The Domain Name and Addressing System (Domain Name System) (DNS) is a distributed set of databases residing in computers around the world that is used to translate alphanumeric domain names into the equivalent numeric Internet Protocol (IP) address used by computers to find a website. It is a critical component of the Internet infrastructure and is used by almost every Internet protocol-based application to associate human-readable computer host names with the numerical IP addresses required to deliver information on the Internet.
The DNS infrastructure is made up of computing and communication entities that are geographically distributed throughout the world. There are more than 250 top-level domains, such as .gov and .com, and several million second-level domains, such as nist.gov and ietf.org. Accordingly, there are many name servers in the DNS infrastructure, each of which contain information about a small portion of the domain name space. The DNS infrastructure functions through collaboration among the various entities involved. The domain name data provided by DNS is intended to be available to any computer located anywhere on the Internet.
In the early days of computer networks, the address system used to permit one computer to communicate with another was cumbersome. Each computer had to have a unique 32-digit number called an Internet Protocol (IP) address, so that it could transmit information to, and receive information from, other computers on the network. To make these numerical, computer-readable addresses, more user-friendly, human-readable names, which typically consist of fewer numerical and/or other characters, were adopted.
Before the development of the Domain Name System, all of these address pairs — both the 32-digit numbers and the more user-friendly names associated with the number — were placed in a master "host file," which was maintained by the Stanford Research Institute pursuant to a contract with the Department of Defense. Each computer on the network had to have a copy of the host file in order to communicate with the other computers on the network. Thus, every time a new computer was added to the network, the host file had to be revised to include the new computer, and all of the computers on the network had to download the entire revised host file. As the network grew and more computers were added, its operation was increasingly affected by errors and slow machine speeds caused by the continual need to download the host file.
Working under funding provided by the Department of Defense, a group led by Drs. Paul Mockapetris and Jon Postel creates the domain name system (DNS) for locating networked computers by name instead of by number. The DNS was introduced by the Internet Engineering Task Force, Network Working Group (NWG) in 1983. Two years later, <symbolics.com> became the first second-level domain. This granting of ownership over a new second-level domain marks the beginning of the modern internet.
|“||Although its implementation is complex, the concept behind [the DNS] is simple. The name space was divided into a hierarchy. The responsibility for assigning unique names, and for maintaining databases capable of mapping the names to specific IP addresses, was distributed down the levels of the hierarchy. The DNS is just a database — a protocol for storing and retrieving information that has been formatted in a specific way.||”|
Following a 1997 presidential directive, the Department of Commerce began a process for transitioning the technical responsibility for the domain name system to the private sector. After requesting and reviewing public comments on how to implement this goal, in June 1998 the Department issued a general statement of policy, known as the “White Paper.” In this document, the Department stated that because the Internet was rapidly becoming an international medium for commerce, education, and communication, the traditional means of managing its technical functions needed to evolve as well. Moreover, the White Paper stated the U.S. government was committed to a transition that would allow the private sector to take leadership for the management of the domain name system.
Accordingly the Department stated that the U.S. government was prepared to enter into an agreement to transition the Internet’s name and number process to a new not-for-profit organization. At the same time, the White Paper said that it would be irresponsible for the U.S. government to withdraw from its existing management role without taking steps to ensure the stability of the Internet during the transition. According to Department officials, the Department sees its role as the responsible steward of the transition process.
A 1998 Memorandum of Understanding (MOU) between ICANN and the Department of Commerce (DOC) initiated a process intended to transition technical DNS coordination and management functions to a private sector not-for-profit entity. While the DOC currently plays no role in the internal governance or day-to-day operations of the DNS, ICANN remains accountable to the U.S. government through a Joint Project Agreement (JPA) with the DOC.
On September 17, 2003, ICANN and the Department of Commerce agreed to extend their MOU until September 30, 2006. The MOU specified transition tasks which ICANN agreed to address. On June 30, 2005, Michael Gallagher, then-Assistant Secretary of Commerce for Communications and Information and Administrator of NTIA, stated the U.S. government’s principles on the Internet’s domain name system. Specifically, NTIA stated that the U.S. government intends to preserve the security and stability of the DNS, that the United States would continue to authorize changes or modifications to the root zone, that governments have legitimate interests in the management of their country-code top-level domains, that ICANN was the appropriate technical manager of the DNS, and that dialogue related to Internet governance should continue in relevant multiple fora.
On September 29, 2006, DOC announced a new Joint Project Agreement (JPA) with ICANN which continues the transition to the private sector of the coordination of technical functions relating to management of the DNS. The JPA extended through September 30, 2009, and focused on institutionalizing transparency and accountability mechanisms within ICANN.
How the DNS works
The DNS is a hierarchical and globally distributed system in which distinct servers throughout the world maintain the detailed information for their local domains and pointers for how to navigate the hierarchy to retrieve information from other domains. The system works like an automated telephone directory, allowing users to reach websites using easy-to-understand domain names like www.senate.gov, instead of the string of numbers that computers use when communicating with each other.
|“||Since it would be impractical to store all of the names in the DNS in a single database, it is divided into zones that are stored on different servers, but logically linked together into an immense interoperable distributed database.||”|
Each domain name server stores a limited set of names and numbers. They are linked by a series of 13 root servers, which coordinate the data and allow users to find the server that identifies the site they want to reach. Domain name servers are organized into a hierarchy that parallels the organization of the domain names. For example, when someone wants to reach the website at www.senate.gov, his or her computer will ask one of the root servers for help. The root server will direct the query to a server that knows the location of names ending in the .gov top-level domain. If the address includes a sub-domain, the second server refers the query to a third server — in this case, one that knows the address for all names ending in senate.gov. This server will then respond to the request with an numerical address, which the original requester uses to establish a direct connection with the www.senate.gov site. Figure 3 illustrates this example.
