Internet Systems Consortium
www.isc.org
 October 10, 2003

ISC OARC: A Public Service for the Global DNS



1. Overview and Background

This overview document describes the ISC OARC: An Operations, Analysis, and Research Center focused on the global Domain Name System. The OARC provides a neutral forum for bilateral sharing of sensitive information during DNS attacks by organizations that are dependent on the proper operation of the DNS. The OARC also provides a continued stream of analysis on the operation of the global DNS. The secretariat for this public service is Internet Systems Consortium (ISC), a non-profit corporation based in Redwood City, California. ISC's co-founding research partner for the OARC is the Cooperative Association for Internet Data Analysis (CAIDA), a leading Internet research institution based at the University of California San Diego.

1.1 About Internet Systems Consortium

Internet Systems Consortium is a public service, not-for-profit corporation that specializes in the Domain Name System. Some of the programs of ISC include:

  1. Operation of the F-root server for the DNS. The F Root is one of the busiest of the 13 root servers that form the core of the DNS.
  2. Production of BIND, an open source implementation of the DNS that is used in most of the high-volume DNS servers in operation around the world.
  3. Production of OpenReg, an open source implementation of registry software used by several Top Level Domains (TLDs).
  4. Substantial contribution to the Internet standardization efforts for the DNS in areas such as DNS Security (DNSSEC).
  5. Substantial contribution to research and analysis on operation of the DNS in conjunction with research partners such as CAIDA. In addition to cooperative research projects with groups such as CAIDA, ISC hosts the Internet Domain Survey, a comprehensive periodic survey of the size of the Domain Name System.

ISC has been in operation since 1993. The staff of ISC is well known throughout the Internet for their long-term operational experience and their leadership in international standards and research centered around the DNS. The infrastructure maintained by ISC includes some of the busiest DNS servers in the world and is based on many years of operational experience of running highly secure, highly reliable systems. ISC sponsors include many of the industry's leading computer and Internet companies. More information is available on the ISC web site at http://www.isc.org/.

1.2 About the Cooperative Association for Internet Data Analysis

CAIDA is one of the leading Internet research institutions, having made substantial contributions to our understanding of the operation of the DNS, multicasting, and routing. CAIDA was started with a substantial grant from the National Science Foundation, and has received continued support from the NSF, ARPA, and many leading Internet vendors such as Cisco Systems.

CAIDA is based in the San Diego Supercomputer Center at the University of California at San Diego. In addition to a substantial staff of researchers and students, CAIDA maintains research and data collection partnerships with large ISPs, academic networks, and other Internet research institutions.

CAIDA is noted for research on the real-world operation of the global Internet. For example, their research has shown the pattern of actual traffic to root servers (and demonstrated that over 90% of such traffic was unnecessary). CAIDA has also measured performance of root and gTLD name servers, misconfiguration of the DNS and the impact on global operations, and has also conducted numerous studies examining routing, multicast topologies, and global worm propagation.

1.3 Overview of the ISC OARC

Reliable operation of the Domain Name System is one of the key requirements for the continued operation of the Internet. Anytime a user opens a web page, sends email, or transfers a file, repeated queries to the DNS are required. If the DNS stops operating, the Internet stops operating. Today, there is no formal mechanism in place to keep the DNS operating during times of crisis.

The ISC OARC for DNS is a forum and platform for information sharing and analysis. The OARC provides a neutral mechanism for information sharing during times of crisis, such as an attack on the global DNS. But the OARC also provides a mechanism for long-term information sharing among members to better understand the operation of the global DNS and provide a more secure and reliable global infrastructure.

The ISC OARC has five core functions:

  1. Incident Reporting
  2. Analysis
  3. Testing
  4. Operations
  5. Outreach and Education

These five functions are described in the following sections of this white paper.




