Sandia's free tool makes Internet domain security easier
- By Kevin McCaney
- Jan 11, 2012
A Sandia National Laboratories computer scientist has developed a free tool that could make life a little easier for network administrators who have to deploy security protocols on their .gov Internet domains.
Casey Deccio’s visualization tool, DNSViz, provides a graphical analysis of a Domain Name System zone, highlighting and describing any configuration errors to help admins fix them, according to a Sandia release.
The idea is to aid admins in deploying DNS Security Extensions, security protocols designed to prevent spoofing of Web addresses by using digital signatures to authenticate DNS data that is returned to users’ queries.
The Office of Management and Budget in 2008 decreed that DNSSEC was to be deployed to all federal systems by December 2009. But for a variety of reasons — technical, budgetary and organizational — agencies were still stuck at 50 percent deployment as of mid-2011.
One problem is that the job isn’t easy, which is where DNSViz comes in.
“DNSSEC is hard to configure correctly and has to undergo regular maintenance,” Deccio said in Sandia’s announcement. “It adds a great deal of complexity to IT systems, and if configured improperly or deployed onto servers that aren’t fully compatible, it keeps users from accessing .gov sites. They just get error responses.”
DNSViz, which can be downloaded here, visually presents “configuration data and relationships that are otherwise difficult to assemble, assess and understand,” Sandia said.
The tool analyzes a domain name by performing DNS lookups, then presents its data via a Web interface, Sandia said. Over time, it builds up a DNSSEC deployment history.
At Sandia, DNSViz runs in the background on the labs' servers, monitoring about 100,000 DNS names and running an analysis a couple of times each day.
You can see a video of Deccio talking about DNSViz here.
DNS translates Internet domain names, such as gcn.com, to numerical IP addresses. But although it has easily scaled with the growth of the Internet, it was never built for security. In 2008, a vulnerability was discovered that would allow attackers to exploit its weaknesses, using tactics such as pharming, cache poisoning and DNS redirection to misdirect traffic.
DNSSEC can prevent those attacks by authenticating DNS data, but it must be deployed to all of the Internet’s domains to be truly effective.
To date, DNSSEC has been successfully deployed to most of the Internet’s largest Top Level Domains, including .com, .gov, .org, .net and .edu. Digitally signing lower domains is the next step — Comcast on Jan. 10 became one of the first Internet service providers to fully deploy the protocols — but that is taking a little longer.
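Signing a lower domain only helps if the parent's DS record matches a DNSKEY the child actually serves; a stale DS left behind after a key rollover is exactly the kind of misconfiguration a tool like DNSViz flags. The following is an added example, not DNSViz code: it implements the RFC 4034 key-tag and DS-digest computations and checks a constructed delegation (the zone name zone.example and the key bytes are placeholders, not real keys).

```python
"""Check a DNSSEC delegation: does each DS in the parent match a DNSKEY in the child?

Added example, not DNSViz code. Names and key bytes are constructed placeholders.
Implements the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4).
"""
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase length-prefixed labels plus root."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (fixed at 3), algorithm, public key (RFC 4034 2.1)."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-RSA/MD5 algorithms)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name wire form || DNSKEY RDATA); type 1 is SHA-1, 2 is SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).digest()

def ds_matches(owner, rdata, ds):
    """True if a DS tuple (key_tag, algorithm, digest_type, digest) covers this DNSKEY."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3]
            and digest == ds_digest(owner, rdata, dtype))

def check_delegation(owner, dnskeys, ds_records):
    """Return key tags of DS records that match no published DNSKEY (a broken chain of trust)."""
    return [ds[0] for ds in ds_records if not any(ds_matches(owner, k, ds) for k in dnskeys)]

# Constructed scenario: the zone rolled its KSK but the parent still publishes the old DS.
OWNER = "zone.example."
OLD_KSK = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")          # key tag 2063
NEW_KSK = dnskey_rdata(257, 8, b"\xaa\xbb\xcc\xdd\xee\xff")
ZSK = dnskey_rdata(256, 8, b"\x10\x20\x30\x40")
STALE_DS = (key_tag(OLD_KSK), 8, 2, ds_digest(OWNER, OLD_KSK, 2))
FRESH_DS = (key_tag(NEW_KSK), 8, 2, ds_digest(OWNER, NEW_KSK, 2))
```

Calling `check_delegation(OWNER, [NEW_KSK, ZSK], [STALE_DS, FRESH_DS])` reports the orphaned key tag 2063, the DS the parent should have withdrawn; real deployments would fetch the DNSKEY and DS RRsets over DNS and also verify the RRSIGs, which this offline check does not do.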
Deccio’s visualization tool could help speed things up.
Kevin McCaney is a former editor of Defense Systems and GCN.