Thursday, August 7, 2008

DNS - The Basics Explained

I realized today why consumers sometimes get so fed up with news involving Internet security alerts: it's because sometimes the basics and the acronyms are not explained, which makes the rest of the news story hard to follow.

Take, for example, "DNS", as in the recently-announced "DNS flaw" - currently the subject of much news and speculation.

What, exactly, does a Domain Name Server do?

Let's start by explaining the concept of a "domain" on the Internet. The modern word "domain" originates from the Latin word "dominion". It's most commonly used by people to refer to their house, corner office, or area of expertise.

If you live in a block of condos, your domain is the condo in which you live. If you live in a house in the suburbs, your domain is your house. Your "domain" is simply your part of a much larger area - i.e. your condo, vs. the entire development.

Likewise, in Internet terms, a "domain" is simply a sub-section of the Internet.

The largest "top level" domains (i.e. the suburbs) use ".com", ".net", ".org", ".gov", ".edu" and similar suffixes to identify the type of top-level domain (.gov = government).

The next level down (i.e. your condo development) is usually the name of a company, organization, or government agency that is part of the top-level domain.

For example, the domain name "authentium.com" refers to the ".com" top level domain, then to the part of the Internet that is under Authentium's control. "Google.com" refers to the ".com" top level domain, then to the piece under Google's control.

Put another way, when you type the domain name "google.com" into your address bar, you are saying, "I want to 1) go to the commercial section of the Internet, then 2) go explore the domain of the company Google."

"Finance.google.com" refers to a sub-domain of Google relating to finance. The smallest domain is on the left: The finance sub-domain is smaller than the Google domain. The Google domain is smaller than the ".com" top-level domain.

Now you're probably reading this, thinking "I thought I heard today that there was a problem with Domain Name Servers. How could there be a problem? I just type in a web site address, and so long as I spell the domain name correctly, I connect, right?"

Unfortunately, the answer is no.

The definition I just gave you is how we humans look at domain names. Computers - more specifically, the web servers that host the web pages of Authentium and Google - use a different form of domain name: a set of numbers called an Internet Protocol address, or IP address.

Human-version domain name: "google.com"
Computer-version domain name: "72.14.207.99"

Which is where the Domain Name Server (DNS) comes in.

DNS servers, or Domain Name Servers, are simply translation devices. What they do is take your request for "google.com" and turn it from "google.com" into the IP address 72.14.207.99, so that your request can be understood by the computers that form the Internet and sent to Google's domain for processing.

As you can imagine, translating the names of all the web sites we type in every day into numbers is a massive task - and that is what the ten million or so DNS servers do every day.

To make things faster, the servers store (cache) these translations for a while instead of looking them up again every time. It is not uncommon for even small-sized Domain Name Servers, like the kind you might have sitting in a rack at your office, to hold thousands or even millions of these "translations" in storage.

The problem with this approach is that hackers can make a ton of money by successfully changing the "translations". Typically, in a DNS hack, the hacker just takes your request for mybank.com, changes the IP address, and re-routes you to a look-alike site, so he can steal your username and password.
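The three ideas above - translating a name into an address, caching that translation, and refusing to let anyone but the real answer change the cache - can be modelled in a few dozen lines. The following is an added Python example written for this post; it is not code from the original article, from Authentium or from any DNS server. The records in `UPSTREAM_RECORDS`, the `CachingResolver` class and the RFC 5737 documentation addresses are all constructed for illustration. The transaction-ID check in `accept_answer` is the standard check every resolver performs before it trusts an answer (real resolvers additionally randomise the UDP source port, which is what the patches mentioned below add), and it is the defender's side of the story: an answer that does not match a question the resolver actually asked never reaches the cache.

```python
"""Toy model of DNS name-to-address translation, caching and answer validation."""
import secrets
import time

# Constructed sample data, not real DNS records: the address the post uses for
# google.com, plus a hypothetical bank on an RFC 5737 documentation address.
UPSTREAM_RECORDS = {
    "google.com": ("72.14.207.99", 300),         # (address, time-to-live in seconds)
    "finance.google.com": ("72.14.207.99", 300),
    "mybank.com": ("192.0.2.10", 60),
}


def hierarchy(name):
    """Split a name into its domains from largest to smallest, as the post
    describes: 'finance.google.com' -> ['com', 'google.com', 'finance.google.com']."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


class CachingResolver:
    """A minimal 'translation device': looks names up, caches the answers,
    and only accepts answers to questions it really asked."""

    def __init__(self, records, clock=time.time):
        self.records = records      # stands in for the rest of the DNS hierarchy
        self.cache = {}             # name -> (address, expiry timestamp)
        self.pending = {}           # transaction id -> name we asked about
        self.clock = clock          # injectable so tests can move time forward
        self.stats = {"hits": 0, "misses": 0, "rejected": 0}

    def lookup(self, name):
        """Return (address, 'cache' | 'upstream') or (None, None) if unknown."""
        name = name.lower().rstrip(".")
        now = self.clock()
        entry = self.cache.get(name)
        if entry and entry[1] > now:          # still within its time-to-live
            self.stats["hits"] += 1
            return entry[0], "cache"
        self.stats["misses"] += 1
        query_id = self._send_query(name)
        # In this toy model the upstream server answers immediately and honestly.
        if name not in self.records:
            self.pending.pop(query_id, None)
            return None, None
        address, ttl = self.records[name]
        if self.accept_answer(query_id, name, address, ttl):
            return address, "upstream"
        return None, None

    def _send_query(self, name):
        # A 16-bit random transaction id, as real resolvers use; an answer is
        # only trusted if it quotes the id of a question we actually sent.
        query_id = secrets.randbelow(1 << 16)
        self.pending[query_id] = name
        return query_id

    def accept_answer(self, query_id, name, address, ttl):
        """Store a translation only if it answers an outstanding question.
        Anything else (wrong id, or a name we never asked about) is dropped
        and counted, so a defender can alert on a burst of rejections."""
        if self.pending.get(query_id) != name:
            self.stats["rejected"] += 1
            return False
        del self.pending[query_id]
        self.cache[name] = (address, self.clock() + ttl)
        return True


if __name__ == "__main__":
    resolver = CachingResolver(UPSTREAM_RECORDS)
    print(hierarchy("finance.google.com"))
    print(resolver.lookup("google.com"))   # first time: answered upstream
    print(resolver.lookup("google.com"))   # second time: served from cache
    # An answer nobody asked for changes nothing and is counted as rejected.
    print(resolver.accept_answer(12345, "mybank.com", "203.0.113.5", 60))
    print(resolver.stats)
```

Two things worth noticing when running it: the second `lookup` for the same name never leaves the resolver (that is the speed-up caching buys), and the unsolicited `accept_answer` call fails without touching the cache, leaving a `rejected` counter that a defender can watch. The weakness the post goes on to describe lives entirely in how hard that id check is to guess, which is why the fix is about randomness rather than about the cache itself.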

Now, the effort required to hack a DNS server is not trivial, and not likely to be successful with respect to large, well-organized organizations. But the recent announcement of a major flaw in the underlying DNS software has even seasoned pros working late into the night to get their fixes in place.

The good news is - since the announcement yesterday of the full extent of the "Kaminsky DNS flaw", a majority of the world's servers have been patched, including 70% of Fortune 500 companies.

The other good news is, our product SafeCentral provides a really nice set of protections that secure DNS requests and bypass the standard DNS infrastructure. If you're worried, give it a try. It also stops key-loggers and screen-scraping spyware.

Note: If I didn't do a good job explaining these basics, email me, and help me improve this post. The shorthand in here (yes, I know the Google domain includes multiple IP addresses, etc, etc) is by design - I just want to help folks understand the basics of DNS so they can get a handle on what this flaw means.

If you want to dig deep on DNS, head over to Kaminsky's blog at DoxPara Research.
