A new internet naming system [Elektronische Ressource] / eingereicht von Gert Pfeifer

175 pages

English

A new internet naming system [Elektronische Ressource] / eingereicht von Gert Pfeifer

technische_universitat_dresden - Gert Pfeifer

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

175 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

A New Internet Naming SystemDISSERTATIONzur Erlangung des akademischen GradesDoktoringenieur (Dr.-Ing.)eingereicht vonDipl.-Inf. Gert Pfeifergeboren am 30.07.1979 in Meissenvorgelegt am 15. April 2009 an derTechnischen Universitat¨ DresdenFakultat¨ InformatikGutachter: Prof. Christof Fetzer, Ph.D. Prof. Pascal Felber, Ph.D.Institut Systemarchitektur Institut d’informatiqueTechnische Universitat¨ Dresden Universite´ de NeuchatelˆTag der Verteidigung: 21. September 2009Dresden, 26. September 2009iiiiiAbstractIn this thesis I describe my research activities and results of the last 4 years. I also provide anoutlook and guidelines on how to proceed with our project, that we named SEDNS - Security-Enhanced Domain Name System. This project’s ambitions are to complement DNS, the DomainName System, in a way that allows us to keep using it in the future. The main reason for thisstrategy is, that it has proven to be difﬁcult to change any part of the Internet infrastructure, suchas parts of the protocols stack or well established Internet authorities, like ICANN or IANA.The main problems of DNS are twofold. (1) The DNS protocol does not contain any measures toprevent data from being tampered with. (2) Furthermore, it is difﬁcult to conﬁgure DNS correctlysince most of the conﬁguration is done within the DNS data itself, e.g., delegating authority.

Sujets

Informatik

Informations

Publié par	technische_universitat_dresden
Publié le	01 janvier 2009
Nombre de lectures	9
Langue	English
Poids de l'ouvrage	2 Mo

Extrait

Gutachter:

A New Internet Naming System

DISSERTATION zur Erlangung des akademischen Grades Doktoringenieur (Dr.Ing.)

eingereicht von Dipl.Inf. Gert Pfeifer

geboren am 30.07.1979 in Meissen

vorgelegt am 15. April 2009 an der Technischen Universität Dresden Fakultät Informatik

Prof. Christof Fetzer, Ph.D. Institut Systemarchitektur Technische Universität Dresden

Tag der Verteidigung: 21. September 2009 Dresden, 26. September 2009

Prof. Pascal Felber, Ph.D. Institut d’informatique Université de Neuchâtel

Abstract

iii

In this thesis I describe my research activities and results of the last 4 years. I also provide an outlook and guidelines on how to proceed with our project, that we named SEDNS  Security Enhanced Domain Name System. This project’s ambitions are to complement DNS, the Domain Name System, in a way that allows us to keep using it in the future. The main reason for this strategy is, that it has proven to be difﬁcult to change any part of the Internet infrastructure, such as parts of the protocols stack or well established Internet authorities, like ICANN or IANA. The main problems of DNS are twofold. (1) The DNS protocol does not contain any measures to prevent data from being tampered with. (2) Furthermore, it is difﬁcult to conﬁgure DNS correctly since most of the conﬁguration is done within the DNS data itself, e.g., delegating authority. It is well known that DNS problems lead to reduced availability of Internetbased services in many different ways. In this thesis, I present four main results. All of them contribute to improvements and deeper understanding of DNS’ dependability issues. First, I discuss, how well established cryptographic tools can be used to enhance DNS’ security without getting into the same problems that prevent DNSSEC from being globally deployed. These problems are explained as well. This is an important topic for the Internet and DNS community, since at the moment most of the protocol improvements are connected to DNSSEC. Second, I thoroughly discuss the technique that was used in the recent years to overcome any problems related to clientserver architectures, i.e., peertopeer systems. Such solutions have been proposed to improve DNS’ availability and reduce conﬁguration effort. I show, that those systems do not keep up with the expectations, neither as client side tools nor as server infras tructure replacement. To reach this conclusion, a novel DHT scheme has been developed. The evaluation of it is shown as well. Third, results of our DNS data mining show that it is useful to improve the quality of DNS data and therefore, to protect clients from malicious or erroneous information. And fourth, an outlook is presented, which combines all the results of the ﬁrst three points to suggest an architecture that indeed can improve our supply with DNS data, omitting the shortcomings of the classical clientserverarchitecture and its peertopeer replacements. Note, that although the development of future DNS standards and protocols is subject to political struggle, e.g., on whether or not an international organization should maintain the root zone instead of the USA, this thesis focuses only on technical aspects.

