So, let’s go back to the birds and the bees of DNS security, shall we? Let’s talk about what we know and what we don’t know.
1. Today, customers cannot be certain that they are coming to your site.
In other words, they don’t know if the site they are visiting is actually a legitimate website or if it’s a spoof site. Currently, a DNS resolver sends a query out to the Internet and then accepts the first response it receives, without questioning the integrity of the response. If a malicious system were to send back an incorrect response, the resolver would use the information in the response until its cache expired. This situation is bad enough if it's a single user's computer that gets this bad data. As you can imagine, it's much worse if it's a recursive resolver that answers queries for all the users of an ISP – therefore, affecting thousands of users.
So, how do we fix this? Hint: DNSSEC.
2. Today, email is an unprotected service.
What does that mean? Simply, it cannot be used securely to communicate with your customers because there’s no way to prevent spoofing. Ask yourself…when you receive an email from your bank asking you to log-in to review the latest monthly statement, how do you really know that the email is legit?
So, how do we fix this? Hint: DNSSEC in conjunction with DKIM.
3. Today, like it or not, your site is at greater risk of contributing to the following Internet threats:
- * Botnet command and control: Services run on a domain name that are used to control a collection of compromised computers or "zombies," or to direct denial-of-service attacks (DDoS attacks).
- * Fast flux hosting: Use of fast-flux techniques to disguise the location of Web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities. Fast-flux techniques use DNS to frequently change the location on the Internet to which the domain name of an Internet host or name server resolves. Fast flux hosting may be used only with prior permission of PIR
- * Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's informed consent. It can include computer viruses, worms, trojan horses, spyware, dishonest adware, crimeware, most rootkits, and other malicious and unwanted software.
- * Pharming: The redirecting of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning.
- * Phishing: The use of counterfeit Web pages that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data.
So, how do we fix these? Well, while DNSSEC and other safe DNS measures do not provide direct protection to most of these threats, they do provide forensic value to the real domain owners and mitigation towards distribution of botnet and malware.