Name Collisions in the Domain Name System

Burt Kaliski, Verisign

USTelecom Webinar

April 17, 2014

Verisign Public 2

Agenda

• Name Collision Problem

• Timeline

• Mitigating Name Collisions• Remediation: ICANN’s Guidance to IT Professionals

• Constraints: ICANN’s “Alternate Path” of SLD Blocking

• Notification: JAS Global Advisors’ “Controlled Interruption”

• Next Steps

Verisign Public 3

Installed System

… .SLD .TLDUp to

~1400 (or more!) new

gTLDs!

KeyTLD = top-level domain (e.g., “.com”, “.de”, “.net”)

New gTLD = new generic TLDSLD = second-level domain (e.g., “example” in “example.com”)

NXDOMAIN = “non-existent domain” error message

Global DNS

without TLD

Global DNS

without TLDNXDOMAIN

expected

Name Collision Problem for Domain Name System (DNS Queries)

Verisign Public 4

Installed System

Global DNS

with TLD

Global DNS

with TLD

… .SLD .TLD

Resource recordreceived

(if SLD delegated)

Internally Generated Query

collides with Externally Assigned Name

Up to ~1400 (or

more!) new

gTLDs!

Root Causes:• Best Practice: “.” not required at end of domain name

• “Private” TLDs (e.g., “.corp”), Shortened Internal Domain Names• Search List Processing

• Mobile Computing

Name Collision Problem for Domain Name System (DNS Queries)

Verisign Public 5

Installed System

Global DNS

with TLD

Global DNS

with TLD

… .SLD .TLD

Resource recordreceived

(if SLD delegated)

Internally Generated Query

collides with Externally Assigned Name

Up to ~1400 (or

more!) new

gTLDs!

Potential Risks• Installed System Breaks

• Internal Information Leaks (beyond root)• Cyberattacks Exploit Collision

Name Collision Problem for Domain Name System (DNS Queries)

Verisign Public 6

Mitigating Name Collisions

Installed System

Global DNS

with TLD

Global DNS

with TLD

… .SLD .TLD

Resource recordreceived

(if SLD delegated)

(1) Remediate Installed System

(4) Hybrid Approach(2) Constrain Global DNS

(3) “Notify” System Operators

Internally Generated Query

collides with Externally Assigned Name

Up to ~1400 (or

more!) new

gTLDs!

Verisign Public 7

Timeline• Nov. 2010: ICANN’s Security and Stability Advisory Committee (SSAC)

warns of potential name collision risks

• June 2011: ICANN launches New gTLD Program

• Mar. 2013: Verisign Labs publishes first in series of research reports analyzing name collision risk

• Aug. 2013: ICANN publishes report on name collision risk

• Oct. 2013: ICANN defines name collision risk management strategy

• Oct. 2013: First new gTLDs delegated

• Dec. 2013: ICANN publishes guidance to IT professionals

• Feb. 2014: JAS Global Advisors publishes Phase One Report on name collision risk management under contract to ICANN

• Mar. 2014: Verisign Labs holds name collisions research workshop, namecollisions.net

• Apr. 2014: Comments due on Phase One Report

• Jun. 2014: Phase Two Report expected

Verisign Public 8

Mitigating Name Collisions

Installed System

Global DNS

with TLD

Global DNS

with TLD

… .SLD .TLD

Resource recordreceived

(if SLD delegated)

(4) Hybrid Approach(2) Constrain Global DNS

(3) “Notify” System Operators

Internally Generated Query

collides with Externally Assigned Name

Up to ~1400 (or

more!) new

gTLDs!

(1) Remediate Installed System

Verisign Public 9

Remediation: ICANN’s Guidance to IT Professionals

Change Installed System to Avoid Potential Name Collisions

Basic steps

• Replace private TLDs, shortened internal domain names with fully qualified global domain names

• Turn off search lists at shared DNS resolvers

• Update application, device configurations

• Train users and administrators

• Revoke certificates with private TLDs

• Monitor, monitor, monitor …

Reference: Guide to Name Collision Identification and Mitigation for IT Professionals. ICANN, December 5, 2013.

Verisign Public 10

A Good Remediation: .CBA Case Study

Verisign Public 11

Mitigating Name Collisions

Installed System

Global DNS

with TLD

Global DNS

with TLD

… .SLD .TLD

Resource recordreceived

(if SLD delegated)

(4) Hybrid Approach

(3) “Notify” System Operators

Internally Generated Query

collides with Externally Assigned Name

Up to ~1400 (or

more!) new

gTLDs!

(2) Constrain Global DNS

(1) Remediate Installed System

Verisign Public 12

Constraints: ICANN’s “Alternate Path” of SLD Blocking

Restrict SLD Registrations to Avoid Potential Name Collisions

Basic steps

• Don’t delegate “.corp”, “.home” for now

• Block from registration any SLD that received queries in certain “Day-in-the-Life” annual data sets

• Assume some imply at-risk queries from installed systems

• All but 25 applied-for new gTLDs eligible

• This is until full name collision management framework is completed

Reference: NGPC Resolution for Addressing the Consequences of Name Collisions. ICANN, October 8, 2013.

Verisign Public 13

Challenging Constraints: SLD Variability

• How to block a moving target?

• 25 applied-for new gTLDs declared ineligible for SLD blocking by ICANN due to high variability

Verisign Public 14

How Much Does Blocking Help?

