What Lies Ahead For DNS?
Security Featured Article


January 06, 2009


By Tom Tovar, Chief Executive Officer


We’re pleased to launch a new column talking about DNS. The industry is certainly aware of this essential network resource but this column is a great opportunity to keep readers apprised of the latest developments and why they are important.

 
In starting a conversation about what lies ahead, it is always useful to take a moment to acknowledge the past. In fact this year marks a milestone for DNS, which is celebrating 25 years of success. At this point, depending on whose data you believe, the DNS contains more than 160 million unique domains. Estimates are that more than 100 billion queries are served per day across the Internet.
 
In fact VeriSign, the largest registrar for the “.com” top level domain, is upgrading its infrastructure to support more than 400 billion queries per day. A single registrar anticipating growth to 400 billion queries per day — in terms of scale nothing else even comes close to the DNS! This is quite a testament to the original design, which called for distributing control by allowing enterprises, government agencies, service providers and other organizations to manage their own names and data without consulting a central authority.
 
Securing the DNS
In this column we’ll cover a whole range of issues surrounding the future of DNS. Security emerged as a critical consideration for the DNS when a highly effective new cache poisoning exploit was revealed this past summer. Cache poisoning is serious because it allows an attacker to redirect Web or application traffic for potentially thousands of subscribers without their knowledge. The initial technical response to this threat was a new feature called UDP Source Port Randomization (UDP SPR) that blunts the force of an attack but does not prevent it altogether.
 
The recognition that UDP SPR is not a good long-term solution for DNS security has provoked some action and lots of discussion. Some vendors have responded with additional defenses to protect DNS servers including, among other things, secure modes of operation and careful screening of DNS query responses so that information that benefits attackers can be discarded. There are also many discussions going on in the IETF and elsewhere about additional methods to protect the DNS.
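The two defenses described above, a randomized source port alongside the transaction id and careful screening of responses so that data an attacker would benefit from is discarded, can be seen together in a small model of a caching resolver. The following Python is an added illustration written for this column, not code from Nominum or any real resolver; the `Query`/`Response` classes, the outstanding-query table and the "bailiwick" rule (only cache names that fall under the zone the queried server is authoritative for) are assumptions made for the example, and all addresses come from documentation ranges.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit DNS transaction id
    src_port: int    # randomized UDP source port (UDP SPR)
    qname: str
    server_ip: str   # authoritative server the resolver asked
    zone: str        # zone that server is authoritative for (its "bailiwick")


@dataclass
class Response:
    txid: int
    dst_port: int    # resolver port the reply is addressed to
    src_ip: str      # address the reply claims to come from
    qname: str
    answers: dict    # name -> IPv4 address
    additional: dict # extra "glue" records, name -> IPv4 address


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies beneath it (label-wise, not substring)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ScreeningResolver:
    """Toy caching resolver: outstanding-query table plus response screening."""

    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.outstanding = {}   # (txid, src_port) -> Query
        self.cache = {}         # name -> IPv4 address

    def send_query(self, qname, server_ip, zone):
        # Without SPR a forged reply only has to match a 16-bit txid; with SPR it
        # must also hit a random ephemeral port, about 2^32 combinations instead of 2^16.
        while True:
            txid = self.rng.randrange(0, 1 << 16)
            port = self.rng.randrange(1024, 1 << 16)
            if (txid, port) not in self.outstanding:
                break
        q = Query(txid, port, qname, server_ip, zone)
        self.outstanding[(txid, port)] = q
        return q

    def receive(self, resp):
        """Return (status, records_cached); unmatched or off-bailiwick data is discarded."""
        key = (resp.txid, resp.dst_port)
        q = self.outstanding.get(key)
        if q is None:
            return ("dropped: no outstanding query for txid/port", 0)
        if q.server_ip != resp.src_ip or q.qname.lower() != resp.qname.lower():
            return ("dropped: server or question mismatch", 0)
        del self.outstanding[key]   # one matching reply per query; later copies are dropped
        cached = 0
        for name, ip in list(resp.answers.items()) + list(resp.additional.items()):
            if not in_bailiwick(name, q.zone):
                continue   # glue for some other zone is exactly what poisoning relies on
            self.cache[name.lower().rstrip(".")] = ip
            cached += 1
        return ("accepted", cached)


if __name__ == "__main__":
    r = ScreeningResolver()
    q = r.send_query("www.example.com", "192.0.2.1", "example.com")
    # Constructed reply: one in-zone answer, one in-zone glue record, one foreign record.
    reply = Response(q.txid, q.src_port, "192.0.2.1", "www.example.com",
                     {"www.example.com": "192.0.2.10"},
                     {"ns1.example.com": "192.0.2.2", "www.other.test": "198.51.100.1"})
    print(r.receive(reply), r.cache)
```

The point of the model is that the two measures address different things: randomization only makes a blind forgery less likely to match, while the bailiwick check keeps even a matching reply from planting records for names the queried server has no authority over.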
 
Is DNSSEC the future?
DNSSEC has been in development for many years but has started to receive a lot of attention recently. It allows a domain owner to digitally “sign” their DNS records. Records protected by the digital signature that are altered as they transit the network will be detected and rejected by the caching DNS server that ultimately receives them, thereby eliminating any possibility of cache poisoning. Unfortunately we have very limited deployment experience with DNSSEC and there are a lot of concerns about what it is going to take to implement across the Internet.
 
Complementing DNSSEC
As a result other solutions for protecting DNS data are also being discussed. The possibility of encrypting communications between DNS servers rather than digitally signing DNS records is being explored. The objective is to make it as easy as possible to deploy better security so that the DNS infrastructure has the best protections available. There will be additional innovation in the area of DNS security and it is important that these capabilities are publicized, understood and ultimately deployed when their utility is validated. Both of these topics, and more, are being aired in many different forums right now and are perfect subjects for future columns.
 
DNS for services
Another area where there will be a lot of activity is using the DNS to enable new kinds of services. The power of the DNS results from the fact that it is used in every network and by every device and application for virtually everything that is done on the Internet. That makes it a good place to enable new kinds of services. For starters, isn’t it time to re-instill trust in the Internet? No one can dispute that rampant growth in Web-based threats has made the Internet a dangerous place for consumers and businesses, so why not use the DNS as part of the get-well plan?
 
The DNS can be used to aggregate Web threat data (identified spam hosts, phishing sites and other kinds of malware) and make it available at various kinds of enforcement points in the network such as mail gateways or firewalls. In fact caching DNS servers themselves can be transformed into real-time enforcement points in the network, redirecting users to teaching pages that warn them about threats before they visit a phishing site. This is a quantum leap from where we are today with existing solutions.
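The enforcement-point idea above, as an added example that is not part of the original column or of any vendor's product: a caching server consults a threat feed before recursing, redirects A queries for listed names (and everything beneath them) to a teaching page, writes an audit line for the security team, and the same feed is consumed a second way at a mail gateway. The feed contents, the `upstream` callback standing in for normal recursion, the teaching-page address and the audit line format are all constructed for the example.

```python
from datetime import datetime, timezone

# Constructed threat feed: listed name -> category. A listed name covers all names beneath it.
THREAT_FEED = {
    "phish.example": "phishing",
    "spamhost.example": "spam-source",
    "dl.malware.example": "malware",
}

# Constructed teaching-page address (TEST-NET-1); users asking for a listed host land here.
TEACHING_PAGE_IP = "192.0.2.100"


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def lookup_policy(qname: str, feed=THREAT_FEED):
    """Return (listed_name, category) if qname or any parent domain is listed, else None.

    Matching is label-wise: 'phish.example.com' does NOT match 'phish.example'.
    """
    labels = _normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate, feed[candidate]
    return None


def resolve_with_policy(qname, qtype, upstream, feed=THREAT_FEED, audit_log=None):
    """Answer from the policy feed first; only unlisted names go to normal recursion.

    upstream(qname, qtype) is an assumed interface standing in for the recursive lookup.
    """
    hit = lookup_policy(qname, feed)
    if hit is None:
        return {"qname": qname, "qtype": qtype, "action": "pass",
                "rdata": upstream(qname, qtype)}
    listed, category = hit
    # Redirect only the address lookup; other record types for a listed name get nothing.
    action, rdata = ("redirect", TEACHING_PAGE_IP) if qtype == "A" else ("nxdomain", None)
    if audit_log is not None:
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        audit_log.append(f"{ts} policy-hit qname={_normalize(qname)} matched={listed} "
                         f"category={category} action={action}")
    return {"qname": qname, "qtype": qtype, "action": action, "rdata": rdata,
            "matched": listed, "category": category}


def mail_gateway_check(helo_name: str, feed=THREAT_FEED):
    """Same feed at a mail gateway: reject SMTP clients whose HELO name is listed."""
    hit = lookup_policy(helo_name, feed)
    return ("reject", hit[1]) if hit else ("accept", None)


def _constructed_upstream(qname, qtype):
    """Stand-in for recursion with one constructed answer."""
    table = {("www.example.com", "A"): "198.51.100.7"}
    return table.get((_normalize(qname), qtype))


if __name__ == "__main__":
    log = []
    for name in ("login.phish.example", "www.example.com", "phish.example.com"):
        print(resolve_with_policy(name, "A", _constructed_upstream, audit_log=log))
    print(mail_gateway_check("spamhost.example"))
    print("\n".join(log))
```

Walking the name label by label, rather than testing whether it contains a listed string, is what keeps a legitimate name like `phish.example.com` from being caught by an entry for `phish.example`, and it is also what lets one feed entry cover every host an attacker spins up beneath a listed domain.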
 
DNS use is growing exponentially
DNS use is going to continue to grow exponentially. Mobile data is seeing explosive growth. New Internet-aware devices such as gaming consoles or televisions rely on DNS. Emerging technologies like Radio Frequency Identification (RFID) use DNS. Even basic tools like Web browsers are placing a greater burden on the DNS with new features like “pre-fetch,” which resolves all of the domains on a web page when it is downloaded rather than waiting for the user to navigate to them. This has obvious implications for DNS performance, something implementers need to factor into their plans.
 
What does all this mean? For starters it’s time to stop taking the DNS for granted and time to take inventory. DNS security starts with the DNS server. Don’t assume your DNS is protected behind firewalls or Intrusion Prevention Systems (IPS). Take the time to understand the state of the existing defenses as well as what is coming. A small investment can pay large dividends by eliminating exposure. Watch what is happening with DNS-based services. Pay attention to DNS performance; don’t wait until your users notice. Most importantly stay tuned – this will be a great place to learn about the latest developments in DNS!
 
– Tom Tovar is Chief Executive Officer at Nominum, Inc.



Edited by Greg Galitzine

