DNS Security

Noteworthy

 Over the next few years we should expect to see applications leveraging DNSSEC in ways we cannot imagine now.

 There has been quite a bit of talk lately about the best way to secure a domain, mainly centered in two camps: SSL or DNSSEC. The answer is quite simple - you should use both.

 The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!

 Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked. In this case, the answer is, "No".

DNS Security / Featured Blogs

DNS Amplification Attacks: Out of Sight, Out of Mind? (Part 1)

Geoff Huston's recent post about the rise of DNS amplification attacks offers excellent perspective on the issue. Major incidents like the Spamhaus attack Geoff mentions at the beginning of his post make headlines, but even small attacks create noticeable floods of traffic. These attacks are easy to launch and effective even with relatively modest resources and we see evidence they're occurring regularly. Although DNS servers are not usually the target of these attacks the increase in traffic and larger response sizes typically stress DNS infrastructure and require attention from operation teams. more»

The Challenge of DNS Security

When the domain name system (DNS) was first designed, security was an afterthought. Threats simply weren't a consideration at a time when merely carrying out a function - routing Internet users to websites - was the core objective. As the weaknesses of the protocol became evident, engineers began to apply a patchwork of fixes. After several decades, it is now apparent that this reactive approach to DNS security has caused some unintended consequences and challenges. more»

ICANN Chairman's Durban Roundup

Respected ICANN Chairman of the Board Steve Crocker has wrapped up his organisation's 47th International Meeting, held in Durban last week, with a message to the community. This message, reproduced here in its entirety, provides both a useful and concise summary of the Durban meeting and insights into the Chairman's view of where ICANN stands at the moment, the successes it has notched up and the challenges it faces. more»

DNS, DNSSEC and Google's Public DNS Service

For some time now we've been tracking the progress of the deployment of DNSSEC in the Internet. Its been a story of an evolution of the measurement technique... In the process we've learned perhaps more than we had wanted to about the behaviour of Flash engines, Apache web servers and FreeBSD system tuning, and also learned much more than we had anticipated about the finer details of Google's online ad presentation behaviour. But one thing we did not see in all of this was any large scale jumps in the level of client use of DNSSEC validation over this period at the start of the year. more»

First "Africa DNS Forum" To Be Streamed Live July 12 and 13 From Durban, South Africa

The first Africa DNS Forum will take place on Friday, July 12, and Saturday, July 13, 2013, in Durban, South Africa, in advance of next week's ICANN 47 meeting. Jointly organized by AfTLD, ICANN and the Internet Society, the Africa DNS Forum "aims to establish a platform for the DNS community across Africa and to advance the domain name industry and domain name registrations on the continent."  more»

What Smaller Institutions Can Learn from DDoS Attacks on Big Banks

Since last fall, several waves of distributed denial of service (DDoS) attacks have targeted major players in the U.S. banking industry. JPMorgan Chase, Wells Fargo and PNC were among the first to sustain intermittent damage. Eventually, the top 50 institutions found themselves in the crosshairs... In the months to come, security experts would praise the banks' collective response, from heightened DDoS protection to candid customer communications.. these larger institutions have learned some painful lessons that smaller firms might heed as they seek to minimize risks. more»

Internet Infrastructure: Stability at the Core, Innovation at the Edge (Part 2 of 5)

For nearly all communications on today's Internet, domain names play a crucial role in providing stable navigation anchors for accessing information in a predictable and safe manner, irrespective of where you're located or the type of device or network connection you're using. Over the past 15 years hundreds of millions of domain names have been added to the Internet's Domain Name System (DNS), and well over two billion (that's Billion!) new users, some ~34 percent of the global population, have become connected. more»

Jugaad Innovation and Applications of DNSSEC

It would be one of the ironies of global technology development that the West has effectively so far followed a Jugaad principle of "good enough" innovation for DNS security, whereas India could well embrace all the latest advances in DNS security as its Internet economy grows. Like most other protocols from the early Internet, the DNS protocol was not designed with security built in. For those protocols, security services were typically either implemented at a different layer of the protocol stack, or were added on later. more»

BIND 9 Users Should Upgrade to Most Recent Version to Avoid Remote Exploit

A remote exploit in the BIND 9 DNS software could allow hackers to trigger excessive memory use, significantly impacting the performance of DNS and other services running on the same server. A flaw was recently discovered in the regular expression implementation used by the libdns library, which is part of the BIND package. The flaw enables a remote user to cause the 'named' process to consume excessive amounts of memory, eventually crashing the process and tying up server resources to the point at which the server becomes unresponsive. more»

SIP Network Operators Conference (SIPNOC) Starts Tonight in Herndon, Virginia

Tonight begins the third annual SIP Network Operators Conference (SIPNOC) in Herndon, Virginia, where technical and operations staff from service providers around the world with gather to share information and learn about the latest trends in IP communications services - and specifically those based on the Session Initiation Protocol (SIP). Produced by the nonprofit SIP Forum, SIPNOC is an educational event sharing best practices, deployment information and technology updates. Attendees range from many traditional telecom carriers to newer VoIP-focused service providers and application developers. more»