What is the biggest threat to Domain Name System security?
23 August 2018
Vendor View: Twenty years ago, Rodney Joffe, founder of UltraDNS and fellow at Neustar, unveiled his revolutionary vision for a resilient, performance-enhancing DNS solution. Joffe discusses the evolution of DNS technology and future threats to the Internet.
The next time you do a Google search or shop on Amazon and a web page instantly appears, you might want to take a moment to thank the domain name system (DNS). It’s the technology that makes that connection possible, and is often referred to as the roadmap of the Internet. Computers understand numbers – IP addresses like 192.168.7.4 - which help to route traffic. Humans like us can remember names, like Google and Amazon. So the DNS was a foundational protocol designed in 1983 to alleviate the pain of having to remember the ever expanding number of IP addresses, and became critical to those inter-networked systems that eventually became the Internet we know today.
Initially, the Internet was created as a way for engineers and academics to share information. Those original developers couldn’t possibly have predicted a future with 250 billion emails a day or a cybercrime industry worth billions of pounds. Like many other Internet protocols at the time, DNS wasn’t created with security or operation at large scale in mind.
Twenty years ago, the Internet community looked at the Domain Name System (DNS) as a simple tool designed to route web server requests in a consistent way – not as the first line of defence against hackers. Conventional wisdom, and the Internet architects at the time, held that each DNS server had to have its own IP address so that traffic could find its way to each unique DNS server. Because the traditional way of allocating DNS servers in those days was to rotate in sequence through the available servers, in order to spread the load and the risk of failed systems (known as round-robin), directory requests to convert www.example.com to an IP address would sometimes cross the world – and usually across a fragile Internet.
But it was clear that performance and reliability on the World Wide Web would become increasingly important as more businesses began creating their own websites. At the same time, it became evident that DNS could do so much more than previously thought.
So I bucked conventional wisdom, went against the standards and protocols that were in place, and designed DNS technology that installed scores of DNS servers around the world, all with the same IP address. I’d realised that because DNS queries and answers almost always fitted into one packet of data, using a protocol known as UDP (User Datagram Protocol), the Internet routing protocol, BGP, would automatically take the user’s directory request to the closest DNS server, no matter what. And as a single packet, it wouldn’t run into problems where part of a message went to one server and the rest went to another.
And it worked.
In addition, by utilising Anycast technology to customise the DNS answer based on the source of the request, a key solution in the security professional’s toolkit was born.
When I first deployed the first Anycast DNS network in 1998, many argued as to whether it was practical or even possible to use Anycast for routing DNS. Now, of course, Anycast is the standard for how a DNS platform operates and is the reason so many Distributed Denial of Service (DDoS) attacks are stopped in their tracks.
But what does the future hold for DNS, and how is it working today to keep internet users and the many organisations that rely on it for everyday operations safe?
The future of DNS
The next 20 years of the Internet are virtually impossible to predict. The only thing for sure is that it will need to service more; more people, more devices, more data and more security risks.
DNS has evolved in a way that it’s now become embedded in everything we do. In addition, because of the simplicity and reliability today of the DNS infrastructure, the protocol is now being used for more than just name resolution. Over the next few years, we’ll begin to see DNS used for things that we couldn’t have envisioned 20 years ago, such as managing digital certificates, distributing security keys and enforcing digital rights. Indeed, it is already utilised to validate and authenticate senders of email through DKIM and SPF records published in DNS.
And as the Internet of Things (IoT) proliferates, a mechanism will be required to manage the directory/registry information and authentication credentials for all of these devices. DNS is the logical platform to perform that function. The real changing force in the Internet, however, will come not with the ‘thingafication’ of the Internet, but the ‘Balkanisation’ of the Internet.
Enforcing physical borders on the Internet
It’s been said that no one country can control the Internet. And while that’s still true, what you’re seeing today are countries enforcing physical borders on their own sections of the Internet. China has done this for years. Russia is in the process of doing this. The goal of these countries is to have a kind of security-hardened Internet, and this is what is meant by the ‘Balkanisation’ of the internet.
DNS will have an interesting role to play in all this, as it is the basis for directing users from point A to point B. For example, a user in China might submit a DNS query for Facebook, and the DNS server could direct them to either a state-approved social media site or a page simply stating that the requested web page has been blocked. This will fundamentally change the way the Internet works for millions of users, as we see more and more countries adopt this approach.
Future threats to DNS
Ironically, the biggest threat to DNS security in the not too distant future will probably be very small micro-attacks. While the large-scale DDoS attacks that capture all the headlines will still exist, we’re pretty effective as an industry at mitigating the vast majority of those.
Where we’re vulnerable is our difficulty in detecting small, targeted attacks that either corrupt the DNS response during transit or exploit a weakness in the DNS servers or software. To illustrate the point, imagine a car driving along the highway, when suddenly the driver sees a signpost directing them on a detour down a different road. The sign looks legitimate, but unbeknownst to the driver, the sign was placed there right before they arrived and will disappear once they pass. These kinds of attacks are highly targeted to redirect a single user to a phishing site or other dangerous location, and they’re very difficult to protect against because detection and mitigation need to happen in real time to be effective.
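Two points above lend themselves to a concrete illustration: that a DNS query and its answer fit in a single UDP packet (which is what makes Anycast delivery to the nearest server work), and that a forged answer "placed there right before they arrived" has to be caught by the resolver in real time. The following is an added example written for this article, not code from Neustar or UltraDNS. It builds a DNS query in wire format, parses a response, and applies the resolver-side sanity checks that reject an off-path forgery whose transaction ID or question section does not match the outstanding query. All packets are constructed inline (the hostname www.example.com and the 192.0.2.x addresses are documentation values, not real infrastructure), and the 512-byte limit is the classic plain-UDP DNS payload bound.

```python
import struct

MAX_UDP_DNS = 512  # classic DNS-over-UDP payload limit without EDNS0


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS wire label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode a wire-format name, following compression pointers.
    Returns (name, offset just past the name as it appeared in place)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Single-packet DNS query: 12-byte header plus one question (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Constructed response: echoes the question and adds one A record.
    The answer name is a pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR+RD+RA, ANCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + rr


def parse_response(data: bytes) -> dict:
    """Parse the header, the first question and all answer RRs of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    qname, off = decode_name(data, off)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        rname, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rname, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}


def validate_response(query: bytes, response: bytes):
    """Resolver-side check: accept a response only if it matches the outstanding query.
    A forged reply that guesses the wrong ID or answers a different question is dropped."""
    q = parse_response(query)       # header + question parse works on a query too
    r = parse_response(response)
    if len(response) > MAX_UDP_DNS:
        return (False, "oversized for plain UDP")
    if not (r["flags"] & 0x8000):
        return (False, "QR bit not set")
    if r["id"] != q["id"]:
        return (False, "transaction id mismatch")
    if r["qname"].lower() != q["qname"].lower() or r["qtype"] != q["qtype"]:
        return (False, "question section mismatch")
    return (True, "ok")


if __name__ == "__main__":
    query = build_query(0x1234, "www.example.com")
    genuine = build_answer(0x1234, "www.example.com", "192.0.2.10")
    forged = build_answer(0x4321, "www.example.com", "192.0.2.99")  # wrong ID
    print(len(query), len(genuine), "bytes: both fit in one UDP packet")
    print("genuine:", validate_response(query, genuine), parse_response(genuine)["answers"])
    print("forged: ", validate_response(query, forged))
```

The ID and question match is the minimum a resolver must do; on its own a 16-bit ID is guessable by a well-placed attacker, which is why production resolvers also randomise the UDP source port and, where zones are signed, validate DNSSEC signatures rather than trusting any packet that happens to match. The check here is what separates "a reply arrived" from "the reply answers the question we actually asked".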
While it’s impossible to stop every DNS attack, it’s imperative that we try. We spend a lot of our time at Neustar looking at how to detect these minute attacks and mitigate the damage. Much of the work we’re doing as an organisation in threat analytics today is bleeding-edge technology that will allow organisations to automate the detection and mitigation process and stop these micro-attacks in the future. It’s exciting developments like this that make working in the DNS space as exciting today as it was 20 years ago.