Tool Finds Holes in Domain Name System Security Extensions

The DNSViz tool creates graphs of network connections that help viewers identify security vulnerabilities in domain name system connections.

by Hilton Collins / January 20, 2012

Casey Deccio, a computer scientist with Sandia National Laboratories, has developed DNSViz, a tool that creates graphs of network connections to help viewers identify security vulnerabilities in domain name system (DNS) connections.

Deccio developed the tool to help network administrators understand DNS Security Extensions (DNSSEC) that the Office of Management and Budget mandated in 2008 for federal information systems.

The extensions add a security layer to the DNS in which the top level of a dot-gov domain is DNSSEC-signed. In these configurations, client-side applications such as Web browsers can verify that the IP addresses they receive in DNS responses are authentic and have not been altered in transit. If a domain is “signed,” a browser (or the resolver acting on its behalf) can validate the signature.

DNSViz went live in spring 2010, but Sandia announced the tool earlier this month. DNSSEC is a relatively new protocol. When federal agencies first started deploying it, Deccio said he noticed problems: the extra layer made systems more complex and difficult to configure properly.

“We were validating other people’s signed zones and we started getting all these errors and it made it difficult,” Deccio said. “We were trying to troubleshoot what the problems were that we were seeing, and it was very cumbersome to try to troubleshoot these things.”

He developed DNSViz to graph the complex network relationships visually. Users access the tool by visiting the DNSViz website, where they type a domain name into the search field. DNSViz returns a flow chart of the DNSSEC authentication chain for the domain name and lists any configuration errors.
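As an added illustration (not code from DNSViz or Sandia), the following Python models the link DNSViz draws between each zone's DNSKEY and the DS record its parent publishes, walking a chain top-down and flagging the kind of mismatch that shows up as a configuration error. Zone names and key bytes are constructed placeholders, not real keys.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Owner name in DNS wire format: length-prefixed lowercase labels, root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """RFC 4034 DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit checksum, even offsets weighted as high byte."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS the parent publishes for a child key (RFC 4034, digest type 2 from RFC 4509):
    (key tag, algorithm, 2, SHA-256(owner wire name | DNSKEY RDATA))."""
    return (key_tag(rdata), rdata[3], 2, hashlib.sha256(wire_name(owner) + rdata).digest())

def check_chain(chain: list, zones: dict) -> list:
    """Walk the authentication chain top-down. zones[name]['ds'] is the DS set the parent
    publishes (for the root: the trust anchor); returns one (zone, problem) per bad link."""
    problems = []
    for name in chain:
        keys, ds_set = zones[name]["dnskey"], zones[name]["ds"]
        if not ds_set:  # no DS at the parent: this zone and everything below is insecure
            problems.append((name, "no DS in parent: delegation is insecure"))
            break
        if not any(make_ds(name, k) in ds_set for k in keys):
            problems.append((name, "no DNSKEY matches any DS: chain broken (bogus)"))
    return problems

# Constructed sample chain root -> gov -> example.gov; key bytes are placeholders, not real keys.
ROOT_KSK = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + b"\x11" * 32)
GOV_KSK = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + b"\x22" * 32)
EX_KSK = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + b"\x33" * 32)
EX_KSK_OLD = dnskey_rdata(257, 8, b"\x03\x01\x00\x01" + b"\x44" * 32)
CHAIN = [".", "gov.", "example.gov."]
GOOD = {
    ".": {"dnskey": [ROOT_KSK], "ds": [make_ds(".", ROOT_KSK)]},
    "gov.": {"dnskey": [GOV_KSK], "ds": [make_ds("gov.", GOV_KSK)]},
    "example.gov.": {"dnskey": [EX_KSK], "ds": [make_ds("example.gov.", EX_KSK)]},
}
# Typical misconfiguration: example.gov rolled its KSK but the parent still publishes the old DS.
BAD = {**GOOD, "example.gov.": {"dnskey": [EX_KSK], "ds": [make_ds("example.gov.", EX_KSK_OLD)]}}
```

Running `check_chain(CHAIN, GOOD)` yields an empty list, while `check_chain(CHAIN, BAD)` names example.gov as the broken link, which is the graph edge DNSViz would colour as an error.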

Viewers can zero in on problems more easily, Deccio said, if they see a graphical representation of the issue. “It helps at a glance to understand their DNSSEC configuration and to troubleshoot any problems they might have. It will help them deploy DNSSEC,” Deccio said. He estimates that the DNSViz website has had around 710,000 hits since its 2010 launch.

Sandia is currently looking for sponsors to fund DNSViz’s expansion and make the tool more robust. Deccio hopes to upgrade it to provide a historical analysis of what a domain name's DNS configuration looked like at any point in its past, which would let users compare and contrast changes in its makeup over time.

Deccio discusses DNSViz as it is today in this video from Sandia Labs.

Hilton Collins

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.
