DNSSEC: The Revolution Needed to Fix Our Domain Name System

essidsolutions

The domain name system (DNS), sometimes referred to as the “phone book of the internet,” is a fundamental component of our online lives. A product of the early digital age, its structure creates unique challenges to applying security upgrades, subsequently creating large security gaps in an integral layer of the internet itself. Peter Lowe, principal security researcher, DNSFilter, discusses navigating these challenges and overcoming the gaps.

These gaps allow for DNS poisoning attacks. Sometimes called “cache poisoning” attacks, they can take advantage of DNS vulnerabilities to devastating effect. Added security can mitigate these attacks, so why isn’t more being done?

The technology exists to secure the DNS layer of the internet, but the lack of public knowledge about this issue and the requirements to secure DNS prevents the industry from maintaining a safer internet. History has shown that the cyber security market has overcome similar challenges; we need to spark a lot more interest (and tease incentives) first.


What is DNS Poisoning?

You’re not alone if you haven’t heard of DNS poisoning attacks. They’re seldom covered in the news, creating an awareness gap regarding their uses and potential for harm. 

DNS poisoning routes internet traffic intended for a legitimate domain to a fake one hosted on a server chosen by the attacker. It’s often employed to fool victims into voluntarily entering credentials or sensitive information on a ‘doppelganger’ website that the attacker can collect and use for financial gains or international espionage.

Notable cyber-criminal gangs actively use DNS poisoning. For instance, the Lapsus$ Group launched DNS poisoning attacks on Portuguese-speaking companies such as Localiza, Submarino, and Americanas in January and February 2022.

In rarer and more severe cases, DNS poisoning can make websites and important information inaccessible on a massive scale. It’s been documented that authoritarian governments such as China have used DNS poisoning to enforce censorship laws by redirecting citizens to censorship pages and alternate domains.

Given the lack of headlines about DNS and the threat that DNS poisoning poses, one of the highest hills security leaders need to climb is to create a general awareness of everything I’ve explained to this point. And in fact, the awareness problem extends to the solution itself.

How Does DNSSEC Address the Gaps?

Government agencies have recently been doing a better job of generating awareness of DNS threats in a series of advisories. For example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and its counterparts in Australia, Canada, New Zealand, and the U.K. released a joint advisory in April 2022 that detailed methods employed by alleged Russian actors in the country’s spy agency, defense ministry, and other government bodies.

However, these advisories fail to promote the security solution that the internet infrastructure and security communities have tried to deploy for a very long time. 

The solution is called Domain Name System Security Extensions (DNSSEC). It’s a creation of the open standards organization called Internet Engineering Task Force (IETF) and is endorsed by the Internet Corporation for Assigned Names and Numbers (ICANN). 

DNSSEC strengthens authentication in DNS by using digital signatures based on public-key cryptography. In practice, it assures internet users that they can trust the information they receive about domains and that they communicate with the intended legitimate website or send emails to the intended address.

Adoption Challenges

To achieve Internet-wide adoption of DNSSEC, however, it must be enabled manually by network operators at their recursive resolvers and domain name owners at their zone’s authoritative servers. 

This is why the awareness and buy-in of DNSSEC as a security solution is so crucial – there are many, many companies and organizations needed to accomplish this task. 

Beyond awareness, misconfigurations and implementation cost challenges have been enough to delay or cancel the DNSSEC upgrade for some organizations.

Misconfigurations by domain name owners can make their websites inaccessible. And for many, that risk does not justify a security investment that doesn’t produce tangible, immediate results. For resolvers implementing DNSSEC, a misconfigured domain on the opposite end can seem like a problem with the resolver rather than the domain owner.

It’s also expensive to implement and maintain DNSSEC. Resolver operators must add servers that perform DNSSEC validation, and registries must pay for the infrastructure that allows zones to be signed, all for no immediate benefit.

DNSSEC can be a hard sell to those who control the budgets because of these added costs and risks. It’s like data backups: they don’t matter to organizations until they do, but they are undoubtedly needed nonetheless.

Raising DNSSEC Validation Rates

SSL certificate adoption faced similar challenges several years ago – it was costly to upgrade and did not provide an immediate and visible benefit.

Just like DNSSEC, SSL had been around for years before it saw widespread adoption. It was not until Let’s Encrypt – a free, automated, and open certificate authority service provided by the Internet Security Research Group – revolutionized the configuration process and eliminated the steep costs to kickstart worldwide adoption. Now, the use of SSL/TLS is ubiquitous.

DNSSEC will need its revolution. 

According to APNIC, the regional internet registry administering IP addresses for the Asia Pacific, only 30% of the world has achieved DNSSEC validation. However, some countries have exceptionally high validation rates, such as Saudi Arabia (98%), Finland (94%), Iceland (88%), Norway (86%), and Sweden (86%).

How can we replicate the success of the high adopters? Let’s look at Finland, which went from 7% DNSSEC validation in 2019 to its current 94% in 2022. 

In 2019, the Finnish Transport and Communications Agency Traficom announced cooperating with domain name registrars and internet service providers operating in Finland to promote DNSSEC deployment.

Registrars providing .fi domain names could offer DNSSEC to their customers, and internet service providers could activate DNSSEC support in their resolvers or deploy DNSSEC themselves. The joint effort by Traficom and operators culminated in a national DNSSEC Launch Day in September 2019, when all operators that had deployed DNSSEC were revealed.

Traficom gave DNSSEC to registrars for free, and the country became a DNSSEC leader within just a few months.

Taking Finland’s success and the stories of like-minded countries into account, here are some recommendations for governments to consider raising their DNSSEC validation rates:

  • Give it away, as Traficom did with the Finnish registrars.
  • Provide financial incentives, such as giving registrants discounts when they configure DNSSEC for a new domain.
  • Offer configuration tools, such as those from Let’s Encrypt, that make it easy to configure SSL certificates. DNSSEC should be just as easy.
  • Promote joint contracting efforts to increase DNSSEC usage.


Hope for the Future

All is not lost, however. Apple has recently announced that it will be adding DNSSEC validation baked into iOS 16 and MacOS Ventura, making it the first major OS vendor to offer baked-in support for DNSSEC. It’s also making it simple for app developers to enable, which should help increase the incentive for competing companies like Microsoft and Google to follow suit.

This announcement is an encouraging sign that things are gradually changing. 

Despite the slow adoption, DNSSEC remains the only real option for preventing cache poisoning attacks. However, its success depends on greater international awareness and adoption. We need to drive awareness of threats such as DNS poisoning and its solution through education and historical context. Only then can we follow the lead of other countries to raise DNSSEC validation rates worldwide. 
