A new visualization tool, created by Sandia Laboratories computer scientist Casey Deccio, can help network administrators understand Domain Name System Security (DNSSEC) and troubleshoot problems with the new security feature.
The Domain Name System (DNS) translates the hostname of a Uniform Resource Locator (URL) into an Internet Protocol (IP) address. A DNS "lookup" is a prerequisite for doing almost anything on the Internet, including Web browsing, emailing, or videoconferencing.
Unfortunately, DNS is vulnerable to something called "spoofing" – tampering by third-party attackers that redirects Internet traffic to unwanted and potentially malicious websites. Even worse, spoofing often goes undetected.
With DNSSEC, a new security feature that is mandatory for all US federal information systems, user applications such as web browsers can ensure that the IP addresses they receive from the DNS have not been spoofed. As a result, Internet-connected systems within the government can verify that responses are authoritative and have not been altered.
Unfortunately, DNSSEC is difficult to implement. That's where DNSViz comes into the picture. The tool "provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, made available via a Web browser to any internet user at http://dnsviz.net/. It visually highlights and describes configuration errors detected by the tool to assist administrators in identifying and fixing DNSSEC-related configuration problems," according to a Sandia Laboratories article.
On a lark, we had DNSViz analyze isgtw.org. This issue's front page shows an edited version of the result; click here for the original generated by DNSViz.
To learn more about DNS, DNSSEC, and DNSViz, watch this week's visual, above, or check out Sandia Labs' article about the project by clicking here.