DNS… Wait a SEC

Elisa Cooper

DNSSEC (Domain Name System Security Extensions) is a set of specifications designed to prevent hackers from intercepting DNS queries and redirecting end users to spoofed sites through a technique known as Cache Poisoning. Complete DNSSEC implementation requires that domains are authenticated at the root by the Registry, and that DNS zones and records are authenticated as well.

Now before I go any further, let me begin by stating that I fully support the development and deployment of DNSSEC and that the vulnerabilities presented by Cache Poisoning are very real, especially for those websites collecting login credentials or other types of sensitive information.

However, DNSSEC is not the "end all, be all" Internet security solution that many believe it to be.

DNSSEC is addressing just one of the many Internet vulnerabilities that still exist today.

The impacts of Cache Poisoning are generally not as widespread, and are considerably more difficult to detect, than those of breaches that occur at the Registry level or the Registrar level, which affect the global resolution of websites.

Take the Puerto Rican Registry as an example. In August of 2006, .PR announced that they would be the second ccTLD to deploy DNSSEC. While their deployment of DNSSEC certainly may have been helpful in thwarting potential Cache Poisoning attacks, assuming that zones and records were also signed, it did absolutely nothing to protect the .PR Registry when hackers exploited a SQL vulnerability to update and redirect name servers to politically motivated sites.

Other recent domain and DNS exploits include social engineering attacks to reset passwords, SQL attacks against registrars, and breached e-mail accounts to retrieve login credentials. Unfortunately, DNSSEC would not have prevented any of these attacks either.

So while DNSSEC certainly addresses vulnerabilities related to Cache Poisoning, I urge those with the responsibility for securing their presence online to not only implement DNSSEC for their highly trafficked and valuable domains, but to also ensure that their domains are hardened against social engineering attacks via two-factor authentication, locked at the registry level where available, and continually monitored to remediate registry breaches when they do occur.
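One way to implement the continual monitoring recommended above, as an added example that is not from the original post or from MarkMonitor: compare a snapshot of a domain's registration data with a known-good baseline and flag name server changes, a missing registry lock, or a removed DS record. The field names, hosts and the `check_delegation` helper are constructed for illustration, and the lock check assumes the registry expresses its lock through the standard EPP `server*Prohibited` statuses.

```python
# Added example: all names, hosts and snapshots below are constructed sample data.
# In practice the "observed" snapshot would be built from RDAP/WHOIS and DNS lookups.

# Assumption: the registry expresses its lock through these standard EPP statuses.
REGISTRY_LOCK = {"serverUpdateProhibited", "serverTransferProhibited",
                 "serverDeleteProhibited"}

def norm(hosts):
    """Lower-case host names and drop the trailing root dot so sets compare cleanly."""
    return {h.strip().lower().rstrip(".") for h in hosts}

def check_delegation(baseline, observed):
    """Compare observed registration data with the baseline; [] means no drift."""
    findings = []
    want_ns, got_ns = norm(baseline["nameservers"]), norm(observed["nameservers"])
    for ns in sorted(got_ns - want_ns):
        findings.append(("CRITICAL", f"unexpected name server {ns}"))
    for ns in sorted(want_ns - got_ns):
        findings.append(("WARNING", f"expected name server {ns} missing"))
    missing = REGISTRY_LOCK - set(observed.get("status", []))
    if baseline.get("registry_lock") and missing:
        findings.append(("CRITICAL",
                         "registry lock status missing: " + ", ".join(sorted(missing))))
    if baseline.get("signed") and not observed.get("ds_records"):
        findings.append(("CRITICAL",
                         "DS record absent at parent; zone is treated as unsigned"))
    return findings

# Known-good state recorded by the domain owner (constructed).
BASELINE = {"nameservers": ["ns1.example-dns.test.", "ns2.example-dns.test."],
            "registry_lock": True, "signed": True}
# Snapshot that matches the baseline despite case and trailing-dot differences.
CLEAN = {"nameservers": ["NS1.Example-DNS.test", "ns2.example-dns.test."],
         "status": sorted(REGISTRY_LOCK) + ["clientTransferProhibited"],
         "ds_records": ["12345 13 2 (constructed digest)"]}
# Snapshot after an unauthorized registry-side update (constructed).
CHANGED = {"nameservers": ["ns1.example-dns.test", "ns9.unknown-host.test"],
           "status": ["clientTransferProhibited"], "ds_records": []}

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN), ("changed", CHANGED)):
        results = check_delegation(BASELINE, snap) or [("OK", "matches baseline")]
        for severity, message in results:
            print(f"{label}: {severity}: {message}")
```

A signed zone passes every DNSSEC check right up until the delegation itself is rewritten, which is why the name server set and lock status are compared separately from the DS record.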

By Elisa Cooper, Director of Product Marketing at MarkMonitor. Elisa Cooper also contributes to the MarkMonitor weblog located here.

Related topics: Cyberattack, Cybercrime, DNS, DNS Security, Domain Names, Registry Services, Security

Comments

I'm sorry but just who claimed DNSSEC is a be all end all of security?

Suresh Ramasubramanian – Apr 15, 2010 10:51 AM PDT

People who work on operational security rather than product marketing, that is.

If anybody in such a role said so, I would be interested to hear that.

cheers
srs
