DNSSEC should prove toxic for cache-poisoners

The deployment of the DNSSEC public key on 15 July should be a red-letter day for anyone who cares about internet security, says Axel Pawlik

When the DNSSEC protocol public key is deployed on 15 July, it will be Black Thursday for the criminals who redirect traffic to fraudulent websites, says Axel Pawlik.

The Domain Name System, or DNS, was created in 1984 to translate website addresses — such as www.zdnet.co.uk — into an IP address that is understood by computers. It acts as a global, keyword-based redirection service.

Although it is not visible to most users, DNS is an essential component for the functionality of the internet. Despite its importance, DNS does have its faults — particularly because it was created without security features, potentially exposing internet users to attacks.

Key DNS weakness
These attacks exploit a key weakness in the DNS system, which allows hackers to put up a false DNS server that is free to intercept legitimate website addresses. This subterfuge means that when users type in the name of a legitimate website, they are instead taken to a fraudulent one that sets them up as potential victims of phishing and other scams.

To prevent hackers from continuing to attack DNS, the DNSSEC — short for Domain Name System Security Extensions — protocol was developed. This added security layer allows internet users to type a website address and be assured that the website that is being displayed is coming from an authorised server, free of security threats.

To achieve this, DNSSEC uses digital signatures that assure name servers that the DNS data they receive has not been intercepted or tampered with.

For DNSSEC to become operational, all stages such as domain-name registrars and root nameservers need to sign the root. This procedure certifies that a website is coming from a legitimate server and has not been tampered with.

Initiative leadership
The Internet Corporation for Assigned Names and Numbers (Icann) is leading the DNSSEC initiative. To achieve the introduction of the protocol, they are working with the internet community, including domain-name registrars and all root nameservers, which are the first step in translating host names into IP addresses.

In addition, to put an end to the risks posed by DNS attacks, all the 13 root nameservers have already deployed DNSSEC — including the K-root, which is operated by the Ripe NCC.

Once the trial stage has been completed, the public key will be deployed from 15 July, which will then enable website validation for all internet users. This measure will ensure that hackers are no longer able to move forward with cache-poisoning attacks, safeguarding the internet for all.

While DNSSEC does not resolve more visible hacker attacks such as Trojans and worms, it does provide an added layer of security for cache-poisoning attacks. Such attacks are particularly dangerous, as once an end-user's computer has been infected with the malicious code, all future requests by that user's computer for the compromised web address will be redirected to the bad IP address.

Dangerous attacks
Cache poisoning is especially dangerous when hackers target well-known and trusted websites, where users may be inclined to enter personal details and passwords.

Last year, for example, a prominent Brazilian bank suffered a cache-poisoning attack that redirected customers visiting its website to fraudulent portals that attempted to steal passwords and install malware. Alarmingly, attacks of this sort are becoming increasingly common.

DNSSEC is virtually invisible to end-users and does not impact the speed at which a website loads, which means that as far as user experiences, there are no impediments for its deployment.

Ultimately, DNSSEC allows the internet community to provide the responsible internet stewardship that end-users experience and value, but don't necessarily see.

Axel Pawlik is managing director of the Ripe NCC, an independent not-for-profit organisation that supports the infrastructure of the internet for Europe, the Middle East and parts of central Asia. While at the University of Dortmund, Pawlik contributed to the establishment of Unix networking as a publicly available service in Germany. He also founded EUnet Deutschland GmbH, developing it into one of the strongest EUnet networks in Europe.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All
See All