Could DNSSEC have protected the DNS against recent attacks?

It was recently revealed that cybercriminals had attacked the Domain Name System (DNS) with the aim of intercepting commercial and governmental internet traffic. Following the attacks, ICANN called for the adoption of DNSSEC, saying it would effectively frustrate any similar assaults in the future. The call received a mixed response, with some people questioning DNSSEC's ability to provide protection when – as in the reported cases – the attacker has the DNS provider's log-in details.

DNSSEC validates a responding name server

DNSSEC is a protocol that uses asymmetric cryptography to validate the data provided by a DNS server. Ordinarily, a computer will accept the first reply it receives, without checking that the sender is trustworthy. That's obviously a security issue, which is why DNSSEC was developed.

DNSSEC doesn't identify the server

DNSSEC doesn't confirm a server's identity, as an EV TLS certificate does. If a DNS server is hacked, the hacker can ultimately negate the benefit of DNSSEC by replacing the 'real' DNSSEC data with data that appears to be valid, but doesn't really belong to the DNS record in question. Under such circumstances, DNSSEC is merely a fire retardant: the hacker has to change a lot more data in order to redirect the traffic. What's more, the hacker's changes will soon be picked up, because the falsified data won't match the data in the zone file (e.g. the .nl zone file managed by SIDN).

Validation necessary

DNSSEC is effective only if internet users whose machines send DNS queries do actually validate the DNSSEC data that they get in response. That can be done using a service such as Google Public DNS, CloudFlare DNS or Quad9. However, many internet service providers don't yet support validation. That's down to them being unfamiliar with the standard and/or seeing validation as a low priority.

DNSSEC isn't a panacea

Conclusion: DNSSEC can certainly help to frustrate attacks on the DNS when it's used as part of a raft of measures including TLS. ICANN recognises that DNSSEC isn't an answer on its own, and describes it as part of a package of protection measures.

 

Comments

  • Thursday 13 December 2018

    News

    Now's the time for digital validation

    Thumb-digital-fingerprint

    Expert Kick Willemse on the developments surrounding digital validation

    Read more
  • Tuesday 28 November 2017

    News

    SIDN's services get the thumbs-up

    Thumb+klanttevredenheid

    Registrars give us 8 out of 10

    Read more
  • Wednesday 26 June 2019

    News

    Game over for IPv4

    Thumb-young-gamer-playing-video-game-wearing-headphones

    Multi-user gamers frustrated by aging internet technology

    Read more

Sorry

Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.