DNS Abuse Forum - March 16

Home / Blogs

Another Attack, Another Reason for the Urgency of DNSSEC Adoption

News broke this week about an attack in Puerto Rico that caused the local websites of Google, Microsoft, Yahoo, Coca-Cola, PayPal, Nike, Dell and Nokia to be redirected for a few hours to a phony website. The website was all black except for a taunting message from the computer hacker responsible for the attack. These attacks were carried out just weeks after the DNS cache poisoning attack against a Brazilian Bank and ISP. As attacks on the DNS increase, the reports on large scale "scares" are becoming more prevalent. DNS attacks hitting mainstream media just highlights how serious the problem is becoming. DNS redirection, pharming, and cache poisoning are no longer viewed as sophisticated internet crimes and no longer infrequent. Any Internet security expert will tell you that tinkering with DNS is not that difficult and it happens more often that most of us are aware.

It is critical now more than ever that we secure the DNS and to do so we need DNSSEC implemented industry wide! DNSSEC thwarts online attacks such as DNS redirection, pharming, and cache poisoning that are used to commit fraud, distribute malware, or steal personal and confidential information. With Internet vandalism on the rise, it is imperative that the Internet Community takes all security precautions necessary to protect and preserve the Internet as it is integral to today's era of technology.

By Lauren Price, Sr. Product Marketing Manager, .ORG, The Public Interest Registry – Lauren Price also contributes to the .Org weblog located here. Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Lauren,Can you please provide an explanation of By Mike Damm  –  May 01, 2009 12:30 pm PST


Can you please provide an explanation of why you think DNSSEC would have protected anyone in the Puerto Rico incident?

The very article you linked to points out the attackers "used a SQL injection attack to break into the Puerto Rico registrar's management system."

DNSSEC probably would have worked By Jay Daley  –  May 04, 2009 8:45 pm PST

If it was the same kind of attack as that in NZ, which I suspect it was, then DNSSEC would have helped. 
Here in NZ once the registrar was compromised the attacker used the registrar systems to request a nameserver change at the registry, which meant those zones now pointed to different nameservers.  If those zones had DNSSEC protection then the resolver clients would know straight away that those new nameservers were bogus and so not been fooled.
The only way it would not have worked is if the registrar ran the nameservers for those zones, had the crypto key online for automatic generation of sigs and if the hackers then made the change on those local nameservers.
However, certainly in the NZ case, and probably in the PR case given the nature of the companies, the registrars were not hosting the zones and so this would have been possible.  Which is why the hackers have to usurp the regstrar systems to change nameservers with the registry.

missing word By Jay Daley  –  May 04, 2009 8:47 pm PST

Penultimate sentence - should finish "… would not have been possible."

Hi and thank you for your comment. By Lauren Price  –  May 02, 2009 12:52 pm PST

Hi and thank you for your comment.  The point of the blog is high profile Internet attacks are increasing and we need to take all necessary security precautions, DNSSEC being one of them in reference the DNS cache poisoning attack in Brazil.

His point, which I do agree with, is that ... By Suresh Ramasubramanian  –  May 02, 2009 7:26 pm PST

.. DNSSEC wouldnt have protected anybody in Puerto Rico. Not under the circumstances the attacks were carried out.

These are not kaminsky style cache poisoning .. something much more old fashioned .. gain control of the resolver through sql injections or other ways to compromise the base OS, and then control DNS views.

DNSSEC is essential - but I do wish you'd pick more appropriate examples to promote it.

Hi and thank you for your comment. By Lauren Price  –  May 03, 2009 4:00 am PST

Hi and thank you for your comment.  The point of the blog is high profile Internet attacks are increasing and we need to take all neccesary security precautions, DNSSEC being one of them in reference to the cache poisoning attack in Brazil.

Sorry - but is that an autoresponder you setup? By Suresh Ramasubramanian  –  May 03, 2009 6:00 am PST

I saw your boilerplate reply the very first time. And I do appreciate the value of dnssec. Only - where there's a compromise of the sort you described, DNSSEC is useless because the bad guys just did an end run around it.

If you'd like to reply to this, I'd appreciate your thoughts rather than another repeat of the same boilerplate.

Add Your Comments

 To post your comments, please login or create an account.



Domain Names

Sponsored byVerisign


Sponsored byVerisign

New TLDs

Sponsored byAfilias

DNS Security

Sponsored byAfilias

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byAppdetex