An effort remains underway to reduce vulnerabilities and enhance security in the Internet’s Domain Name System (DNS). An understanding of the ongoing challenges involved in this initiative requires a basic knowledge of how the DNS operates.
As the address book of the Internet, the DNS translates domain names into IP addresses for online services. The DNS infrastructure consists of millions of servers that exchange information regarding the current IP address for a given named host or website. A user’s local DNS server sends queries to other DNS servers in the global system in order to find a DNS server that knows the IP address of a given website. The local DNS server then retrieves the required IP address and sends it to the user. The fundamental problem is that today’s DNS infrastructure cannot verify or authenticate the answers the DNS provides; the existing DNS architecture has no means of ensuring the integrity of the information it returns. A service provider or a malicious entity can reroute user requests to legitimate or bogus name servers.
The DNS’s distributed structure dictates local versus global control, resulting in inadequate means to ensure a global security posture. Enterprises, government agencies and educational institutions are able to control user activity only within their spheres of influence, not across the global cyber domain. However, local DNS blocking, filtering and redirection are often considered mandatory by organizations operating in sensitive sectors that want to control user Internet activity within their domains in order to protect critical infrastructure. DNS is used as a tool to create a virtual walled garden where all activity within the established perimeter is controlled.
A common example of local control occurs when users connect to the Internet from a location other than the home or office. When users initiate searches, sometimes called “walking the namespace,” their DNS lookups are hijacked in flight by the public venue’s (hotel, coffee shop, airport, etc.) service provider and redirected to “helpful” alternatives. The service provider essentially takes control of the user experience by intercepting and redirecting DNS queries.
Local control over Internet access revolves around a protectionist mindset focused on isolating particular turfs or domains. Adhering to existing security postures, many organizations, government agencies and educational institutions are reluctant to trust any system that operates outside their firewalls.
DNSSEC Solution Validates Data Integrity
The proposed model for improved DNS security—DNS Security Extensions (DNSSEC)—delivers global protection via the introduction of industrial-strength, government-grade protocols featuring cryptographic signatures that validate the integrity and origin of DNS data across the infrastructure. The extensions ensure that the connection between a domain name and its resource records, including its IP address, has not been compromised and that an application, such as a web browser or email client, is using the correct addresses to reach servers. A hierarchical chain of signatures ensures that data received is from a valid, trusted source and has not been altered or redirected in transit. The DNSSEC secure naming mechanism reinforces the vision of one common and verifiable namespace for the Internet. If and when DNSSEC is fully implemented by a majority of organizations in the private and public sectors, it should nullify most attacks on the integrity of DNS data.
DNSSEC Features:
- Adds digital signatures to DNS responses
- Uses chain of trust to validate sources of DNS responses
- Ensures responses were not altered in transit
- Identifies bogus responses
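To make the chain of trust concrete, here is an added example (not from the original article) of a toy validating resolver in Python: it walks the chain from a configured trust anchor through each zone's DNSKEY, DS and RRSIG, accepting a genuine answer and rejecting both a redirected answer (signed under a key the root never vouched for) and one whose address was rewritten in flight. The zone names, addresses and textbook-RSA toy keys are constructed for the example; real DNSSEC records and key sizes are more involved.

```python
import copy, hashlib

def h_int(msg: str) -> int:
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big")

def ds_of(dnskey: str) -> str:
    return hashlib.sha256(dnskey.encode()).hexdigest()  # a DS is a hash of the child's DNSKEY

class Zone:
    # Constructed signing zone; textbook RSA over toy primes stands in for a real DNSSEC key.
    def __init__(self, name, p, q, e=65537):
        self.n, self.rrsets = p * q, []                # rrsets: (owner, type, rdata, rrsig)
        self._d = pow(e, -1, (p - 1) * (q - 1))        # private key, never published
        self.dnskey = f"{name} DNSKEY {self.n} {e}"     # public key, served as the DNSKEY record

    def sign(self, owner, rtype, rdata):
        m = h_int(f"{owner} {rtype} {rdata}") % self.n
        self.rrsets.append((owner, rtype, rdata, pow(m, self._d, self.n)))

def verify(dnskey, owner, rtype, rdata, rrsig) -> bool:
    n, e = (int(x) for x in dnskey.split()[2:])
    return pow(rrsig, e, n) == h_int(f"{owner} {rtype} {rdata}") % n

def validate_chain(chain, trust_anchor) -> bool:
    # Walk root..leaf: each DNSKEY must hash to the DS its parent signed (the root's to the
    # configured trust anchor), and every RRSIG must verify under that zone's key.
    expected_ds = trust_anchor
    for zone in chain:
        if ds_of(zone.dnskey) != expected_ds:
            return False             # key not vouched for by the parent: bogus source
        for owner, rtype, rdata, rrsig in zone.rrsets:
            if not verify(zone.dnskey, owner, rtype, rdata, rrsig):
                return False         # altered in transit or signed with the wrong key
            if rtype == "DS":
                expected_ds = rdata  # next link of the chain
    return True

# Constructed zones (toy primes; real deployments use 2048-bit RSA or ECDSA P-256 keys).
ROOT = Zone(".", 1000003, 1000033)
BANK = Zone("bank.example.", 1000037, 1000039)
ROOT.sign("bank.example.", "DS", ds_of(BANK.dnskey))
BANK.sign("www.bank.example.", "A", "192.0.2.10")
TRUST_ANCHOR = ds_of(ROOT.dnskey)  # the one hash a validating resolver is configured with
# Redirection: a venue resolver answers from its own zone, under a key the root never vouched for.
FAKE = Zone("bank.example.", 1000081, 1000099)
FAKE.sign("www.bank.example.", "A", "198.51.100.7")
# Tampering: the address is rewritten in flight, so BANK's original RRSIG no longer matches.
TAMPERED = copy.copy(BANK)
TAMPERED.rrsets = [(o, t, "198.51.100.7", s) for o, t, _, s in BANK.rrsets]
```

Only `validate_chain([ROOT, BANK], TRUST_ANCHOR)` returns True; the redirected and tampered chains fail at the DS check and the RRSIG check respectively, which is exactly the "identifies bogus responses" and "not altered in transit" behaviour listed above.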
DNSSEC Maturity Requires Awareness and Advocacy
The current state of DNSSEC indicates that a statistically significant portion of the DNS hierarchy has been signed, and more validating resolvers are starting to appear. But DNSSEC will not realize its vision unless more data is signed in more places and more resolvers validate it, accelerating deployment. Local blocking or redirection implemented at the commercial organization, government agency or public venue level prevents DNSSEC validation, which requires access to authoritative servers that are unreachable when the user is redirected to another namespace. Current protectionist efforts to strengthen local enclaves, including the introduction by some DNS operators of new reputation systems that employ techniques similar to DNS redirection, are seen by DNSSEC proponents as counterproductive, since these defenses prevent DNSSEC validation. The only way for DNSSEC to be truly effective is through widespread adoption and implementation across the DNS hierarchy.
Global Approach Reduces Risk and Cost
Cunning, agile and well-funded cybercriminal syndicates continue to exploit inherent weaknesses in existing infrastructure, launching an alarming number of successful attacks and infecting more than 3.5 million computers in the United States alone last year. These savvy hackers employ readily available and relatively inexpensive Zeus botnet software to hijack financial accounts, intercept transactions and steal money. Unsuspecting online banking customers are invisibly redirected to bogus websites masquerading as the legitimate portals, and users are induced to reveal personal information, at which point man-in-the-middle attacks empty their accounts and transfer assets to money mules. These same tools are used to circumvent security measures in order to harvest intellectual property and finance foreign national uprisings against repressive governments. The DNS is increasingly exposed to crippling attacks that threaten the integrity of system data, reinforcing the urgent need for more aggressive cybersecurity strategies.
Current security practices limit the reach and effectiveness of law enforcement authorities. A local police department, for example, is restricted by law to operate only within its own jurisdiction versus cybercriminals who easily and frequently jump from one domain to another. The unambiguous cryptographic identifiers provided by DNSSEC would allow law enforcement entities to move beyond their own spheres of influence, enabling better cooperation and collaboration among law enforcement agencies worldwide.
Migrating to a New Paradigm for Internet Security
Taking a closer look at the financial services sector, consider the fact that most institutions today can effectively protect only their internal systems, and even that level of security is limited. Banks typically require two-factor authentication for online account access only for high-value commercial accounts, not personal accounts, due to the considerable expense of employing multi-factor verification techniques for thousands of customers. With DNSSEC and proper client validation, banks would no longer have to apply these costly measures to provide their customers with secure online services and protect them from financial fraud.
A financial institution that embraces and implements DNSSEC integrity checks across internal and external platforms by cryptographically signing all DNS data can protect its customers’ digital identities and transactions in any type of account worldwide. This substantially broadened inherent system security capability enables authentication across the global superhighway, thereby cost-effectively establishing verifiable Internet security. DNSSEC will help enterprises dramatically improve customer satisfaction and brand confidence on a global scale.