Tool to Troubleshoot DNS Issues

Wednesday, January 11, 2012 @ 01:01 PM gHale


There is a new visualization tool in development called DNSViz to help network administrators within the federal government and global IT community better understand Domain Name System Security (DNSSEC) and to help them troubleshoot problems.

DNSSEC is a security feature mandated to all federal information systems by the White House’s Office of Management and Budget (OMB). The mandate, issued in 2008, requires that “the top level .gov domain will be DNSSEC-signed, and processes to enable secure delegated sub-domains will be developed.”

RELATED STORIES
Don’t Click on Unsolicited Attachments
Phishing Subsets: Vishing, Smishing
Phishing Attack Hits Apple Users
Malware Target: Defense Contractors

The entity that serves to translate the hostname of a Uniform Resource Locator (URL) into an Internet Protocol (IP) address is the Domain Name System (DNS). A DNS “lookup” is a prerequisite for doing almost anything on the Internet, including Web browsing, emailing or videoconferencing.

Although the mandate made perfect sense, said Sandia National Laboratories Computer Scientist Casey Deccio, there soon emerged a problem when .gov organizations actually began deploying DNSSEC.

“DNSSEC is hard to configure correctly and has to undergo regular maintenance,” he said. “It adds a great deal of complexity to IT systems, and if configured improperly or deployed onto servers that aren’t fully compatible, it keeps users from accessing .gov sites. They just get error responses.”

The still-new DNSSEC security feature allows user applications like Web browsers to ensure the IP addresses they received from the DNS have not been “spoofed” by anyone with ill intent. As such, Internet-connected systems within the government can verify the responses are authoritative and not altered. Still, the hiccups with implementing DNSSEC convinced Deccio there was a need for a tool like DNSViz.

DNS is inherently insecure, Deccio said. Without DNSSEC, tampering by third-party attackers could go undetected, thus redirecting online communications to unwanted destinations. This represents a particularly troublesome problem for .gov addresses owned by government organizations guarding national security information and other vital data.

Deccio believes DNSSEC is of little use if network administrators don’t know how to configure or use it.

He describes DNSViz as a “tool for visualizing the status of a DNS zone.” It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, made available via a Web browser to any Internet user (http://dnsviz.net/). It visually highlights and describes configuration errors detected by the tool to assist administrators in identifying and fixing DNSSEC-related configuration problems. Click here to see a short video of Deccio discussing the DNSViz tool.

DNSViz brings together all the components that work together for DNSSEC to function properly into a single graphical representation. The resulting visualization is a collection of configuration data and relationships that are otherwise difficult to assemble, assess and understand.

To help network administrators in their DNSSEC deployment, Sandia’s DNSViz tool functions in two primary ways: It actively analyzes a domain name by performing pertinent DNS lookups, and it makes the analysis available via the Web interface. The active analysis occurs periodically to build a history of DNSSEC deployment over time and provide a historical reference for DNS administrators.

Deccio has the tool running in the background on Sandia/California’s servers, monitoring a list of some 100,000 DNS names. It performs an analysis a couple of times each day and offers a situational awareness of what the DNS configuration for each name looks like from top to bottom.

Though the functionality provided by DNSViz could go in a marketable software product sold by a for-profit company, Deccio said he envisions it as an open-source tool available to anyone who needs it. With further funding, he hopes to expand the tool so it can analyze DNS health and security on a continuous basis, essentially creating a full-blown monitoring system that is scalable, versatile and more informational.



Leave a Reply

You must be logged in to post a comment.