The keepers of the dot-ca Internet domain should move quickly to implement a new security measure that could guard against large-scale pharming attacks, says the Montreal-based author of a book on the Domain Name System (DNS).
DNS is the facility that helps Web browsers find Web sites. The Canadian Internet Registration Authority (CIRA) says it is studying the DNS Security Extensions (DNSsec), but it appears implementation will take a couple of years.
Pharming – a relatively new addition to the lexicon of dirty tricks played on Internet users – is a more sophisticated variation on phishing. Phishing refers to using fraudulent e-mails to lure victims to fake Web sites that, by pretending to be the legitimate sites of banks and other institutions, trick visitors into revealing personal information that can be used to defraud them. Where phishing relies on getting people to visit Web sites with names that sound legitimate but differ slightly from the real thing, a pharming attack actually diverts a call for a legitimate Web site and returns an imitation site instead.
This can be done by corrupting a DNS name server, which is a sort of telephone operator for the Web. When you enter a Web URL in your browser, it turns to a DNS server to obtain a numeric Internet Protocol address – a “dotted quad” like 220.127.116.11 – corresponding to that URL, then retrieves the Web page you want using that address. A pharming attack modifies the list of addresses in a DNS server so that a legitimate URL points to an illegitimate IP address.
DNSsec is designed to guard against attacks like this by encrypting and “signing” addresses using a technique similar to the IP Security protocol (IPsec) used to protect e-commerce transactions. It makes it possible to check that the address returned by a DNS server hasn’t been tampered with.
Pharming attacks usually target smaller DNS servers such as those operated by Internet service providers (ISPs), but they could be aimed at higher levels, right up to the network of 13 root servers on which all other DNS servers depend.
Ronald Aitchison, author of “Pro DNS and BIND,” a book on running DNS systems, says CIRA should be moving as quickly as possible to implement DNSsec on the servers that manage the dot-ca name space. Until the top-level domain is secured, he points out, attempts to secure sub-domains within it (like gc.ca, for instance) can’t be wholly effective, because a pharming attack could bypass the protection by going to the next level up.
Johannes Ullrich, chief research officer at The SANS Institute, a Bethesda, Md.-based security training firm, agrees, saying it isn’t practical to secure subdomains one at a time because of the number of security keys involved. “You need an authority like the country-level domain that will sign all these names,” says Ullrich.
For that reason, Aitchison says, DNSsec is rarely used today. “People tend to ignore it because it’s not very effective unless there is a very tight, close community where they pass information back and forth between themselves.”
If DNSsec were implemented for top-level domains – including the generic domains such as dot-com, dot-org, dot-edu and so forth as well as the country-code TLDs like dot-ca – Aitchison believes DNSsec would be much more effective.
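An added illustration, not from the article or from CIRA: a simplified Python model of the DNSSEC chain of trust behind Aitchison's and Ullrich's point about top-level domains. It checks only the DS digest links from a trust anchor down to gc.ca (signature verification is omitted), and the key bytes, the root trust anchor and all function names are constructed for the example.

```python
import hashlib

def wire_name(name):
    """Owner name in DNS wire format, lowercased as RFC 4034 requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, dnskey_rdata):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + dnskey_rdata).hexdigest()

def ancestors(zone):
    """'gc.ca.' -> ['.', 'ca.', 'gc.ca.']"""
    labels = zone.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def validate(zone, zones, anchors):
    """Classify a zone as 'secure', 'insecure' or 'bogus' from the nearest trust anchor."""
    chain = ancestors(zone)
    start = max((i for i, z in enumerate(chain) if z in anchors), default=None)
    if start is None:
        return "insecure"                      # no anchor, nothing to check against
    trusted = anchors[chain[start]]
    for parent, child in zip(chain[start:], chain[start + 1:] + [None]):
        key = zones[parent]["dnskey"]
        if key is None or ds_digest(parent, key) != trusted:
            return "bogus"                     # served key is not the one vouched for
        if child is None:
            return "secure"                    # unbroken chain down to the zone
        trusted = zones[parent]["ds"].get(child)
        if trusted is None:
            return "insecure"                  # unsigned delegation: chain stops here

# Constructed stand-ins for DNSKEY RDATA (real RDATA holds flags, algorithm, public key).
KEYS = {".": b"root-key", "ca.": b"ca-key", "gc.ca.": b"gc-key"}
ROOT_ANCHOR = {".": ds_digest(".", KEYS["."])}

def make_zones(tld_signed):
    """Build root -> ca. -> gc.ca.; gc.ca. is always signed, ca. only if tld_signed."""
    zones = {z: {"dnskey": k, "ds": {}} for z, k in KEYS.items()}
    if tld_signed:
        zones["."]["ds"]["ca."] = ds_digest("ca.", KEYS["ca."])
        zones["ca."]["ds"]["gc.ca."] = ds_digest("gc.ca.", KEYS["gc.ca."])
    else:
        zones["ca."]["dnskey"] = None          # dot-ca unsigned: no key, no DS records
    return zones

if __name__ == "__main__":
    print(validate("gc.ca.", make_zones(False), ROOT_ANCHOR))
    print(validate("gc.ca.", make_zones(True), ROOT_ANCHOR))
```

Passing `{"gc.ca.": ds_digest("gc.ca.", KEYS["gc.ca."])}` as the anchor makes the signed subdomain validate even under an unsigned dot-ca, but only for validators that were handed that key, which is the "tight, close community" case.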
So far, Sweden is the only country to announce DNSsec implementation. Network Information Center Sweden AB (NIC-SE), the Swedish counterpart to CIRA, announced recently that it began the transition to DNSsec in mid-September.
Aitchison notes that it is not enough for operators of top-level domains to adopt DNSsec. Machines reading IP addresses must request security data from the secured servers. Full implementation will take some time, he says.
Gabriel Ahad, a spokesman for CIRA, says the agency’s board instructed its staff in June 2004 to start looking at DNSsec. CIRA plans to implement it as part of a larger package of measures to make the dot-ca domain more secure, he says. Ahad would not say what the timetable is for the implementation, except to say that CIRA’s overall efforts to make the domain more secure are planned for 2006 and 2007.
Because of the importance of the DNS system, Ahad says, CIRA must approach the implementation carefully, and feels it would not be advantageous to be the first to make the move. Canada can learn from the experiences of the Swedes and others to ensure its implementation goes smoothly, he says.
Ullrich says DNS is “awfully important. We don’t really want to mess with it too much and maybe break it.” He predicts widespread implementation of DNSsec will take at least a couple of years, but “it is important that it be done, and it has to be done by the top-level domains.”