2. Incident Reporting

One of the prime, and certainly the most visible, functions of the OARC is incident reporting in times of crisis. The OARC provides two kinds of mechanisms for incident reporting:

  1. A filtered channel from the Internet Systems Consortium.
  2. Bilateral and multilateral information sharing among OARC members.

Internet Systems Consortium will coordinate a stream of information available to all members providing early warning and continued analysis of attacks or other malfunctions of the global DNS. The highly experienced staff of ISC, along with research partners at CAIDA and at other research and analysis institutions, will carefully analyze incoming data and provide their expert opinion about the situation and possible solutions. Great care will be taken to filter out any confidential information provided by members.

The OARC also provides a secure and reliable platform for information sharing among members. Members can choose to whom their information is made available to preserve the confidentiality of proprietary information and encourage the prompt and frank exchange of important information.

Information sharing by ISC and among members is provided on a highly reliable and secure infrastructure. This information sharing takes place on a highly secure web site as well as through the use of secure electronic mail using PGP. Because an attack on the DNS may make communication using domain names unreliable, ISC will maintain up-to-date mechanisms to ensure that electronic mail can be transmitted if the DNS is unusable. In addition, a voice/pager/fax infrastructure will be used to supplement Internet communications.




3. Analysis

Analysis of the functioning of the global DNS is important not only in times of crisis but to prevent future problems. The OARC will provide members with a steady stream of research and analysis about the operation of the DNS and how various incidents have affected that operation.

The analysis function will take two forms:

  1. Analysis by ISC, CAIDA, and other institutions distributed to OARC members.
  2. Facilities for OARC members to conduct their own analysis.

CAIDA is well known for research undertaken to characterize the large-scale behavior of the public Internet. Its DNS research is carried out in cooperation with the operators of critical servers such as the root and selected TLDs. Data has been gathered on many characteristics of Internet behavior that can affect users' ability to access network services, including the global impact on Internet traffic of events like the Slammer worm attack of January 2003 and detailed descriptions of behavior in widely deployed software that causes extra work for critical nameservers. CAIDA's participation in the OARC will allow this work to be continued and expanded.

ISC's analysis activities, in cooperation with root and TLD operators and other OARC members, will include the impact on critical infrastructure performance of different routing policies and firewalling and filtering practices. Top priorities include the ability to understand and react quickly to threats as they materialize.

In addition, the ISC OARC will maintain a 500 Gbyte server containing facilities for OARC members to upload log files and conduct their own analyses.




4. Testing

There is little information available from neutral parties on the security-relevant characteristics of DNS software. Vulnerabilities are occasionally discovered by public-minded programmers and users, but more commonly by malware authors, security consultants, and others who are not specialists in the DNS. As a result, some things that look like threats aren't, while some real threats go unnoticed.

The ISC OARC Testing Laboratory will include test platforms for all major DNS software. The laboratory will use test suites undertaken by ISC or contributed by members and will allow the OARC to show the impact of changes to software on the operation of DNS servers. This work will focus on testing to determine vulnerability to various forms of attack, both intentional and inadvertent. Particular attack modes of concern include subversion of DNS data and denial of service.




5. Operations

ISC, secretariat for the OARC, is also heavily involved in operations of public DNS services, including TLD hosting, a root server, and, of course, the BIND software used throughout the DNS.

Using off-the-shelf hardware, ISC will coordinate an effort to build a prototype of a more robust root name server node architecture for the rest of the community. A 200 Mbyte/sec disk system with 2 terabytes of storage and much stronger networking capability will form the core of this system.

The system will also include support for measurement instrumentation, including several Gbit/sec ports with the ability to transmit as well as write to disk at the same speed, and an online archive of 24 hours of logs. This instrumentation capability will prove particularly useful during attacks on the global DNS, allowing the OARC to reverse engineer attack tools and measure the strength of the attackers' random number generators.

