Powerful malicious actors continue to be a substantial risk to key parts of the Internet and its Domain Name System security infrastructure, so much so that the Internet Corporation for Assigned Names and Numbers (ICANN) is calling for an intensified community effort to install stronger DNS security technology.
Specifically, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. DNS, often called the internet’s phonebook, is part of the global internet infrastructure that translates between common-language domain names and the IP addresses that computers need to access websites or send emails. DNSSEC adds a layer of security on top of DNS.
DNSSEC technologies have been around since about 2010 but are not widely deployed, with less than 20 percent of the world’s DNS registrars having deployed it, according to the Regional Internet address Registry for the Asia-Pacific region (APNIC).
DNSSEC adoption has been lagging because it was viewed as optional and can require a tradeoff between security and functionality, said Kris Beevers, co-founder and CEO of DNS vendor NS1.
DNSSEC prevents attacks that can compromise the integrity of answers to DNS queries by cryptographically signing DNS records to verify their authenticity, Beevers said.
“However, most implementations are incompatible with modern DNS requirements, including redundant DNS setups or dynamic responses from DNS-based traffic-management features,” Beevers said. “Legacy DNSSEC implementations break even basic functions, such as geo-routing, and are hard to implement across multiple vendors, which means poor performance and reduced availability for end users.”
Full deployment of DNSSEC ensures end users are connecting to the actual web site or other service corresponding to a particular domain name, ICANN says. “Although this will not solve all the security problems of the Internet, it does protect a critical piece of it – the directory lookup – complementing other technologies such as SSL (https:) that protect the “conversation”, and provide a platform for yet-to-be-developed security improvements,” ICANN says.
“Some of the attacks target the DNS, in which unauthorized changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers. This particular type of attack, which targets the DNS, only works when DNSSEC is not in use,” ICANN stated.
“Enterprises that are potential targets – in particular those that capture or expose user and enterprise data through their applications – should heed this warning by ICANN and should pressure their DNS and registrar vendors to make DNSSEC and other domain-security best practices easy to implement and standardized. They can easily implement DNSSEC signing and other domain security best practices with technologies in the market today,” Beevers said. At the very least, they should work with their vendors and security teams to audit their implementations with respect to ICANN’s checklist and other best practices, such as DNS delivery network redundancy to protect against DDoS attacks targeting DNS infrastructure, Beevers stated.