DNS stands for the domain name system of the internet. It works like a directory–rather like a phone book–that allows computer-generated addresses to be translated into words that humans can understand. This makes navigation of the internet a far easier task than remembering strings of numbers. But phone books were originally designed for ease of use and so was DNS. When it was invented more than 25 years ago, accessibility and efficiency were on everyone’s minds; security was not.
In fact, the security issues of DNS have been known for many years. It contains vulnerabilities that can be exploited by hackers, allowing them to hijack websites and perform other exploits that involved redirecting emails and website address lookups. This can cause user traffic to be directed to a bogus website where malicious code is often implanted, looking to harvest information such as passwords or bank account numbers that can be used for fraudulent purposes. This is bad not only for computer users who may be defrauded, but also for the organisation that owns the website that has been faked as they are unlikely to realise that their users are being hoodwinked, with disastrous consequences for their brand reputations.
To solve this issue, DNSSEC (DNS security extensions) was developed years ago as a set of protocols that provide secure authentication regarding the origin and integrity of DNS records, but its take up has been slow. In order for it to be successful, the root servers that form the backbone of the DNS have to be cryptographically signed–and that has only just happened. But, now that it has, deployment is picking up pace rapidly. Many of the top-level domains that we are all familiar with, such as .org, .net and .gov, have already been signed, allowing a chain of trust to be formed and providing the next-generation infrastructure for the internet that will make it a much safer place.
The extent of the problems with DNS can be seen in recent survey data from the Center for Strategic and International Studies, which released a report based on a survey of 600 organisations in 14 countries in January 2010. One of the key findings was that 57% of respondents had been victims of a DNS attack in the previous year, with nearly half of those reporting multiple monthly occurrences of such attacks.
By implementing DNSSEC, organisations that have a significant web presence will find themselves in a much better position to ward of DNS attacks that can damage their brand or credibility, or even leave them facing legal liability from customers have become victims of scams following a DNS attack. In a recent webcast by Bloor Research and F5 Networks (DNS Security: why you need to care), 22% of respondents stated that they thought DNSSEC deployment to be complex and a further 67% stated that they did not know enough about it.
A paper published recently by Bloor Research aims to demystify DNSSEC and shows the benefits that organisations will receive from deploying it to guard their web estate. The benefits are real and deployment need not be complex. The paper can be accessed here: Investing in security versus facing the consequences.