
Page 1: RASD

RASD: Rapid Adaptive Secure DNS

Matthew Weaver, Jeremy Witmer

Dr. Chow, Advising. CS 622 – Fall 2007

Page 2: RASD

12.5.07 RASD - Weaver/Witmer - CS622

Overview

We designed and implemented a scalable system to secure DNS traffic on a local network.

Page 3: RASD

System Design Goals

1. Create trusted channels for name record information exchange
2. Rapid server-side push updates for cached client name records

Page 4: RASD

Data Exchange Format

- DNS traffic is UDP
- Keep UDP on the client
- Client/Server communication is XML over SSL

Page 5: RASD

Client Software

- Listen and respond to local DNS queries, with caching
- Listen for server-pushed name record updates

Page 6: RASD

Server Software

- Listen for client DNS queries and respond, with caching
- Wait for name record updates, and push to registered clients
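As an added illustration (not code from the RASD project), the client-side pieces the Data Exchange Format, Client Software and Server Software slides describe: extracting the question from a local UDP DNS query, a name record cache, and applying a server-pushed update received over the SSL channel. The XML element layout, the function names and the sample packet are assumptions, since the deck shows no schema or code.

```python
import struct
import xml.etree.ElementTree as ET

def parse_question(packet):
    """Return (name, qtype) from a raw UDP DNS query (RFC 1035 wire format);
    malformed or truncated packets raise ValueError rather than being guessed at."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("need a DNS header with exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length, pos = packet[pos], pos + 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(packet):
            raise ValueError("bad label")  # pointers are not valid in a question name
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels).lower(), {1: "A", 28: "AAAA"}.get(qtype, str(qtype))

class RecordCache:
    """Client-side name record cache keyed by (name, type) with absolute expiry."""
    def __init__(self):
        self._records = {}
    def lookup(self, name, rtype, now):
        entry = self._records.get((name.lower(), rtype))
        if entry is None or entry[1] <= now:
            return None  # miss or expired: forward the query to the RASD server
        return entry[0]

    def apply_push(self, xml_bytes, now):
        """Apply a server-pushed <update>; feed this only from the authenticated
        SSL channel, since it overwrites whatever the client answers locally."""
        root = ET.fromstring(xml_bytes)
        if root.tag != "update":
            raise ValueError("not an update message")
        for rec in root.findall("record"):
            key = (rec.get("name").lower(), rec.get("type"))
            self._records[key] = (rec.text.strip(), now + int(rec.get("ttl")))
        return len(root.findall("record"))

# Constructed sample input (not from the deck): a UDP DNS query for example.com/A and a push message in an assumed XML layout.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")
PUSH_UPDATE = b'<update><record name="example.com" type="A" ttl="300">192.0.2.10</record></update>'
```

Times are plain integers here so expiry can be checked deterministically; a real client would pass time.time().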

Page 7: RASD

Prototype Results

Hostname              RASD Lookup Time (s)   Windows Client Lookup Time (s)
homestead.com         0.343                  0.156
flickr.com            0.25                   0.109
ncf.com               0.468                  0.234
stockmarketenews.com  0.546                  0.234
petroflexna.com       0.593                  0.234
pnanet.com            0.5                    0.234
nia.com               0.546                  0.25
agilent.com           0.406                  0.062
peyamner.com          0.359                  0.062
yahoo.com             0.156                  0.078
flbb.com              0.859                  0.468
blogspot.com          0.671                  0.234
AVERAGE               0.534                  0.187

Page 8: RASD

Prototype Results

Domain Name   RASD Average (s)   WinClient Average (s)
google.com    0.0368             0.0666
compusa.com   0.0342             0.0728
agilent.com   0.01475            0.0635
amazon.com    0.0244             0.0604
yahoo.com     0.0229             0.0524

Average Time for 10 DNS Queries

Page 9: RASD

Further Research

- Extended DNS handling
- RASD Server discovery
- Automatic Client Installation
- SCOLD Environment testing
- Standardized entry caching

Page 10: RASD

Conclusion

- The architecture is valid
- The implementation needs extension and refactoring
- Numerous options for further research
