[转载]A Survey of DNS Security：Most Vulnerable and Valuable Assets

The architecture of the legacy DNS greatly helps the attackers. It creates many non-obvious dependencies between names and nameservers, and can enable unexpected nodes to exert great control over remote domains. For example, the resolution of the host www.whitehouse.gov is directly dependent on all the servers that serve the whitehouse.gov domain. There are just seven of these, one of which is a.gov.zoneedit.com. But how does a client figure out the IP address of a.gov.zoneedit.com? For that, it will have to find out the name servers for .com, one of which is a.gtld-servers.net. To figure out the IP address of a.gtld-servers.net, it needs to contact a2.nstld.com. And so on, until the search bottoms out at a root server. In all, the name www.whitehouse.gov is dependent on 40 different nameservers. A compromise in any one of these servers can be used to redirect clients under the right circumstances. The root problem here is that legacy DNS requires a transitive trust relationship, from a name to all its nameservers, and from those nameservers' names to all their nameservers, and so on. These dependencies create a dependency graph (technically it should be a directed acyclic graph culminating in the root servers, but cycles can arise in practice - legacy DNS requires manual administration, and humans make mistakes. See Mockapetris 88 and Pappas 04 for the extent of cyclic delegations). We first examined the size of these graphs, to get a handle on the extent of the trust relationships.

Here are the results of our survey:

• Top-500 most vulnerable names
• Top-200 most vulnerable .COM names
• Top-200 most vulnerable .GOV names
• Top-100 most vulnerable .MIL names
• Top-200 most vulnerable .ORG names
• Top-200 most vulnerable .NET names
• Top-1000 most vulnerable not in the (COM, GOV, MIL, ORG, NET) top level domains
• Average number of dependencies per name in each top level domain

The linked pages rank web servers by the number of nameservers on which they depend. A higher number corresponds to a larger trusted computing base, and thus to a greater set of dependencies, a bigger attack profile, and greater vulnerability. Surely, it is not the case that all of the nameservers are involved in every name resolution involving that web server; caching, network availability, load-balancing decisions and the preferential order in each delegation set together determine the precise set of contacts for each query. However, under the right set of circumstances, say the severence of the wrong set of cables or a targeted link saturation attack, any one of these nodes can end up being queried and thus control the ultimate mapping for that name.

The numbers shown above exclude the DNS root servers, because they are sometimes treated specially at the network level through BGP anycast to a local root replica. To get a true count in most places in North America, one should add 13 to the numbers shown above. If anycasting is used for root queries in your part of the Internet, you should add the appropriate number for the root replicas in use.

The numbers also exclude any domain whose nameservers were down or timed out at the time we performed our survey. They strictly underestimate the level of dependence between names and nameservers. Here are the highlights from the raw data.

• The average DNS name depends on 46 nameservers.
  This is a surprisingly large number (note that it is 59 when the root servers are taken into account).

  We very much doubt if the name owners realize their level of dependence on other nameservers. More than half the names in DNS are served by just two direct nameservers. The administrators who set up these names directly named, and presumably directly trust, just two hosts. However, legacy DNS forces them to have to trust the entire transitive closure of the all names that appear in the physical delegation chains. That transitive closure contains slightly less than four dozen hosts.

• The names in the top level domains .UA, .BY, .AL, .SM, .MT, .MY, .VA, .PL, .IT, in that order, are on average the most vulnerable. Most country code TLDs average more than 100 dependencies per name.
  These numbers depend on the trust decisions made by nameowners in that domain, and should not be seen as a blanket indictment. A competently administered domain, say, .COM, can have a small set of dependencies at the top level, but a name like www.lionscastle.com can nevertheless end up depending on many nameservers due to poor trust decisions made by its administrators.

  On the other hand, some top-level domains are set up such that it is impossible to own a name in that subdomain and not depend on hundreds of nameservers. Ukrainian names seem to suffer from many such dependencies. The most vulnerable name in our survey, www.rkc.lviv.ua, depends on nameservers in the US including Berkeley (adns1.berkeley.edu), NYU (egress.nyu.edu), UCLA (dns.ucla.edu), as well as choice spots spanning the globe: Russia (ns.ipnet.ru), Poland (ns1.IKP.pl), Sweden (A.NS.SE), Norway (x.nic.no), Germany (sun.rhrk.uni-kl.de), Austria (SSS-JP.NIC.at), France (ns2.freenix.fr), England (jasmine.nene.ac.uk), Canada (dns3.ubc.ca), Israel (aliceoy.isracom.net.il), and Australia (ns2.its.monash.edu.au). It could be that the Ukrainian authorities are using the DNS system as a tool of diplomacy to show how much they trust fellow world citizens. But we think it is much more likely that they do not realize their dependence on servers outside their control. A cracker that controls a nameserver at Monash University in Australia can end up controlling the resolution of the web site for the Roman Catholic Church in Ukraine. Legacy DNS creates a small world after all.

• Some people ought to know better.
  www.nsa.gov ranks surprisingly high - it depends on a total of 65 nameservers.

Most Valuable Assets

We model the value of a nameserver as being proportional to the number of hostnames whose resolution that nameserver controls. It is these high profile servers whose compromise would put the largest portions of the DNS namespace in jeopardy. Attackers are likely to focus their energies on such high-leverae servers - the effort to break into a vulnerable nameserver is constant, and breaking into a nameserver that controls a large number of names provides a higher payoff ("0wnage points").

