Domain Name Service Research Articles

Security Assurance Evaluation and IT Systems’ Context of Use Security Criticality

Today’s IT systems are ubiquitous and take the form of small portable devices, to the convenience of the users. However, the reliance on this technology is increasing faster than the ability to deal with the simultaneously increasing threats to information security. This paper proposes metrics and a methodology for the evaluation of operational systems security assurance that take into account the measurement of security correctness of a safeguarding measure and the analysis of the security criticality of the context in which the system is operating (i.e., where is the system used and/or what for?). In that perspective, the paper also proposes a novel classification scheme for elucidating the security criticality level of an IT system. The advantage of this approach lies in the fact that the assurance level fluctuation based on the correctness of deployed security measures and the criticality of the context of use of the IT system or device, could provide guidance to users without security background on what activities they may or may not perform under certain circumstances. This work is illustrated with an application based on the case study of a Domain Name Server (DNS).

An efficient architecture for the integration of sensor and actuator networks into the future internet

Abstract. In the future, sensors will enable a large variety of new services in different domains. Important application areas are service adaptations in fixed and mobile environments, ambient assisted living, home automation, traffic management, as well as management of smart grids. All these applications will share a common property, the usage of networked sensors and actuators. To ensure an efficient deployment of such sensor-actuator networks, concepts and frameworks for managing and distributing sensor data as well as for triggering actuators need to be developed. In this paper, we present an architecture for integrating sensors and actuators into the future Internet. In our concept, all sensors and actuators are connected via gateways to the Internet, that will be used as comprehensive transport medium. Additionally, an entity is needed for registering all sensors and actuators, and managing sensor data requests. We decided to use a hierarchical structure, comparable to the Domain Name Service. This approach realizes a cost-efficient architecture disposing of "plug and play" capabilities and accounting for privacy issues.

Fast Configuration for Mobile IPTV in IPv6 Networks

This letter proposes a new fast network configuration scheme that realizes an IP interface that allows users to view Internet Protocol TV (IPTV) in IPv6 networks more quickly than is possible with the current configuration procedure. The new scheme, a hybrid combination of IPv6, address information, and non-IP information, especially the Domain Name Service, is newly designed based on a technical analysis. The evaluation results show that the proposed scheme is acceptable for real-time television watching in IPv6 networks, even when in motion. key words: IPTV, Mobile IPTV, IPv6, DHCP

Translucent Implementation of IPv6 Addressing Scheme in Communication Networks

This paper presents a translucent representation of currently implemented IPv6 address and proposes a more compact and end-user friendly format for IT professionals especially for naive users. It has been evaluated that the next generation IPv6 address would not only facilitate network professionals but also be used by all other communities. IPv6 will also be employed on objects other than communication devices for tracking and remote administration viz. household electronic devices, mobile devices and even assign Human beings to track them. Considering the fact that it would be harder to remember 32 characters long IPv6 address separated by colons by humans like remembering telephone numbers, this paper presents an alphanumeric IPv6 address Masking which contains 0-9, a-z, A-Z, . (dot) and – (Hyphen) using base64 number system. Total length of address reduces from 39 characters (32 + 7 colons) to the maximum of 22 characters that is approximately 56% (22/39*100). The proposed 22 characters address which is a userfriendly address could be further compressed by using “6 5 4 rule” which has also been proposed in this paper. Another approach that can be used as easy to remember IPv6 addresses is Domain Name Services (DNS). It translates IP addresses into human acceptable names and vice versa. However, it has been evaluated that the promulgation processing of modifying in DNS Server requires days in case of IPv4 and it multiplies in the case of IPv6. An authoritative response from a non-authoritative DNS server is also proposed for IP address resolution and tested, through which not only request time out has been reduced but also DNS response time decreased to 50% approximately in comparison with the existing DNS resolution process.

