The Domain Name System (DNS) is the backbone of the modern internet. Over the years, it has evolved to make networked computing accessible to everyday users. However, it has also introduced new DNS security threats, such as distributed denial-of-service (DDoS) attacks, schemes designed to redirect users to malicious websites and more.

Despite these risks, the current configuration of the DNS is deeply embedded into the fabric of the internet as we know it. That fabric, however, is poised for a fundamental shift in the near future if certain government agencies succeed in establishing their own DNS separate from the familiar, independently operated system that powers the web today.

The Dawn of DNS

Before the DNS, navigating the internet was a laborious task. In the early days of networked computing, messages were sent from computer to computer manually. The Unix-to-Unix-Copy program used bang addressing, which took the form of “!name!name2!name3,” to specify the route by which a message was sent, hop by hop from one computer to another. It required the sender to know the map of what the internet looked like from the origin to the destination — a daunting task for all but the savviest of computing experts.

In 1984, four graduate students at the University of California, Berkeley came up with the Berkeley Internet Name Domain (BIND) program, using the Internet Engineering Task Force's (IETF) 1983 specifications. This moved the mechanism of naming internet-connected nodes away from the topological approach to a method based on hierarchical records. It also decentralized the mechanism so that each node was not required to keep a copy of the entire routing database.

Additionally, BIND introduced the concept of mapping the data in the namespace to the actual IP addresses of nodes. This is one of the most powerful concepts behind DNS today: Instead of dealing with an ever-changing universe of numerical addresses, people can navigate to destinations that have static and understandable names. Different users can also receive different translations of identical domain names at the same time, a key point of divergence from the traditional text-file view of the service.

It could be argued that the internet as we know it could not have happened without this element. It simplified the task of navigating the internet and made it possible for multiple users to connect to the same destination simultaneously.

The Controlled Chaos Behind DNS Requests

An individual DNS query can be nonrecursive, recursive, iterative or a combination of these. Simple lookups are possible, but a lookup usually requires a few additional steps.

First, the top-level domain (the label to the right of the last dot in an address) is discovered via a query to a root server. That root server may refer the question to another server that is dedicated to the top-level domain requested, which in turn refers it to the server authoritative for the name.

It’s important to note that all this recursion may decrease performance. Special caches are often implemented lower down in the network to prevent unnecessary queries to the root server, which could otherwise occur each time a single web page loads many elements from the same domain.
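To make the referral chain and the effect of caching concrete, here is an added toy resolver (not code from the article): it walks root, TLD and authoritative servers by following NS referrals, caches the final answer with a TTL, and counts the round trips it would have sent upstream. The zone data and server names are constructed.

```python
from time import monotonic

# Constructed zone data: each simulated server holds either an NS referral to
# the next server to ask or a final A record. All names and addresses are
# hypothetical (documentation ranges).
ZONES = {
    "root":       {"com.": ("NS", "tld-com")},
    "tld-com":    {"example.com.": ("NS", "ns-example")},
    "ns-example": {"www.example.com.": ("A", "192.0.2.10")},
}
TTL = 60.0  # seconds a cached answer stays valid


def ask(server, qname):
    """One simulated network round trip: return the longest-matching record."""
    best = None
    for owner, record in ZONES[server].items():
        if qname == owner or qname.endswith("." + owner):
            if best is None or len(owner) > len(best[0]):
                best = (owner, record)
    return best[1] if best else None


class Resolver:
    def __init__(self):
        self.cache = {}    # qname -> (ip, expires_at)
        self.queries = 0   # round trips sent to upstream servers

    def resolve(self, qname, now=None):
        now = monotonic() if now is None else now
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0]          # served from cache: no root/TLD traffic
        server = "root"
        for _ in range(8):         # bound the referral chase
            self.queries += 1
            record = ask(server, qname)
            if record is None:
                raise LookupError(f"{qname}: no such name")
            kind, value = record
            if kind == "A":
                self.cache[qname] = (value, now + TTL)
                return value
            server = value         # NS referral: follow it to the next server
        raise LookupError("referral loop")
```

The first lookup costs three round trips (root, TLD, authoritative); a repeat within the TTL costs none, which is exactly the traffic the caches described above absorb.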

The recursion process can be exploited in a DDoS attack, in which requests for a target endpoint go flying around the internet at ridiculous speeds. DDoS attackers use DNS servers to cause congestion on the target system by amplifying server response traffic directed at it. To make things worse, cybercriminals have many tricks up their sleeves to magnify DNS-based DDoS attacks. For example, an attacker might seek as much zone information as possible in the kickoff request, which would then boost the record response sent to the target, keeping it blocked with useless information.
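From the defender's side, the pattern above is visible in resolver logs as small requests that draw back far larger responses for a source that, being spoofed, is really the victim. The following is an added example (not from the article) of that detection logic run over constructed log lines in a hypothetical format; the thresholds are assumptions to tune per deployment.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (hypothetical format):
# timestamp client qtype qname request_bytes response_bytes
LOG_LINES = """\
1700000000 198.51.100.9 ANY example.com. 45 3150
1700000001 198.51.100.9 ANY example.com. 45 3150
1700000002 198.51.100.9 TXT example.com. 48 2900
1700000003 192.0.2.77 A www.example.com. 33 49
1700000004 192.0.2.77 AAAA www.example.com. 33 61
""".splitlines()

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def amplification_by_source(lines):
    """Aggregate per client: (request bytes, response bytes, response/request ratio)."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        _ts, client, _qtype, _qname, req, resp = m.groups()
        totals[client][0] += int(req)
        totals[client][1] += int(resp)
    return {c: (q, r, r / q) for c, (q, r) in totals.items()}


def likely_targets(lines, min_ratio=20.0, min_bytes=5000):
    """Sources whose responses exceed min_ratio times their request volume and
    min_bytes in total. In a reflection attack the source address is spoofed,
    so these are the addresses being flooded, not the attacker's."""
    return sorted(c for c, (_q, r, ratio) in amplification_by_source(lines).items()
                  if ratio >= min_ratio and r >= min_bytes)
```

A resolver that sees this pattern can rate-limit responses to the flagged address rather than keep amplifying traffic toward it.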

The Evolution of DNS Security

The DNS as originally conceived was fundamentally insecure. For example, there was no real way to verify that the data found in a given cache was correct. The Domain Name System Security Extensions (DNSSEC) suite addresses this problem. It provides name service clients with origin authentication of data, authenticated denial of existence and data integrity. It is not designed to provide confidentiality of the actual served data, however.

Recursive DNS servers are also great choke points to stop traffic from going to known malicious sites. IBM recently partnered with Packet Clearing House (PCH) and the Global Cyber Alliance (GCA) to create Quad9, a DNS service that blocks access to questionable sites. The service does not keep records of who requested access to these sites, so user privacy is intact.

Quad9 leverages threat intelligence from IBM and other sources to prevent users from navigating to malicious sites. Name service requests are normally sent to the resolver address configured on the client, but the service kicks in when requests are sent to Quad9's resolver address instead. This system uses a go/no-go mechanism to resolve names into IP addresses based on known threats. If a request is made for a name that does not have any documented problems, it gets a normal response. If the name is problematic, no IP address is returned.
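The go/no-go behaviour described above, as an added illustration that is not Quad9's code: a filtering layer in front of an upstream lookup that answers NXDOMAIN for any name at or below a flagged zone and keeps only outcome counts, never who asked. The threat data and upstream answers are constructed.

```python
# Constructed threat intelligence: zones flagged as malicious. Any name at or
# below a listed zone is blocked, so a fresh subdomain cannot slip past.
BLOCKED_ZONES = {"malware.example.", "phish.example.net."}

# Constructed upstream answers standing in for a real recursive lookup.
UPSTREAM = {
    "www.example.com.": "192.0.2.10",
    "login.phish.example.net.": "198.51.100.7",
    "cdn.malware.example.": "203.0.113.5",
}


def is_blocked(qname):
    """Suffix match over every parent zone of the fully qualified name."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in BLOCKED_ZONES for i in range(len(labels) - 1))


def filtered_lookup(qname, stats):
    """Return (rcode, ip). Blocked names get NXDOMAIN and no address.
    stats counts outcomes only, never the requester, preserving privacy."""
    if is_blocked(qname):
        stats["blocked"] = stats.get("blocked", 0) + 1
        return ("NXDOMAIN", None)
    ip = UPSTREAM.get(qname)
    if ip is None:
        stats["nxdomain"] = stats.get("nxdomain", 0) + 1
        return ("NXDOMAIN", None)
    stats["allowed"] = stats.get("allowed", 0) + 1
    return ("NOERROR", ip)
```

A blocked name and a genuinely nonexistent one look identical to the client, which is what keeps the client from learning anything beyond "no address here".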

Building a New DNS, BRIC by BRIC

The U.S. ceded DNS control to the independent Internet Corporation for Assigned Names and Numbers (ICANN) in October 2016. However, Bleeping Computer reported that the members of BRICS — Brazil, Russia, India, China and South Africa — are working to develop their own name service system by August 2018. These nations would be taken out of the worldwide system, allowing them to direct internet traffic wherever they decide. This underscores the importance of a global DNS, since the BRICS system would place a chokehold on information, allowing governments to control where data is sent and received.

The current system has been so deeply ingrained into the fabric of the internet that few have even considered what life would be like without it. As it turns out, that day of reckoning may be coming sooner than many technology specialists think.