Here are the results of our survey:

• Top-500 most critical nameservers overall

This list identifies the surveys that appear on the most number of delegation graphs for the web sites in our survey. Here are the highlights from the raw data:

• An average nameserver is involved in the resolution of 166 externally visible names.
  This is the number of externally visible names that appear in well-known web directories. It does not include automatically generated DHCP names or other DNS names that receive few, if any, lookups.

• The nameserver ranked 5000 is responsible for 67 hostnames that appear in Yahoo+DMOZ. The nameserver ranked 10000 is responsible for 29 publicly visible websites. The median number of externally visible names served is 4.
  These first two numbers are quite high; the median is modest. While an attacker that targets at random would likely compromise only a few sites, a little bit of targeting can yield nameservers with great leverage. A sample size as large as a few thousand servers provides a huge opportunity to a cracker - we show below that even among the professionally administered nameservers that serve the most popular 1000 websites (as measured by their Alexa ratings), 2% have known vulnerabilities.

• There are many valuable servers operated by institutions that may not be equipped to or willing to take on the DNS task.
  Many of the nameservers in the top-1000 are operated by entities whose primary business is not to provide networking services (e.g. universities, non-profits, and so forth). These institutions, unlike ISPs, typically do not have a financial relationship with the owners of the names they serve, and thus lack the fiduciary incentives for correct, secure service an ISP might have. These institutions take on an additional risk by placing their servers at critical locations in the DNS hierarchy - they may be liable if their servers are taken over and used to launch a DNS redirection attack. And the presence of high value nameservers on relatively soft networks may make the same networks more likely to be targeted.

Known Exploits and Their Impact

As part of our survey, we also collected version information for the nameservers we encountered, where possible. Older versions of nameserver software contain well-documented bugs. We can combine this data with the preceding two studies to determine which names and which nameservers are subject to compromise.

At this time, we are releasing only aggregated data. The link below examines which vulnerabilities are most prevalent.

• List of vulnerabilities and their prevalence

We next examine which names depend on nameservers with known security flaws. Of the 166771 nameservers, 27141 have known vulnerabilities. These vulnerabilities affect 185802 names. A naive expectation might be that, with ~17% vulnerable nameservers, only 17% of the names would be affected. This is patently not the case; transitive trust relationships "poison" every path that passes through an insecure nameserver. Hence 34% of DNS names can be compromised by launching well-known, scripted attacks.

The page below lists web server names whose DNS delegations may be handled by such an insecure nameserver. If a webserver you administer appears in this list and you do not know where the vulnerable web server is, we can identify the offending servers when you contact us with your credentials.

• List of names affected by known vulnerabilities

The fbi.gov domain is served by two machines called dns.sprintip.com and dns2.sprintip.com. A client trying to resolve www.fbi.gov will first have to get to sprintip.com to find the FBI nameservers. The sprintip.com domain is in turn served by three machines named reston-ns[123].telemail.net. Of these machines, reston-ns2.telemail.net is running an old nameserver (BIND8.2.2-p5), with nine different known exploits against it (namely, tsig, libbind, negcache, sigrec, DoS_multi, srv, zxfr, infoleak and sigdiv0 exploits). Having compromised reston-ns2 using a standard crack tool available on the web, an attacker can divert a query for dns.sprintip.com to a malicious nameserver, which can then divert the subsequent query for www.fbi.gov to any other address, hijacking the FBI's web site and services.

Discussion

The main culprit here is the reliance on transitive trust. Security-minded readers will quickly realize that the legacy DNS defines a "speaks-for" graph. A set of nameservers speak for the IP addresses of the names they manage. A different set of nameservers speak for the IP addresses of those nameservers in turn. The graph thus extends until the root servers are reached on all paths or cycles are encountered. All nodes in this name delegation graph can play a role in resolving the desired name - the graph defines the trusted computing base. It is a well-accepted axiom of computer security that a small trusted computing base is highly desirable: it is easier to secure, audit and manage.

Our survey has found that name delegation graphs in DNS commonly grow to be enormous and can include more than 600 nodes. An average name depends on 46 nameservers, while the average in some top-level domains exceeds 300. Since a significant percentage of nameservers contain known security flaws, it is often possible to locate a vulnerable node in the physical delegation graph.

Our study shows that one in three Internet names can be hijacked using publicly-known exploits. This points to a significant common vulnerability: legacy DNS. It is highly unlikely that an attacker can break into a third of the webservers around the globe. Firewalls, hardened kernels, and intrusion detection tools deter direct attacks on web servers. But the legacy DNS enables attackers to hijack one in three sites, thus gaining the ability to masquerade as the original site, obtain access to their clients, potentially collect passwords, and possibly spread misinformation. High-profile domains, including those belonging to the FBI, NSA and US Treasury, are vulnerable because of problems stemming from the way legacy DNS performs delegations.

A better approach is required to achieve name security on the Internet. Deployment of DNSSEC helps, but DNSSEC continues to rely on the same physical delegation chains as legacy DNS during lookups (not for establishing authority, but for service). We believe that the legacy DNS should be complemented with a system that serves cryptographically delegated name-to-address bindings that obviate the entire static nameserver hierarchy.