Survey on DNS configurations, interdependencies, resilience and security for *.ke domains

James G. Kagwe, M. Masinde
Published in: ACM DEV '12, 2012-03-11
DOI: 10.1145/2160601.2160632 (https://doi.org/10.1145/2160601.2160632)
Citations: 2

Abstract

Statistics and research work show that the legacy DNS as used today is slow, vulnerable to denial-of-service attacks, and does not support fast updates. To further compound this problem, configuring the DNS is complex, and most of its implementations in use on many web servers are insecure. Consequently, Internet resources hosted on such servers have been subject to attacks of every kind. The *.ke domains have had a good share of such attacks; for example, 103 Government of Kenya websites (.go.ke) were recently (January 2012) hacked in one night. In this paper, we present the results of a survey of the *.ke domains whose main objective was to establish whether the DNS configurations for the *.ke domains met the minimum setup configurations for security, resilience and interdependencies. Our focus on the three aspects was informed by the fact that these aspects are responsible for most DNS implementation shortcomings and, by extension, for most of the vulnerabilities and consequent attacks. To achieve this objective, 2,000 *.ke domains were collected through newspapers and magazines, posters and billboards, the Internet, email directories and the main *.ke domain registrant KENIC. The dig and nslookup utilities were then used to drill down into their configuration aspects, such as primary and DNS servers, the DNS application running on them, the dependencies among the DNS servers, geographical location, MX records and web servers.

The results indicated very low compliance with the standard DNS configuration requirements, making *.ke domains non-resilient to failure, vulnerable (over 60%) and overly insecure. Other findings were that 40% of the domains were hosted by 2 name servers and a further 46% of the domains interrogated were hosted by a paltry 8 name servers. Of the 768 servers queried for their DNS applications, 574 responded with the DNS application type and version; displaying such private information predisposes the server to attacks. It was also found that, on average, a *.ke domain DNS server depends on 234 DNS servers and that some domains had only one DNS server.

The study revealed major gaps in the way the DNS servers for *.ke domains are configured and questioned the capacity of those tasked with configuring these servers. Cryptographic solutions like IPSEC and NSIG were recommended to secure the DNS servers. Awareness campaigns and capacity building on the importance of DNS and the security issues surrounding it, aimed at the technicians tasked with configuring the servers, were also recommended. These findings were then used to inform the development of a web-based step-by-step DNS Configuration Tool. The latter is an online, highly technical guide that administrators can use to check whether their DNS server(s) are properly set up to take care of configuration, resilience and interdependency issues that may render the domain insecure and unavailable.