A new internet naming system [Electronic resource] / submitted by Gert Pfeifer

English
175 Pages

Published 01 January 2009
Language English
Document size 2 MB
A New Internet Naming System

DISSERTATION for the attainment of the academic degree Doktoringenieur (Dr.-Ing.)

submitted by Dipl.-Inf. Gert Pfeifer
born 30.07.1979 in Meissen

submitted on 15 April 2009 to the Technische Universität Dresden, Fakultät Informatik

Reviewers:
Prof. Christof Fetzer, Ph.D., Institut Systemarchitektur, Technische Universität Dresden
Prof. Pascal Felber, Ph.D., Institut d'informatique, Université de Neuchâtel

Date of defence: 21 September 2009
Dresden, 26 September 2009

Abstract

In this thesis I describe my research activities and results of the last 4 years. I also provide an outlook and guidelines on how to proceed with our project, which we named SEDNS - Security-Enhanced Domain Name System. This project's ambition is to complement DNS, the Domain Name System, in a way that allows us to keep using it in the future. The main reason for this strategy is that it has proven to be difficult to change any part of the Internet infrastructure, such as parts of the protocol stack or well-established Internet authorities like ICANN or IANA.

The main problems of DNS are twofold. (1) The DNS protocol does not contain any measures to prevent data from being tampered with. (2) Furthermore, it is difficult to configure DNS correctly, since most of the configuration is done within the DNS data itself, e.g., delegating authority. It is well known that DNS problems lead to reduced availability of Internet-based services in many different ways.

In this thesis, I present four main results. All of them contribute to improvements and a deeper understanding of DNS' dependability issues. First, I discuss how well-established cryptographic tools can be used to enhance DNS' security without running into the same problems that prevent DNSSEC from being globally deployed. These problems are explained as well. This is an important topic for the Internet and DNS community, since at the moment most of the protocol improvements are connected to DNSSEC. Second, I thoroughly discuss the technique that was used in recent years to overcome problems related to client-server architectures, i.e., peer-to-peer systems. Such solutions have been proposed to improve DNS' availability and reduce configuration effort. I show that those systems do not live up to the expectations, neither as client-side tools nor as a server infrastructure replacement. To reach this conclusion, a novel DHT scheme has been developed; its evaluation is shown as well. Third, results of our DNS data mining show that it is useful to improve the quality of DNS data and therefore to protect clients from malicious or erroneous information. And fourth, an outlook is presented which combines the results of the first three points to suggest an architecture that can indeed improve our supply of DNS data, avoiding the shortcomings of the classical client-server architecture and its peer-to-peer replacements. Note that although the development of future DNS standards and protocols is subject to political struggle, e.g., on whether or not an international organization should maintain the root zone instead of the USA, this thesis focuses only on technical aspects.
Contents

List of Figures ..... vii
List of Tables ..... x
List of Listings ..... xi

1 Introduction ..... 1
1.1 DNS Overview ..... 2
1.2 DNS Data: Consistency and Correctness ..... 6
1.3 Access Network ..... 6
1.3.1 Caching ..... 7
1.4 Security Considerations ..... 7
1.5 Summary ..... 8

2 DNS Problems ..... 11
2.1 Query Processing ..... 11
2.2 DNS Architecture ..... 11
2.2.1 DNS Usage ..... 12
2.3 DNS Performance ..... 14
2.3.1 Server-side Problems ..... 15
2.3.2 Client-side Problems ..... 17
2.4 DNS Security Flaws ..... 20
2.4.1 Trust Model ..... 20
2.4.2 Trusted Hosts Mechanism ..... 21
2.4.3 Common Attacks on DNS ..... 22
2.5 DNSSEC ..... 25
2.5.1 DNSSEC Weaknesses ..... 26
2.6 Alternatives to DNSSEC ..... 27
2.6.1 The Secure Socket Layer (SSL) ..... 28
2.6.2 Cache Poisoning Countermeasures ..... 29
2.6.3 The Proxy Approach ..... 29
2.6.4 Nym-Based Security ..... 33
2.7 Conclusion ..... 33

3 DNS Data Characteristics ..... 35
3.1 Related Work ..... 35
3.2 DNS Data Mining ..... 37
3.3 Measurements ..... 39
3.3.1 Architecture ..... 40
3.3.2 Map/Reduce Example ..... 43
3.3.3 Results ..... 46

4 Peer-to-Peer Approaches ..... 63
4.1 Introduction to Peer-to-Peer Systems ..... 64
4.1.1 Unstructured Peer-to-Peer Systems ..... 65
4.1.2 Structured Peer-to-Peer Systems ..... 66
4.1.3 Locality-Aware Structured Peer-to-Peer Networks ..... 74
4.1.4 Hybrid Approaches ..... 77
4.1.5 Membership Approaches ..... 78
4.1.6 Summary ..... 80
4.2 Using Peer-to-Peer Systems for Low Latency Services ..... 80
4.3 Administrative Control and Autonomy in Structured Peer-to-Peer Overlays ..... 84

