I first became familiar with DNSSEC around 2002 when it was a feature of the Bind9 server, which I was using to set up a new authoritative DNS platform for customers of the ISP I was working for. I looked at it briefly, decided it was too complex and not worth investigating. A couple of years later a domain of a customer got poisoned in another ISP's network. And while the DNS service we provided was working properly, the customer's impression was we hadn't protected them.
There was an intriguingly named vulnerability revealed this week: Ghost Domains. A paper describing it can be found here. A team of researchers in China discovered a way to allow a domain to remain reachable in the DNS even after it has been revoked from a TLD. It looks like they expended a lot of energy testing their new idea and discovered there are several caching DNS software releases that are vulnerable.
Your new DNS infrastructure is up and running! Here’s what to watch for, how to monitor, and tips for patches and upgrades.
After making decisions about scale, latency targets, and additional DNS-based features that will be supported, it's time to define the next level of details.
The DNS is a critical component of ISP infrastructure. It's usually described in two forms: authoritative and caching.
Authoritative DNS servers host your domains, like www.yourcompany.com, and their associated resource records, as well as their location. They do this by mapping names of hosts to their IP addresses.
Mobile exploits aren’t yet widespread; inherent security protections built into mobile devices, operating systems and networks have thus far largely deterred malware that gets secretly downloaded to mobile devices. But mobile users are still subjected to socially engineered attacks like phishing, and technologies (like QR codes) expose them in new ways.
The DNS has played an essential role since the earliest days of the Internet, resolving an IP address when given a domain name. Now it’s being considered for security applications. There are many fundamental reasons why it makes sense:
Today's hackers are all about money; they constantly change the face of their exploits to maximize their returns. These agile attacks require agile defenses. Moving security protections into the network is essential to enabling more reliable updates of threat information; aggregation also provides significant scaling and manageability benefits. DNS-based security protections improve agility because DNS queries are a leading indicator of security exposure; from a strategic vantage point, the DNS participates in web transactions that provide visibility into the presence of security threats.
Network operators and IT departments constantly reassess their security exposure and evaluate the best methods for protecting their networks and end users. New security solutions are always emerging to help them, and one that's starting to receive a lot of attention is the DNS. That's raising an obvious question: "How in the world does the DNS become a security platform?"