The DNS is a complex system whose normal operating characteristics are not well understood. At any given time a great deal of the DNS traffic in the net is badly formed or unnecessary, due to buggy software or inefficient common practices in system configuration. Furthermore, attacks of other kinds on the net can have side effects that also need to be examined as potential threats. For example, the SQL Slammer Worm in January 2003 by itself did no specific damage to the function of the DNS. But it caused noticeable changes in traffic to global DNS infrastructure as firewalls and intrusion detection systems noticed unusual activity and performed large quantities of DNS lookups as part of attempting to track it. The OARC, in cooperation with members and others, will attempt to characterize the normal operation of the DNS, and advise operators on ways to improve the stability and resilience of their systems.




6. Outreach and Education

Many of the threats to the DNS, and the global Internet, could be mitigated by simple actions on the part of enterprise systems administrators, ISPs, and home users. Outreach is crucial to reducing these threats. For example, in October 2002 a massive flood of traffic directed against the root nameservers made them difficult to reach by legitimate users. This flood of traffic originated from thousands of machines that had been previously compromised by worms and viruses, many of them easily preventable.

In addition, many problems facing the overall DNS are the result of misconfiguration at the leaf nodes or in vendor software. The outreach and education function of the OARC will allow us to reach beyond the OARC membership to educate DNS users and vendors on the proper configuration and operation of their systems.




7. Membership of the OARC

OARC membership is available to the following types of institutions:

  1. Operators of Root and Top Level Domains (TLDs)
  2. Other groups hosting large numbers of domains, such as ecommerce providers or Internet Service Providers (ISPs).
  3. Government groups with responsibility for the DNS, including law enforcement and standards.
  4. Researchers and other analysts with a special interest in the operational aspects of the global DNS.

Membership is available only after submission and approval of the OARC Membership Agreement. Membership fees are based on the number of people participating in the system as follows:

  1. Normal membership is US$4,200/year and is based on three Points of Contact (POC), one of which is designated as the Prime Point of Contact.
  2. Larger institutions may subscribe at the rate of US$6,800/year and are allocated five Points of Contact (POC), one of which is designated as the Prime Point of Contact.
  3. Additional classes of membership are available for organizations wishing to provide greater levels of support to the OARC.
  4. At the ISC OARC's discretion, qualified non-profits and research institutions may join with no yearly fee, provided the institutions agree to the provisions of the membership agreement and that such participation will benefit the operation of the OARC.

Initial funding for the operation of the OARC is provided by the Internet Systems Consortium and Founding Sponsors. On-going operation is funded through membership fees. In addition, the OARC is applying for research funding to provide new software, infrastructure, and research to enhance and expand the operation of the OARC.

The ISC OARC for DNS begins initial operation on October 20, 2003.

7.1 Accountability

The OARC is accountable to the membership. The OARC secretariat carries out the will of the membership. This accountability is provided through the following mechanisms:




For Further Reading

1 Internet Systems Consortium (ISC), "OARC Web Site", October 2003.
2 Internet Systems Consortium (ISC), "OARC Membership Agreement".
3 Internet Systems Consortium (ISC), "BIND: An Open-Source DNS Implementation".
4 Internet Systems Consortium (ISC), "F-Root Server Operational Statistics and Status".
5 Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington, "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845, May 2000.
6 CAIDA, Nemeth, E., claffy, kc. and N. Brownlee, "DNS Measurements at a Root Server", IEEE Globecom, November 2001.
7 CAIDA, Wessels, D. and M. Fomenkov, "Wow, that's a lot of packets", Passive and Active Measurement 2003, April 2003.
8 CAIDA, Broido, A., Nemeth, E. and kc. claffy, "Spectroscopy of DNS Update Traffic", Sigmetrics 2003, August 2003.



Author's Address

  Internet Systems Consortium
  ISC OARC Program Office
  950 Charter Street
  Redwood City, CA 94063
  US
Phone:  +1.650.423.1333
Fax:  +1.650.423.1355
EMail:  oarc@isc.org
URI:  http://oarc.isc.org/