5 DNSPastry ..... 87
5.1 Main Objectives ..... 87
5.1.1 Configuration Issues ..... 88
5.1.2 DoS Attacks ..... 88
5.1.3 Data Integrity Problems ..... 89
5.1.4 Advantages of Extending Pastry ..... 90
5.1.5 Security of Entries ..... 90
5.2 Design ..... 91
5.2.1 Hierarchical Rings ..... 92
5.2.2 Caching ..... 94
5.2.3 Composability with Legacy Products ..... 95
5.2.4 Registrars ..... 95
5.3 Implementation ..... 96
5.4 Performance Problems ..... 96
5.4.1 Performance of the Application in PlanetLab ..... 96
5.4.2 Simulation with Transit-Stub Topologies ..... 96
5.4.3 Building Realistic Topologies with TopDNS ..... 109
5.4.4 Stretch of P2P Systems on TopDNS-Based Realistic Topologies ..... 118
5.4.5 Summary ..... 127

6 A Cluster-Based Internet Naming System ..... 129
6.1 Motivation ..... 129
6.1.1 Data Mining ..... 130
6.2 Main Problems ..... 132
6.2.1 Scalability ..... 133
6.2.2 Bootstrapping ..... 135
6.3 Architecture ..... 135
6.3.1 Access Network ..... 136
6.3.2 Data Mining ..... 138
6.3.3 Continuous Map/Reduce Examples ..... 139
6.4 Summary ..... 142

7 Conclusion ..... 145
7.1 Scientific Publications ..... 146
7.1.1 Awards ..... 146
7.2 Future Work ..... 146
7.2.1 Evaluation of DNS Server Behavior ..... 146
7.2.2 Hierarchical Pull-Caches for the Cloud ..... 147
7.2.3 Timeout Adaption for Local Resolvers ..... 148
7.2.4 Stable Hash Maps and Continuous Map/Reduce ..... 149

References ..... 149

8 Acknowledgements ..... 161

List of Figures

2.1 Infrastructure overview: components needed to resolve a DNS request ..... 15
2.2 Typical error rates observable in the PlanetLab [PPPW04] ..... 18
2.3 Typical error reasons indicated by error rate characteristics [PPPW04] ..... 19
2.4 A cache poisoning attack without message interception or malicious authoritative name server ..... 24
2.5 A DNS-based denial of service amplification ..... 26
2.6 Local resolution of 12.000 names ..... 32
2.7 Remote resolution of 12.000 names ..... 32
3.1 MapReduce overview ..... 41
3.2 Overall architecture ..... 43
3.3 Map phase: the owner names of A records and the RDATA sections of NS records are used as keys ..... 45
3.4 Reduce phase ..... 46
3.5 DNS server software popularity ..... 52
3.6 DNS name label count distribution ..... 53
3.7 DNS name label length distribution ..... 54
3.8 DNS resource record type distribution ..... 55
3.9 Relative popularity of www vs. no-www approach ..... 56
3.10 Relative popularity of www approach – CNAME vs. A ..... 57
4.1 Performance of SFR on top of Chord [WBS04] ..... 64
4.2 Comparison of average answer time without caching ..... 83
5.1 SHA-1 hashes as node IDs ..... 91
5.2 Hierarchical hashes of peer names ..... 91
5.3 Leaf set structure for hierarchical hashes ..... 92
5.4 Proxies (grey nodes) connected to the root ring. One ID digit represents one DNS label. ..... 93
5.5 Subdomains can be attached to their parent domain or the root ring. One ID digit represents one DNS label. ..... 94
5.6 Certification chain for a node ..... 95
5.7 Stretch measured from planetlab1.sfc.wide.ad.jp ..... 97
5.8 Routing information for node 02312 ..... 102
5.9 Comparison of Pastry, DNSPastry, Chord ..... 106
5.10 DNSPastry average stretch ..... 108
5.11 Success rate of node name resolution and measurement ..... 113
5.12 Number of pings sent by each landmark vs. successful pings ..... 114
5.13 Standard deviation of landmark measurements ..... 115
5.14 Nodes measured with sufficient precision vs. outliers in total numbers ..... 116
5.15 Nodes measured with sufficient precision vs. outliers ..... 117
5.16 Pairwise relative error for d+1 landmarks ..... 118
5.17 Pairwise relative error for different numbers of landmarks ..... 119
5.18 Pairwise relative error of the most precise solutions ..... 120
5.19 Ratio of names per TLD over second level subdomains in this TLD ..... 121
5.20 Average number of hops and round trip time ..... 123
5.21 Stretch on a TopDNS topology ..... 124
5.22 Number of third level subdomains per top level domain in our trace ..... 125
5.23 Pairwise distances of nodes within the same TLD ..... 126
5.24 Pairwise distances of nodes within the same second level domains ..... 127
6.1 Balancing problems with SHA-1 on DNS names with 256 buckets, graph ignores popularity of names ..... 134
6.2 Top-level architecture of a cluster solution ..... 136
6.3 Cluster selection, two routing tables: content-based vs. proximity-based ..... 137
6.4 False positive probability for Bloom filters, figure made by Zbigniew Jerzak ..... 138
6.5 Data mining in VNodes ..... 139
7.1 Comparison of default TTLs and validity of one version of a zone in seconds ..... 148

List of Tables

3.1 CNAME chains and cycles of given length ..... 56
3.2 Results of our search for open mail relays ..... 58
4.1 Structured overlays, reasons for being presented here ..... 68
4.2 DNSPastry: selected features ..... 80
5.1 Measured statistics for DNS name-based transit-stub topologies ..... 116
6.1 Some examples for improving correctness issues automatically ..... 131
6.2 Number of items per bucket: DHT versus stable hash map, 256 buckets ..... 133
6.3 Number of items per bucket: hash algorithm comparison, 256 buckets ..... 134
6.4 Number of items per bucket, taking popularity of DNS names into account ..... 135