Potentially at-risk queries

observed for a newly

delegated gTLD,

without and with

required SLD blocking

Verisign Public 15

Mitigating Name Collisions

Installed System

Global DNS

with TLD

Global DNS

with TLD

… .SLD .TLD

Resource recordreceived

(if SLD delegated)

(4) Hybrid Approach

Internally Generated Query

collides with Externally Assigned Name

Up to ~1400 (or

more!) new

gTLDs!

(1) Remediate Installed System

(3) “Notify” System Operators

(2) Constrain Global DNS

Verisign Public 16

Notification: JAS Global Advisors’ “Controlled Interruption”

Flag Impending Change in Global DNS to Users, System Administrators to Prompt Remediation

Basic steps

• Don’t delegate “.corp”, “.home”, “.mail” for now

• Return a special IP address (e.g., 127.0.53.53) for a period of time before regular delegations begin

• “Blocked” SLDs only for new gTLDs on “alternate path”

• Every SLD for other new gTLDs (“wildcard” record)

• Idea: At-risk queries will fail safely to internal IP address; applications may break, but users, system administrators will notice “interruption”

Reference: Mitigating the Risk of DNS Namespace Collisions: Phase One Report JAS Global Advisors, February 24, 2014.

Verisign Public 17

Verisign Comments on Controlled InterruptionIssue Recommendation

1. Name collision framework not yet provided

Wait until Phase Two Report available and publicly reviewed before implementing

2. Controlled Interruption untested, may not be effective

e.g., non-blocked SLDs for “alternate path” gTLDs; WPAD and related protocols

Verify that these cases are covered, based on analysis in full name collision framework

3. Controlled interruption may break systems not at riske.g., if SLD is in use internally, but

won’t be registered

If SLD won’t be registered, give gTLD operator option not to interrupt it

4. Risk management requires feedback

Collect traffic during interruption period for analysis by research community to assess, improve effectiveness

Reference: Verisign preliminary comments on "Mitigating the Risk of DNS Namespace Collisions" Phase One Report. comments-name-collision-26feb14 discussion thread, March 31, 2014.

Verisign Public 18

Mitigating Name Collisions

Installed System

Global DNS

with TLD

Global DNS

with TLD

… .SLD .TLD

Resource recordreceived

(if SLD delegated)

Internally Generated Query

collides with Externally Assigned Name

(3) “Notify” System Operators

(1) Remediate Installed System

(4) Hybrid Approach(2) Constrain Global DNS

Up to ~1400 more

choices!

Verisign Public 19

Next Steps

• Phase One Report comment period open through April 21, 2014

• Phase Two Report expected in June – completes name collision management framework

• ICANN to expand outreach to users, system administrators

• Research community analyzing mitigation techniques, proposing long-term improvements

Verisign Public 20

For Further Reading

• SAC045: Invalid Top Level Domain Queries at the Root Level of the Domain Name System. ICANN Security and Stability Advisory Committee, November 15, 2010.

• SAC057: SSAC Advisory on Internal Name Certificates. ICANN Security and Stability Advisory Committee, March 15, 2013.

• New gTLD Security and Stability Considerations. Verisign Labs Technical Report #1130007. Version 2.2, March 28, 2013.

• Danny McPherson. Part 1 of 5; Introduction: New gTLD Security and Stability Considerations. Between the Dots, May 9, 2013.

Verisign Public 21

For Further Reading

• Name Collision in the DNS. Interisle Consulting Group. Version 1.5, August 2, 2013.

• New gTLD Collision Risk Mitigation. ICANN, August 5, 2013.

• New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis. Verisign Labs Technical Report #1130008. Version 1.1, August 27, 2013.

• Patrick S. Kane, Thomas C. Indelicarto, and Danny McPherson. Letter to ICANN Board of Directors re: ICANN’s Proposal to Mitigate Name Collision Risks – .CBA Case Study. September 15, 2013.

• New gTLD Collision Occurrence Management. ICANN, October 4, 2013.

Verisign Public 22

For Further Reading

• NGPC Resolution for Addressing the Consequences of Name Collisions. ICANN, October 8, 2013.

• Burt Kaliski. Part 2 of 4 – DITL Data Isn’t Statistically Valid for This Purpose. Between the Dots, November 8, 2013.

• Burt Kaliski. Part 3 of 4 – Name Collision Mitigation Requires Qualitative Analysis. Between the Dots, November 13, 2013.

• Guide to Name Collision Identification and Mitigation for IT Professionals. ICANN, December 5, 2013.

• Mitigating the Risk of DNS Namespace Collisions: Phase One Report. JAS Global Advisors, February 24, 2014.

Verisign Public 23

For Further Reading

• Burt Kaliski. Uncontrolled Interruption? Dozens of “Blocked” Domains in New gTLDs Actually Delegated. Between the Dots, February 26, 2014.

• Jeff Schmidt. Mitigating the Risk of DNS Name Space Collisions. Presented at Workshop and Prize on Root Causes and Mitigation of Name Collisions (WPNC ’14), London, United Kingdom, March 8-10, 2014.

• Andrew Simpson. Detecting Search Lists in Authoritative DNS. Presented at Workshop and Prize on Root Causes and Mitigation of Name Collisions (WPNC ’14), London, United Kingdom, March 8-10, 2014.

Verisign Public 24

For Further Reading

• Matthew Thomas, Yannis Labrou, and Andrew Simpson. The Effectiveness of Block Lists to Prevent Collisions. Presented at Workshop and Prize on Root Causes and Mitigation of Name Collisions (WPNC ’14), London, United Kingdom, March 8-10, 2014.

• Verisign preliminary comments on "Mitigating the Risk of DNS Namespace Collisions" Phase One Report. comments-name-collision-26feb14 discussion thread, March 31, 2014.

© 2014 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.