Stronger DNS Security Stymies Would-Be Criminals

2018 saw a reduced number of huge DNS-facilitated DDoS attacks. Vendors and service providers believe that malicious impact will drop with continued technology improvements.

Early numbers indicate that 2018 was a relatively quiet year in terms of huge distributed denial-of-service (DDoS) attacks, but does that indicate quieter times ahead in 2019? While it's tricky to predict the future in cybersecurity, some experts think that improvements in DNS security are forcing criminals and vandals to change their strategies in order to keep up.

"The current market isn't so much about the huge DDoS attacks, but there's an always-on behind-the-scenes battle going on," says Kris Beevers, co-founder and CEO of NS1. He says that while smaller, highly targeted DDoS attacks are a constant feature of the cybersecurity landscape, improvements and investments made since the huge Mirai-powered DDoS attacks of 2016 have made it much more difficult to use name servers as an attack tool.

Cricket Liu, executive vice president of engineering and chief DNS architect at Infoblox, agrees with Beevers. "One aspect of DNS security that is improving and making it more difficult for people to use DNS servers in DDoS attacks is the implementation of something called RRL — response rate limiting," Liu says. With RRL, a DNS server will respond only a limited number of times to requests for a single domain resolution from a particular IP address, making it less likely that it will flood a victim with traffic.
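The following is an added illustration of the RRL behavior described above, not code from the article or from any DNS server. The class, its parameter names, the grouping of clients by /24 network and the periodic truncated ("slip") reply are assumptions of this model, and the traffic is constructed.

```python
import ipaddress
from collections import Counter

class ResponseRateLimiter:
    """Illustrative model of DNS response rate limiting (RRL)."""

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rate = responses_per_second
        self.slip = slip              # every Nth over-limit reply goes out truncated
        self.prefix_len = prefix_len  # clients are grouped by network (assumption)
        self.second = None
        self.counts = Counter()

    def decide(self, now, src_ip, qname):
        """Return 'answer', 'truncate' or 'drop' for one query."""
        if int(now) != self.second:   # new one-second window: forget old counts
            self.second, self.counts = int(now), Counter()
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        key = (net, qname.lower().rstrip("."))
        self.counts[key] += 1
        over = self.counts[key] - self.rate
        if over <= 0:
            return "answer"
        if self.slip and over % self.slip == 0:
            return "truncate"         # TC bit set: a real client retries over TCP
        return "drop"

def simulate():
    """Constructed traffic: one source address floods, another asks once."""
    rrl = ResponseRateLimiter()
    flood = Counter(rrl.decide(100.0 + i / 100, "203.0.113.7", "example.com.")
                    for i in range(20))
    bystander = rrl.decide(100.5, "198.51.100.10", "example.com.")
    next_second = rrl.decide(101.0, "203.0.113.7", "example.com.")
    return flood, bystander, next_second
```

Of the 20 same-second queries attributed to one address, only five get full answers, while an unrelated client asking for the same name is unaffected.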

The other advancement that is improving DNS security is the increasing use of DNSSEC, a system that makes it much more difficult to spoof DNS requests and responses. DNSSEC requires that servers be authenticated and signed by a trusted certificate. Liu says that adoption of DNSSEC is growing but is still uneven across different countries and top-level domains. "The domains .com and .net, for example, have a very, very low adoption rate of DNSSEC among their subdomains," he says, while pointing to Sweden and Belgium as top-level domains with very high adoption rates.

For individuals and organizations that use public DNS resolution, the security news continues to improve. Beevers says that public recursive DNS servers like those hosted by Google, OpenDNS, and Quad9 are using techniques like RRL and DNSSEC for all transactions. (Note: "Recursive" DNS servers are used to answer queries from clients about the address of particular URLs. "Authoritative" DNS servers, which are frequently mentioned in press accounts, are those that provide the IP address mapping, which the recursive DNS servers use to answer the queries.)

John Todd, executive director of Quad9, a nonprofit service operated by a consortium of vendors, says that the service now has servers in 137 cities spanning 82 countries. Those servers, he says, block more than 10 million malicious events a day with various techniques, with some days seeing as many as 40 million blocked events.

One of the techniques is DNSSEC for DNS query security. The other is blocking resolution to known-malicious URLs — websites, for example, that are known to host malware-laden or phishing links — by drawing on aggregated threat intelligence feeds from 19 partners.

As Internet users become more concerned about traffic, Todd says, Quad9 use has begun to increase on the order of 25% per week. Beevers sees several macro trends contributing to the rise that Quad9 and other secure DNS vendors and service providers are seeing. "Security is at the center of things," he says. "DNSSEC, the ongoing need for redundancy, and the macro trend toward unifying the stack across public and private cloud infrastructure are the big things we're seeing happen."

Moving forward, Liu sees further improvement in near-term DNS security. "I'm pretty excited about DANE, which stands for DNS Authentication of Named Entities," he says.

DANE, which is described in IETF RFC 6698, allows an organization to put information about a certificate in the response to a query, so that the entity making the query will know whether the response is secured by the right certificate — or a legitimate certificate. It's a way, Liu says, "of combating the relative ease of getting a bogus cert from a somewhat unscrupulous [certificate authority]. I'm excited about that because it's an interesting and useful application of DNS, and at the same time it would tend to drive DNSSEC adoption."
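As an added example (not from the article), this is how a client could compare a TLSA record from RFC 6698 against the certificate a server presents, for end-entity usages only. The function names, the cert-shaped sample bytes and the CA labels are constructed for illustration, and the check assumes the TLSA record was already DNSSEC-validated.

```python
import hashlib

HASHES = {"0": bytes, "1": lambda b: hashlib.sha256(b).digest(),  # RFC 6698
          "2": lambda b: hashlib.sha512(b).digest()}              # matching types

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo from an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)              # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(cert_der, pos)      # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = _tlv(cert_der, pos)
        fields += [] if tag == 0xA0 else [cert_der[pos:end]]  # skip [0] version
        pos = end
    return fields[5]  # serial, sigAlg, issuer, validity, subject, then SPKI

def tlsa_matches(rdata, cert_der):
    """True if the end-entity cert satisfies 'usage selector mtype hexdata'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    if usage not in ("1", "3") or selector not in ("0", "1") or mtype not in HASHES:
        raise ValueError("TLSA parameters not handled by this sketch")
    selected = cert_der if selector == "0" else spki_from_cert(cert_der)
    return HASHES[mtype](selected) == bytes.fromhex(hexdata)

def _der(tag, *parts):                         # builds the constructed samples
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body      # short-form lengths only
def sample_cert(issuer, key):  # cert-shaped DER, constructed; not a valid cert
    s, spki = _der(0x30), _der(0x30, _der(0x30), _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), s,
               _der(0x30, _der(0x0C, issuer)), s, s, spki)
    return _der(0x30, tbs, s, _der(0x03, b"\x00sig"))

def demo():  # name -> (SPKI pin matches, full-certificate pin matches)
    site = sample_cert(b"CA-A", b"site-key")
    certs = {"site": site, "reissued": sample_cert(b"CA-B", b"site-key"),
             "bogus": sample_cert(b"CA-B", b"other-key")}
    pins = ["3 1 1 " + hashlib.sha256(spki_from_cert(site)).hexdigest(),
            "3 0 1 " + hashlib.sha256(site).hexdigest()]
    return {n: tuple(tlsa_matches(p, c) for p in pins) for n, c in certs.items()}
```

A certificate for the same name with a different key fails both pins, while a reissued certificate that keeps the site's key still satisfies the selector 1 (public key) record.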

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...