The Domain Name System (DNS) has become the fundamental building block for navigating from names to resources on the internet. DNS has been employed continuously ever since its introduction in 1983, by essentially every internet-connected application and device that wants to interact online.
Emerging from an era where interconnection rather than information security was the primary motivation, DNS has gradually improved its security features. DNS has also gradually enhanced its navigational capabilities, as computing costs have decreased over the decades. And thanks to further developments that are now underway, new opportunities are available in both areas.
(Caveat: Certain concepts discussed in this document are protected by patents and patent applications assigned to Verisign.[1])
The recent introduction of DNS encryption—which has focused so far primarily, and appropriately, on providing privacy and security benefits to end-users—has opened the door for further enhancements that can also provide security and navigational benefits to network operators, enterprises, applications and end-users alike.
These enhancements can add two new roles to DNS name servers that support DNS encryption:
Both technologies (collectively referred to as “AAR”) front-load operations that have conventionally been performed deeper in the transaction set (e.g., within a content delivery network, at a web server or as part of an application-layer function). They give DNS name servers an important new role in improving a network’s security and performance capabilities, providing a more efficient solution while minimizing an entity’s attack surface as well.
The technologies described here are primarily targeted for the interaction between clients and special-purpose recursive name servers (i.e., resolvers) that serve designated namespaces at the lower levels of the DNS hierarchy, such as those operated by enterprises and application providers.[2]
Figure 1 shows a conceptual architecture where the client—for instance, a VPN client, a browser, or an application—routes DNS queries for most domain names to an ordinary resolver. However, when the domain names belong to a designated namespace, the queries are routed to an AAR resolver that provides the additional functions described here.
The technologies may also be applied to the interaction between recursive resolvers and authoritative name servers at the lower levels of the DNS hierarchy. They are not intended for the root servers or the top-level domain (TLD) servers that Verisign currently operates.
In typical deployments, the network addresses of security control points such as firewalls and virtual private networking (VPN) gateways—or the resources they protect—are published as DNS records. This is done so that devices and applications which know their names can locate and connect to (or through) them.
With conventional DNS resolution, this means that the network addresses of externally facing control points are visible to anyone who knows the name of the control point or resource and can reach its name server—legitimate users as well as attackers. This isn’t in line with today’s zero-trust architecture, which “treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated and their access authorized.”
Authenticated resolution brings DNS resolution in line with zero-trust principles:
The name server returns a response to a requester if and only if the requester is authorized to receive the information or ultimately access the associated resource.
With authenticated resolution, not only will attackers and other unauthorized requesters need to find a way through traditional network control points such as VPN gateways to get into the network, they’ll also need to discover these control points (i.e., their locations in the network), because they won’t be able to learn their addresses via DNS.[3] Further, custom responses can be crafted based on threat level: while authorized clients are directed to the “correct” address, unauthorized requesters can be directed to a non-existent user portal, a known bad actor deception environment, etc.
With conventional DNS resolution, the process of getting from a web address to the content of a web page involves two steps:
The first step can be relatively fast thanks to high-performance DNS servers and caching of previous responses.
With conventional web optimization, the second step could in turn involve further steps:
These extra steps can introduce additional computing and communications requirements for both the client and the web server, often requiring web redirects and multiple additional DNS lookups before resolving the ultimate user-desired content.
Adaptive resolution avoids the additional processing by doing as much as possible up front, in DNS:
The requester provides the name server with information about a user’s preferences, the user’s device, the information that the user is ultimately looking for, the action that the user wants to perform, and an array of other useful attributes. The name server then optimizes its response based on these details.
With adaptive resolution, clients won’t need to wait for as many, or even any, additional steps after obtaining a network address from a name server in order to get to the resource of interest. The network address returned will automatically take the client to a version of the web content that is already customized for the user and their operating environment (e.g., device, app, location, etc.).
There are many ways that authenticated resolution could be applied, such as:
Authenticated resolution can also help defend against distributed denial-of-service (DDoS) attacks by keeping the actual addresses of resources away from unauthorized requesters.
With adaptive resolution, a web server operator can help speed up authorized access to its web pages.
As an example, an application could provide the name server detail about the user’s device and browser type as well as other attributes such as location. The name server could then return the network address of a web server hosting web pages that are optimized for this environment. The application could also provide the user’s language preferences, so the name server can return the network address of a language-optimized web server instance, a function that today often occurs many transactions deep in the process.
It’s worth remembering, as noted above, that the name server implementing adaptive resolution will typically be operated under the same administrative oversight as the web server itself—so the additional details wouldn’t be provided to yet another party, they’d effectively be provided to the same party as usual, just earlier in the process.
Adaptive resolution also offers the intriguing possibility that the name server could resolve every authorized request to a unique, virtual server instance, customized to the specific user and application. This approach would provide strong isolation between interactions with different users, both from a security and a performance perspective.
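The following added example (not Verisign's code or any AAR implementation) models the two behaviours described above in one policy function: authenticated resolution, which releases the real address of a control point only to a requester who presents a valid credential and steers everyone else to a deception address, and adaptive resolution, which picks a web server instance from the requester's device and language attributes. The namespace `corp.example`, the shared-token credential store, the attribute names and all addresses (RFC 5737 documentation ranges) are constructed assumptions; the article does not specify how requesters are authenticated or how attributes are carried.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed data for a hypothetical designated namespace "corp.example".
CREDENTIALS: Dict[str, str] = {"alice-laptop": "tok-alice-001"}  # client id -> shared token
STATIC: Dict[str, str] = {"vpn.corp.example": "192.0.2.1"}       # control point, one address
ADAPTIVE: Dict[str, Dict[Tuple[str, str], str]] = {              # (device, lang) -> instance
    "www.corp.example": {
        ("desktop", "en"): "203.0.113.20", ("desktop", "fr"): "203.0.113.21",
        ("mobile", "en"): "203.0.113.30", ("mobile", "fr"): "203.0.113.31",
    }
}
DECOY = "198.51.100.250"  # constructed address of a deception environment for unauthorized requesters


@dataclass
class Query:
    name: str
    client_id: Optional[str] = None
    token: Optional[str] = None
    attrs: Dict[str, str] = field(default_factory=dict)  # device, lang, ... supplied by the requester


def is_authorized(q: Query) -> bool:
    """Constant-time check of the requester's credential against the store."""
    expected = CREDENTIALS.get(q.client_id or "")
    return expected is not None and q.token is not None and hmac.compare_digest(expected, q.token)


def resolve(q: Query) -> Tuple[Optional[str], str]:
    """Return (address, disposition). Authentication gates every answer in the
    designated namespace; adaptive selection applies only to authorized requesters."""
    if q.name not in STATIC and q.name not in ADAPTIVE:
        return None, "nxdomain"          # name is not in the designated namespace
    if not is_authorized(q):
        return DECOY, "unauthorized"     # real address withheld; requester steered to the decoy
    if q.name in ADAPTIVE:
        pool = ADAPTIVE[q.name]
        key = (q.attrs.get("device", "desktop"), q.attrs.get("lang", "en"))
        # Fall back to the default instance when no exact attribute match exists.
        return pool.get(key, pool[("desktop", "en")]), "adaptive"
    return STATIC[q.name], "authorized"
```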
The benefits offered by authenticated resolution and adaptive resolution technologies are worthy of consideration as DNS encryption enters wider use in the internet ecosystem. Here are three reasons why:
Authenticated and adaptive resolution complete the story (at least for now) of the transition of DNS practice into a modern mode of operation based on principles such as zero trust. These technologies give DNS a new role in meeting network security and performance objectives, adding both a new security control point and a new navigation capability to network operators’ portfolios.
We look forward to further discussions on the new concepts described here and welcome any feedback.