Department of Commerce and National Science Foundation. 鈥淭he continued successful operation of the DNS is not assured: many forces are challenging DNS鈥檚 future,鈥 it says.
Advertisement
In June 2004, a DoS attack exploited the reliance on the DNS to bring down sites including Microsoft.com, Yahoo.com and Google.com for over two hours. To make such DOS attacks harder to mount, the report calls for a large increase in the number of 鈥渃opy鈥 DNS servers, distributed throughout the world.
Poisoned caches
Identity thieves also spoof DNS records by 鈥減oisoning鈥 a cache of the records held by internet service providers. Poisoning could make the URL of a banking website, for example, point to a bogus site set up by fraudsters.
Once a redirect of this type is established, fraudsters send out emails, seemingly from the bank in question, inviting customers to the fake site where they are asked to 鈥渃onfirm鈥 their account details. These so-called 鈥減harming鈥 attacks have been on the rise recently as email users have become more vigilant to phishing attacks 鈥 which use emails to dupe users directly.
To fight pharming, the report calls for the wide deployment of a security protocol called DNS Security Extensions (DNSSEC) that digitally signs and verifies every DNS mapping using cryptographic keys.
鈥淒NSSEC, once widely deployed, would deprive pharmers of a wide variety of tools,鈥 says John Klensin, an independent consultant based in Cambridge, Massachusetts, US, who contributed to the report.
Avoiding pornography
The report also calls for a series of changes in the way people use the DNS. For example, it warns people not to guess domain names, if they do not want to be redirected to malicious or pornographic sites.
鈥淭he belief is that the guessing of DNS names is a good way to find things,鈥 says Klensin. But in fact this merely plays into the hands of pornographers and fraudsters who buy up names that resemble popular site addresses, such as www.whitehouse.com, which once hosted an adult site.
The review also recommends that the DNS 鈥渃ontinue to be run by a non-governmental body鈥, in order to prevent censorship. This would mean abandoning recent suggestions put forward by the UN to transfer control to an intergovernmental coalition.
But some experts point out that the report鈥檚 suggestion is inconsistent with the current situation, as the DNS is controlled by the Internet Corporation for Assigned Names and Numbers (ICANN), which reports directly to the US government.
Free market
Much better, says California-based Karl Auerbach, a former member of ICANN, would be to have a free market for DNS servers run by many different private companies. People could choose which DNS servers they used, according to the quality of the service and the websites they wanted to visit 鈥 some could promise not to provide records for pornography sites, for example.
Auerbach says this would make the system harder to attack 鈥 if one set of servers go down, people would just use another set. 鈥淭here is this false notion that the DNS has to be this single, uniform, worldwide namespace,鈥 he says.
He is also sceptical of DNSSEC, because he says adding protocols means it will take the system much longer to re-load if it goes down. 鈥淚f it takes longer to recover, is it more or less secure?鈥 he asks.