Powerful malicious actors continue to be a substantial risk to key parts of the Internet and its Domain Name System security infrastructure, so much so that The Internet Corporation for Assigned Names and Numbers is calling for an intensified community effort to install stronger DNS security technology.
Specifically ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. DNS,often called the internet’s phonebook, is part of the global internet infrastructure that translates between common language domain names and IP addresses that computers need to access websites or send emails. DNSSEC adds a layer of security on top of DNS.
DNSSEC technologies have been around since about 2010 but are not widely deployed, with less than 20 percent of the world’s DNS registrars having deployed it, according to the Regional Internet address Registry for the Asia-Pacific region (APNIC).
DNSSEC adoption has been lagging because it was viewed as optional and can require a tradeoff between security and functionality said Kris Beevers, co-founder and CEO of DNS vendor NS1.
DNSSEC prevents attacks that can compromise the integrity of answers to DNS queries by cryptographically signing DNS records to verify their authenticity, Beevers said.
“However, most implementations are incompatible with modern DNS requirements, including redundant DNS setups or dynamic responses from DNS-based traffic-management features,” Beevers said. “Legacy DNSSEC implementations break even basic functions, such as geo-routing, and is hard to implement across multiple vendors, which means poor performance and reduced availability for end users.”
Full deployment of DNSSEC ensures end users are connecting to the actual web site or other service corresponding to a particular domain name, ICANN says “Although this will not solve all the security problems of the Internet, it does protect a critical piece of it – the directory lookup – complementing other technologies such as SSL (https:) that protect the "conversation", and provide a platform for yet-to-be-developed security improvements,” ICANN says.
“Some of the attacks target the DNS, in which unauthorized changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers. This particular type of attack, which targets the DNS, only works when DNSSEC is not in use,” ICANN stated.
“Enterprises that are potential targets – in particular those that capture or expose user and enterprise data through their applications – should heed this warning by ICANN and should pressure their DNS and registrar vendors to make DNSSEC and other domain-security best practices easy to implement and standardized. They can easily implement DNSSEC signing and other domain security best practices with technologies in the market today,” Beevers said. At the very least, they should work with their vendors and security teams to audit their implementations with respect to ICANN's checklist and other best practices, such as DNS delivery network redundancy to protect against DDoS attacks targeting DNS infrastructure, Beevers stated.
ICANN is an organization that typically thinks in decades, so the immediacy of the language – "alert", "ongoing and significant risk" – is telling. They believe it is critical for the ecosystem, industry and consumers of domain infrastructure to take urgent action to ensure DNSSEC signing of all unsigned domains, Beevers said.
“ICANN's direction drives broader policy decisions and actions for other regulatory bodies, and just as importantly, for major technology players in the ecosystem,” Beevers said. “We are likely to see pressure from major technology players like browser vendors, ISPs and others to drive behavioral change in the application-delivery ecosystem to incentivize these changes. “
ICANN’s warning comes on the heels of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warning in January that all federal agencies should bolt down their Domain Name System in the face of a series of global hacking campaigns.
CISA said in its emergency directive that it is tracking a series of incidents targeting DNS infrastructure. CISA wrote that it “is aware of multiple executive-branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.”
CISA says that attackers have managed to intercept and redirect web and mail traffic and could target other networked services. The agency said the attacks start with compromising user credentials of an account that can make changes to DNS records. Then the attacker alters DNS records, like address, mail exchange or name-server, replacing the legitimate address of the services with an address the attacker controls.
These actions let the attacker direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection, CISA stated.
CISA noted that FireEye and Cisco Talos researchers had reported that malicious actors obtained access to accounts that controlled DNS records and made them resolve to their own infrastructure before relaying it to the real address. Because they could control an organization’s DNS, they could obtain legitimate digital certificates and decrypt the data they intercepted – all while everything looked normal to users.
ICANN offered a checklist of recommended security precautions that members of the domain-name industry, registries, registrars, resellers and related others shoudl take to protect their systems, their customers’ systems and information reachable via the DNS.
Thanks to Michael Cooney (see source)