The Domain Name System and Internet Still Survive
Presented by: Ao-Jan Su

Please clarify
• Section 4: Two recent surveys by Pappas and Ramasubramanian… most domain names are served by a small number of nameservers.
• Abstract: The survey shows that a typical name depends on 46 servers on average.
• Which one is correct?

Ordered Records (Large TCB is not an important issue)
1. Most DNS queries use the first entry in the ordered list
2. It is very unlikely to ask Rochester for Cornell’s IP address

;; QUESTION SECTION:
;cornell.edu.                   IN  A

;; ANSWER SECTION:
cornell.edu.        86400       IN  A   128.253.161.179

;; AUTHORITY SECTION:
cornell.edu.        432000      IN  NS  dns.cit.cornell.edu.
cornell.edu.        432000      IN  NS  cudns.cit.cornell.edu.
cornell.edu.        432000      IN  NS  simon.cs.cornell.edu.
cornell.edu.        432000      IN  NS  bigred.cit.cornell.edu.
cornell.edu.        432000      IN  NS  cayuga.cs.rochester.edu.

Hijack FBI (DNS design’s fault?)
• reston-ns2.telemail.net is running an old nameserver (BIND 8.2.4)
• It is a vulnerability of the software (server), NOT of the design of DNS.
• This problem can be easily detected and corrected (by periodically scanning the versions of BIND on the nameservers and keeping the software up to date)
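
The periodic version scan suggested on this slide could look like the sketch below, which is an added example and not part of the original slides. It classifies answers to `version.bind` CHAOS TXT queries against a site baseline; the `example.org` hosts, all answer strings, and `MIN_VERSION` are assumptions made for illustration.

```python
import re

# Constructed sample data: nameserver -> raw answer as printed by
#   dig +short chaos txt version.bind @<nameserver>
# Only the first host and its 8.2.4 version come from the slide; the exact
# answer strings and the example.org hosts are made up for this example.
SAMPLE_ANSWERS = {
    "reston-ns2.telemail.net": '"8.2.4-REL"',
    "ns1.example.org": '"9.18.24"',
    "ns2.example.org": '"not disclosed"',  # operator overrides the string
    "ns3.example.org": "",                 # timeout or REFUSED
}

# Assumed site policy, not a vendor recommendation.
MIN_VERSION = (9, 18, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(txt):
    """Return (major, minor, patch) from a version.bind answer, or None."""
    m = VERSION_RE.search(txt.strip().strip('"'))
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(txt, minimum=MIN_VERSION):
    """'outdated', 'ok', or 'unknown' when no version can be read."""
    version = parse_version(txt)
    if version is None:
        # Hidden or unreachable: needs an out-of-band check, not a pass.
        return "unknown"
    return "outdated" if version < minimum else "ok"


def audit(answers, minimum=MIN_VERSION):
    """Classify every nameserver in the inventory."""
    return {host: classify(txt, minimum) for host, txt in sorted(answers.items())}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_ANSWERS).items():
        print(f"{host:28} {status}")
```

The version string is operator-configurable, so an "ok" result is only a hint and an "unknown" result should be followed up through package inventory on the server itself.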

OK, .edu and .org are Lazy
• But this also implies that hackers have very little interest in hijacking these domains.
• Or cs.northwestern.edu would have been hijacked by now!
• The same reasoning goes for Ukraine, Belarus, San Marino, Malta…
• BTW, can you give me some examples of domains with .aero and .int?

Conclusion
• Don’t blame DNS for the vulnerabilities (bugs) of BIND
• TCB is not a good representation of daily DNS operations (extreme conditions should not carry the same weight as normal cases)
• However, I agree that .edu and .org nameservers should update their BIND as soon as possible