The Internet Corporation for Assigned Names and Numbers (ICANN), a nonprofit organization dedicated to collaboration towards a secure and globally unified internet, has reacted to increasing reports of attacks on DNS infrastructure by urging registrars to adopt DNSSEC.
What is ICANN?
ICANN is an internationally organized corporation responsible for IP address space allocation, protocol identifier assignment, gTLD (generic Top-Level Domain) and ccTLD (country code Top-Level Domain) name system management, and root server system management functions. Its motto is “One World. One Internet.”
“As a private-public partnership, ICANN is dedicated to preserving the operational stability of the Internet; to promoting competition; to achieving broad representation of global internet communities; and to developing policy appropriate to its mission through bottom-up, consensus-based processes,” ICANN’s website explains.
ICANN also hosts the popular domain information lookup service WHOIS for gTLDs, which is often utilized by TLS/SSL Certificate issuers to verify domain details.
What is DNS?
Short for Domain Name Servers, DNS is the internet’s equivalent of a phonebook.
Internet users access websites using domain names such as Trustico.com whereas web browsers access websites using IP addresses, for example 220.127.116.11.
DNS translates a domain name to its corresponding IP address so that web browsers connect internet users to their desired websites.
This eliminates the need for internet users to memorize IP addresses, which would be highly inefficient given the sheer number of websites accessed daily.
Unfortunately, DNS was designed in the 1980s, when online security was not as important due to the internet’s much smaller user base, and it hasn’t significantly changed since.
Nikolai Hampton, who holds a Master’s Degree in Cyber Security, explains in a blog post that “DNS works by sending a record request for a domain or host and then listening for a reply.”
“Because the system is distributed, most likely the initial query will need to be sent to another server to be fulfilled. DNS queries chain together until a server can be located that explicitly declares ‘I am the authority for the domain you requested!’,” Hampton says.
“Unfortunately, these DNS interactions don’t happen over controlled connections… The query is broadcast into the void, and the response is blindly sent back with no authentication or verification.”
DNSSEC was designed to remedy this by securing these communications, better equipping DNS for use in the current internet landscape.
DNS Security Extensions (DNSSEC) can be added to DNS to authenticate its data. They do this by adding chains of trust to the DNS that can be validated.
This helps to protect against malicious attacks, such as man-in-the-middle attacks, in which the attacker receives, and possibly alters, information being exchanged between parties.
A common example of a man-in-the-middle attack is the interception of the login information (e-mail and password) of an internet user logging on to a website.
Increasingly, nations’ governments, internet services, insurance companies and other unidentified sectors are being targeted by malicious attackers in an ongoing campaign to steal private and confidential information.
Some of this information even concerns the national security of these nations.
This is not surprising, as DNSSEC currently sees extremely low rates of usage, with fewer than 20 percent of the world’s DNS registrars implementing it.
This is especially concerning as DNSSEC has been available for roughly a decade.
It is the increasingly reported attacks on DNS infrastructures coupled with low global DNSSEC implementation that prompted ICANN to make their public statement advocating its widespread implementation.
ICANN says in their statement that they have long recognized the importance of DNSSEC and are calling for full deployment of the technology across all domains.
“Although this will not solve the security problems of the Internet, it aims to assure that Internet users reach their desired online destination…” ICANN says.
“DNSSEC complements other technologies, such as Transport Layer Security (most typically used in HTTPS) that protect the end user/domain communication.”
ICANN also states that DNS can become a foundation for other protocols that require a way to store data securely, beginning with DNSSEC.
“New protocols have been developed that rely on DNSSEC and thus only work in zones that are signed,” ICANN says in a separate post.
“In the coming years, ICANN hopes to see greater adoption of DNSSEC, both by resolver operators and zone owners.”
“This would mean that more users everywhere could benefit from DNSSEC’s strong cryptographic assurance that they are getting authentic DNS answers to their queries.”
Mitchell has a Bachelor of Arts with Majors in Journalism and Foreign Relations; and a Diploma of Digital Design.