
Perimeter | Products and Releases
6/23/2016 03:00 PM
Dark Reading

Internet Pioneer Discusses Creation, Expectations and Security of DNS on Its 33rd Birthday

"The Internet community has let legacy infrastructure designs constrain the future."

CARLSBAD, CA--(Marketwired - Jun 23, 2016) - 33 years ago today, Paul Mockapetris, inventor of the Internet Domain Name System, watched the DNS take its first steps. This critical development would open up what may be the world's most utilized and important technological development for a mass audience. Did he understand the importance or impact that DNS would have when it was created?

"I think I saw the potential importance more clearly than the traditional ARPAnet era folks, who were busy replacing the old NCP protocols with IP and TCP," noted Mockapetris, now Chief Scientist at ThreatSTOP. "So I was very happy to take on the design job and build something quite beyond the task given me."

By 1983, he had already spent 15 years designing distributed systems at what would become the Media Lab at MIT, Draper Labs, IBM, and the Distributed Computer System at UC Irvine. So he did expect his creation to be used across the Internet to manage distributed operating systems and applications. DNS was really meant to manage a heterogeneous distributed, federated cloud and its services.

Something Mockapetris did not expect was the whole marketing and branding of names. "I guess I should have taken some classes in business and marketing," he joked. His biggest surprise was that the research agencies in the late 80s and 90s didn't see naming systems and DNS in particular as merely the first steps in an Internet naming architecture. The original design had many places where next steps and additional mechanisms were indicated, and were never taken. Recent work in named data networking has revived this field a bit.

"If I'd been told in 1988 what the DNS would eventually be used for, I would have said it wasn't possible," said Dr. Paul Vixie, Internet pioneer and CEO of Farsight Security, Inc. "Almost all Internet activities, whether for good or evil, begin with a DNS lookup. Defenders who can monitor, and control, and investigate their use of DNS can by extension monitor, and control, and investigate their relationship to the Internet itself."

The DNS was introduced during the transition from the ARPAnet to the IP/TCP-based Internet, and was the largest single architectural innovation of that transition. As a critical infrastructure, DNS has been subjected to many attacks and misuse, but in today's hardened form, it is seen as an essential tool for implementing security.

Security was intentionally left out of the initial design, along with several other functions. DNSSEC is a next step, but it is very heavyweight and doesn't solve current problems like DDoS.

"The Internet community has let legacy infrastructure designs constrain the future," notes Mockapetris. "For example, the 512 byte datagram limit of 1983 should be more like 500 Megabytes if we adjust for the million-fold increase in transmission speed in today's Internet, though I'd settle for 512K bytes. We are giving up on datagrams because of DDoS -- while I understand the argument, I'm not ready to surrender yet. There's a lot of room for innovation here. It's as if we are requiring DNS to support paper tape and floppy disks."
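The 512-byte limit Mockapetris refers to is the RFC 1035 ceiling on a DNS message carried over UDP: a responder whose answer does not fit sets the TC (truncation) bit and the client retries over TCP. The Python below is an added example, not code from the press release or from ThreatSTOP; it packs a minimal A-record response, truncates it when it would exceed the limit, and reports the response-to-query size ratio that makes large UDP answers attractive for reflection DDoS. The function names, the `limit` parameter and the sample addresses are constructed for illustration.

```python
import struct

# RFC 1035 (1983) limit for a DNS message over UDP: the "512 byte datagram limit"
# quoted in the article. Larger answers must be truncated (TC=1) so the client
# retries over TCP.
UDP_PAYLOAD_LIMIT = 512

def build_header(txid, flags, qd=0, an=0, ns=0, ar=0):
    """Pack the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)

def parse_header(msg):
    """Unpack the header flags and section counts of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,      # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,       # truncation: answer did not fit the datagram
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, qname):
    """Standard recursive query for an A record (flags: RD=1)."""
    return build_header(txid, 0x0100, qd=1) + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_a_response(txid, qname, addrs, limit=UDP_PAYLOAD_LIMIT):
    """Answer with one A record per address.  If the full message would exceed
    `limit` bytes, return a truncated response (TC=1) that carries only the
    question, exactly as a UDP responder bound by the 512-byte limit must."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addrs:
        # 0xC00C: compression pointer to the question name at offset 12,
        # then TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4 and the 4-byte address.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += bytes(int(o) for o in addr.split("."))
    base_flags = 0x8180                      # QR=1, RD=1, RA=1
    full = build_header(txid, base_flags, qd=1, an=len(addrs)) + question + answers
    if len(full) <= limit:
        return full
    return build_header(txid, base_flags | 0x0200, qd=1, an=0) + question   # TC set

def needs_tcp_retry(response):
    """True when the responder truncated the answer and the client must use TCP."""
    return parse_header(response)["tc"] == 1

def amplification_ratio(query, response):
    """Bytes returned per byte sent: the figure that makes large UDP answers to
    small queries useful for reflection DDoS against a spoofed source."""
    return len(response) / len(query)

if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    small = build_a_response(0x1234, "example.com", ["10.0.0.1"])
    big = build_a_response(0x1234, "example.com", [f"10.0.0.{i}" for i in range(1, 32)])
    print(len(q), len(small), needs_tcp_retry(small), amplification_ratio(q, small))
    print(len(big), needs_tcp_retry(big))
```

With the constructed "example.com" question, the header plus question is 29 bytes and each A record adds 16, so 30 addresses fit (509 bytes) and a 31st forces truncation; raising `limit` (as a larger negotiated datagram size would) lets the same answer go out in one UDP message, which is also why responders rate-limit or truncate big answers to unverified sources.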

Mockapetris now provides guidance to the ongoing product innovation process for ThreatSTOP, and leads research into DNS-based security. "Effective security requires real-time threat intelligence that is distributed to all of an enterprise's enforcement devices whether they are routers, firewalls, application delivery controllers, or servers. DNS is an ideal vehicle," said Mockapetris. "Fielding powerful, scalable security tools that leverage the ubiquity of DNS to protect organizations of all sizes is critical."

About ThreatSTOP
ThreatSTOP is a network security company offering a cloud-based threat protection service that protects every device and workload on a network from cyberattacks and data theft. It can protect any network, from virtual cloud networks to branch LANs to the largest carrier networks. The service leverages market-leading threat intelligence to deflect inbound and outbound threats, including botnet, phishing and ransomware attacks, and prevents data exfiltration. For more information visit www.threatstop.com.
