Sandia's free tool makes Internet domain security easier

A Sandia National Laboratories computer scientist has developed a free tool that could make life a little easier for network administrators who have to deploy security protocols on their .gov Internet domains.

Casey Deccio’s visualization tool, DNSViz, provides a graphical analysis of a Domain Name System zone, highlighting and describing any configuration errors to help admins fix them, according to a Sandia release.

The idea is to aid admins in deploying DNS Security Extensions, security protocols designed to prevent spoofing of Web addresses by using digital signatures to authenticate DNS data that is returned to users’ queries. 

The Office of Management and Budget in 2008 decreed that DNSSEC was to be deployed to all federal systems by December 2009. But for a variety of reasons — technical, budgetary and organizational — agencies were still stuck at 50 percent deployment as of mid-2011.

One problem is that the job isn’t easy, which is where DNSViz comes in.

“DNSSEC is hard to configure correctly and has to undergo regular maintenance,” Deccio said in Sandia’s announcement. “It adds a great deal of complexity to IT systems, and if configured improperly or deployed onto servers that aren’t fully compatible, it keeps users from accessing .gov sites. They just get error responses.”

DNSViz, which can be downloaded here, visually presents “configuration data and relationships that are otherwise difficult to assemble, assess and understand,” Sandia said.
 
The tool analyzes activity with a domain name by performing DNS lookups, then presents its data via Web interface, Sandia said. Eventually, it develops a DNSSEC deployment history.

At Sandia, DNSViz runs in the background on the labs' servers, monitoring about 100,000 DNS names and doing an analysis a couple times each day.

You can see a video of Deccio talking about DNSViz here.

DNS translates Internet domain names, such as gcn.com, to numerical IP addresses. But although it has easily scaled to the growth of the Internet, it never was built for security. In 2008, a vulnerability was discovered that would allow attackers to exploit its weaknesses, using tactics such as pharming, cache poisoning and DNS redirection to misdirect traffic.

DNSSEC can prevent those attacks by authenticating DNS data, but it must be deployed to all of the Internet’s domains to be truly effective.
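As an added illustration, not code from Sandia or from DNSViz, of the chain of trust that lets DNSSEC authenticate DNS data and of the kind of mismatch that leaves users with error responses: a toy validator in Go. It assumes simplified record structures rather than the RFC 4034 wire format, one constructed zone key for `example.gov.` serving as both KSK and ZSK, and constructed A records; the function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Illustrative stand-ins for DNSSEC records (not RFC 4034 wire format); one zone key plays both KSK and ZSK roles so the chain parent DS -> child DNSKEY -> RRSIG stays short.
type DNSKEY struct{ Owner string; Pub *ecdsa.PublicKey }
type RRset struct{ Owner, Type string; Data []string }

// newZoneKey makes a constructed P-256 key pair for a zone (the curve DNSSEC algorithm 13 uses).
func newZoneKey(owner string) (*ecdsa.PrivateKey, DNSKEY) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only on a broken RNG
	return priv, DNSKEY{owner, &priv.PublicKey}
}

// dsDigest mimics a DS record: the parent zone publishes a hash of the child's key.
func dsDigest(k DNSKEY) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(strings.ToLower(k.Owner)+string(k.Pub.X.Bytes())+string(k.Pub.Y.Bytes()))))
}

// canonical gives signer and validator identical bytes regardless of record order or name case.
func canonical(rr RRset) []byte {
	d := append([]string(nil), rr.Data...)
	sort.Strings(d)
	sum := sha256.Sum256([]byte(strings.ToLower(rr.Owner) + "|" + rr.Type + "|" + strings.Join(d, "|")))
	return sum[:]
}

// sign produces the RRSIG-like signature over the RRset with the zone's private key.
func sign(priv *ecdsa.PrivateKey, rr RRset) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, canonical(rr))
	return sig
}

// validate is the resolver's view: the parent's DS must match the child's DNSKEY and the RRSIG must verify under it; either failure makes a validating resolver answer SERVFAIL.
func validate(parentDS string, key DNSKEY, rr RRset, sig []byte) error {
	if dsDigest(key) != parentDS {
		return fmt.Errorf("DS in parent does not match child DNSKEY: broken chain of trust")
	}
	if !ecdsa.VerifyASN1(key.Pub, canonical(rr), sig) {
		return fmt.Errorf("RRSIG does not verify: bogus or stale data")
	}
	return nil
}
```

A DS digest that no longer matches the child's published key, typically left behind after a key rollover, is the case the first check catches; a signature made with a different key or over different data fails the second.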

To date, DNSSEC has been successfully deployed to most of the Internet’s largest Top Level Domains, including .com, .gov, .org, .net and .edu. Digitally signing lower domains is the next step — Comcast Jan. 10 became one of the first Internet service providers to fully deploy the protocols — but that is taking a little longer.

Deccio’s visualization tool could help speed things up.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.