what if central dns servers are blown up ?

Simon Waters Simon at wretched.demon.co.uk
Sun Feb 17 21:57:47 UTC 2002


skybuck wrote:
> 
> > I think far bigger threats exist to the Internet infrastructure
> > than physical destruction of all the servers at the same time.
> 
> Can you name a few and take away my ignorance about that ? :)

Well technically it is off topic, and discussing such things in
public doesn't always help the situation! One DNS related issue
has already been made very public so...

Probably the worst feature of the current DNS is the huge
dependence most top level domains have on a large number of
servers giving correct information.

DJB explains this on http://cr.yp.to, but it is a little terse;
DJB assumes his readers are intelligent enough to understand the
implications for themselves.

For example, take one close to home. To get a correct answer for
"gov.uk" we rely on UK nameservers (4), as well as the root
servers (13).

ns.uu.net.
ns0.ja.net.
ns1.nic.uk.
ns.eu.net.

gov.uk name servers (7):

ns3.ja.net.
ns4.ja.net.
ns-ja.pipex.net.
ns0.ja.net.
ns1.cs.ucl.ac.uk.
ns1.surfnet.nl.
ns2.ja.net.

But how do we find ns1.surfnet.nl? Well we rely on nl name
servers (6):

sunic.sunet.se.
auth02.ns.uu.net.
ns.eu.net.
ns.domain-registry.nl.
ns2.nic.fr.
ns2.domain-registry.nl.

A little imagination shows that by using even one DNS server
outside your own part of the DNS hierarchy, you are then at the
mercy of the servers and DNS configuration for that domain.

I haven't done the sums for gov.uk, I make it 29 already without
looking, but it looks like the number involved is about to
explode if we start looking closer. Of course hardly anyone ever
looks up just "gov.uk", so we have at least one more tier of
name servers and related servers...

So if any one of those servers is compromised by an attacker, or
the attacker otherwise managed to impersonate one of these
servers, then they can potentially hijack the "gov.uk" domain,
and give spurious answers for any subdomain, or intercept e-mail
for any such domain. The smaller the change, the longer before
someone will notice it.

The problem doesn't affect the .com/.net domains particularly.

One might also comment that physical security of some boxes
involved may be an issue.

For historical reasons many of these domains are hosted on
servers at Universities, which, whilst Universities often have
very good security, are often not going to take the same
precautions as, say, an online banking provider, although
indirectly they may be responsible for far more valuable
traffic.

Worse still, the level of monitoring of DNS is such that even a
very crude change, turning a slave into a master for a zone it
is responsible for and changing relevant data, might well go
unnoticed for a considerable period. Whereas it is possible to
make quite subtle changes that would likely go undetected unless
someone was specifically checking the data was consistent from
all servers involved, which would syphon off a copy of all the
mail to a specific domain.
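The sums the post leaves undone, as an added example that is not from the post or from any of the operators named in it: a small Python script that takes a delegation table built from the lists above (plus constructed placeholder servers for the TLDs the post does not list) and computes the transitive set of zones and name servers that must all answer correctly for gov.uk, treating a server named inside its own zone as glue and the root server names as coming from the resolver's hints file.

```python
from collections import deque
# Delegations listed in the post (root count, uk, gov.uk, nl); the root names are
# the standard a-m.root-servers.net hint names.
POST_ZONES = {
    ".": [f"{c}.root-servers.net." for c in "abcdefghijklm"],
    "uk.": ["ns.uu.net.", "ns0.ja.net.", "ns1.nic.uk.", "ns.eu.net."],
    "gov.uk.": ["ns3.ja.net.", "ns4.ja.net.", "ns-ja.pipex.net.", "ns0.ja.net.",
                "ns1.cs.ucl.ac.uk.", "ns1.surfnet.nl.", "ns2.ja.net."],
    "nl.": ["sunic.sunet.se.", "auth02.ns.uu.net.", "ns.eu.net.",
            "ns.domain-registry.nl.", "ns2.nic.fr.", "ns2.domain-registry.nl."],
}
# Constructed placeholders for TLDs the post does not list, to show the growth.
EXTRA_ZONES = {"net.": ["x1.placeholder.net.", "x2.placeholder.net."],
               "se.": ["x1.placeholder.se."], "fr.": ["x1.placeholder.fr."]}

def zone_chain(name, delegations):
    # Zones consulted, root first, to look up NAME; a zone missing from the
    # table is treated as served by its closest known parent.
    labels = [] if name == "." else name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:]) + "."
        if zone in delegations:
            chain.append(zone)
    return chain

def dependencies(name, delegations, root_hints=True):
    # Transitive closure of zones and name servers that must all answer correctly
    # for NAME. A server named inside the zone it serves is covered by glue; one
    # outside it (ns1.surfnet.nl for gov.uk) pulls in that zone's servers, whose
    # names must resolve in turn. Root names come from the hints file, not DNS.
    zones, servers = set(), set()
    hints = set(delegations["."]) if root_hints else set()
    pending = deque([name])
    while pending:
        current = pending.popleft()
        if current in hints:
            continue
        for zone in zone_chain(current, delegations):
            if zone in zones:
                continue
            zones.add(zone)
            for server in delegations[zone]:
                if server not in servers:
                    servers.add(server)
                    pending.append(server)
    return zones, servers

if __name__ == "__main__":  # distinct servers needed for gov.uk: post's lists, then with placeholders
    print([len(dependencies("gov.uk.", t)[1]) for t in (POST_ZONES, {**POST_ZONES, **EXTRA_ZONES})])
```

On the post's own lists it finds 28 distinct servers across four zones, since ns0.ja.net and ns.eu.net each serve two of the zones; every further TLD modelled adds its servers to the set.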


More information about the bind-users mailing list