rasd
DESCRIPTION
RASD. Rapid Adaptive Secure DNS. Matthew Weaver, Jeremy Witmer. Dr. Chow, Advising. CS 622 – Fall 2007. Overview. We designed and implemented a scalable system to secure DNS traffic on a local network. System Design Goals. Create trusted channels for name record information exchange
TRANSCRIPT
RASD
Rapid Adaptive Secure DNS

Matthew Weaver
Jeremy Witmer

Dr. Chow, Advising
CS 622 – Fall 2007
12.5.07 2RASD - Weaver/Witmer - CS622

Overview

We designed and implemented a scalable system to secure DNS traffic on a local network

System Design Goals

1. Create trusted channels for name record information exchange
2. Rapid server-side push updates for cached client name records

Data Exchange Format

DNS traffic is UDP
Keep UDP on the client
Client/Server communication is XML over SSL

Client Software

Listen and respond to local DNS queries, with caching
Listen for server-pushed name record updates

Server Software

Listen for client DNS queries and respond, with caching
Wait for name record updates, and push to registered clients
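
The flow on the Data Exchange Format, Client Software and Server Software slides, sketched as an added example that is not from the RASD presentation or prototype: parse a local UDP DNS query, wrap the question in XML for the server, and let a server reply or pushed update overwrite the cached record. The XML element names (`query`, `record`, `name`, `type`, `address`) and the function and class names are assumptions, and the SSL transport is left out so the block runs offline.

```python
import struct
import xml.etree.ElementTree as ET

def parse_query(packet):
    """Return (txid, qname, qtype) from a one-question UDP DNS query."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        n = packet[pos]
        if n > 63 or pos + 1 + n > len(packet):  # also rejects compression pointers
            raise ValueError("bad label")
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    if pos + 5 > len(packet):  # terminator + QTYPE + QCLASS must be present
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return txid, ".".join(labels), qtype

def query_to_xml(qname, qtype):
    """Build the request sent upstream; element names are assumed, not RASD's."""
    q = ET.Element("query")
    ET.SubElement(q, "name").text = qname
    ET.SubElement(q, "type").text = str(qtype)
    return ET.tostring(q)

class RecordCache:
    def __init__(self):
        self.records = {}

    def apply_record(self, doc):
        """Store a server reply or pushed update, replacing any cached value."""
        if b"<!DOCTYPE" in doc or b"<!ENTITY" in doc:
            raise ValueError("DTD and entity declarations are not accepted")
        r = ET.fromstring(doc)
        name, qtype, addr = (r.findtext(t) for t in ("name", "type", "address"))
        if None in (name, qtype, addr):
            raise ValueError("incomplete record")
        self.records[(name.lower(), int(qtype))] = addr
        return name.lower(), int(qtype)

    def lookup(self, qname, qtype):
        return self.records.get((qname, qtype))

# Constructed sample: A query for "Agilent.com", txid 0x1a2b, RD set.
SAMPLE_QUERY = (bytes.fromhex("1a2b01000001000000000000")
                + b"\x07Agilent\x03com\x00" + b"\x00\x01\x00\x01")
```
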

Prototype Results

Hostname                RASD Lookup Time (s)    Windows Client Lookup Time (s)
homestead.com           0.343                   0.156
flickr.com              0.25                    0.109
ncf.com                 0.468                   0.234
stockmarketenews.com    0.546                   0.234
petroflexna.com         0.593                   0.234
pnanet.com              0.5                     0.234
nia.com                 0.546                   0.25
agilent.com             0.406                   0.062
peyamner.com            0.359                   0.062
yahoo.com               0.156                   0.078
flbb.com                0.859                   0.468
blogspot.com            0.671                   0.234
AVERAGE                 0.534                   0.187

Prototype Results

Domain Name    RASD Average (s)    WinClient Average (s)
google.com     0.0368              0.0666
compusa.com    0.0342              0.0728
agilent.com    0.01475             0.0635
amazon.com     0.0244              0.0604
yahoo.com      0.0229              0.0524

Average Time for 10 DNS Queries

Further Research

Extended DNS handling
RASD Server discovery
Automatic Client Installation
SCOLD Environment testing
Standardized entry caching

Conclusion

The architecture is valid
The implementation needs extension and refactoring
Numerous options for further research