DNSCurve: Usable security for DNS



DNS query espionage

Attackers can easily watch the DNS queries that your computer is sending through the network. For example, if your computer looks up the address of www.cancertreatment.net, attackers can see that your computer is looking up that address.

How do attackers spy on your DNS queries? Answer: The packets that your computer sends through the network are physically broadcast (by wireless 802.11 or wired Ethernet) to every computer near yours, to every computer near the server, and to many computers in between. Are you confident that attackers from around the world haven't broken into any of these computers? Cisco estimated in 2008 that Storm, one of today's active botnets, had seized control of "potentially tens of millions of systems" around the Internet. Perhaps you've managed to keep your computer secure, but it is extremely unlikely that all of the nearby computers are secure.

Normally each computer is listening only for packets addressed to it. However, a computer can instead sniff the network, watching every packet that flies by. Try running the following dnsoutloud script on a Linux machine with the standard tcpdump, text2wave, and play utilities installed:

   #!/bin/sh
   # dnsoutloud: speak every A-record query that crosses the local network.
   # Needs tcpdump (packet capture requires root), text2wave (festival)
   # and play (sox). The field numbers below ($14 == "A?", $15 = the name)
   # match tcpdump's -e -n output for an IPv4/UDP query on port 53; check
   # them against a bare "tcpdump -l -n -e port 53" on your system first.
   # "-W interactive" is mawk's line-buffering switch; with gawk, add an
   # fflush() call after the print instead.
   lastwhen=0
   tcpdump -l -n -e port 53 \
   | awk -W interactive '{if ($14 == "A?") print $15}' \
   | while read domain
   do
     when=`date +%s`
     # speak at most one name every two seconds; only print the others
     if [ `expr $when - $lastwhen` -gt 2 ]
     then
       tput bold; echo "address request for $domain (audio on)"; tput sgr0
       # drop a leading "www." and hand the name to the speech synthesizer
       echo " $domain" | sed 's/www\.//' | text2wave | play -t wav - >/dev/null 2>&1
       lastwhen=`date +%s`
     else
       tput bold; echo "address request for $domain (audio paused temporarily)"; tput sgr0
     fi
   done
Warning: If you value your health, do not run this script in an Internet cafe.
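The script above shows the problem audibly; the example below shows it byte by byte. It is an added example, not code from this page or from the DNSCurve project: it builds an ordinary one-question DNS query for a constructed sample name and then decodes it exactly as any host on the path could, since an unencrypted query on port 53 carries the transaction id, the flags, the name and the record type in the clear. The sample name and type table are constructed for illustration.

```python
import struct

# Constructed sample name for this example; nothing here is captured traffic.
SAMPLE_NAME = "www.cancertreatment.net"
QTYPE_NAMES = {1: "A", 28: "AAAA", 15: "MX", 16: "TXT"}


def encode_name(name: str) -> bytes:
    """DNS wire form of a name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """One-question query with RD set, as a stub resolver sends it to port 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes) -> dict:
    """Decode the fields an observer reads from an unencrypted query payload."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:          # the root label terminates the name
            pos += 1
            break
        if length >= 64:         # 0xC0.. are compression pointers; never valid in a question
            raise ValueError("invalid label length or compression pointer in question")
        if pos + 1 + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if pos + 4 > len(packet):
        raise ValueError("truncated question type/class")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {
        "txid": txid,
        "is_query": not (flags & 0x8000),   # QR bit clear means this is a query
        "name": ".".join(labels),
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": qclass,
    }


if __name__ == "__main__":
    wire = build_query(SAMPLE_NAME)
    print(f"{len(wire)} bytes on the wire:", wire.hex())
    print("readable by every host on the path:", parse_query(wire))
```

The parser rejects truncated packets and compression pointers in the question name rather than guessing, which is the behaviour you want in any tool that inspects DNS traffic it did not generate itself.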

How does DNSSEC help?

It doesn't. DNSSEC does nothing at all to protect the privacy of the DNS queries that your computer is sending through the network. RFC 4033 says "Due to a deliberate design choice, DNSSEC does not provide confidentiality."

How does DNSCurve help?

DNSCurve encrypts DNS query packets. An attacker who sees a DNS query won't be able to understand it. He can still gain information from "traffic analysis" (seeing when you're sending packets and how long the packets are) but will not be shown the packet contents.
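The traffic-analysis caveat is easy to underestimate, so here is an added illustration of it; this is not code from the DNSCurve project. It models an encrypted query as the plaintext query plus a fixed per-packet overhead (the 68-byte constant is an assumption made for this example, not a figure from this page) and asks, for a constructed list of candidate names, which ones an observer could single out from packet length alone. It then repeats the question with the plaintext padded up to a multiple of 64 bytes before encryption, a general mitigation; whether and how a given deployment pads is outside what this page states.

```python
# Constructed candidate list; an observer who knows a user visits one of
# these sites can try to tell which one from the encrypted packet's length.
CANDIDATES = [
    "www.cancertreatment.net",
    "www.example.com",
    "www.wikipedia.org",
    "mail.google.com",
    "news.bbc.co.uk",
]

# Assumed fixed overhead per encrypted query: magic bytes, client public key,
# nonce and authenticator. Illustrative only; not taken from this page.
QUERY_OVERHEAD = 8 + 32 + 12 + 16


def dns_query_length(name: str) -> int:
    """Wire length of an unencrypted one-question query: header, name, type, class."""
    labels = name.rstrip(".").split(".")
    return 12 + sum(1 + len(label) for label in labels) + 1 + 4


def encrypted_length(plaintext_len: int, pad_to: int = 1) -> int:
    """Length on the wire after padding the plaintext to a multiple of pad_to
    and adding the fixed overhead. pad_to=1 means no padding."""
    padded = -(-plaintext_len // pad_to) * pad_to   # round up to a multiple of pad_to
    return QUERY_OVERHEAD + padded


def group_by_length(names, pad_to: int = 1) -> dict:
    """Map each encrypted packet length to the candidate names producing it."""
    groups = {}
    for name in names:
        size = encrypted_length(dns_query_length(name), pad_to)
        groups.setdefault(size, []).append(name)
    return groups


def uniquely_identified(names, pad_to: int = 1) -> list:
    """Names whose encrypted length matches no other candidate: length alone reveals them."""
    return sorted(
        name
        for group in group_by_length(names, pad_to).values()
        if len(group) == 1
        for name in group
    )


if __name__ == "__main__":
    for pad in (1, 64):
        print(f"padding to multiples of {pad} bytes:")
        for size, names in sorted(group_by_length(CANDIDATES, pad).items()):
            print(f"  {size} bytes -> {names}")
        print("  identified by length alone:", uniquely_identified(CANDIDATES, pad))
```

Without padding, three of the five names produce a length no other candidate shares, so the ciphertext hides the bytes but not the identity of the query. Padding to a 64-byte multiple puts all five into one length bucket, at the cost of larger packets; timing is a separate channel that padding does nothing about.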

Of course, if your computer next makes an unencrypted HTTP or SMTP connection, the attacker can see everything you send through that connection. However, DNSCurve is part of a larger project to cryptographically protect all Internet packets, including HTTP packets, SMTP packets, etc.

Version

This is version 2009.06.24 of the espionage.html web page.