The Internet Corporation for Assigned Names and Numbers (ICANN) has warned of 'an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure', and is calling for immediate and complete deployment of the Domain Name System Security Extensions (DNSSEC) to combat it.

The Domain Name System (DNS) underpins the modern internet: While computers still rely on user-unfriendly numerical Internet Protocol (IP) addresses, either decimal in the case of IPv4 or hexadecimal for its successor IPv6, users are able to use DNS to refer to sites by much friendlier domain names. These names are then sent as a DNS query to a DNS server, which responds with the corresponding IP address.

At least, that's the theory. ICANN, however, has been tracking active attacks against the internet's DNS infrastructure and warns that the system is exposed to 'an ongoing and significant risk.'

'Public reports indicate that there is a pattern of multifaceted attacks utilising different methodologies. Some of the attacks target the DNS, in which unauthorised changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers,' ICANN explains. 'This particular type of attack, which targets the DNS, only works when DNSSEC is not in use. DNSSEC is a technology developed to protect against such changes by digitally "signing" data to assure its validity. Although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorised modification to DNS information can be detected, and users are blocked from being misdirected.'
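To illustrate the kind of check DNSSEC makes possible, the following added example (not from ICANN or the original article) shows how a validator ties a zone's DNSKEY to the DS record published in the parent zone, using the key tag from RFC 4034 and the SHA-256 DS digest from RFC 4509. The zone name and both keys are constructed placeholders, and the RRSIG signature verification that a full validator also performs is left out.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lowercase) DNS wire format."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS fields (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def validate(owner: str, served_rdata: bytes, parent_ds: tuple) -> str:
    """'secure' if the served DNSKEY matches the parent's DS, else 'bogus'.
    A validating resolver answers SERVFAIL for bogus data instead of
    passing the unauthenticated answer on to the user."""
    return "secure" if make_ds(owner, served_rdata) == parent_ds else "bogus"

# Constructed sample data: placeholder byte strings, not real keys.
ZONE = "example.com."
GENUINE = dnskey_rdata(257, 15, bytes(range(32)))       # operator's key
ATTACKER = dnskey_rdata(257, 15, bytes(range(32, 64)))  # key on a rogue server
PARENT_DS = make_ds(ZONE, GENUINE)  # what the parent zone publishes

if __name__ == "__main__":
    print("genuine server:", validate(ZONE, GENUINE, PARENT_DS))
    print("rogue server:  ", validate(ZONE, ATTACKER, PARENT_DS))
```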

There'll be little surprise, then, that ICANN's recommendation is for complete and total deployment of DNSSEC across the internet. 'ICANN has long recognised the importance of DNSSEC and is calling for full deployment of the technology across all domains,' the organisation explains. 'Although this will not solve the security problems of the Internet, it aims to assure that Internet users reach their desired online destination by helping to prevent so-called "man in the middle" attacks where a user is unknowingly re-directed to a potentially malicious site. DNSSEC complements other technologies, such as Transport Layer Security (most typically used in HTTPS) that protect the end user/domain communication.'

ICANN has confirmed it plans to offer support for such a deployment, beginning with an open session taking place during the ICANN64 public meeting scheduled for March 9-14th in Japan.
