Prohibiting Redirection & Synthesized DNS Responses in

Top Level Domains

Mar 2010

Kuala Lumpur

APTLD Meeting

Redirection of DNS Responses @ TLDs• Issue

– Wildcarding of DNS records at TLDs– Provides “valid” address and routing even when

domain names do not exist

• Consequences– Breaks core DNS systems & legacy applications– Erodes trust relationships– Creates new opportunities for malicious attacks,

without ability of affected parties to mitigate problem

Reference Document: SAC041

2

SSAC Advice:

Clear & Significant danger to security & stability of the DNS

3

ICANN Board Resolution (June ‘09):

Take all available steps with appropriate entities to prohibit such use

Prohibit redirection/synthesis for all TLDs (gTLD & ccTLD, including IDN TLDs)

• Revise new gTLD Guidebook• Consult with ccTLD community/GAC for new

ccTLDs• Revise existing gTLD agreements• Add appropriate guidelines to existing ccTLD

arrangements

4

Reference Document: SAC041

Architectural Violation

• Redirection at the TLD level violates fundamental Internet engineering principles– DNS Protocol is neutral about what protocols to answer

– Redirection assumes HTTP protocol (web browsing)

• All future protocols dependent on DNS affected by redirection– Unacceptable invasion of protocol boundaries

• For example, HTTP could use DNS even though HTTP is a recent invention, due to clear layering

5

Most basic Internet tools break• Systems that test for “existence” of a host fail

• Spam filters stop working (all forged addresses now appear to be real)

• URL link checkers will fail (all links appear to be valid)

• Systems that believe a host name is valid break• Mail to a mis-typed address will not bounce anymore

• And, the mail is delivered to a different address, without any notification or choice by the e-mail sender

– Search engines won’t be able to function as normal

• And other software, applications, and equipment that depends upon the DNS “working” will break

6

Every Internet Application Is Affected

Requires Testing of Impact & Side-Effects on:– Every mail server, mail agent– Every instant message program and agent– Every VOIP server, proxy and user agent– Every parental control system– Every anti-virus system– Every license management system– Every software update system

i.e., Every Application On The Internet7

Data Privacy Laws May Be Violated

Misspelling of domain would cause redirection to a different zone instead of a failed connection

In cross-border situtations, this can cause violation of privacy

Wildcard operator may now become liable for privacy breaches under law

8

Negative impact on e-commerce

HTTPS requests get spurious resultshttps://www.does-not-exist.tld/

Server is provided critical information about security capabilities of client browser, cryptography, data compression etc. – now sent to an unknown source

Browser may call site invalid because IP address/domain name of SSL certificate does not match request

9

Negative impact on SMTP (EMail)

Negative impact on the clarity and promptness of error reports returned to sending users

– No one will know what happened to the message, and it may take some time before anyone notices that it has disappeared, if anyone notices at all

– The recipient party suddenly has access to a mail message that was in no way intended for them, which is quite harmful from an integrity perspective

Wastes resources at mail operators (handling millions of mails per day)– System resources are wasted on the sending mail server to keep track of the

message and its status, to issue repeated DNS queries, to make repeated attempts to deliver it, etc.

Impacts the ability of mail servers to reject mail from illegitimate mail addresses (Helps Spammers)

– Spam usually sent from non-existent mail domains; adding wildcards stops checks of non-existent domains – i.e., helps spammers

10

Negative Impact on DNS Resolver Search Lists

DNS Resolver Search List allows users to specify partial domain names, where resolver auto-completes domain name

Adopted widely in commercial software—search lists are implemented in all Microsoft and UNIX systems

User with a computer in the <local.tld> zone would have <local.tld> in their resolver’s search list

Allows users to type in http://internal to reach http://internal.local.tld

11

Impact on IDN TLDs

IDN TLD are deployed in <language>, but are represented on the DNS in ASCII

Wildcards for IDN TLD can cause unexpected behavior:– Localization of content breaks

• User may request a web page in <language A> and gets a different page in <language B>, with no control

12

Redirection in .KR Name

Total .kr Responses : 1.52 billion• – Normal .kr Queries : 1.45 billion (96.73%)• – .kr DNS Redirection : 2.5 million (0.17%)

Total .kr Redirection : 2.5 million• Hangul .kr Domain Name : 1.7 million (67%)

13

Solves IE6 Problem:- IE6 or earlier ver. users can use

Hangul .kr domain name without plug-ins

- Garbage traffic by using wild character(*) in .kr Zone, causes system overload

http://sel.icann.org/meetings/.../presentation-kr-dns-redirection-28oct09-en.pdf

QUESTIONS?

Reference document s (need to complete)

http://www.icann.org/committees/security/ssac-report-09jul04.pdf

http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html

http://www.icann.org/committees/security/sac041.pdf

http://sel.icann.org/meetings/.../presentation-kr-dns-redirection-28oct09-en.pdf

14