DNSCurve: Usable security for DNS

Why install a DNSCurve cache?

Are you a DNS user? Of course you are! For example, whenever you click on a new link in your web browser, the web browser first uses DNS to figure out the web server's "IP address," and then makes an HTTP connection to that IP address.

Unfortunately, DNS is not cryptographically protected. Attackers can easily watch the DNS query that your computer is sending through the network and can easily forge the DNS response. The forged response will fool your computer into connecting to a different IP address, such as a fake web server. If you're making an HTTPS connection then your browser is supposed to warn you about an "invalid certificate" and avoid showing you the fake web pages; but this still doesn't show you the web page you wanted! Furthermore, most of your connections are normal HTTP connections, normal SMTP (mail) connections, etc., none of which have any protection.

How do attackers spy on your DNS queries? Answer: The packets that your computer sends through the network are physically broadcast (by wireless 802.11 or wired Ethernet) to every computer near yours, to every computer near the server, and to many computers in between. Are you confident that attackers from around the world haven't broken into any of these computers? Stop kidding yourself. Cisco estimates that the Storm botnet has seized control of "potentially tens of millions of systems" around the Internet. Perhaps you've managed to keep your computer secure, but it is extremely unlikely that all of the nearby computers are secure.

How do attackers forge DNS responses? Answer: Internet packets are like postcards. Anyone can toss into the mail a forged postcard that appears to be from someone else; similarly, anyone can toss into the Internet a forged packet that appears to be from someone else. In particular, attackers can send your computer a DNS response that appears to be from the legitimate DNS server but that actually contains data selected by the attacker.

What does DNSCurve do for me?

An increasing number of DNS servers around the Internet support DNSCurve. If you install a DNSCurve cache on your computer then your computer's outgoing DNS queries to those servers, and the DNS responses sent back to your computer from those servers, will be automatically encrypted with high-speed high-security cryptography. This has several benefits:
  • An attacker who sees your outgoing DNS query won't be able to understand it. He can still gain information from "traffic analysis" (seeing when you're sending packets and how long the packets are) but will not be shown the packet contents.
  • An attacker who sees the incoming DNS response won't be able to understand it.
  • An attacker who forges an incoming DNS response won't be able to fool your computer. Your computer will simply discard the forgery and wait for the correct response to get through.
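The three properties in the list above (the query is unreadable on the wire, the response is unreadable, and a forged response is discarded rather than acted on) can be seen in a small model of the exchange. The following is an added example, not code from dnscurve.org or from any DNSCurve implementation: the key agreement is a pure-Python X25519 (the Curve25519 operation DNSCurve is built on), but the authenticated encryption is a stand-in built from HMAC-SHA256 with the standard library in place of DNSCurve's XSalsa20/Poly1305 crypto_box, the packet layout is simplified rather than DNSCurve's wire format, and the cache is assumed to already know the server's public key. The names Server, Cache, seal, open_box and run_exchange, and the sample zone data, are this example's own.

```python
"""Model of a DNSCurve-style protected query/response exchange (added example,
not dnscurve.org's code).  X25519 is genuine (RFC 7748 ladder, pure Python, not
constant-time); seal/open_box are an HMAC-SHA256 STAND-IN for DNSCurve's
XSalsa20/Poly1305 crypto_box; the packet layout is simplified, not DNSCurve's."""
import hashlib
import hmac
import secrets

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519: scalar multiplication on Curve25519 (Montgomery ladder)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap; branchy, so a model rather than a library
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def shared_key(my_secret: bytes, their_public: bytes) -> bytes:
    """Symmetric key from the DH secret (SHA-256 here; DNSCurve uses HSalsa20)."""
    return hashlib.sha256(x25519(my_secret, their_public)).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"ks" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for crypto_box: 16-byte tag || ciphertext."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16] + ct


def open_box(key: bytes, nonce: bytes, sealed: bytes):
    """Return the plaintext, or None when the authenticator does not verify."""
    tag, ct = sealed[:16], sealed[16:]
    want = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        return None  # forged, tampered, or sealed under another key: discard
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """DNSCurve-speaking server with a long-term Curve25519 key pair."""
    def __init__(self, zone: dict):
        self.secret, self.zone = secrets.token_bytes(32), zone
        self.public = x25519(self.secret, BASEPOINT)

    def handle(self, packet: bytes):
        client_pk, nonce, box = packet[:32], packet[32:44], packet[44:]
        key = shared_key(self.secret, client_pk)
        qname = open_box(key, nonce, box)
        if qname is None:
            return None
        resp_nonce = nonce + secrets.token_bytes(12)  # client half || server half
        return resp_nonce + seal(key, resp_nonce, self.zone.get(qname, b"NXDOMAIN"))


class Cache:
    """DNSCurve cache: one key pair, a fresh nonce for every query."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.public = x25519(self.secret, BASEPOINT)

    def build_query(self, server_pk: bytes, qname: bytes):
        nonce, key = secrets.token_bytes(12), shared_key(self.secret, server_pk)
        return nonce, key, self.public + nonce + seal(key, nonce, qname)

    def accept(self, key: bytes, nonce: bytes, packet: bytes):
        resp_nonce, box = packet[:24], packet[24:]
        if resp_nonce[:12] != nonce:
            return None  # not bound to our outstanding query
        return open_box(key, resp_nonce, box)


def run_exchange() -> dict:
    """One query through the model, with the attacker views the page describes."""
    zone = {b"www.example.com": b"192.0.2.10"}  # constructed sample zone data
    server, cache = Server(zone), Cache()
    nonce, key, query = cache.build_query(server.public, b"www.example.com")
    genuine = server.handle(query)
    # An on-path forger lacking the server's secret can only seal a response
    # under some other key; the cache's authenticator check rejects it.
    forged = genuine[:24] + seal(secrets.token_bytes(32), genuine[:24], b"198.51.100.1")
    return {
        "query_name_visible": b"www.example.com" in query,
        "answer_visible": b"192.0.2.10" in genuine,
        "forged_discarded": cache.accept(key, nonce, forged) is None,
        "genuine_answer": cache.accept(key, nonce, genuine),
    }
```

Calling `run_exchange()` shows that neither the query name nor the answer appears in the bytes on the wire, and that a response sealed under any key other than the one derived from the server's secret comes back as None, which is what "discard the forgery and wait for the correct response" means in practice. The attacker still sees when packets are sent and how long they are, as the first bullet notes, and nothing here protects traffic to a server that does not speak the protocol.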

Your communication with non-DNSCurve servers won't be affected, and in particular won't be (and can't be) cryptographically protected. However, as more and more servers support DNSCurve, more and more of your outgoing queries and incoming responses will be cryptographically protected.

Of course, if your computer next makes an unencrypted HTTP or SMTP connection, the attacker can seize control of that connection. However, DNSCurve is part of a larger project to cryptographically protect all Internet packets, including HTTP packets, SMTP packets, etc.

Version

This is version 2009.06.22 of the in-benefits.html web page.