Stronger DNS Security Stymies Would-Be Criminals

  /     /     /  
Publicated : 23/11/2024   Category : security


Stronger DNS Security Stymies Would-Be Criminals


2018 saw a reduced number of huge DNS-facilitated DDoS attacks. Vendors and service providers believe that malicious impact will drop with continued technology improvements.



Early numbers indicate that 2018 was a
relatively quiet year
in terms of huge distributed denial-of-service (DDoS) attacks, but does that indicate quieter times ahead in 2019? While its tricky to predict the future in cybersecurity, some experts think that improvements in DNS security are forcing criminals and vandals to change their strategies in order to keep up.
The current market isnt so much about the huge DDoS attacks, but theres an always-on behind-the-scenes battle going on, says Kris Beevers, co-founder and CEO of NS1. He says that while smaller, highly targeted DDoS attacks are a constant feature of the cybersecurity landscape, improvements and investments made since the huge Mirai-powered DDoS attacks of 2016 have made it much more difficult to use name servers as an attack tool.
Cricket Liu, executive vice president of engineering and chief DNS architect at InfoBlox, agrees with Beevers. One aspect of DNS security that is improving and making it more difficult for people to use DNS servers in DDoS attacks is the implementation of something called RRL — response rate limiting, Liu says. With RRL, a DNS server will respond a limited number of times for a request for a single domain resolution from a particular IP address, making it less likely that it will flood a victim with traffic.
The other advancement that is improving DNS security is the increasing use of DNSSEC, a system that makes it much more difficult to spoof DNS requests and responses. DNSSEC requires that servers be authenticated and signed by a trusted certificate. Liu says that adoption of DNSSEC is growing but is still uneven across different countries and top-level domains. The domains .com and .net, for example, have a very, very low adoption rate of DNSSEC among their subdomains, he says, while pointing to Sweden and Belgium as top-level domains with very high adoption rates.
For individuals and organizations that use public DNS resolution, the security news continues to improve. Beevers says that public recursive DNS servers like those hosted by Google, Open DNS, and Quad9 are using techniques like RRL and DNSSEC for all transactions. (Note: Recursive DNS servers are used to answer queries from clients about the address of particular URLs. Authoritative DNS servers, which are frequently mentioned in press accounts, are those that provide the IP address mapping, which the recursive DNS servers use to answer the queries.)
John Todd, executive director of Quad9, a nonprofit service operated by a consortium of vendors, says that the service now has servers in 137 cities spanning 82 counties. Those servers, he says, block more than 10 million malicious events a day with various techniques, with some days seeing as many as 40 million blocked events.
One of the techniques is DNSSEC for DNS query security. The other is blocking resolution to known-malicious URLs — websites, for example, that are known to host malware-laden or phishing links — by drawing on aggregated threat intelligence feeds from 19 partners.
As Internet users become more concerned about traffic, Todd says the increase in Quad9 use has begun to increase on the order of 25% per week. Beevers sees several macro trends contributing to the rise that Quad9 and other secure DNS vendors and service providers are seeing. Security is at the center of things, he says. DNSSEC, the ongoing need for redundancy, and the macro trend toward unifying the stack across public and private cloud infrastructure are the big things were seeing happen.
Moving forward, Liu sees further improvement in near-term DNS security. Im pretty excited about DANE, which stands for DNS Authentication of Named Entities, he says.
DANE
, which is described in IETF RFC 6698, allows an organization to put information about a certificate in the response to a query, so that the entity making the query will know whether the response is secured by the right certificate — or a legitimate certificate. Its a way, Liu says, of combating the relative ease of getting a bogus cert from a somewhat unscrupulous [certificate authority]. Im excited about that because its an interesting and useful application of DNS, and at the same time it would tend to drive DNSSEC adoption.
Related Content:
CERT/CC Details Critical Flaws in Microsoft Windows, Server
New Domains: A Wide-Open Playing Field for Cybercrime
3 Drivers Behind the Increasing Frequency of DDoS Attacks
7 Ways to Keep DNS Safe
10 Ways to Protect Protocols That Arent DNS

Last News

▸ Feds probe cyber breaches at JPMorgan, other banks. ◂
Discovered: 23/12/2024
Category: security

▸ Security Problem Growing for Dairy Queen, UPS & Retailers, Back off ◂
Discovered: 23/12/2024
Category: security

▸ Veritabile Defecte de Proiectare a Securitatii in Software -> Top 10 Software Security Design Flaws ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Stronger DNS Security Stymies Would-Be Criminals