Affiliations: Department of Computer Science and the Center for Image Analysis, George Mason University, Fairfax, VA, USA E-mail: {huangyih, darsenau,asood}@cs.gmu.edu.
Abstract: Domain Name Systems (DNS) provide the mapping between easily remembered host names and their IP addresses. While domain name information is typically created and updated off-line, dynamic DNS updates allow clients to manage domain names online, in real time. The current secure DNS standards (DNSSEC) require private keys to be kept online to sign dynamic updates, leaving private keys subject to network-based attacks. In this work, we develop a secure implementation framework of DNS servers that voids the above requirement. Our approach, called Self-Cleansing Intrusion Tolerance (SCIT), strengthens DNSSEC through hardware redundancy. Our system uses a highly integrated cluster of DNS servers that constantly rotates the role of individual servers, handles one-server failures gracefully, confines the damages of successful intrusion to a limited time, and digitally signs dynamic updates by a clean server using the DNS zone key while keeping the key offline at all times. It is our belief that the availability and integrity of critical communications infrastructure, such as DNS, far outweigh the costs of hardware redundancy. In this paper, we present (1) the architecture of SCIT DNS clusters that achieves the above goals, (2) a secure Cluster Coordination Protocol (CCP) that servers in the cluster use to coordinate role changes without ever opening a port, and (3) the designs of our ongoing SCIT DNS cluster prototype. Preliminary experiences of our prototype show that role rotation and self-cleansing cycles are in the range of minutes, restricting the damages of even undetected but successful attacks to short time windows.
Keywords: Computer security, fault-tolerance, information assurance, intrusion containment, self-cleansing systems
