Mobile exploits aren’t yet widespread; inherent security protections built into mobile devices, operating systems and networks have thus far largely deterred malware that gets secretly downloaded to mobile devices. But mobile users are still subjected to socially engineered attacks like phishing, and technologies (like QR codes) expose them in new ways.
The DNS has played an essential role since the earliest days of the Internet, resolving an IP address when given a domain name. Now it’s being considered for security applications. There are many fundamental reasons why it makes sense:
Today’s hackers are all about money; they constantly change the face of their exploits to maximize their returns. These agile attacks require agile defenses. Moving security protections into the network is essential to enabling more reliable updates of threat information; aggregation also provides significant scaling and manageability benefits. DNS-based security protections improve agility because DNS queries are a leading indicator of security exposure; from a strategic vantage point, the DNS participates in web transactions that provide visibility into the presence of security threats.
Network operators and IT departments constantly reassess their security exposure and evaluate the best methods for protecting their networks and end users. New security solutions are always emerging to help them, and one that’s starting to receive a lot of attention is the DNS. That’s raising an obvious question: “How in the world does the DNS become a security platform?”
Everyone agrees protecting Internet users from malware and social engineering exploits like phishing is a valuable thing to do. At minimum these attacks are a nuisance because they degrade the Internet experience; worst case, they can be costly and dangerous. But protecting networks and end users is becoming more difficult because attackers are making their exploits more dynamic and thus harder to detect. This is stressing some solutions, like client software, that have been a primary means of protecting end systems.
Just as it’s important for service providers and enterprises to maximize the performance and availability of their caching DNS servers, it’s important for brand owners and IT departments to ensure the robustness of their Authoritative DNS. Some of the issues are similar, but ensuring security of Authoritative data also has to be considered.
An earlier post talked about how important it is to maximize the responsiveness and availability of caching DNS in order to maintain a good user experience. It focused on the benefits of using Anycast. There are several other things worth considering for caching DNS as covered below:
For network operators, recursive (caching) DNS is a critical service. Without good, fast DNS service, the Internet service appears slow and unresponsive. Caching DNS systems must also be capable of absorbing “spikes” in traffic, which can occur for a multitude of reasons – peak loads, Internet events, DoS, etc.
Service providers everywhere are executing on IPv6 transition strategies, some with more urgency than others. Numerous approaches to enable the transition are being implemented, with a goal of maximizing the utility of IPv4 addresses while ensuring 100% connectivity to the small but rapidly growing base of IPv6 addressed hosts. Regardless of the technologies being deployed, it’s important not to overlook the DNS, since new stresses will be placed on it during the transition. Since every service provider has allocated budget for IPv6 readiness, now’s a great time to ensure the DNS is really “ready”. A couple of simple steps will ensure customers continue to enjoy fast response times and high service levels.