Location location location [IP address

On the Internet one can get a very good idea of where your kennel is, and perhaps even work out where you go for walkies. That's because everywhere you go on the Net you leave a unique scent behind you your IP address. Every time you send an email or browse a website, there it is, and even if you are savvy enough to conceal it by routing your traffic through a proxy server, you are only as safe as your proxy is willing and able to make you. Type an IP address taken from the headers of an incoming email into geoiptool.com, for instance, and this mash-up site will pull up the relevant data and merge it with a Google map, giving you an idea of where your correspondent is based. Most services of that kind called geolocation rely on proprietary databases, but assuming you don't use a proxy,then a basic level of IP location is possible simply using the data in the Internet's domain name service (DNS) databases.

Tabu Search Algorithm for Survivable Network Design Problem with Simultaneous Unicast and Anycast Flows

Tabu Search Algorithm for Survivable Network Design Problem with Simultaneous Unicast and Anycast FlowsIn this work we focus on the problem of survivable network design for simultaneous unicast and anycast flows. This problem follows from the growing popularity of network services applying the anycast paradigm. The anycasting is defined as one-to-one-of-many transmission and is applied in Domain Name Service (DNS), peer-to-peer (P2P) systems, Content Delivery Networks (CDN). In this work we formulate two models that enables joint optimization of network capacity, working and backup connections for both unicast and anycast flows. The goal is to minimize the network cost required to protect the network against failures using the single backup path approach. In the first model we consider modular link cost, in the second we are given a set of link proposal and we must select only one of them. Because these problems are NP-hard, therefore optimal solutions of branch-and-bounds or branch-and-cut methods can be generated for relatively small networks. Consequently, we propose a new heuristic algorithm based on Tabu Search method. We present results showing the effectiveness the proposed heuristic compared against optimal results. Moreover, we report results showing that the use of anycast paradigm can reduce the network cost.

Anycasting in connection-oriented computer networks: Models, algorithms and results

Anycasting in connection-oriented computer networks: Models, algorithms and resultsOur discussion in this article centers around various issues related to the use of anycasting in connection-oriented computer networks. Anycast is defined as aone-to-one-of-manytransmission to deliver a packet to one of many hosts. Anycasting can be applied if the same content is replicated over many locations in the network. Examples of network techniques that apply anycasting are Content Delivery Networks (CDNs), Domain Name Service (DNS), Peer-to-Peer (P2P) systems. The role of anycasting is growing concurrently with the popularity of electronic music, movies, and other content required by Internet users. In this work we focus on the optimization of anycast flows in connection-oriented networks. We formulate a model of anycast connections and next propose a heuristic algorithm based on the Lagrangean relaxation aimed to optimize jointly routes for anycast and unicast connections. Results of numerical experiments are presented and evaluated. Finally, we analyze briefly problems related to anycasting in dynamic routing and multi-layer networks.

Preparing network configurations for IPv6 renumbering

AbstractThe difficulty of renumbering a network—i.e., adding and removing an Internet Protocol (IP) prefix due to a provider change or a network merger—is a real issue for most network administrators. In this paper, we propose a set of macros that can be used in configuration files. These allow network administrators to write generic configurations that are independent of the public IPv6 prefixes allocated to their network. We explain how to apply our macros to key configuration files, namely firewall access lists, Domain Name Service and Dynamic Host Configuration Protocol, and how to use this mechanism in a full renumbering process. Copyright © 2009 John Wiley & Sons, Ltd.

Controlling Lease Time in Dynamic Host Configuration Protocol Servers

Dynamic Host Configuration Protocol (DHCP) allows the automatic networking configuration of computers and devices (clients) in Internet Protocol (IP) networks. It is used by clients to request an IP address and obtain configuration parameters (netmask, router IP address, Domain Name Server –DNS– address etc.) for IP networking from a DHCP server. For this purpose, a pool of IP addresses is administered and maintained in a DHCP server. In order to reuse an IP address that is no longer needed by the client to which it was assigned, a lease time parameter is applied. That is, each client leases an IP address from the chosen DHCP server for a limited period of time.

