
DNS… Wait a SEC

Elisa Cooper

DNSSEC (Domain Name System Security Extensions) is a set of specifications designed to prevent hackers from intercepting DNS queries and redirecting end users to spoofed sites through a technique known as Cache Poisoning. Complete DNSSEC implementation requires that domains are authenticated at the root by the Registry, and that DNS zones and records are authenticated as well.

Now before I go any further, let me begin by stating that I fully support the development and deployment of DNSSEC and that the vulnerabilities presented by Cache Poisoning are very real, especially for those websites collecting login credentials or other types of sensitive information.

However, DNSSEC is not the "end all, be all" Internet security solution that many believe it to be.

DNSSEC addresses just one of the many Internet vulnerabilities that still exist today.

The impact of Cache Poisoning is generally less widespread, and considerably harder to detect, than a breach at the Registry or Registrar level, which affects the global resolution of a website.

Take the Puerto Rican Registry as an example. In August of 2006, .PR announced that they would be the second ccTLD to deploy DNSSEC. While their deployment of DNSSEC certainly may have been helpful in thwarting potential Cache Poisoning attacks, assuming that zones and records were also signed, it did absolutely nothing to protect the .PR Registry when hackers exploited a SQL vulnerability to update and redirect name servers to politically motivated sites.

Other recent domain and DNS exploits include social engineering attacks to reset passwords, SQL attacks against registrars, and breached e-mail accounts to retrieve login credentials. Unfortunately, DNSSEC would not have prevented any of these attacks either.

So while DNSSEC certainly addresses the vulnerabilities related to Cache Poisoning, I urge those responsible for securing their presence online not only to implement DNSSEC for their highly-trafficked and valuable domains, but also to harden those domains against social engineering attacks with two-factor authentication, to lock them at the registry level where that is available, and to monitor them continually so that registry breaches are remediated when they do occur.
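The two registry-side facts the post relies on, that a domain is "authenticated at the root by the Registry" (the DS record the registry publishes for the zone's key) and that name servers delegated at the registry can be changed underneath a signed zone, can both be monitored. The following script is an added example and is not code from the original post or from Brandsight; it implements the key-tag and DS-digest computations from RFC 4034 in pure Python and compares what a registry publishes (NS set, DS set) against what the domain owner expects. All record values below are constructed for illustration, not real registry data.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels,
    each prefixed by its length, terminated by the zero-length root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA = Flags (16 bits) | Protocol (8) | Algorithm (8) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except RSA/MD5):
    sum the RDATA as 16-bit big-endian words, then fold the carry once."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest per RFC 4034 section 5.1.4: hash(owner name in wire form || DNSKEY RDATA).
    Digest type 1 is SHA-1, type 2 is SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_chain_ok(owner: str, observed_ds: list, dnskeys: list) -> bool:
    """True if at least one DS record published at the registry was derived from a
    DNSKEY the zone actually holds, i.e. the chain of trust from the parent is intact."""
    for ds in observed_ds:
        for key in dnskeys:
            rdata = dnskey_rdata(key["flags"], key["protocol"], key["algorithm"], key["pubkey"])
            if (ds["key_tag"] == key_tag(rdata)
                    and ds["algorithm"] == key["algorithm"]
                    and ds["digest"].upper() == ds_digest(owner, rdata, ds["digest_type"])):
                return True
    return False


def ns_drift(expected: list, observed: list) -> dict:
    """Compare the delegation at the registry with the owner's baseline.
    Names are normalised (case-insensitive, trailing dot) before comparison."""
    norm = lambda names: {n.lower().rstrip(".") + "." for n in names}
    exp, obs = norm(expected), norm(observed)
    return {"added": sorted(obs - exp), "removed": sorted(exp - obs)}


def audit_registry(owner, expected_ns, observed_ns, observed_ds, dnskeys) -> list:
    """Return human-readable findings; an empty list means the registry data
    matches what the domain owner expects."""
    findings = []
    drift = ns_drift(expected_ns, observed_ns)
    for ns in drift["removed"]:
        findings.append(f"NS removed at registry: {ns}")
    for ns in drift["added"]:
        findings.append(f"NS added at registry: {ns}")
    if not observed_ds:
        # A missing DS means the zone is unsigned from the resolver's point of view,
        # whether or not its own records carry signatures.
        findings.append("no DS published at registry: DNSSEC chain of trust is absent")
    elif not ds_chain_ok(owner, observed_ds, dnskeys):
        findings.append("DS at registry does not match any DNSKEY held by the zone")
    return findings


# Constructed sample data (hypothetical key bytes and name servers, not real records).
OWNER = "example.com"
EXPECTED_NS = ["ns1.example.net.", "ns2.example.net."]
KSK = {"flags": 257, "protocol": 3, "algorithm": 13, "pubkey": b"\x01\x02\x03\x04"}

if __name__ == "__main__":
    rdata = dnskey_rdata(KSK["flags"], KSK["protocol"], KSK["algorithm"], KSK["pubkey"])
    good_ds = {"key_tag": key_tag(rdata), "algorithm": 13,
               "digest_type": 2, "digest": ds_digest(OWNER, rdata)}
    print("healthy:", audit_registry(OWNER, EXPECTED_NS, EXPECTED_NS, [good_ds], [KSK]))
    tampered_ns = ["ns1.example.net.", "ns1.unexpected.invalid."]
    print("tampered:", audit_registry(OWNER, EXPECTED_NS, tampered_ns, [], [KSK]))
```

In practice `observed_ns` and `observed_ds` would come from querying the parent zone's authoritative servers (the registry's view) rather than the domain's own servers, and `dnskeys` from the zone itself; the comparison above is deliberately independent of any resolver library so the checks can be read in full. Note that a delegation change at the registry, as in the .PR incident, shows up as NS drift even when DNSSEC is deployed, which is exactly why the post pairs DNSSEC with registry locks and monitoring.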

By Elisa Cooper, SVP Marketing and Policy at Brandsight, Inc.

I'm sorry, but just who claimed DNSSEC is a be-all, end-all of security?

Suresh Ramasubramanian  –  Apr 15, 2010 10:51 AM PDT

People who work on operational security rather than product marketing, that is.

If anybody in such a role said so, I would be interested to hear that.

cheers
srs
