The Domain Name System (DNS), without which the web would be a mass of network numbers with no friendly server names such as example.net or nakedsecurity.sophos.com, is under threat from cyberattackers and domain overseer ICANN wants internet companies to do something about it.
That was the message in last week’s worried press release from ICANN (Internet Corporation for Assigned Names and Numbers).
This message comes hot on the heels of similarly alarming warnings from the US Department of Homeland Security (DHS), alarmed by recent series of DNS attacks. The attacks try to take over email and web domains, diverting traffic to imposter servers.
The solution, according to ICANN, is for companies providing DNS infrastructure to get on with implementing a DNS security layer called DNSSEC (Domain Name System Security Extensions) as soon as possible:
ICANN is calling for full deployment of the DNSSEC across all unsecured domain names.
Nearly 20 years after DNSSEC was first proposed, it remains a work in very slow progress that too many internet companies have chosen to ignore.
According to the APNIC registry, only around 20 per cent of the world’s DNS resolvers show any signs of using it.
Now, finally, there seems to be some urgency.
In November, Cisco Talos wrote about a large-scale cyber-campaign targeting Lebanon and the UAE at the centre of which was a DNS hijacking campaign traffic sophisticated enough not only to redirect traffic but to compromise SSL certificates and VPN tunnels.
Since then, similar campaigns have been documented by others which point to the successful compromise of the DNS infrastructure of dozens of organisations in at least 11 countries, including Sweden and the US.
Using DNSSEC, name lookups and updates are verified by cryptographic signatures, which makes the otherwise-simple DNS protocol more complex and time-consuming.
The added complexity in managing the public key infrastructure (PKI) needed to make DNNSEC work means higher costs that ISPs would rather do without for a system that might not add much security initially.
On the other hand, going through the long and difficult manual checks ICANN and others now recommend for DNS security in the absence of DNSSEC might be even worse.
What to do?
Whether you’re using DNSSEC or not, we’ll repeat the security advice issued in a recent US Department of Homeland Security emergency directive:
- Verify that all important domains are resolving to the correct IP address and haven’t been tampered with.
- Change passwords on all accounts used to manage domain records.
- Turn on multi-factor authentication to protect admin accounts.
- Monitor Certificate Transparency (CT) logs for newly issued TLS certificates that might have been issued by a malicious actor.
LISTEN NOW: LEARN MORE ABOUT DNS HIJACKING
[The section on DNS hijacking and what to do about it starts at 3’57”]
(Audio player not working? Download the MP3, listen on Soundcloud, or get it from iTunes.)
Mahhn
Question, is there something we (consumers) can do to promote the implementation of DNSSEC? and is it really ready, or just moving the exploit to another link in the chain?
Paul Ducklin
I would take the route that the US DHS did first: they told government server admins to lock down their DNS records using 2FA (it seems this would have stopped a lot of the recent hijacks because crooks were logging in with stolen, guessed or stuffed passwords). Then they said, “Oh, we really mean it – do it in 10 days.”
When it comes to improving security, deadlines can be surprisingly handy!
Ian
I’m very glad that they came out and issued a statement on DNSSEC but it’s too bad ICANN’s web server isn’t using up-to-date key exchange protocols. No ECDHE or even DHE at least? Just RSA which has been removed from TLS 1.3 due to FS vulnerabilities. Really ICANN? I can’t even connect to their site without weakening my system’s security. Makes it kinda hard to pay attention to their DNSSEC advice when they run their own site how they do. I understand that DNS != TLS but they are all components of secure web browsing and its pretty sad to see that even ICANN isn’t keeping up.
Tim
Now, if only Sophos’ XG firewall would support DNSSEC!? https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/20381515-add-support-for-dnssec-domain-name-system-securit