Survey on DNS configurations, interdependencies, resilience and security for *.ke domains
Kagwe, James G.
MetadataShow full item record
Statistics and research work show that the Legacy DNS as used today is slow, vulnerable to denial of service attacks, and does not support fast updates. To further compound this problem, configuring the DNS is complex and most of its implementations in use on many web servers are insecure. Consequently, Internet resources hosted on such servers have been subject to attacks of every kind. The *.ke domains have had a good share of such attacks, for example, 103 Government of Kenya's websites (.go.ke) were recently (January 2012) hacked in one night. In this paper, we present results of a survey for the *.ke domains whose main objective was to establish whether the DNS configurations for the *.ke domains met minimum setup configurations for security, resilience and interdependencies. Our focus on the three aspects was informed by the fact that these aspects are responsible for most DNS implementation shortcomings and by extension, responsible for most of the vulnerabilities and consequent attacks. To achieve this objective, 2,000 *.ke domains were collected through newspapers and magazines, posters and billboards, Internet, email directories and the main *.ke domain registrant KENIC. Dig and NSLOOKUP utilities were then used to drill down their configuration aspects such as primary and DNS servers, DNS application running on them, the dependencies among the DNS server, geographical location, MX records and web servers. The results indicated a very low compliance to the standard DNS configuration requirements making *.ke domains non-resilient to failure, vulnerable (over 60%) and overly insecure. Other findings were that 40% of the domains were hosted by 2 name servers and a further 46% of the domains interrogated were hosted a paltry 8 name servers. Of the 768 servers queried for their DNS applications 574 responded with the DNS application type and version; displaying such private information predisposes the server to attacks. it was also found out that on average, a *.ke domain DNS server depends on an average of 234 DNS servers and that some domains had only one DNS server. The study revealed major gaps in the way the DNS servers for *.ke domains are configured and questioned the capacity of those tasked with configuring these servers. Crypto graphical solutions like IPSEC and NSIG were recommended to secure the DNS servers. Awareness campaigns and capacity building on importance of DNS and security issues surrounding it on the technicians tasked with configuring the servers was also recommended. These findings were then used to inform the development of a web-based step-by-step DNS Configuration Tool. The latter is an online highly technical guide that the administrators can use to check if their DNS server(s) are properly set up to take care of configurations, resilience and interdependencies issues that may render the domain insecure and unavailable.