Stronger DNS Security Stymies Would-Be Criminals

Early numbers indicate that 2018 was a relatively quiet year in terms of huge distributed denial-of-service (DDoS) attacks, but does that indicate quieter times ahead in 2019? While it's tricky to predict the future in cybersecurity, some experts think that improvements in DNS security are forcing criminals and vandals to change their strategies in order to keep up.

"The current market isn't so much about the huge DDoS attacks, but there's an always-on behind-the-scenes battle going on," says Kris Beevers, co-founder and CEO of NS1. He says that while smaller, highly targeted DDoS attacks are a constant feature of the cybersecurity landscape, improvements and investments made since the huge Mirai-powered DDoS attacks of 2016 have made it much more difficult to use name servers as an attack tool.

Cricket Liu, executive vice president of engineering and chief DNS architect at InfoBlox, agrees with Beevers. "One aspect of DNS security that is improving and making it more difficult for people to use DNS servers in DDoS attacks is the implementation of something called RRL — response rate limiting," Liu says. With RRL, a DNS server will respond a limited number of times for a request for a single domain resolution from a particular IP address, making it less likely that it will flood a victim with traffic.

The other advancement that is improving DNS security is the increasing use of DNSSEC, a system that makes it much more difficult to spoof DNS requests and responses. DNSSEC requires that servers be authenticated and signed by a trusted certificate. Liu says that adoption of DNSSEC is growing but is still uneven across different countries and top-level domains. "The domains .com and .net, for example, have a very, very low adoption rate of DNSSEC among their subdomains," he says, while pointing to Sweden and Belgium as top-level domains with very high adoption rates.

For individuals and organizations that use public DNS resolution, the security news continues to improve. Beevers says that public recursive DNS servers like those hosted by Google, Open DNS, and Quad9 are using techniques like RRL and DNSSEC for all transactions. (Note: "Recursive" DNS servers are used to answer queries from clients about the address of particular URLs. "Authoritative" DNS servers, which are frequently mentioned in press accounts, are those that provide the IP address mapping, which the recursive DNS servers use to answer the queries.)

John Todd, executive director of Quad9, a nonprofit service operated by a consortium of vendors, says that the service now has servers in 137 cities spanning 82 counties. Those servers, he says, block more than 10 million malicious events a day with various techniques, with some days seeing as many as 40 million blocked events.

One of the techniques is DNSSEC for DNS query security. The other is blocking resolution to known-malicious URLs — websites, for example, that are known to host malware-laden or phishing links — by drawing on aggregated threat intelligence feeds from 19 partners.

As Internet users become more concerned about traffic, Todd says the increase in Quad9 use has begun to increase on the order of 25% per week. Beevers sees several macro trends contributing to the rise that Quad9 and other secure DNS vendors and service providers are seeing. "Security is at the center of things," he says. "DNSSEC, the ongoing need for redundancy, and the macro trend toward unifying the stack across public and private cloud infrastructure are the big things we're seeing happen."

Moving forward, Liu sees further improvement in near-term DNS security. "I'm pretty excited about DANE, which stands for DNS Authentication of Named Entities," he says.

DANE, which is described in IETF RFC 6698, allows an organization to put information about a certificate in the response to a query, so that the entity making the query will know whether the response is secured by the right certificate — or a legitimate certificate. It's a way, Liu says, "of combating the relative ease of getting a bogus cert from a somewhat unscrupulous [certificate authority]. I'm excited about that because it's an interesting and useful application of DNS, and at the same time it would tend to drive DNSSEC adoption."

Related Content: