Worried About DNS Hijacking? DNSSEC Can Help

Most of the time, DNS is seen as a commodity, but the service it provides on the Internet and within enterprise networks is so crucial that any interruption will have huge impacts. In recent weeks there’s been a lot of news about DNS hijacking and massive attacks on institutional organizations. As a consequence, various pieces of advice have been offered by different media outlets, ranging from purely technical to mainstream public media. But when trying to explain DNS hijacking to readers, some shortcuts are being taken, meaning people often don’t fully understand the concept and how it can impact their daily lives.

No DNS means no communication

For now, let’s just keep in mind that DNS service is a lynchpin of the Internet and of enterprise networks. Without it functioning correctly, all communication – private or public – is impacted. In general, DNS hijacking implies information theft, with the main impact being that the user is connected not to the desired service, but to a fake one.

Therefore we can all agree that DNS security is absolutely crucial for businesses, hence effective protection of DNS is becoming increasingly recognized as being vital for ensuring global network security.

DNS hijacking attacks target mainly two levels of the whole system: 1) The registrar – which controls the domain name register, and 2) The DNS server – which controls the technical records. Countermeasures proposed by specialists (but not always applied) make perfect sense. They include strong passwords on registrar accounts, frequent password changes, multi or two-factor authentication (MFA or 2FA) and obviously close supervision of the infrastructure – in particular DNS entries and digital X.509 certificates.

DNSSEC is key for integrity, so why is it overlooked?

However, one of the most important recommendations refers to setup of the DNSSEC (DNS Security Extensions) activation on the authoritative servers on all domains and on the recursive servers installed in most organizations and Internet Service Providers (ISPs). DNSSEC protects from standard attacks (e.g. Kaminsky) and guarantees that information can be verified as not having been altered on the way from the server to the user application. Despite industry agreement that it provides valuable security enhancement to DNS, this extension is today being poorly deployed at all levels, especially at enterprise (IT department) and domain owner levels. DNSSEC has been in existence since March 2005 (specified in RFC 4033: DNS Security Introduction and Requirements), so hopefully the recent flurry of hijacking events will push most organizations to quickly take up their responsibilities on this topic.

Simplifying key management will accelerate DNSSEC uptake

The main pitfall for DNSSEC enablement is that the subject is complex from a technical standpoint, and like most security considerations is hard to directly correlate with revenue, so obtaining project financing from enterprise budget becomes a challenge. It can also be complicated to implement, relying mainly on authentication methods and certificates, public keying mechanisms, expirations and chain of certification.

In order to make it more attractive and help accelerate DNSSEC deployment, there is therefore a strong requirement to make rollout easier.

Simplifying configuration and key management is a crucial first step.

EfficientIP provides a complete solution for easily deploying and maintaining DNSSEC. This security function has been present in EfficientIP’s offering for many years and activation has been further simplified in release 7 with 1-click DNSSEC key management functionality. With these new enhancements, network managers no longer have any excuses for not making use of DNSSEC. Action must be taken now, in order to secure networks and the internet, for the good of all of our users.