The DNS was not originally designed with strong security mechanisms to ensure the integrity and authenticity of the DNS data. Over the years, a number of vulnerabilities have been identified in the DNS protocol that threaten the accuracy and integrity of the DNS data and undermine the trustworthiness of the system. Technological advances in computing power and network transmission speeds have made it possible to exploit these vulnerabilities more rapidly and effectively.
Because DNS data is meant to be public, preserving the confidentiality of DNS data pertaining to publicly accessible IT resources is not a concern. The primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and maintain the integrity of domain name information in transit. Availability of DNS services and data is also very important; DNS components are often subjected to denial-of-service attacks intended to disrupt access to the resources whose domain names are handled by the attacked DNS components.
DNS is susceptible to the same types of vulnerabilities (platform-, software-, and network-level) as any other distributed computing system. However, because it is an infrastructure system for the global Internet, it has the following special characteristics not found in many distributed computing systems:
- No well-defined system boundaries — participating entities are not subject to geographic or topologic confinement rules
- No need for data confidentiality — the data should be accessible to any entity regardless of the entity’s location or affiliation.
Because of these characteristics, conventional network-level attacks such as masquerading and message tampering, as well as violations of the integrity of the hosted and disseminated data, have a completely different set of functional impacts, as follows:
- A masquerader that spoofs the identity of a DNS node can deny access to services for the set of Internet resources for which the node provides information (i.e., domains served by the node). This denial is not only for a limited set of clients but for the entire universe of all clients needing access to those resources.
- Bogus DNS information provided by a masquerader or intruder can poison the information cache of the DNS node providing that subset of DNS information (i.e., the name server providing Internet access service to the enterprise’s users), resulting in a denial of service to the resources serviced by it.
- Violation of the integrity of DNS information resident on its authoritative source or the information cache of an intermediary that has accumulated information from several historical queries may break the chained information retrieval process of DNS. This could result in either a denial of service for DNS name resolution function or misdirection of users to a harmful set of illegitimate resources.
- If the name resolution data hosted by the DNS system violates content requirements as defined in DNS standards, it could have adverse impacts such as increased workload on the DNS system, or serving obsolete data that could result in denial of service to Internet resources. In most software, program data independence (as in conventional Database Management Systems (DBMS)) provides a degree of buffer against adverse impacts due to erroneous data. In the case of DNS, the data content determines the integrity of the entire system.
The future of DNS governance
The U.S. government has no statutory authority over the DNS. The DNS is managed and operated by a not-for-profit public benefit corporation called the Internet Corporation for Assigned Names and Numbers (ICANN). Because the Internet evolved from a network infrastructure created by the Department of Defense, the U.S. government originally owned and operated (primarily through private contractors) the key components of network architecture that enable the domain name system to function. A 1998 Memorandum of Understanding (MOU) between ICANN and the Department of Commerce (DOC) initiated a process intended to transition technical DNS coordination and management functions to a private sector, not-for-profit entity. Additionally, a contract between DOC and ICANN authorizes ICANN to perform various technical functions such as allocating IP address blocks, editing the root zone file, and coordinating the assignment of unique protocol numbers. By virtue of this contract and two other legal agreements, DOC exerts a legacy authority and stewardship over ICANN, and arguably has more influence over ICANN and the DNS than other national governments.
On March 14, 2014, the DOC's National Telecommunications and Information Administration (NTIA) announced its intention to transition its stewardship role and procedural authority over key domain name functions to the global Internet multistakeholder community. If a satisfactory transition and Internet governance mechanism can be achieved, NTIA will let its contract with ICANN expire on September 30, 2015. NTIA has stated that it will not accept any transition proposal that would replace the NTIA role with a government-led or an intergovernmental organization solution.
H.R. 4342 (the DOTCOM Act) was introduced on March 27, 2014, to prohibit the NTIA from relinquishing responsibility over the Internet domain name system until the GAO submits a report to Congress examining the ramifications of the proposed transfer.
"The DNS system is exposed to threats that aim to bring down a central feature which allows convenient web browsing for non-technical users and enables flexible addressing for automated systems. Without the resolution of domain names into IP addresses the Internet is inaccessible for the general public. Attacks attempt to alter DNS records to redirect traffic, interrupt operation, or introduce censorship. The latest trends show a decrease for this sort of threat. However, this does not diminish its importance."
- David Lindsay, International Domain Name Law: ICANN and the UDRP §1.4 (2007).
- RFC 882.
- Milton L. Mueller, Ruling the Root: Internet Governance and the Taming of Cyberspace 41 (2002).
- See NTIA, U.S. Principles on the Internet's Domain Name and Addressing System (June 30, 2005) (full-text).
- Best Practices to Address Online and Mobile Threats, at 3.
- This example assumes that the required domain name information is not available on the user’s local network.
- See National Research Council, The National Academies, Signposts in Cyberspace: The Domain Name System and Internet Navigation 154 (2005) (full-text); Department of Homeland Security, National Security Division & National Institute of Standards and Technology, National Vulnerability Database, Vulnerability Summary for CVE-2008-1447 (Released July 08, 2008) (full-text) (This site provides a list of most recent advisories regarding DNS vulnerabilities including DNS spoofing, cache poisoning, etc., and includes links to tools and solutions).
- Threat Landscape and Good Practice Guide for Internet Infrastructure, at 12.
- DNSSEC Protocol
- Domain name administration
- Domain name registration
- Internet Domain Names: Background and Policy Issues
- RFC 1034 (full-text)
- RFC 1035(full-text)
- "The future of DNS governance" section: Internet Domain Names: Background and Policy Issues, Summary.