DNSViz: Intimate view of a website's DNS security

DNSSEC is supposed to certify DNS transactions, but how do you know if it's working? DNSViz, that's how.

Domain Name System (DNS) -- arbitration technology that helps number-challenged humans use the Internet -- is in serious, serious trouble. Couldn't tell by me, everything seems fine. Type in TechRepublic.com and the web browser magically retrieves TechRepublic's web page.

What's the problem?

Instead of TechRepublic, go to your Internet-banking website. Now consider this: how do you know it's the real deal? What if it's a copy? One designed by bad guys to capture keystrokes and screenshots -- specifically login information.

Update (17 Jan 2012): I just read a blog post by Brian Krebs where he discusses an application called Simple Phishing Toolkit and how it simplifies setting up a "phishing website".

"The toolkit lives up to its name: It's extremely simple to install and to use. Using a copy of WampServer - a free software bundle that includes Apache, PHP and MySQL - I was able to install the toolkit and create a Gmail phishing campaign in less than five minutes."

The toolkit was designed to educate employees on avoiding fake websites that are phishing for sensitive personal information. It is only a matter of time before nasty types also start using the toolkit.
Experts all over the world are working hard to resolve issues like misdirection to malicious websites. One solution at the forefront is Domain Name System Security Extensions (DNSSEC), a verification method using Public Key Infrastructure (PKI).

Sadly, DNSSEC is incredibly difficult to understand and implement. That's probably why only a small percentage of companies have incorporated DNSSEC, even though it's been available for the .com domain since April 2011.

So, how does one know if a website is using DNSSEC? One way is to use the DNSSEC test website -- ironic, I know -- by Verisign Labs. The screenshot below shows the test results for www.TechRepublic.com.

You can see the domain techrepublic.com is not using DNSSEC from the red Xs by "No DS records" and "No DNSKEY records". The next screenshot displays the test results for www.Sandia.gov.

The Sandia National Laboratories website is using DNSSEC, probably due to the government mandate that all .gov top-level domains be secured with DNSSEC.

We're not done yet, though. There is something else to consider. Remember my mention of DNSSEC's complexity? Well, Dr. Casey Deccio, computer scientist with Sandia National Laboratories, agrees (courtesy of Homeland Security News):

"DNSSEC is hard to configure correctly and has to undergo regular maintenance. It adds a great deal of complexity to IT systems, and if configured improperly or deployed onto servers that aren't fully compatible, it keeps users from accessing .gov sites. They just get error responses."
To help resolve DNSSEC problems, Casey developed a web-based tool called DNSViz:

"It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, made available via a Web browser to any Internet user.

It highlights and describes configuration errors detected by the tool to assist administrators in identifying and fixing DNSSEC-related configuration problems."

One can tell this stuff is complicated; I wasn't getting the intricacies of DNSViz, let alone DNSSEC. So I contacted Casey and asked a few questions.

Kassner: Why did you feel the need to create DNSViz? Deccio: It's no secret that the DNS is inherently insecure. DNSSEC is the mainstream community effort to secure DNS. However, the complexity it adds to regular DNS is non-trivial, from a perspective of both understanding and deployment. Without something to help address this complexity, DNSSEC deployment could be stunted, either because it seems too big of a bite to swallow for businesses and other entities that might otherwise benefit, or because of failure to properly operate it.

DNSViz was intended to take some of the voodoo out of DNSSEC and make it more understandable to those working most closely with it on the engineering and operations sides. It also visually demonstrates DNSSEC to those working less intimately with it, but who can still appreciate a pretty picture.

Kassner: What conditions would signal the need to test a website or other online presence? Deccio: DNSViz provides an at-a-glance view of the security that the TechRepublic domain offers -- that is, whether or not DNS resolvers have a way to validate the correctness of a response they've retrieved for the TechRepublic domain. Like a majority of companies, TechRepublic does not have DNSSEC deployed, so it shows "insecure".

There are three primary reasons why someone might use DNSViz to analyze their domain:

  • To see where a domain currently stands, in terms of its DNSSEC status.
  • In conjunction with any DNSSEC maintenance, including initial deployment, as a sanity check.
  • To troubleshoot DNSSEC-related issues with the domain.

Kassner: I type www.TechRepublic.com into DNSViz and click on Go. What happens then? Deccio: DNSViz will produce a graphical representation of the DNSSEC "chain of trust" for www.TechRepublic.com, from the perspective of the last time it was analyzed. If using Firefox or Opera Web browsers, mousing over the various graph components will result in additional information being displayed about the selected components. Names are re-analyzed on a periodic basis, and can be explicitly re-analyzed upon request, if desired.

Kassner: I tested www.TechRepublic.com. Here are the results. Would you please describe what we are looking at?

Deccio: One of the most interesting things about DNSSEC is insecurity must be proven -- specifically from the top down. The output of TechRepublic.com is a perfect example. The only reason a validating DNSSEC client will accept an unsigned -- or an illegitimately signed, for that matter -- response for TechRepublic.com is because the com zone provides records (NSEC3) proving that no keys are available to validate TechRepublic.com names, as far as com is aware.

The chain of trust extends from the trust anchor at the top (identified by a double border), down through the com zone, and terminates with the NSEC3 nodes. Because the chain is complete through those NSEC3 nodes, a validating resolver knows that it cannot assert anything about the security of a response for TechRepublic.com. Thus records within that domain are labeled as "insecure".
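The top-down rule Casey describes above, and the "No DS records" / "No DNSKEY records" checks from the Verisign Labs screenshots earlier, can be captured in a small model of how a validating resolver walks a delegation chain. This is an added example, not DNSViz's code; the zones, key tags and the 11111 trust anchor are constructed, and no real DNS lookups or signature checks are performed.

```python
# Constructed model of the top-down DNSSEC chain-of-trust walk that DNSViz
# visualises. Each Delegation records what a resolver would learn about one
# zone; there is no real DNS traffic and no cryptographic verification.
from dataclasses import dataclass


@dataclass
class Delegation:
    name: str
    dnskey_tags: frozenset        # key tags in the zone's own DNSKEY RRset
    ds_tags: frozenset            # key tags the parent publishes as DS records
    proof_of_no_ds: bool = False  # parent returned a signed NSEC/NSEC3 denial


def walk_chain(chain, trust_anchor_tag):
    """Walk root-first; return (status, trace) for the last zone in the chain.

    status is 'secure', 'insecure' or 'bogus'. Insecurity must be proven:
    a missing DS yields 'insecure' only when the already-secure parent signs
    a denial of existence for the DS; a DS with no matching key, or a missing
    DS with no signed denial, breaks the chain and is 'bogus'.
    """
    trace = []
    root = chain[0]
    if trust_anchor_tag not in root.dnskey_tags:
        trace.append(f"{root.name}: DNSKEY does not match trust anchor -> bogus")
        return "bogus", trace
    trace.append(f"{root.name}: DNSKEY matches trust anchor -> secure")
    for zone in chain[1:]:
        if zone.ds_tags & zone.dnskey_tags:
            trace.append(f"{zone.name}: DS matches DNSKEY -> secure")
            continue
        if zone.ds_tags:
            trace.append(f"{zone.name}: DS present, no matching DNSKEY -> bogus")
            return "bogus", trace
        if zone.proof_of_no_ds:
            trace.append(f"{zone.name}: parent proves no DS (NSEC3) -> insecure")
            return "insecure", trace
        trace.append(f"{zone.name}: no DS and no signed denial -> bogus")
        return "bogus", trace
    return "secure", trace


ROOT_ANCHOR = 11111  # constructed key tag, not the real root KSK tag
# Constructed chains mirroring the two screenshots: an unsigned .com domain
# whose parent proves the absence of DS, and a fully signed .gov domain.
TECHREPUBLIC = [
    Delegation(".", frozenset({11111}), frozenset()),
    Delegation("com.", frozenset({22222}), frozenset({22222})),
    Delegation("techrepublic.com.", frozenset(), frozenset(), proof_of_no_ds=True),
]
SANDIA = [
    Delegation(".", frozenset({11111}), frozenset()),
    Delegation("gov.", frozenset({33333}), frozenset({33333})),
    Delegation("sandia.gov.", frozenset({44444}), frozenset({44444})),
]
```

Running `walk_chain(TECHREPUBLIC, ROOT_ANCHOR)` ends at the NSEC3 denial and reports "insecure", while the Sandia chain reports "secure"; swapping in a DS that matches no DNSKEY turns the result "bogus", which is the error response Casey warns about.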

Kassner: What does it mean if a domain fails your test? Deccio: DNSViz is intended to highlight problems with a domain's configuration. If some errors or warnings show up, they typically indicate an inconsistency caused by maintenance neglect, incompatibility, or misconfiguration. Something must be done on the part of the domain's operator to remedy such issues.

DNSViz is by no means a finished product. In the future, I hope to provide additional aids to resolve any problems detected by the tool, include a historical analysis, address general name resolution problems, and some additional features. We're seeking additional funding and collaboration opportunities to make these extensions possible and make DNSViz a more resourceful tool. I would invite organizations with the right kind of technical expertise and interest in this kind of security tool to contact me at Sandia.

Kassner: I sense frustration among experts who are expending tremendous effort trying to get DNSSEC more fully incorporated. Do you share their concern? Deccio: Deployment of DNSSEC, or any other technology for that matter, requires both the technical pathway and incentive. The technical pathway became a reality with the 2010 signing of the root zone and the signing of other major top-level domains.

Many businesses and other entities have yet to see the incentive for deployment. Being familiar with the deployment complexities, I understand that:

  • DNSSEC is not necessarily for everyone -- why incur the overhead if the net gain for a domain is minimal?
  • There are many who can benefit from DNSSEC deployment, but haven't put forth any effort to further it.

I think the Internet community can learn a couple of things from this. It is possible that the DNS-security solutions we have aren't palatable in their current state, and as they evolve -- either in available tools, protocols, or deployment -- they will be adopted by those that are waiting on the edge.

While we continue encouraging folks to engage in DNSSEC deployment efforts, we must improve and simplify our current solution set.

Kassner: I'm interested in why individuals become passionate about a certain technology, particularly a challenging one like DNS security. What in this field grabbed your interest enough to pursue it so intensely? Deccio: There are a lot of open problems with the DNS, and the community is quite active, even though DNS is over 25 years old. The field is open enough to benefit from academic research, as well as engineering; and solutions from both areas address a problem that is real and affects all Internet users.

Final thoughts

I wanted to mention that Sandia National Laboratories released a video of Communications Officer Mike Janes interviewing Casey. The video walks through the intimacies of DNSViz.

DNSSEC or something similar is needed. Otherwise, circumstances will degrade to a point where no one will trust the Internet. Thanks to efforts by DNS experts like Casey Deccio, maybe more companies will start implementing DNSSEC.