Verisign attack highlights where the real risks and fears lie

Philip Hunter looks at how Domain Name Servers (DNS) are to be protected in the aftermath of some rattling attacks.

Rethinking Accountability in Cyberspace: A New Perspective on ICANN

One of the most persistent debates regarding Internet governance concerns ICANN's accountability deficit. This paper identifies the habitual application of a state frame of reference, by which scholars and politicians address accountability issues regarding the domain name system, as the source of this debate. Re-examination of the assumptions underlying two exemplary solutions for the deficit, direct elections and intergovernmental supervision, shows that the state frame of reference informing this debate ultimately breaks down. The availability of alternative services renders the call for a state-based model by which to judge and design ICANN's accountability provisions superfluous. The latter part of the paper shows that a market model is more appropriate to assess ICANN's accountability mechanisms and its role among other domain name services providers. In addition, a market frame of reference enables us to understand ICANN's hybrid organisational structure better.

Dynamic Policy-Based Network Management for a Secure Coalition Environment

This article reports the latest results of an R&D effort to develop a prototype implementation of a dynamic policy-based network management (PBNM) system that can be used to configure and manage a secure network for a coalition environment across an unsecured wide area network. The prototype, based on a distributed architecture, includes capabilities for policy creation and management, dynamic policy negotiation, and dynamic policy provisioning. The policy negotiation facilitates the rapid deployment of a coalition network while the dynamic policy provisioning automates the configuration and management of network services including firewalls, virtual private network connections, routing, quality of service (QoS), and domain name services. Such a PBNM system enhances an organization's ability to react to network incidents identified by a network situational awareness assessment. Although the focus of the current research is a military coalition environment, the system can be used in any distributed enterprise or collaborative environment

Failover, load sharing and server architecture in SIP telephony

We apply some of the existing web server redundancy techniques for high service availability and scalability to the relatively new IP telephony context. The paper compares various failover and load sharing methods for registration and call routing servers based on the Session Initiation Protocol (SIP). In particular, we consider SIP server failover techniques based on the clients, DNS (Domain Name Service), database replication and IP address takeover, and load sharing techniques using DNS, SIP identifiers, network address translators, and servers with same IP addresses. We describe our two-stage reliable and scalable SIP server architecture in which the first stage proxies the request to one of the second stage server group based on the destination user identifier. We quantitatively evaluate the performance improvement of the load sharing architecture using our SIP server. We quantitatively compare the effect of SIP server architecture such as event-based and thread pool. Additionally, we present an overview of the failover mechanism we implemented in our test-bed using the open source MySQL database.

Rethinking Accountability in Cyberspace: A New Perspective on ICANN

One of the most persistent debates regarding Internet governance concerns ICANN's accountability deficit. This paper identifies the habitual application of a State frame of reference by which scholars and politicians address accountability issues regarding the domain name system as the source of this debate. Re-examination of the assumptions underlying two exemplary solutions, direct elections and intergovernmental supervision, shows that the State frame of reference informing this debate ultimately breaks down. The availability of alternative services renders the call for a State-based model by which to judge and design ICANN's accountability provisions superfluous. The latter part of the paper shows that a market model is more appropriate to assess ICANN's accountability mechanisms and its role amongst other domain name services providers. In addition, a market frame of reference enables us to understand ICANN's hybrid organisational structure better.

Balanced distributed web service lookup system

Web Services (WS) constitute an essential factor for the next generation of application integration. An important direction, apart from the optimization of the description mechanism, is the discovery of WS information and WS search engines lookup capabilities. In this paper, we propose a novel decentralized approach for WS discovery based on a new distributed peer-based approach. Our proposed solution builds upon the Domain Name Service decentralized approach majorly enhanced with a novel efficient lookup up system. In particular, we work with peers that store WS information, such as service descriptions, which are efficiently located using a scalable and robust data indexing structure for Peer-to-Peer networks, the Balanced Distributed Tree (BDT). BDT provides support for processing (a) Exact match Queries of the form “given a key, map the key onto a node” and (b) Range Queries of the form “map the nodes whose keys belong to a given range”. BDT adapts efficiently update queries as nodes join and leave the system, and can answer queries even if the system is continuously changing. Results from our theoretical analysis point out that the communication cost of both lookup and update operations scaling in sub-logarithmic (almost double-logarithmic) time complexity on the number of nodes. Furthermore, our system is also robust on failures.

