Monday, May 16, 2016

Dynamic Domain Name System and Transaction Signature

When we want to visit a website, we simply type the URL of the website in the address bar of the browser and the webpage loads. We do not need to memorize the IP address of the website. When we type a URL, our computer makes a DNS query with the URL to the DNS Server and the corresponding DNS Server responds with a DNS record containing the proper IP address. And, using this IP address our browser opens the website in the browser.

Dynamic DNS is a method to update these DNS records in a Domain Name System automatically without manual intervention. And, Transaction Signature or TSIG is a protocol which is used to secure Dynamic DNS updates.

Why Dynamic DNS ?

In the initial stages of the internet (ARPANET), addressing of hosts in the network used to be done using static address translation tables maintained manually in the form of host file in a computer. This host file used to map hostnames with IP addresses. But later, it became inconvenient and Domain Name System was developed.

Domain Name System started distributing the same address information automatically using recursive queries to remote distributive databases configured for each network or domain.

At that time, IP addresses used to be statically assigned to hosts and would rarely change. So, this method was sufficient. But later, rapid growth of the internet made this mechanism highly inefficient.

To reduce the burden of network administrators or of manually configuring the IP addresses of hosts, Dynamic Host Configuration Protocol or DHCP was introduced. In this protocol, hosts contact the DHCP Servers when they boot up and get IP addresses dynamically assigned to them.

As hosts can have IP addresses dynamically assigned to them now, DNS records in DNS Servers needed automatic updates. And, Dynamic Domain Name System or DDNS was developed for that purpose.

Using DDNS, host computers dynamically notify their respective DNS Servers of the IP addresses they received from the DHCP Servers or through self-configuration.

But, these DDNS updates need to be secured from attackers. And, to safeguard them Transaction Signature or TSIG is used. TSIG is a protocol which authenticates DDNS updates coming from an approved DNS Client or from an approved recursive name server.

How does Transaction Signature Work ?

TSIG uses shared secret keys to establish a trust relationship between two entities in a DNS communication. It uses a new record type called TSIG RR which is dynamically computed to cover a particular DNS transaction.

A TSIG RR is related to one DNS request/response and thus, it is discarded once it has been used to authenticate a DNS message. It contains name of the hosts amd the secret key shared between them along with other information.

When a DNS communication is done between a DNS Client and a DNS Server, it typically follows the steps below :

  • When a DNS Client wants to send a DNS request to a DNS Server, it computes the message digest of the request message and adds the digest in the TSIG record. It also keeps a copy of the message digest with it for its own reference.
  • The DNS Server receives the signed request from the DNS Client. It generates a response and signs the response using the same algorithm and the secret key shared between them. A DNS Server does not generate a signed response for an unsigned request.
  • The DNS Client receives the signed response from the DNS Server and extracts the TSIG. It calculates the keyed digest in the same way as the DNS Server and verifies it.

Security of TSIG

Transaction Signature makes DDNS updates more secure. As long as the shared secret key is not compromised, it provides strong authentication. To safeguard the secret keys, they should not be stored in an unencrypted form and should be changed periodically.

This article was meant to give some basic information on Dynamic DNS and Transaction Signature. Hope it helped.

No comments:

Post a Comment