4.14 Protecting Your DNS Registration

[Danger level: 3]

This is an area of security that it never occurs to most SysAdmins to worry about. They simply register with the helpful folks at Network Solutions and never consider that their multimillion dollar company is riding on about 80 bytes of data that map their domain name to the IP addresses of their name servers. See "AOL's DNS Change Fiasco" on page 380 for the "really big" problem this caused AOL. Sometimes you will want to change this information, typically when changing ISPs or when changing which systems act as name servers. Certainly, remembering passwords is a bother, and you risk their being lost.

Network Solutions provides three ways to change this information electronically. The default way is to send e-mail from an account listed as that of the registrant or technical contact. As almost everyone knows by now, it is trivial to spoof these. This is what happened to AOL and can happen to the vast majority of domain owners who are set up for this method. The solution is to change your domain's authentication method by which you convince Network Solutions that you are you.

The two other methods are the use of a password or the use of a PGP key. In the password method you supply a, um, ah, password. Network Solutions calls this the CRYPT-PW method. Using this method, Network Solutions encrypts your supplied password and stores it similarly to how Linux stores the encrypted versions of users' passwords. To change information, you will need to supply the original password. Even if a cracker compromises Network Solutions (though I have not heard of this ever happening), the cracker cannot recover your password from the stored value.

A minor weakness in this scheme is that the encryption algorithm seems to pass the first two characters of the unencrypted password through without change. Thus, it is suggested that the first two characters not be those of an easily guessed word. This is a minor problem because the encrypted password is not public information. Use a good password, as discussed in "Avoiding Weak and Default Passwords" on page 42.
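The storage scheme described in the two paragraphs above can be modelled in a few lines. The following is an added example, not code from the book or from Network Solutions: the real CRYPT-PW algorithm is not given here, so a salted SHA-256 digest stands in for the one-way function, and the only properties modelled are the ones the text relies on. A sound variant uses a random two-character salt, so the stored value reveals nothing about the password; the weak variant reuses the first two characters of the password as the salt, which is exactly the "first two characters pass through" behaviour the text observes. The small word list in `acceptable_prefix` is a constructed placeholder for a real dictionary.

```python
import hashlib
import hmac
import secrets

# Stand-in for crypt(3)-style storage (assumption for this example): the registrar
# keeps a short salt and a one-way digest, never the cleartext password.
def hash_password(password: str, salt: str) -> str:
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return salt + "$" + digest


def store_random_salt(password: str) -> str:
    # Sound variant: a random 2-character salt, so the stored value carries no
    # information about the password itself.
    return hash_password(password, secrets.token_hex(1))


def store_password_prefix_salt(password: str) -> str:
    # Weak variant mirroring the text: the first two characters of the cleartext
    # password are used as the salt and therefore appear unchanged in the record.
    return hash_password(password, password[:2])


def verify(stored: str, attempt: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    salt, _, _ = stored.partition("$")
    return hmac.compare_digest(stored, hash_password(attempt, salt))


def leaked_prefix(stored: str, password: str) -> bool:
    # Audit check: does the stored value start with the password's first two chars?
    return stored[:2] == password[:2]


# Constructed word list standing in for a real dictionary.
COMMON_WORDS = ("password", "admin", "secret", "domain", "network")


def acceptable_prefix(password: str, words=COMMON_WORDS) -> bool:
    # Policy from the text: the first two characters must not be the start of an
    # easily guessed word, because they may be visible in the stored record.
    prefix = password[:2].lower()
    return not any(word.startswith(prefix) for word in words)


if __name__ == "__main__":
    pw = "pa55w0rd!x"  # constructed sample
    weak = store_password_prefix_salt(pw)
    print("weak record:", weak, "leaks prefix:", leaked_prefix(weak, pw))
    print("prefix acceptable:", acceptable_prefix(pw))
```

The point of the two storage variants side by side is that both verify correctly, so the leak is invisible to the legitimate user; it only shows up to whoever can read the stored record.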

The last method is the use of a PGP (Pretty Good Privacy) public key that you supply to Network Solutions. It has been reported that this method is too painful to use. If you decide to use their PGP method, you first need to register your public key with Network Solutions by sending e-mail to PGPREG@networksolutions.com with ADD as the subject. The body should contain your public key, normally stored on your system in pubkey.asc. They will accept keys generated with PGP Version 5.X, including keys generated via the "Diffie-Hellman algorithm."

They cannot work with PGP Version 6.X as this is being written, but that may have changed by the time you read this. When altering your data, you will need to sign your e-mail with your private key, of course. Regardless of the method used, please switch from the default "e-mail address authentication method" immediately. AOL wishes they had earlier. Point your browser at

www.networksolutions.com/makechanges/

Then enter your domain (the form shows www. in front of it) and click Submit. On the new form, click Beginner. (If you feel comfortable clicking Expert, you do not need to read further in this section.)

Select Authentication and click Next>>. On the next screen, you will need to put in the contact handle that you want to operate under. To avoid redundant information and updating effort, Network Solutions recognizes that a particular person may be responsible for multiple domains. Thus, in their database there are contact records containing a tag name typically derived from one's initials and a number for uniqueness. This record contains an e-mail address too. Fill in the obvious information through several more screens. Finally, the generated form will be e-mailed to the account specified.

You will need to receive this e-mail and follow the instructions for e-mailing it back to Network Solutions. If your From: address matches your account and you are lucky, the update will be made. I have tried several times to update mine and my ISP has tried too, without effect.

A number of domain names of large sites have been "hijacked" successfully through "social engineering" (deception not involving breaching computer security directly), such as the sending of a FAX requesting Network Solutions to make a change.


This leads into the next topic, protecting your DNS registration information if you are using a Registrar other than Network Solutions. Thankfully, there now are alternatives to dealing with Network Solutions. Each of these "Registrars" has its own policies and prices (though there has not yet been a price war). Each of these new domain name Registrars is free to set up whatever security policies it wants. Look for one that has adequate security using either password protection or other means. Ask each of them what operating systems they use.

Look at what they use to secure data between you and their Web server and between their Web server and their DNS servers. The one chosen for realworldlinuxsecurity.com uses Linux for its name servers, uses SSL for its customers to communicate with their Web server, has password protection, and makes it very easy to create new domains or make changes to existing ones. (Interested readers are encouraged to contact the author for the details; as a minor security point, its name is not being published.) Network Solutions does not encrypt form information en route, though this presents only a low probability of a cracker listening for that one transmission, among the million that will flow through your network, containing the unencrypted password.

Also, if you will be using the Registrar's name servers (if it even offers this valuable service), look for ones that geographically disperse their name servers, that put their name servers on different backbones, and, of course, that offer generators to provide backup power to them. If your site is in Canada you do not want customers to be unable to reach you because an ice storm in Virginia or a hurricane in Florida shut down your Registrar's only building with name servers. Note also that if your Registrar provides geographically dispersed name servers on secure systems, preferably running Linux, you are protected from some of the problems of weak security at your ISP. Some sites with strong security have been broken into or suffered successful DoS attacks due to the cracker taking over their domain or ISP instead of the sites directly. See "Your ISP" on page 156 for more on this.

Additionally, there is the danger of accidentally failing to pay the renewal bill, and someone else then registering the domain. This almost happened to an important domain that Microsoft had. A good Samaritan, who is a Linux consultant, paid the $70 renewal bill and got reimbursed by a very grateful Microsoft. How many people remember to update their e-mail and postal addresses in Network Solutions domain records when a new person takes over this function or the company moves?
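The checks this section recommends (switch away from e-mail-address authentication, keep name servers on more than one network, do not let the renewal lapse) can be run mechanically against a registration record. The following is an added example, not code from the book or from any registrar: the "Key: value" record layout and its field names (`Auth-Method`, `Expires`, `Nameserver`) are assumptions made for this example, and the sample record is constructed. Using a shared /24 as the proxy for "same network, same site" is a rough approximation of the text's advice about different backbones, not a substitute for knowing who actually operates each server.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample registration record. The layout and field names are
# assumptions for this example, not any registrar's real output.
SAMPLE_RECORD = """\
Domain: example.com
Auth-Method: MAIL-FROM
Tech-Contact: hostmaster@example.com
Expires: 2002-08-15
Nameserver: ns1.example-isp.net 192.0.2.10
Nameserver: ns2.example-isp.net 192.0.2.11
"""


def parse_record(text: str) -> dict:
    """Parse 'Key: value' lines; Nameserver lines become (host, address) pairs."""
    rec = {"Nameserver": []}
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Nameserver":
            host, _, addr = value.partition(" ")
            rec["Nameserver"].append((host, ipaddress.ip_address(addr.strip())))
        else:
            rec[key] = value
    return rec


def audit(rec: dict, today: date, renewal_warning_days: int = 60) -> list:
    """Return a list of findings, empty when the record passes every check."""
    findings = []

    # 1. Authentication method: the From: header is trivially forged.
    if rec.get("Auth-Method", "").upper() == "MAIL-FROM":
        findings.append("auth: MAIL-FROM relies on a forgeable From: header; "
                        "use CRYPT-PW or PGP instead")

    # 2. Renewal: warn well before the registration lapses.
    if "Expires" in rec:
        expires = date.fromisoformat(rec["Expires"])
        if expires <= today + timedelta(days=renewal_warning_days):
            findings.append(f"renewal: registration expires {expires.isoformat()}")

    # 3. Name server redundancy and network diversity (IPv4 /24 as a rough proxy).
    servers = rec["Nameserver"]
    if len(servers) < 2:
        findings.append("dns: fewer than two name servers")
    nets = {ipaddress.ip_network(f"{addr}/24", strict=False) for _, addr in servers}
    if len(servers) >= 2 and len(nets) < 2:
        findings.append("dns: all name servers sit in one /24 "
                        "(same network, probably the same building)")
    return findings


def audit_text(text: str, today_iso: str) -> list:
    """Convenience wrapper: parse and audit a record as of the given ISO date."""
    return audit(parse_record(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_RECORD, "2002-07-01"):
        print(finding)
```

Run against the constructed record as of 2002-07-01, all three checks fire: e-mail authentication is still in place, renewal is 45 days out, and both name servers share 192.0.2.0/24. A record with CRYPT-PW, a distant expiry and name servers on two different networks produces no findings.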


Real World Linux Security, Prentice Hall PTR Open Source Technology Series
Year: 2002
Pages: 260