Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Stronger DNS Security Stymies Would-Be Criminals

2018 saw a reduced number of huge DNS-facilitated DDoS attacks. Vendors and service providers believe that malicious impact will drop with continued technology improvements.

Early numbers indicate that 2018 was a relatively quiet year in terms of huge distributed denial-of-service (DDoS) attacks, but does that indicate quieter times ahead in 2019? While it's tricky to predict the future in cybersecurity, some experts think that improvements in DNS security are forcing criminals and vandals to change their strategies in order to keep up.

"The current market isn't so much about the huge DDoS attacks, but there's an always-on behind-the-scenes battle going on," says Kris Beevers, co-founder and CEO of NS1. He says that while smaller, highly targeted DDoS attacks are a constant feature of the cybersecurity landscape, improvements and investments made since the huge Mirai-powered DDoS attacks of 2016 have made it much more difficult to use name servers as an attack tool.

Cricket Liu, executive vice president of engineering and chief DNS architect at InfoBlox, agrees with Beevers. "One aspect of DNS security that is improving and making it more difficult for people to use DNS servers in DDoS attacks is the implementation of something called RRL — response rate limiting," Liu says. With RRL, a DNS server will respond a limited number of times for a request for a single domain resolution from a particular IP address, making it less likely that it will flood a victim with traffic.

The other advancement that is improving DNS security is the increasing use of DNSSEC, a system that makes it much more difficult to spoof DNS requests and responses. DNSSEC requires that servers be authenticated and signed by a trusted certificate. Liu says that adoption of DNSSEC is growing but is still uneven across different countries and top-level domains. "The domains .com and .net, for example, have a very, very low adoption rate of DNSSEC among their subdomains," he says, while pointing to Sweden and Belgium as top-level domains with very high adoption rates.

For individuals and organizations that use public DNS resolution, the security news continues to improve. Beevers says that public recursive DNS servers like those hosted by Google, Open DNS, and Quad9 are using techniques like RRL and DNSSEC for all transactions. (Note: "Recursive" DNS servers are used to answer queries from clients about the address of particular URLs. "Authoritative" DNS servers, which are frequently mentioned in press accounts, are those that provide the IP address mapping, which the recursive DNS servers use to answer the queries.)

John Todd, executive director of Quad9, a nonprofit service operated by a consortium of vendors, says that the service now has servers in 137 cities spanning 82 counties. Those servers, he says, block more than 10 million malicious events a day with various techniques, with some days seeing as many as 40 million blocked events.

One of the techniques is DNSSEC for DNS query security. The other is blocking resolution to known-malicious URLs — websites, for example, that are known to host malware-laden or phishing links — by drawing on aggregated threat intelligence feeds from 19 partners.

As Internet users become more concerned about traffic, Todd says the increase in Quad9 use has begun to increase on the order of 25% per week. Beevers sees several macro trends contributing to the rise that Quad9 and other secure DNS vendors and service providers are seeing. "Security is at the center of things," he says. "DNSSEC, the ongoing need for redundancy, and the macro trend toward unifying the stack across public and private cloud infrastructure are the big things we're seeing happen."

Moving forward, Liu sees further improvement in near-term DNS security. "I'm pretty excited about DANE, which stands for DNS Authentication of Named Entities," he says.

DANE, which is described in IETF RFC 6698, allows an organization to put information about a certificate in the response to a query, so that the entity making the query will know whether the response is secured by the right certificate — or a legitimate certificate. It's a way, Liu says, "of combating the relative ease of getting a bogus cert from a somewhat unscrupulous [certificate authority]. I'm excited about that because it's an interesting and useful application of DNS, and at the same time it would tend to drive DNSSEC adoption."

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14832
PUBLISHED: 2019-10-15
A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.
CVE-2017-10022
PUBLISHED: 2019-10-15
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing ...
CVE-2019-10759
PUBLISHED: 2019-10-15
safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
CVE-2019-10760
PUBLISHED: 2019-10-15
safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
CVE-2019-17397
PUBLISHED: 2019-10-15
In the DoorDash application through 11.5.2 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.