MoinQ:

Describe DNS/キャッシュサーバ/ghost/discussion here.

Quoted from the paper, for discussion.

Three proposed countermeasures

1. Strengthening the bailiwick rule – DNS resolver implementation should tighten the bailiwick rule so that a recursive resolver only accepts a zone’s delegation data from authoritative server of its parent zone.

2. Refining the credibility rule – Another possible solution is to refine credibility to disallow cache overwriting when received records have the same trust level as cached data.

3. Allowing updates with the exception of the TTL value – Since the ghost domain attack achieves the goal of preserving revoked domain by refreshing the delegation data with a new authoritative server name and thus a new TTL, one possible solution is to allow the cache update with exception of the TTL value.
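The three proposals above, modelled as cache-update policies. This is an added example, not code from the paper or from any resolver; the policy names, the single trust rank, the zone name and the timings are assumptions of the model. It measures how long a delegation stays cached when child-side NS refreshes keep arriving after the parent has stopped serving the delegation.

```python
from dataclasses import dataclass

ZONE = "ghost.example."  # constructed zone name for this model

@dataclass
class NSEntry:
    names: frozenset   # NS target names of the delegation
    expires: int       # absolute expiry time in seconds
    trust: int         # credibility rank, higher is more trusted

def update(cache, zone, names, ttl, trust, from_parent, now, policy):
    """Offer one NS RRset to the cache; return True if the cache changed."""
    if policy == "strict_bailiwick" and not from_parent:
        return False                      # proposal 1: parent-side data only
    cur = cache.get(zone)
    if cur is not None and cur.expires <= now:
        cur = None                        # expired entries never block a refill
    new = NSEntry(frozenset(names), now + ttl, trust)
    if cur is not None:
        if trust < cur.trust:
            return False                  # ordinary credibility rule
        if policy == "no_equal_overwrite" and trust == cur.trust:
            return False                  # proposal 2: equal trust cannot overwrite
        if policy == "keep_ttl":
            new.expires = cur.expires     # proposal 3: new names, old expiry
    cache[zone] = new
    return True

def delegation_lifetime(policy, ttl=3600, refresh_every=1800, horizon=20000):
    """Return (expiry time, NS names) after repeated child-side NS refreshes."""
    cache = {}
    update(cache, ZONE, {"ns1.example."}, ttl, 1, True, 0, policy)  # parent referral
    t, n = refresh_every, 1
    while t < horizon and cache[ZONE].expires > t:
        n += 1  # each refresh renames the server, as in the quoted description
        update(cache, ZONE, {f"ns{n}.example."}, ttl, 1, False, t, policy)
        t += refresh_every
    entry = cache[ZONE]
    return entry.expires, sorted(entry.names)

if __name__ == "__main__":
    for p in ("legacy", "strict_bailiwick", "no_equal_overwrite", "keep_ttl"):
        print(p, delegation_lifetime(p))
```

Only the `legacy` policy lets the entry outlive the original TTL; `keep_ttl` accepts the renamed server but still expires at the original time.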

1. The DNS server migration problem

Another issue is about authoritative server migration. Allowing cached NS records to be overwritten can speed up legitimate migration of an authoritative server. However, with the strict bailiwick rule and current DNS protocol, resolvers will not be aware of the migration until cached delegation data expires. What’s even worse, DNS administrators tend to give large TTL values to delegation data.


Three implementations that were not vulnerable:

are immune to the ghost domain attack.

2. Reasons

The immunity of the latest version of Microsoft DNS derives from a new feature called DNS cache locking [12], but we cannot know the details of this feature because of its proprietary implementation.

We reviewed the other two implementations and it turns out that each of them implemented one of the above proposed solutions.

Since there is no prior public disclosure of the ghost domain behavior, we do not know whether these two versions of DNS implementation intentionally address the ghost domain name problems or not.

Nevertheless, we summarize our findings on these implementations as follows:

MaraDNS has already applied the first solution listed in the above section. It only accepts a zone’s delegation data from its parent zone.

The Unbound DNS server adopts the 3rd solution that allows overwriting of delegated data but keeps its old TTL value in the cache.

3. DNS Cache Inconsistency

To some extent, the ghost domain problem is a form of DNS cache inconsistency. As DNS only supports a weak cache consistency by using TTL to limit the lifetime of cached copies, authoritative servers cannot propagate data changes to resolvers in a timely way, failing completely in the ghost domain case. Previous DNS studies have proposed a few approaches to address this problem. DNScup [8] proactively pushes data changes from authoritative server to cache resolvers. Osterwail et al. proposed Zone State Revocation [25], which embedded DNSKEY revocation in DNS response to notify resolvers. Such cache consistency mechanisms could potentially avoid the ghost domain problem. However, considering the critical role of DNS, such a change needs to be

4. Conclusions and recommendations

We recommend that the DNS community apply a strict bailiwick rule to fix this vulnerability. Several DNS implementations have adopted various defense mechanisms, but many popular implementations are still vulnerable. Our ongoing work includes implementing patches for open source DNS implementations and addressing possible performance and management issues related to the implementation of a strict DNS cache update policy.