Networking

Five tips to get ready for DNSSEC

DNSSEC is slowly being rolled out, but not much is being said about what that means to us -- or whether our existing equipment will work with it. Let's try to clear that up.

DNS drives the Internet. It may not be broken, but the fact that a resolver trusts whatever reply arrives first, implicitly and without any proof of where it came from, is a bad idea. Attackers have figured out how to exploit that trust with what are called spoofed DNS replies. I know, that's geek-speak. See if this example helps.

You need to transfer money to a different account, so you click the bookmark for your bank. Bang, your bank's Internet portal shows up in the browser. You log in normally, but the site responds that something is wrong; please try later. Annoying, but what can you do?

Then yours truly shows up asking, "How do you know that really was your bank's Web site?" Currently, there is no sure way to tell, and the bad guys love it. By altering DNS information, they can point browsers to a malicious copy of the queried Web site. None the wiser, we log in and they have our credentials.

DNSSEC

Since 1997, the IETF has been working on a way to make sure that misdirection does not happen. The result is DNSSEC (Domain Name System Security Extensions), which adds digital signatures to DNS data so a resolver can verify that an answer was published by the zone's owner and was not altered on the way. It seems like a good idea, according to the papers written about it.

What seems a bit odd is that there's not much available information about what DNSSEC means to us and our SOHO/home networks. After some searching, I have been able to piece together the following requirements.

1: What routers must handle

Routers must be able to pass larger than normal DNS packets. Classic DNS limits a UDP response to 512 bytes; DNSSEC responses carry signatures and keys, so they are routinely larger, and the resolver uses the EDNS0 extension (an OPT record added to the query) to advertise that it can accept a bigger UDP reply, typically 4096 bytes. This could be a problem. Some routers drop or mangle DNS packets larger than 512 bytes, and some strip the EDNS0 OPT record altogether. Routers must also let DNS fall back to TCP. When an answer will not fit in the buffer the client advertised (or in 512 bytes when there is no EDNS0), the server sends a truncated reply with the TC bit set, and the client is expected to repeat the query over TCP port 53. If the router blocks DNS over TCP, or its DNS proxy cannot relay it, that query fails.

Finally, routers must handle the record types DNSSEC introduces: DNSKEY, RRSIG, NSEC, NSEC3 and DS. A router that merely forwards IP packets never looks at record types, but many consumer routers run a DNS proxy (they hand out their own LAN address as the DNS server via DHCP), and that proxy must pass unfamiliar record types and the DO ("DNSSEC OK") flag through unchanged. If it drops or rewrites them, the chain of trust is broken before the answer reaches the client.
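To make the three failure modes in tip 1 concrete, here is an added example (not code from this article, not from any router or resolver vendor) that builds an EDNS0 query with the DO bit set, parses the reply a resolver gets back, and decides what the resolver must do next: retry over TCP when TC is set, give up on DNSSEC when the OPT record has been stripped, or accept the answer when signatures arrived. Every packet is constructed in memory, the `example.com` A record and the 32-byte RRSIG rdata are placeholders rather than real data, and the `next_step` rules are a simplification of resolver behaviour, not a quotation from any RFC.

```python
"""Wire-format DNS helper: EDNS0 query with DO bit, reply parsing, TCP-fallback decision.
Constructed for illustration; every packet here is built in memory so it runs offline."""
import struct

# RR type codes from the IANA DNS parameters registry
TYPE_A, TYPE_OPT, TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY, TYPE_NSEC3 = 1, 41, 43, 46, 47, 48, 50
TYPE_NAMES = {1: "A", 41: "OPT", 43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 50: "NSEC3"}
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0020
EDNS_DO = 0x8000  # DO bit is the top bit of the OPT pseudo-RR's TTL field (RFC 3225)


def encode_name(name):
    """Uncompressed wire name: length-prefixed labels ending in a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def opt_rr(bufsize=4096, do=True):
    """OPT pseudo-RR: root name, type 41, CLASS carries the UDP payload size, TTL carries flags."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO if do else 0, 0)


def build_query(qname, qtype=TYPE_A, txid=0x1234, bufsize=4096, do=True):
    """Recursive query advertising a large UDP buffer and asking for DNSSEC records."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt_rr(bufsize, do)


def skip_name(data, off):
    """Return the offset just past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_response(query, answers, tc=False, ad=False, edns=True):
    """Constructed reply: echoes the question, then adds the given (name, type, rdata) RRs."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if tc else 0) | (FLAG_AD if ad else 0)
    body = query[12:qend]
    for name, rtype, rdata in answers:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    if edns:
        body += opt_rr()
    return struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1 if edns else 0) + body


def parse_response(data):
    """Pull out the fields a DNSSEC-aware resolver looks at before trusting a UDP reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4      # skip QNAME, QTYPE, QCLASS
    types, edns_bufsize, do_echoed = [], None, False
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:               # OPT: CLASS field is the peer's UDP buffer size
            edns_bufsize, do_echoed = rclass, bool(ttl & EDNS_DO)
        else:
            types.append(TYPE_NAMES.get(rtype, str(rtype)))
    return {"id": txid, "size": len(data), "truncated": bool(flags & FLAG_TC),
            "validated": bool(flags & FLAG_AD), "rcode": flags & 0xF,
            "types": types, "edns_bufsize": edns_bufsize, "do": do_echoed}


def next_step(resp):
    """Simplified resolver decision for a UDP reply; mirrors the router failure modes in tip 1."""
    if resp["truncated"]:
        return "retry over TCP"             # TC=1: answer did not fit, reissue the query on TCP/53
    if resp["edns_bufsize"] is None:
        return "EDNS0 stripped"             # something on the path dropped the OPT record
    if "RRSIG" not in resp["types"]:
        return "unsigned"                   # no signatures came back with the answer
    return "ok"


# Constructed sample exchange; the A record and RRSIG rdata are placeholders, not real data
QUERY = build_query("example.com.")
A_RDATA, RRSIG_PLACEHOLDER = bytes([93, 184, 216, 34]), bytes(32)
FULL = build_response(QUERY, [("example.com.", TYPE_A, A_RDATA),
                              ("example.com.", TYPE_RRSIG, RRSIG_PLACEHOLDER)], ad=True)
TRUNCATED = build_response(QUERY, [], tc=True)                           # 512-byte-only path
STRIPPED = build_response(QUERY, [("example.com.", TYPE_A, A_RDATA)], edns=False)
UNSIGNED = build_response(QUERY, [("example.com.", TYPE_A, A_RDATA)])

if __name__ == "__main__":
    for label, pkt in (("full", FULL), ("truncated", TRUNCATED), ("stripped", STRIPPED), ("unsigned", UNSIGNED)):
        r = parse_response(pkt)
        print(f"{label:10s} size={r['size']:4d} types={r['types']} -> {next_step(r)}")
```

The same `parse_response` can be pointed at a real reply captured on the LAN side of a router (for example the payload of a `dig +dnssec` answer saved with tcpdump) to see whether the OPT record and the RRSIGs survived the trip through the device.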

2: Determining whether a router is DNSSEC-capable

I haven't been able to find much in the way of recent information, but I did find this 2008 report: DNSSEC Impact on Broadband Routers and Firewalls. The research team did a thorough job of testing 24 consumer and SOHO routers. Check to see how yours did. If it's not on the list, I would check with the manufacturer.

3: Other DNS security tests

Although not directly related to DNSSEC, you will notice the following two tests were reported in the paper's results:
  • Rejects unsolicited DNS replies (responses that match no outstanding query)
  • Randomizes the source port of outgoing DNS queries

Both are important. Each closes off a cache-poisoning avenue: a device that accepts replies it never asked for, or that sends every query from the same source port, leaves an attacker only the 16-bit transaction ID to guess, which is the weakness the 2008 Kaminsky attack made urgent. Manufacturers rarely document this behaviour. I would make a point to call the router manufacturer and ask.
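The second test in tip 3 can be checked from the WAN side of a router with a packet capture. Here is an added example (not from this article or from any vendor) that runs constructed `tcpdump`-style lines for outbound DNS queries through that check: it parses the source port and transaction ID of each query, measures how much they vary, and flags a fixed source port or transaction IDs that simply count up. The log lines, addresses and port numbers are made up for illustration; nothing here was captured from a real device.

```python
"""Source-port and transaction-ID randomization check over tcpdump-style query lines.
Constructed example; the log lines are invented, not captured."""
import math
import re
from collections import Counter

# Mimics `tcpdump -n udp port 53`: "<time> IP <src>.<sport> > <dst>.53: <txid>+ A? <name>. (<len>)"
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")


def parse_queries(lines):
    """Return (source_port, txid) for each outbound query line; replies and noise are ignored."""
    pairs = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def entropy_bits(values):
    """Shannon entropy of the observed values, in bits (log2 of the sample size is the ceiling)."""
    counts, n = Counter(values), len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(pairs):
    """Flag a fixed source port or predictable transaction IDs, the two things a spoofer needs."""
    ports = [p for p, _ in pairs]
    ids = [i for _, i in pairs]
    sequential = len(ids) > 1 and all(b - a == 1 for a, b in zip(ids, ids[1:]))
    findings = []
    if len(set(ports)) == 1:
        findings.append(f"fixed source port {ports[0]}: only the 16-bit txid protects the cache")
    if sequential:
        findings.append("transaction IDs increase by one: trivially predictable")
    return {"queries": len(pairs), "distinct_ports": len(set(ports)),
            "port_entropy_bits": round(entropy_bits(ports), 2),
            "txid_entropy_bits": round(entropy_bits(ids), 2),
            "findings": findings}


# Constructed captures. WEAK: one source port, counting txids. GOOD: both vary per query.
WEAK = [
    "12:00:00.000100 IP 192.0.2.1.1025 > 198.51.100.1.53: 4096+ A? example.com. (29)",
    "12:00:00.000200 IP 198.51.100.1.53 > 192.0.2.1.1025: 4096 1/0/0 A 93.184.216.34 (45)",
    "12:00:01.000100 IP 192.0.2.1.1025 > 198.51.100.1.53: 4097+ A? example.net. (29)",
    "12:00:02.000100 IP 192.0.2.1.1025 > 198.51.100.1.53: 4098+ A? example.org. (29)",
    "12:00:03.000100 IP 192.0.2.1.1025 > 198.51.100.1.53: 4099+ AAAA? example.com. (29)",
    "12:00:04.000100 IP 192.0.2.1.1025 > 198.51.100.1.53: 4100+ MX? example.com. (29)",
    "12:00:05.000100 IP 192.0.2.1.1025 > 198.51.100.1.53: 4101+ A? www.example.com. (33)",
]
GOOD = [
    "12:00:00.000100 IP 192.0.2.1.51234 > 198.51.100.1.53: 40732+ A? example.com. (29)",
    "12:00:01.000100 IP 192.0.2.1.6002 > 198.51.100.1.53: 3021+ A? example.net. (29)",
    "12:00:02.000100 IP 192.0.2.1.39007 > 198.51.100.1.53: 58102+ A? example.org. (29)",
    "12:00:03.000100 IP 192.0.2.1.17210 > 198.51.100.1.53: 11187+ AAAA? example.com. (29)",
    "12:00:04.000100 IP 192.0.2.1.60111 > 198.51.100.1.53: 49250+ MX? example.com. (29)",
    "12:00:05.000100 IP 192.0.2.1.28765 > 198.51.100.1.53: 27043+ A? www.example.com. (33)",
]

if __name__ == "__main__":
    for label, lines in (("weak", WEAK), ("good", GOOD)):
        print(label, assess(parse_queries(lines)))
```

Six queries only give an upper bound of about 2.6 bits of entropy, so on a real capture collect a few hundred queries before drawing a conclusion; the point of the check is the difference between zero variation and variation across the whole port range.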

4: Firmware updates

Updating firmware on gateway devices is always a good idea and more important now than ever. If your router did not pass the DNSSEC testing in 2008, check whether a later firmware release fixes it; the report reflects the firmware available at the time, not necessarily what the manufacturer ships today.

5: Upstream Internet provider readiness

This should not be an issue, but it won't hurt to ask the provider about it. Two questions I like to ask are:

  • Do the provider's recursive resolvers validate DNSSEC, and how are the keys they rely on (the trust anchors, and any zone-signing keys they hold) protected?
  • Who should be called if things are not working right?

Extra tip for Firefox users

DNSSEC Validator is a Mozilla Firefox add-on that checks whether the domain you are visiting publishes DNSSEC records and whether they validate. A colored key icon in the address bar indicates the DNSSEC status of that particular domain.

Final thoughts

DNSSEC has the potential to increase online security in a big way, but it has to be implemented correctly. That means our routers must not break the chain of trust between the validating resolver and the client. Here's some added incentive to get on board: if the router does not handle DNSSEC packets correctly, each lookup may have to wait out a UDP timeout before falling back to TCP, and your online experience could slow down considerably.


About

Information is my field...Writing is my passion...Coupling the two is my mission.

18 comments
seanferd

A lot of routers will not failover to TCP when receiving a packet in excess of 512 b. Actually, overall, it seems to me that consumer routers are getting worse in a lot of ways, rather than better. But that is a whole other subject, excepting why routers sold today and over the past few years still won't switch to TCP for DNSSEC responses.

santeewelding

Do you realize how damned small the print is on the bottom of my router? Had to hunt down (lot of walking) my illuminated 10X again to read it (BEFSR41 ver. 4.1). So, who do I call and who do I scream at? You? Get over here and do something about it.

Michael Kassner

That's a good thing, but is your network equipment capable of handling the new type of traffic. Find out.

Michael Kassner

Rather strange that the router manufacturers are not mentioning whether they are DNSSEC-ready or not.

Michael Kassner

I have asked support about Version 4.3 and DNSSEC. I believe it is the latest version.

seanferd

But if you want, you can join me in a shout at Cisco, who have really made dealing with Linksys support a major travail as they change the sites and domain names to incorporate them into the main Cisco domain. Oh, wait, no. It has changed again. Now it is linksysbycisco.com. Good grief. We can also have a shout at them for producing more routers which hand out WAN DNS server addresses via DHCP to client machines. Who the hell ever thought this was a good idea? I mean, aside from the deranged Apple Airport engineers or marketeers (whoever is in charge of such decisions). So, you are saying this one does not fall back to TCP or otherwise handle DNSSEC packets correctly? Edit: it seems to handle responses over twice as large as 512 b over UDP, but lacks EDNS0 extension support.

JCitizen

available router that scored all the way across the board for configuration. It must be an old model, because most houses are dropping it. Cisco and Juniper are so difficult to purchase, that I hesitate to recommend them.

Ocie3

been "finalized" or are they still negotiating some of them? I've been looking at routers recently and you're right, I don't recall even one that has a mention of DNSSEC among the information that was available about the router.

seanferd

very obvious things about their routers in the manuals, let alone on the outside of the box at the store. Some of the things vendors do, I find flat-out baffling.

JCitizen

they don't have a clue about customer support, or any kind of support. They kept locking me out of my account when I was in Cisco CCNA school; and I should have known that was bad karma right then and there! X-(

santeewelding

I went through the whole PDF -- all of it. The one chart looked half-assed decent for mine, just before my eyes began to glaze. I'm not worried. Michael will gas up his jet and be arriving anon. He will see to things.

Ocie3

Not yet, but I will let you know when you need to get it. .... just a suggestion. :-)

Michael Kassner

Which means there will be a lot of unsecure routers out there for the foreseeable future.

pgit

I set up a lot of home broadband connections, or expand on existing ones. Most of the folks could do it themselves but don't want to face the potential frustration. They gladly pay me to do it for them. So if this were borne in mind by the manufacturers they would realize a lot of their products are sold on professional recommendations. The first company to call my attention to their product's compatibility with IPv6 and DNSSEC will get my $$. I won't even mention the reason for the choice of hardware to the customer, they'd glaze over with the 'too much information' stare. Even if it's a non-professional buying and installing the devices, e.g. nephew Timmy who's always been a whiz with computers, chances are the buyer still has a better understanding of the technology than the 'average.' It would seem to me the manufacturers would really want to tout compatibility with the future. In other words, I bet you're right, they just aren't making compatible devices. Probably wringing out every last penny possible from the existing factory set up/supply line.

Michael Kassner

Yet, I thought the router companies would want to leverage the fact they are DNSSEC-ready. Or is it that they are not ready?

pgit

For the most part the only 'technical' information clients want is your answer to "why isn't it working?" I have said simply "it's a software problem" and been cut off with a palms-out "whoa! WAY too much information!" I kid you not. All I wanted to put across was the problem was not hardware, meaning we could get it fixed here and now. I've learned to say "I should be able to fix it here" versus "I'm afraid this is going to have to go back to the shop." BTW this is another example of a muddy answer to the inevitable "do I need it?" question. Like with IPv6 the true answer is "not at the moment, strictly speaking." Don't know about you guys but I may as well have said "absolutely not, I personally guarantee you!"

Michael Kassner

Yet, this is something they have to do. Why not twist it into an advertisement?

Michael Kassner

My jet is in the shop. What is your exact version of firmware? Edit: Spell