The excuses for not adopting DNS Security Extensions ‘no longer hold water’

Internet governance body ICANN has renewed calls for organizations to adopt DNSSEC as a defense, citing ongoing attacks against the web’s DNS infrastructure as its rationale.

DNSSEC – DNS Security Extensions – is designed to authenticate DNS lookups through the use of public-key cryptography. The technology has been around as an internet standard in one form or another for 20 years, but uptake has been slow.

The security specification is designed to prevent miscreants from interfering with domain name lookups. The approach guards against domain name cache poisoning attacks, famously highlighted by security researcher Dan Kaminsky back in 2008, as well as other exploits, such as ongoing attempts to hijack DNS infrastructure.

As previously reported by The Daily Swig, the DNS records of government, telcos, and internet infrastructure organizations are all being hacked in a multi-pronged campaign, which has been running since January 2017.

Three different techniques – one of which relies, in part, on fraudulent SSL certificates – are at play, FireEye warned last month.

In response to this malfeasance, the US Department of Homeland Security last month advised sysadmins to make greater use of authentication in repelling a series of ongoing and multifaceted attacks, suspected by some (with modest levels of confidence) to be the work of Iranian state-sponsored hackers.

Hackers are targeting DNS infrastructure on an industrial scale, making unauthorized changes to replace the addresses of intended servers with addresses of machines controlled by the attackers, using the compromised credentials of sysadmins.

“This particular type of attack, which targets the DNS, only works when DNSSEC is not in use,” according to an alert issued by ICANN late last week, advocating greater DNSSEC adoption in response to the attacks.

“DNSSEC is a technology developed to protect against such changes by digitally ‘signing’ data to assure its validity. Although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorized modification to DNS information can be detected, and users are blocked from being misdirected.”

Chain of trust

DNSSEC works by putting together a chain of trust between a user’s machine, a DNS resolver service, and a domain supporting the technology.

Somewhat akin to IPv6, the full benefit of DNSSEC can only be realized when all parties in the chain support it. Almost all of the root and top-level zones are signed up and enrolled to DNSSEC, but it’s still the case that very few companies use DNSSEC validation on their domains.
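
One link in that chain of trust can be checked offline: the parent zone publishes a DS record holding a hash of the child zone's key-signing DNSKEY (RFC 4034), and a validator rejects any DNSKEY that does not match it. The sketch below is an added example, not part of the original article; the zone `example.test` and the key bytes are constructed, and RRSIG signature verification is left out.

```python
import hashlib
import hmac

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout: flags (2 bytes), protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over owner name (wire form) plus DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def ds_matches(owner: str, rdata: bytes, ds_tag: int, ds_alg: int, ds_digest: bytes) -> bool:
    """True only if the child's DNSKEY is the one the parent's DS record vouches for."""
    return (key_tag(rdata) == ds_tag
            and rdata[3] == ds_alg
            and hmac.compare_digest(ds_digest_sha256(owner, rdata), ds_digest))

# Constructed sample data (not real keys): flags 257 = key-signing key,
# protocol 3, algorithm 13 = ECDSA P-256/SHA-256 (64-byte public key).
ZONE = "example.test."
CHILD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
PARENT_DS = (key_tag(CHILD_KSK), 13, ds_digest_sha256(ZONE, CHILD_KSK))
# A DNSKEY served by someone who altered the zone's records but not the parent's DS.
ROGUE_KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))

def check(rdata: bytes) -> bool:
    return ds_matches(ZONE, rdata, *PARENT_DS)

if __name__ == "__main__":
    print("legitimate key accepted:", check(CHILD_KSK))
    print("substituted key accepted:", check(ROGUE_KSK))
```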

“In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names,” ICANN said.

“The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the internet’s global identifier systems.”

Cricket Liu, chief DNS architect at Infoblox, told The Daily Swig that there’s evidence that DNSSEC adoption would indeed offer protection against the latest DNS hijacking attacks.

“In Brian Krebs’s article, Bill Woodcock from PCH (one of the organizations targeted in the attack) reported that DNSSEC helped mitigate the attack,” Liu explained. “The only two PCH employees affected were using recursive DNS servers that didn’t perform DNSSEC validation (because they were traveling).”

Liu went on to offer reasons as to why overall DNSSEC adoption is low. “DNSSEC is complex and poorly understood, and it took some time for DNS tools and platforms to support it well,” he said. “But many vendors, including Infoblox and others, have invested in DNSSEC and automated the management of DNSSEC-signed zones.

“I think most of the excuses for not adopting DNSSEC no longer hold water.”

Canary in a coal mine

ICANN’s advice for organizations to adopt DNSSEC is merited, given the “brazenness of what appears to be nation-state connected attackers” attacking DNS infrastructures, security researcher Dan Kaminsky told The Daily Swig.

“It’s tempting for some to dismiss DNSSEC as a solution to these threats,” Kaminsky explained. “DNSSEC, after all, secures your relationship to the world, not to your DNS registrar or registry. This purely technical analysis is myopic.

“These new attacks are operational in nature; they involve ‘socially engineering’ businesses in acts of identity theft. DNS addresses such attacks by allowing you to seamlessly port your names to new registrars with better operational procedures.”

“Only some attackers are compromising business relationships. Others are injecting traffic maliciously – something DNSSEC actually does mitigate well,” Kaminsky added.

“DNSSEC is a sort of canary in a coal mine here. Registrars unable to manage the information flows required for DNSSEC to function – and domain holders who have no individuals tasked with ownership of those flows – aren’t going to be in any position to survive a confident, well informed, and quite malicious attacker set on hijacking a domain.”

“The core of the Internet’s identity model is not HTTPS, it’s DNS. HTTPS leans, somewhat circuitously, on DNS (via Common Names and Subject Alternate Names, both very pointedly *DNS* Names),” he said.

Last mile

DNSSEC has been around for so long that it might be tempting to think more recently ratified and related standards for secure DNS – such as DNS over TLS (DoT) and DNS over HTTPS (DoH) – ought to be prioritized for deployment.

Liu, however, said that it would be better to roll out the technologies in parallel, in order to properly safeguard DNS deployments.

“DNSSEC is really complementary to DoT and DoH,” he explained. “DoT and DoH secure DNS’s ‘last mile’: The communication between the stub resolver (i.e., DNS client) and the recursive DNS server.

“DNSSEC handles validation of DNS data returned by other DNS servers, ensuring its authenticity and integrity, but doesn’t address the last mile.”

Historically compared to a phone book, DNS is the distributed naming service for the internet. It maps domain names that surfers might type into a browser to IP addresses. The same technology is also used to route emails.

DNS queries resolve domain names into IP addresses – a vital function for surfing the web, routing emails and much more besides.

The majority of DNS traffic remains unauthenticated and unencrypted, making it easier for hackers to forge results in order to misdirect users or to run man-in-the-middle-style attacks, among other potential attacks.
