Revamp for web navigation system urged
Source: unknown | Author: 都唿 | Time: 2019-03-03 06:02:04
By Celeste Biever

The system the internet relies on to direct web traffic needs to be revamped to thwart spammers and identity thieves, concludes a report released on Thursday.

The Domain Name System (DNS) is a distributed network of servers that contain records mapping each domain name (such as www.newscientist.com) to an internet protocol address, such as 22.214.171.124. When surfers request websites, their browsers refer first to those records.

But DNS records are currently susceptible to denial-of-service (DoS) and spoofing attacks, says the report, which was funded by the US National Academies, the Department of Commerce and National Science Foundation. “The continued successful operation of the DNS is not assured: many forces are challenging DNS’s future,” it says.

In June 2004, a DoS attack exploited the reliance on the DNS to bring down sites including Microsoft.com, Yahoo.com and Google.com for over two hours. To make such DoS attacks harder to mount, the report calls for a large increase in the number of “copy” DNS servers, distributed throughout the world.

Identity thieves also spoof DNS records by “poisoning” a cache of the records held by internet service providers. Poisoning could make the URL of a banking website, for example, point to a bogus site set up by fraudsters. Once a redirect of this type is established, fraudsters send out emails, seemingly from the bank in question, inviting customers to the fake site where they are asked to “confirm” their account details.

These so-called “pharming” attacks have been on the rise recently as email users have become more vigilant to phishing attacks – which use emails to dupe users directly. To fight pharming, the report calls for the wide deployment of a security protocol called DNS Security Extensions (DNSSEC) that digitally signs and verifies every DNS mapping using cryptographic keys.

“DNSSEC, once widely deployed, would deprive pharmers of a wide variety of tools,” says John Klensin, an independent consultant based in Cambridge, Massachusetts, US, who contributed to the report.

The report also calls for a series of changes in the way people use the DNS. For example, it warns people not to guess domain names, if they do not want to be redirected to malicious or pornographic sites. “The belief is that the guessing of DNS names is a good way to find things,” says Klensin. But in fact this merely plays into the hands of pornographers and fraudsters who buy up names that resemble popular site addresses, such as www.whitehouse.com, which once hosted an adult site.

The review also recommends that the DNS “continue to be run by a non-governmental body”, in order to prevent censorship. This would mean abandoning recent suggestions put forward by the UN to transfer control to an intergovernmental coalition. But some experts point out that the report’s suggestion is inconsistent with the current situation, as the DNS is controlled by the Internet Corporation for Assigned Names and Numbers (ICANN), which reports directly to the US government.

Much better, says California-based Karl Auerbach, a former member of ICANN, would be to have a free market for DNS servers run by many different private companies. People could choose which DNS servers they used, according to the quality of the service and the websites they wanted to visit – some could promise not to provide records for pornography sites, for example. Auerbach says this would make the system harder to attack – if one set of servers goes down, people would just use another set.

“There is this false notion that the DNS has to be this single, uniform, worldwide namespace,” he says. He is also sceptical of DNSSEC, because he says adding protocols means it will take the system much longer to re-load if it goes down. “If it takes longer to recover, is it more or less secure?