Perimeter

Stronger DNS Security Stymies Would-Be Criminals

2018 saw a reduced number of huge DNS-facilitated DDoS attacks. Vendors and service providers believe that malicious impact will drop with continued technology improvements.

Early numbers indicate that 2018 was a relatively quiet year in terms of huge distributed denial-of-service (DDoS) attacks, but does that indicate quieter times ahead in 2019? While it's tricky to predict the future in cybersecurity, some experts think that improvements in DNS security are forcing criminals and vandals to change their strategies in order to keep up.

"The current market isn't so much about the huge DDoS attacks, but there's an always-on behind-the-scenes battle going on," says Kris Beevers, co-founder and CEO of NS1. He says that while smaller, highly targeted DDoS attacks are a constant feature of the cybersecurity landscape, improvements and investments made since the huge Mirai-powered DDoS attacks of 2016 have made it much more difficult to use name servers as an attack tool.

Cricket Liu, executive vice president of engineering and chief DNS architect at InfoBlox, agrees with Beevers. "One aspect of DNS security that is improving and making it more difficult for people to use DNS servers in DDoS attacks is the implementation of something called RRL — response rate limiting," Liu says. With RRL, a DNS server will respond a limited number of times for a request for a single domain resolution from a particular IP address, making it less likely that it will flood a victim with traffic.

The other advancement that is improving DNS security is the increasing use of DNSSEC, a system that makes it much more difficult to spoof DNS requests and responses. DNSSEC requires that servers be authenticated and signed by a trusted certificate. Liu says that adoption of DNSSEC is growing but is still uneven across different countries and top-level domains. "The domains .com and .net, for example, have a very, very low adoption rate of DNSSEC among their subdomains," he says, while pointing to Sweden and Belgium as top-level domains with very high adoption rates.

For individuals and organizations that use public DNS resolution, the security news continues to improve. Beevers says that public recursive DNS servers like those hosted by Google, Open DNS, and Quad9 are using techniques like RRL and DNSSEC for all transactions. (Note: "Recursive" DNS servers are used to answer queries from clients about the address of particular URLs. "Authoritative" DNS servers, which are frequently mentioned in press accounts, are those that provide the IP address mapping, which the recursive DNS servers use to answer the queries.)

John Todd, executive director of Quad9, a nonprofit service operated by a consortium of vendors, says that the service now has servers in 137 cities spanning 82 counties. Those servers, he says, block more than 10 million malicious events a day with various techniques, with some days seeing as many as 40 million blocked events.

One of the techniques is DNSSEC for DNS query security. The other is blocking resolution to known-malicious URLs — websites, for example, that are known to host malware-laden or phishing links — by drawing on aggregated threat intelligence feeds from 19 partners.

As Internet users become more concerned about traffic, Todd says the increase in Quad9 use has begun to increase on the order of 25% per week. Beevers sees several macro trends contributing to the rise that Quad9 and other secure DNS vendors and service providers are seeing. "Security is at the center of things," he says. "DNSSEC, the ongoing need for redundancy, and the macro trend toward unifying the stack across public and private cloud infrastructure are the big things we're seeing happen."

Moving forward, Liu sees further improvement in near-term DNS security. "I'm pretty excited about DANE, which stands for DNS Authentication of Named Entities," he says.

DANE, which is described in IETF RFC 6698, allows an organization to put information about a certificate in the response to a query, so that the entity making the query will know whether the response is secured by the right certificate — or a legitimate certificate. It's a way, Liu says, "of combating the relative ease of getting a bogus cert from a somewhat unscrupulous [certificate authority]. I'm excited about that because it's an interesting and useful application of DNS, and at the same time it would tend to drive DNSSEC adoption."

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9047
PUBLISHED: 2019-02-23
GoRose v1.0.4 has SQL Injection when the order_by or group_by parameter can be controlled.
CVE-2019-9062
PUBLISHED: 2019-02-23
PHP Scripts Mall Online Food Ordering Script 1.0 has Cross-Site Request Forgery (CSRF) in my-account.php.
CVE-2019-9063
PUBLISHED: 2019-02-23
PHP Scripts Mall Auction website script 2.0.4 allows parameter tampering of the payment amount.
CVE-2019-9064
PUBLISHED: 2019-02-23
PHP Scripts Mall Cab Booking Script 1.0.3 allows Directory Traversal into the parent directory of a jpg or png file.
CVE-2019-9065
PUBLISHED: 2019-02-23
PHP Scripts Mall Custom T-Shirt Ecommerce Script 3.1.1 allows parameter tampering of the payment amount.