
Security Featured Article


March 20, 2009

Why DNS Security Matters

By Rodney Joffe, Senior Vice President and Senior Technologist


Over the last few weeks, a series of high-profile DDoS attacks has highlighted once again how critical the Domain Name System (DNS) is to users of the Internet. However, even today, the non-technical managers of most businesses have almost no awareness or understanding of what the DNS is – and why it matters so much.

 
This article won't focus on how DNS works beyond a couple of basic points, but we will describe some of the most vulnerable areas and suggest some possible solutions.
 
Your Web presence is literally your virtual company – and the DNS brings your customers and stakeholders to your Web site and enables all online transactions. The DNS is best understood as a system of strict “ask and answer” processes that matches the Web site name that a user types into a browser to the numeric address that computers recognize and use to route traffic to a particular site.
 
In July, when Dan Kaminsky announced a crucial vulnerability in prior versions of BIND and Microsoft DNS (amongst others), the high level of confidence that your customers have in knowing that “you are who you say you are” on the Internet was critically wounded. BIND is the open source and universally available DNS software used across the Internet by over 95% of computers. “Bad guys” can now exploit the Kaminsky vulnerability of BIND to contaminate the pool of “cached answers” that DNS uses to route Internet traffic, so that wrong answers are returned. This is the “cache poisoning” attack.
 
Just consider a few of the horrific effects for an investment bank or credit card issuer whose site is copied and "hijacked" by bad guys using cache poisoning: its trusting customers are subsequently routed to the false site, and their accounts are then compromised. As another example, consider the extortion threats that could be made against a large online ecommerce enterprise or electronic retailer.
 
IT professionals have been scrambling to patch the vulnerability on an ongoing basis, but criminals are clever and new DNS breaches continue to happen. Kaminsky's work also highlighted a previously ignored but fundamental problem with the DNS protocol that actually threatens all flavors of DNS – even those systems that have now been updated with the latest software patches.
 
Many leading experts assert that the only way to restore that sacred trust across the Internet will be the universal adoption of DNSSEC. Until then, the bad actors can exploit the vulnerability, set up a Web site that looks exactly like your site, and pretend to be you, hijacking all your visitors across the information superhighway. Until DNSSEC is ready for full deployment across the Web, stay tuned for interim solutions from NeuStar that will help protect and insulate your company from cache poisoning vulnerabilities.
 
In an upcoming article, we will explore insulating your enterprise from cache poisoning.
 
Rodney Joffe is Senior Vice President and Senior Technologist at NeuStar, Inc.



Edited by Greg Galitzine