IDN server proxy architecture for Internationalized Domain Name resolution and experiences with providing Web services

The composition of traditional domain names are restricted to ASCII letters, digits, and hyphens (abbreviated as LDH). This makes it difficult for many to use their native language to name and access their Internet hosts. The IETF IDN (Internationalized Domain Name) Working Group proposes a mechanism, IDNA (Internationalizing Domain Names in Applications), for internationalized access to multilingual domain names. The proposal uses a preparation process that converts a Unicode IDN into an ACE (ASCII Compatible Encoding) string that uses only LDH. Thus, applications can look up the ACE string by using the existing DNS infrastructure. However, some of the domain name strings embedded in multilingual content do not have any charset tag so they cannot appropriately be converted into ACE strings. We noticed that many Internet applications allow users to use non-ASCII domain names. We were motivated to design an architecture for IDN resolution as well as to minimize the cost of modifying legacy Internet applications. We specifically focus on designing an IDN server proxy, which is located on the domain name server side, to handle domain names in multiple encodings. In this article, we study several architecture design issues including detection of charset encoding, routing of non-ACE IDN lookup requests, and so on.With respect to these design issues, we present an IDN server proxy architecture which stores ACE IDNs in domain name servers. Note that traditional domain name servers can be used without modification. An IDN server proxy, called Octopus, is employed on the domain name server side. Octopus converts a non-ACE IDN string into ACE upon receiving an IDN lookup request from remote users or autonomous systems. The ACE string is then forwarded to backend domain name servers (where the traditional domain names and ACE IDNs are stored) for further processing. This allows Internet users to access IDNs without having to upgrade their software.Based on the design and implementation of Octopus, we deployed a CDN (Chinese domain name) trial in July 2002. In this article, we present the results of testing Octopus IDN lookup functions as well as our experiences in providing CDN Web services. Several types of errors can occur if applications are unable to handle IDNs adequately. For example, a Web browser may erroneously parse an IDN within a URL. Many legacy Web servers are unable to process the IDN of a virtual host. Web application servers may have trouble completing some actions such as redirecting Web pages to alternative Web pages. Our studies help service providers understand potential problems when non-ASCII domain names are used and the best common practice at this stage. As well, the experiences give some guidance for software developers to develop IDNA-compliant Internet applications.

Caught in the net [Internet and e-mail security issues

Harvesting bank accounts is frighteningly easy. Millions of pounds are stolen each year, and the authorities seem powerless to prevent it. This article examines various methods used to obtain personal details from unsuspecting users. The methods considered include: phishing - an e-mail directing users to a counterfeit website; pharming - harvesting user details using malicious code installed on their machine; and DNS poisoning - hijacking of the domain name server to redirect the browser to sites other than that one displayed in the address bar. Countermeasures against these threats are discussed in each case.

