The Past, Present and Future of DNS Security

The Domain Name System (DNS) is the backbone of the modern internet. Over the years, it has evolved to make networked computing accessible to everyday users. However, it has also introduced new DNS security threats, such as distributed denial-of-service (DDoS) attacks, schemes designed to redirect users to malicious websites and more.

Despite these risks, the current configuration of the DNS is deeply embedded into the fabric of the internet as we know it. That fabric, however, is poised for a fundamental shift in the near future if certain government agencies succeed in establishing their own DNS separate from the familiar, independently operated system that powers the web today.

The Dawn of DNS

Before the DNS, navigating the internet was a laborious task. In the early days of networked computing, messages were sent from computer to computer manually. The Unix-to-Unix-Copy program used bang addressing, which took the form of “!name!name2!name3,” to specify the route in which a message was sent, going from one computer to another. It required the sender to know the map of what the internet looked like from the origin to the destination — a daunting task for all but the savviest of computing experts.

In 1984, four graduate students at the University of California, Berkeley came up with the Berkeley Internet Name Domain (BIND) program, using the Internet Engineering Task Force's (IETF) 1983 specifications. This moved the mechanism of naming internet-connected nodes away from the topological approach to a method that was based on hierarchical records. It also decentralized the mechanism so that each node was not required to keep a copy of the entire routing database.

Additionally, BIND introduced the concept of mapping the data in the namespace to the actual IP addresses of nodes. This is one of the most powerful concepts behind DNS today: Instead of dealing with an ever-changing universe of numerical addresses, people can navigate to destinations that have static and understandable names. Different users can also receive different translations of identical domain names at the same time, a key point of divergence from the traditional text-file view of the service.

It could be argued that the internet as we know it could not have happened without this element. It simplified the task of navigating the internet and made it possible for multiple users to connect to the same destination simultaneously.

The Controlled Chaos Behind DNS Requests

An individual DNS query can be nonrecursive, recursive, iterative or a combination of these. Simple lookups are possible, but resolving a name usually requires a few additional steps.

First, the top-level domain (the information to the right of the dot in an address) is discovered via a query to a root server. That root server may refer the question to another server that is dedicated to the top-level information requested.

It’s important to note that all this recursion may decrease performance. Special caches are often implemented lower down in the network to prevent unnecessary queries to the root server, which could otherwise occur when multiple elements are displayed on the same website.

The recursion process can be exploited in a DDoS attack, in which requests for a target endpoint go flying around the internet at ridiculous speeds. DDoS attackers use DNS servers to cause congestion on the target system by amplifying server response traffic. To make things worse, cybercriminals have many tricks up their sleeves to magnify DNS-based DDoS attacks. For example, an attacker might seek as much zone information as possible in the kickoff request, which would then boost the record response sent to the target, keeping it blocked with useless information.
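From the resolver operator's side, the amplification described above shows up as one source address drawing far more response bytes than it sends in queries. The following is an added example, not part of the original article: the log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed resolver log (not real traffic): time, source IP, qname, qtype,
# query size in bytes, response size in bytes. In a reflection attack the
# source IP is spoofed, so the "client" that stands out is really the victim.
SAMPLE_LOG = """\
12:00:01 192.0.2.10 www.example.com A 44 60
12:00:01 198.51.100.7 example.org ANY 40 3100
12:00:01 198.51.100.7 example.org ANY 40 3100
12:00:02 198.51.100.7 example.org ANY 40 3100
12:00:02 192.0.2.10 mail.example.com MX 45 110
12:00:02 198.51.100.7 example.org TXT 40 2800
12:00:03 203.0.113.5 example.net AAAA 40 68
"""

def find_reflection_targets(log_text, min_queries=3, min_factor=20.0):
    """Return {source_ip: stats} for sources drawing outsized responses.

    min_queries and min_factor are illustrative thresholds, not standards.
    """
    totals = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        _ts, src, _qname, _qtype, qbytes, rbytes = fields
        t = totals[src]
        t["queries"] += 1
        t["qbytes"] += int(qbytes)
        t["rbytes"] += int(rbytes)

    flagged = {}
    for src, t in totals.items():
        # Amplification factor: bytes sent toward the source per byte received.
        factor = t["rbytes"] / max(t["qbytes"], 1)
        if t["queries"] >= min_queries and factor >= min_factor:
            flagged[src] = {**t, "factor": round(factor, 1)}
    return flagged

if __name__ == "__main__":
    for src, t in find_reflection_targets(SAMPLE_LOG).items():
        print(f"{src}: {t['queries']} queries, {t['rbytes']} bytes out, x{t['factor']}")
```

Sources flagged this way are candidates for response rate limiting on the resolver.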

The Evolution of DNS Security

The DNS as originally conceived was fundamentally insecure. For example, there was no real way to verify that the data found in a given cache was correct. The Domain Name System Security Extensions (DNSSEC) suite addresses this problem. It provides name service clients with origin authentication of data, authenticated denial of existence and data integrity. It is not designed to provide confidentiality of the actual served data, however.

DNS servers are great choke points for stopping traffic from going to known malicious sites. IBM recently partnered with Packet Clearing House (PCH) and the Global Cyber Alliance (GCA) to create Quad9, a DNS service that blocks access to questionable sites. The service does not keep records of who requested access to these sites, so user privacy is intact.

Quad9 leverages threat intelligence from IBM and other sources to prevent users from navigating to malicious sites. Name service requests are usually sent to the address 0.0.0.0, but the service kicks in when requests are sent to 9.9.9.9. This system uses a go/no-go mechanism to resolve names into IP addresses based on known threats. If a request is made to access an IP address that does not have any documented problems, it gets a response. If the address is problematic, no IP address is returned.
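On the wire, both the go/no-go answer and the DNSSEC result discussed earlier are visible in the response a client gets back. The following is an added example, not part of the original article and not Quad9's code: the responses are constructed in `sample_response` rather than fetched, and modelling "no IP address" as an NXDOMAIN reply is an assumption.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """A-record query for `name` with the RD (recursion desired) flag set."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer is two bytes long
            return off + 2
        off += 1 + n

def classify_response(msg):
    """Go/no-go view of a reply: was an address returned, and was it validated?"""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):               # skip the echoed question section
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    rcode = flags & 0x000F             # 0 = NOERROR, 3 = NXDOMAIN
    return {"rcode": rcode, "addresses": addrs,
            "authenticated": bool(flags & 0x0020),  # AD bit: resolver validated DNSSEC
            "verdict": "go" if rcode == 0 and addrs else "no-go"}

def sample_response(query, rcode, ad, addr=None):
    """Constructed reply to `query`, standing in for what a resolver would send."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0020 if ad else 0) | rcode  # QR + RD + RA
    body = query[12:]
    if addr:                           # one A record whose name points back at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return struct.pack("!6H", txid, flags, 1, 1 if addr else 0, 0, 0) + body

if __name__ == "__main__":
    print(classify_response(sample_response(build_query("good.example"), 0, True, "192.0.2.80")))
    print(classify_response(sample_response(build_query("bad.example"), 3, False)))
```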

Building a New DNS, BRIC by BRIC

The U.S. ceded DNS control to the independent Internet Corporation for Assigned Names and Numbers (ICANN) in October 2016. However, Bleeping Computer reported that the members of BRICS — Brazil, Russia, India, China and South Africa — are working to develop their own name service system by August 2018. These nations would be taken out of the worldwide system, allowing them to direct internet traffic wherever they decide. This underscores the importance of a global DNS, since the BRICS system would place a chokehold on information, allowing governments to control where data is sent and received.

The current system has been so deeply ingrained into the fabric of the internet that few have even considered what life would be like without it. As it turns out, that day of reckoning may be coming sooner than many technology specialists think.

Larry Loeb

Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other...