Contents

List of ﬁgures

List of tables

List of listings

Introduction 1.1 DNS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2 DNS Data: Consistency and Correctness . . . . . . . . . . . . . . . . . . . . . 1.3 Access Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.1 Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4 Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

DNS Problems Query Processing . . . . . . . . . . . . . . . . DNS Architecture . . . . . . . . . . . . . . . . 2.2.1 DNS Usage . . . . . . . . . . . . . . . DNS Performance . . . . . . . . . . . . . . . . 2.3.1 Serverside Problems . . . . . . . . . . 2.3.2 Clientside problems . . . . . . . . . . DNS Security Flaws . . . . . . . . . . . . . . 2.4.1 Trust Model . . . . . . . . . . . . . . . 2.4.2 Trusted Hosts Mechanism . . . . . . . 2.4.3 Common Attacks on DNS . . . . . . . DNSSEC . . . . . . . . . . . . . . . . . . . . 2.5.1 DNSSEC weaknesses . . . . . . . . . . Alternatives to DNSSEC . . . . . . . . . . . . 2.6.1 The Secure Socket Layer (SSL) . . . . 2.6.2 Cache Poisoning Countermeasures . . . 2.6.3 The Proxy Approach . . . . . . . . . . 2.6.4 NymBased Security . . . . . . . . . . Conclusion . . . . . . . . . . . . . . . . . . .

2.1 2.2 2.3 2.4 2.5 2.6 2.7

. . . . . . . . . . . . . . . . . .

vii

1 2 6 6 7 7 8

11 11 11 12 14 15 17 20 20 21 22 25 26 27 28 29 29 33 33

CONTENTS

DNS Data Characteristics 3.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 DNS Data Mining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3 Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.1 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.2 Map/Reduce Example . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Peertopeer approaches 4.1 Introduction to PeertoPeer systems . . . . . . . . . . . . . . . . . . . . . . . 4.1.1 Unstructured PeertoPeer Systems . . . . . . . . . . . . . . . . . . . 4.1.2 Structured PeertoPeer Systems . . . . . . . . . . . . . . . . . . . . . 4.1.3 LocalityAware Structured PeertoPeer Networks . . . . . . . . . . . 4.1.4 Hybrid Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.1.5 Membership approaches . . . . . . . . . . . . . . . . . . . . . . . . . 4.1.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Using PeertoPeer systems for low latency services . . . . . . . . . . . . . . . 4.3 Administrative Control and Autonomy in Structured PeertoPeer Overlays . .

5.1 5.2 5.3 5.4

DNSPastry Main Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1.1 Conﬁguration Issues . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1.2 DoS Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1.3 Data Integrity Problems . . . . . . . . . . . . . . . . . . . . . . . . 5.1.4 Advantages of Extending Pastry . . . . . . . . . . . . . . . . . . . . 5.1.5 Security of Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2.1 Hierarchical Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2.2 Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2.3 Composability with Legacy Products . . . . . . . . . . . . . . . . . 5.2.4 Registrars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Performance Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.4.1 Performance of the Application in PlanetLab . . . . . . . . . . . . . 5.4.2 Simulation with TransitStubTopologies . . . . . . . . . . . . . . . 5.4.3 Building Realistic Topologies with TopDNS . . . . . . . . . . . . . . 5.4.4 Stretch of P2P Systems on TopDNSBased Realistic Topologies . . . 5.4.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . .

A ClusterBased Internet Naming System 6.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.1 Data Mining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.2 Main Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.2.1 Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

35 35 37 39 40 43 46

63 64 65 66 74 77 78 80 80 84

87 87 88 88 89 90 90 91 92 94 95 95 96 96 96 96 109 118 127

129 129 130 132 133

CONTENTS

6.3

6.4

6.2.2 Bootstrapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.3.1 Access Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.3.2 Data Mining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.3.3 Continuous Map/Reduce Examples . . . . . . . . . . . . . . . . . . . Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Conclusion 7.1 Scientiﬁc publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.1 Awards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2.1 Evaluation of DNS Server Behavior . . . . . . . . . . . . . . . . . . . 7.2.2 Hierarchical PullCaches for the Cloud . . . . . . . . . . . . . . . . . 7.2.3 Timeout Adaption for Local Resolvers . . . . . . . . . . . . . . . . . . 7.2.4 Stable Hash Maps and Continuous Map/Reduce . . . . . . . . . . . . .

References

Acknowledgements

vii

135 135 136 138 139 142

145 146 146 146 146 147 148 149

149

161

viii

CONTENTS

List of Figures

2.1 2.2 2.3 2.4

2.5 2.6 2.7

3.1 3.2 3.3

3.4 3.5 3.6 3.7 3.8 3.9 3.10

4.1 4.2

5.1 5.2 5.3 5.4

5.5

5.6 5.7 5.8

Infrastructure overview: components needed to resolve a DNS request . . . . . Typical error rates observable in the PlanetLab [PPPW04] . . . . . . . . . . . Typical error reasons indicated by error rates characteristics [PPPW04. . . .] . A cache poisoning attack without message interception or malicious authorita tive name server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A DNSbased denial of service ampliﬁcation . . . . . . . . . . . . . . . . . . local resolution of 12.000 names . . . . . . . . . . . . . . . . . . . . . . . . . remote resolution of 12.000 names . . . . . . . . . . . . . . . . . . . . . . . .