以NAT邊界協定(BNATP)實作雙向綱路位址轉譯装置

本文首度提出一種可雙向分享IP位址的雙向綱路位址轉譯(Bi-Directional NAT)之方法，本方法的组成包括有雙向IP分享之綱路架構、NAT邊界協定(BNATP；Border Network Address Translator Protocol)、回溯式綱域名稱查詢(DNS Ascent Query)、以及具有支援上述協定的雙向IP分享装置、主機等部份，協同産生雙向定址並雙向存取綱路服務的能力，讓目前所有使用私用IP(Private IP)来定址的内部綱路主機，除了透過原有單向綱路位址轉换(NAT)功能的IP分享器向外存取網際綱路外（由内向外），並可運用本方法及装置，讓網際綱路上的任何使用者亦得以同時经由全域名(FQDN；Fully Qualified Domain Name)穿透並存取内部綱路上的主機（由外向内），换言之，内部綱路使用私用IP的主機也都擁有其唯一的綱域名稱可供定址之用，即便雨方皆爲私有IP位址甚至於重覆(Duplicate IP)亦可直接建立連腺無虞，此装置連带解除了IPv4之定址空简限制(2^32)，提昇至2^56個以上，對目前綱際綱路IP位址耗盡問题極具助益。In this article we introduce a Bi-Directional NAT network device design first time, which consists of an IP Sharing Device with BNATP (Border Network Address Translator Protocol) function, and an method of DNS Ascent Query which bases on Standard DNS (Domain Name Service) services for providing address trigger function. Both above components coordinate and provide bidirectional access capacity between intranet and Internet, The device is capable of multiply private IP address sharing single public IP address to access the whole Internet (through internal to external) base on traditional NAT Method, It is also capable of multiply public IP address passing and sharing single private IP address to access the whole intranet via FQDN addressing Method (through external to internal) base on bilateral NAT Technology, In other words, this device can be allowed to share with as well as to have its own unique domain-name over the Internet for those people who own the host private IP address, Additionally, the device relieves the limitation of IPv4 addressing space from 2^32 to 2^56 and above. It is very helpful to solve the problem for people who exhaust the IP address in Internet.

Mapping the Internet using GIS: The death of distance hypothesis revisited

This paper revisits the death of distance hypothesis. To explore the role of distance in the information age, three methods – web scan, hyperlink, and trace-route – are used to map the Internet for the US educational network. Statistical analysis is conducted to evaluate whether physical distance has any impact on the Internet information access. The cartographic and statistical results indicate that geography in general and distance in particular are still important factors in shaping the spatial pattern of Internet activities. For the most popular fifty-three US educational web sites, the physical distance within one thousand miles has positive effects on Internet access while access to international hosts heavily depends on the response time, link speed and other Internet infrastructures and interconnections such as the availability of domain name servers, network access points, backbones, etc. Implications of absolute, relative, and virtual distance in mapping the Internet are discussed. It is concluded that the death of distance hypothesis is premature, even misguided in most cases.

A managerial overview of open source software

ost commercial software producers considersource code—the raw instructions that deter-mine how a program works—as valuableintellectual property and hence do not make it availableto users or the general public. In fact, US law permits soft-ware makers to refrain from releasing the source code forcopyrighted software for 95 years. However, one categoryof programs—generally referred to as open source soft-ware (OSS)—share their code with any interested user. OSS programs are now pervasive. There are at least twowell-known desktop operating systems: Linux and BSD.Products such as Open Office, Star Office and KDE Officecompete with the famous Microsoft Office suite in theproductivity software market. Several open source Webbrowsers are available; the leading examples are Mozillaand Nautilus. The infrastructure of the Internet is runusing many OSS products, including: Sendmail, the soft-ware used to transport most e-mail on the Net; Apache,the Web server software; and BIND, the program that pro-vides domain name server (DNS) services for the entireWeb, translating domain names into IP addresses. Manysmaller products are also thriving. As of April 22, 2002,sourceforge.net, an OSS directory, hosted 38,425 pro-grams and had 406,368 users.OSS must not be confused with public domain software(PDS), which is unconditionally free and not copyrighted.Users of PDS may or may not have access to the programsource code. Other forms of free software, such as share-ware, browser plug-ins, and media players, may or maynot make their code available and may have other restric-tions. OSS also differs from protocols (such as TCP/IP)and standards (such as 802.11, an IEEE standard for wire-less broadband), which are agreed-upon formats for datatransmission that can be granted by institutions or deter-mined after negotiations between firms.Linux has emerged as the poster child of the OSS ap-proach. According to OpenSource.org (2002b), internalreports at Microsoft revealed that Linux performed betterthan many MS products on speed and reliability. Micro-