Home / Blogs

DNS Insecurity

The Internet as we know it and use it today—is broken, badly broken. Yes broken so much so that we are really crazy to have any expectations of privacy or security. Yes, really. The Internet was conceived as somewhat of a utopian environment, one where we all keep our doors, windows and cars unlocked and we trust all the people and machines out there to “do the right thing…”. Because of the way it (the Internet) started, we did not have a need, nor an expectation that the information flowing on might need security, further and more extreme was the fact that the mechanics of the Internet did not take security into account. This is not the fault of those who invented the Internet. It was not part of the design spec. Having said that, whose fault is our situation? It is those people who are using the Internet for commerce and exchange of and access to critical data. Suitability of design is one of the most important concepts. Recently at the checkout at Home Depot I saw a key ring that looked like a carabiner hook, but it very clearly said, stamped directly into the metal “NOT FOR CLIMBING”—the Internet (as it is today) should have very clearly stamped into it “NOT FOR PRIVACY OR COMMERCE, USE AT YOUR OWN RISK”.

So lets talk a little bit about DNS. DNS is an amazing invention (born twenty five years ago). It is the largest distributed dynamic database ever built and it works day-in and day-out. It has scaled beyond any expectations. DNS has the somewhat simple task of converting human readable domain names (i.e. www.amazon.com) and hosts into IP addresses ( So what is wrong with it if it works so well? Specifically, it was not designed with security in mind. When you ask a question of a DNS server you implicitly trust the answer it gives you. Malicious people can manipulate the system to give you bad answers, directing you to a bad site that could steal your data. DNSSEC attempts to fix this by helping to authenticate the source of the data you get. This helps but does not address all of the issues.

Next time, what specifically is broken and how do we fix it…

By Paul Parisi, Chief Technology Officer at DNSstuff.com

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com