MapReduce overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Overall architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Map phase: The owner names of A records and the RDATA sections of NS records are used as keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reduce phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DNS server software popularity . . . . . . . . . . . . . . . . . . . . . . . . . DNS name label count distribution . . . . . . . . . . . . . . . . . . . . . . . . DNS name label length distribution . . . . . . . . . . . . . . . . . . . . . . . DNS recourse record type distribution . . . . . . . . . . . . . . . . . . . . . . Relative popularity of [Pleaseinsertintopreamble] www vs. nowww approach . Relative popularity of www approach – CNAME vs. A . . . . . . . . . . . . .

Performance of SFR on top of Chord. [WBS04] . . . . . . . . . . . . . . . . . Comparison of average answer time without caching . . . . . . . . . . . . . .

SHA1 Hashes as node IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hierarchical hashes of peer names . . . . . . . . . . . . . . . . . . . . . . . . Leaf set structure for hierarchical hashes . . . . . . . . . . . . . . . . . . . . . Proxies (grey nodes) connected to the root ring. One ID digit represents one DNS label. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Subdomains can be attached to their parent domain or the root ring. One ID digit represents one DNS label. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Certiﬁcation chain for a node . . . . . . . . . . . . . . . . . . . . . . . . . . . stretch measured from planetlab1.sfc.wide.ad.jp . . . . . . . . . . . . . . . . . Routing information for node 02312 . . . . . . . . . . . . . . . . . . . . . . .

15 18 19

24 26 32 32

41 43

45 46 52 53 54 55 56 57

64 83

91 91 92

94 95 97 102

5.9 5.10 5.11 5.12 5.13 5.14 5.15 5.16 5.17 5.18 5.19 5.20 5.21 5.22 5.23 5.24

6.1

6.2 6.3 6.4 6.5

7.1

LIST OF FIGURES

Comparison of Pastry, DNSPastry, Chord . . . . . . . . . . . . . . . DNSPastry average stretch . . . . . . . . . . . . . . . . . . . . . . . success rate of node name resolution and measurement . . . . . . . . Number of pings send by each landmark vs. successful pings . . . . . standard deviation of landmark measurements . . . . . . . . . . . . . Nodes measured with sufﬁcient precision vs. outliers in total numbers Nodes measured with sufﬁcient precision vs. outliers . . . . . . . . . Pairwise relative error for d+1 landmarks . . . . . . . . . . . . . . . Pairwise relative error for different numbers of landmarks . . . . . . . Pairwise relative error of the most precise solutions . . . . . . . . . . Ratio of names per TLD over second level subdomains in this TLD . . Average Number of Hops and round trip time . . . . . . . . . . . . . Stretch on a TopDNS topology . . . . . . . . . . . . . . . . . . . . . Number of third level subdomains per top level domain in our trace . . Pairwise distances of nodes within the same TLD . . . . . . . . . . . Pairwise distances of nodes within the same second Level Domains .

. . . . . . . . . . . . . . . .

Balancing problems with a SHA1 on DNS names with 256 buckets, graph nores popularity of names . . . . . . . . . . . . . . . . . . . . . . . . . . . TopLevel architecture of a cluster solution . . . . . . . . . . . . . . . . . Cluster selection, two routing tables: contentbased vs. proximitybased . . False positive probability for bloom ﬁlters, Figure made by Zbigniew Jerzak Data mining in VNodes . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

ig . . . . . . . . . .

Comparison of default TTLs and validity of one version of a zone in seconds

106 108 113 114 115 116 117 118 119 120 121 123 124 125 126 127

134 136 137 138 139

148

List of Tables

3.1 3.2

4.1 4.2

5.1

6.1 6.2 6.3 6.4

CNAME chains and cycles of given length . . . . . . . . . . . . . . . . . . . . Results of our search for open mail relays . . . . . . . . . . . . . . . . . . . .

Structured overlays, reasons for being presented here. . . . . . . . . . . . . . . DNSPastry: selected features . . . . . . . . . . . . . . . . . . . . . . . . . . .

56 58

68 80

measured statistics for DNS namebased transitstubtopologies . . . . . . . . 116

Some examples for improving correctness issues automatically . . . . . . . . . Number of items per bucket: DHT versus stable hash map, 256 buckets . . . . Number of items per bucket: Hash Algorithm comparison, 256 buckets . . . . . Number of items per bucket, taking popularity of DNS names into account . . .

131 133 134 135