The Last Watchdog

on Internet security by Byron Acohido

How DNS, the backbone of the Internet, is being shored up

Posted on August 13, 2010

Two recent developments involving the Domain Name System, or DNS, should help substantively shore up cybersecurity over the long haul.

VeriSign this week launched a new managed DNS service aimed at helping companies and organizations — especially small- and medium-sized firms — run more smoothly and better defend against denial of service attacks.

That follows the big announcement late last month at the Black Hat cybersecurity conference in Las Vegas by the Internet Corporation for Assigned Names and Numbers. ICANN rolled out a new standard the tech community has been hashing over for more than a decade, called DNS Security Extensions.

DNSSEC is being hailed as the cornerstone of the Internet of the near future, one in which it will be much more difficult for cybercriminals to redirect Internet users to web sites erected to infect visitors’ PCs with malicious programs.

DNS is the backbone of the Internet. It involves a series of steps to connect a domain name, such as lastwatchdog.com, to its actual numerical location on the Internet, all in a few moments’ time.

“A lot of people don’t know just how critical DNS is,” says Matt Larson, VeriSign vice president of DNS research. “If DNS doesn’t work, things come to a screeching halt.”

VeriSign runs some 140 data centers around the world that assign and keep track of the IP addresses for all .com and .net Web sites on the planet. It carries out the final step of connecting a domain name — the word preceding .com or .net in a Web address — to its actual numerical location on the Internet.

VeriSign recently sold off its Checkmark authentication unit to antivirus giant Symantec for $1.28 billion in cash, to focus on this “root-level” naming service.

However, the company launched VeriSign Managed DNS this week to directly provide businesses and organizations with a new service that will monitor their Web servers and handle the DNS traffic that occurs just before the root-level connection is made.

VeriSign is pitching its new service as an inexpensive, secure way to keep company websites, email and Web systems live and available, freeing IT staff to do other things. In the event of an outage or service disruption, VeriSign will quickly redirect Internet traffic to backup systems.

“DNS is what we do for a living,” says Ben Petro, VeriSign senior vice president of network intelligence and availability. “It is in our best interest to make sure .com and .net are safe and stable.”

Petro acknowledges it will be difficult to get many of the top 1,000 companies doing business on the Internet, virtually all of which use rival Neustar UltraDNS, to switch to its new managed DNS offering. So VeriSign is gearing its marketing toward small- and medium-sized businesses, many of which manage DNS in house. And it is offering a free three-month trial, including 24-hour phone support.

The accelerating use of Internet-connected smartphones and mobile devices, like the iPad, to conduct commerce has drastically complicated the Web’s underpinnings. The fundamental steps to resolve a domain name to its numerical address are becoming increasingly complex. “Most organizations are struggling to maintain high availability of these systems,” says Petro.

As for DNSSEC, it should over time make it much more difficult for cybercriminals to spoof responses flying back and forth to resolve a domain name to an IP address. The banking Trojans now plaguing the Internet all circle back to the ability of hackers to readily create false identities within DNS.

“Today it’s trivially easy to spoof the DNS response,” says Larson. “That’s where man-in-the-middle attacks can get involved. The attacker can slip in a spoofed response that beats the legitimate response back to you.”

DNSSEC incorporates digital certificates into the process. It is designed to make it next to impossible for criminals to counterfeit. While the foundation is in place, it is expected to take years for corporations, ISPs and infrastructure entities to fully embrace and implement the new standard.

Still, Rod Beckstrom, ICANN president and CEO, uncorked several bottles of champagne for reporters and analysts at the conclusion of the Black Hat news conference unveiling DNSSEC.

“This is, by any measure, an historic development,” said Beckstrom. “This security upgrade matters to everyone who uses a computer, and that means most of us.”

By Byron Acohido
