DNS Security

DNS Security / Featured Blogs

Industry Makes Rapid Progress on DNSSEC

Dec 17, 2010

DNSSEC is being rolled out quickly in top-level domain registries around the world, but there's still some way to go to encourage other Internet stakeholders to adopt the new security technology. That was one of the key takeaways from a day-long, comprehensive session on Domain Name System Security Extensions implementation worldwide, held during ICANN's public meeting in Cartagena, Colombia, last week.

The Christmas Goat and IPv6 (Year 1)

Dec 14, 2010

The city of Gävle in Sweden have a special Christmas tradition for which it is quite famous. Every year in December a giant Christmas Goat in straw is put in to place in one of the central town squares. In relation to this tradition a sub-tradition has emerged which the city is even more renowned for -- to burn down the poor Christmas Goat. This is of course an "illegal" act, but still of quite some interest! Web-cameras showing the status of the Christmas Goat have been put up by the city of Gävle, primarily in a purpose of control. However, when someone sets fire to the poor Goat, the traffic and need for bandwidth tend to go sky-high for these cams.

Why DNS Blacklists Don’t Work for IPv6 Networks

Nov 29, 2010

All effective spam filters use DNS blacklists or blocklists, known as DNSBLs. They provide an efficient way to publish sets of IP addresses from which the publisher recommends that mail systems not accept mail. A well run DNSBL can be very effective; the Spamhaus lists typically catch upwards of 80% of incoming spam with a very low error rate. DNSBLs take advantage of the existing DNS infrastructure to do fast, efficient lookups. A DNS lookup typically goes through three computers...

Dan Kaminsky Releases Phreebird for Easy DNSSEC

Nov 11, 2010

Today marks another key step in DNSSEC deployment. Congrats to Dan Kaminsky, chief scientist at Doxpara and one of our partners on the Practice Safe DNS campaign, on the release of his new code Phreebird. Announced today at Black Hat Abu Dhabi, Phreebird Suite 1.0 is a free, easy-to-use toolkit that lets organizations "test-drive" DNSSEC deployment.

DNSSEC vs DDoS Protection: Is It Really a Choice?

Sep 30, 2010

Within the last year or two, I've heard people express an opinion to the effect that if the domain name industry put as much focus on preventing distributed denial of service attacks as we have on implementing DNSSEC, the Internet would be a safer place. While there may be a grain of truth there, I suggest that this kind of thinking presents us with something of a false dichotomy.

DNS Clients Do Request DNSSEC Today

Sep 06, 2010

After the DNS root zone was finally signed and a number of Top-Level Domains (TLDs) began signing their zones, we were curious to see how many clients actually request DNSSEC information. We looked at the RIPE NCC server that provides secondary service to several country code top-level domains (ccTLDs).

Ensuring Maximum Resilience to the DNS?

Aug 26, 2010

Yesterday CommunityDNS noticed a sudden, heavy spike in traffic through its Anycast node in Hong Kong. While comfortably processing queries at 863,000 queries per second for close to 2 hours the occurrence was undeniable. While we can't say the increase in traffic was specifically due to DDoS, its sudden increase is suspicious and reminds us that DDoS is still a popular tool used by the malicious community.

DNSSEC Taking Center Stage at 2010 Black Hat

Aug 03, 2010

On July 28th DNSSEC took center stage at the 2010 Black Hat Conference in Las Vegas. Two years ago, at the same conference, Dan Kaminsky unveiled the infamous DNS bug that many believe became a major catalyst for DNSSEC implementation. To kick things off, Jeff Moss -- founder of Black Hat -- in his opening speech called out the fact that "we have not solved any fundamental problems" and noted that the technical community must catch up.

Moving DNSSEC Forward: Help for Registries, Registrars, ISPs/Hosting, Enterprises, and Name Owners

Jul 20, 2010

DNSSEC adoption has been slow, but is now picking up speed, thanks to organizations leading the way. ... While some registries have already signed, some have announced plans to sign and others are still trying to figure out their plan. Either way, DNSSEC is here. How can we make DNSSEC adoption quicker and easier not only for the registry but for individual name owners?

DNSSEC Happy Talk Enters a New Era

Jul 18, 2010

So we finally have a signed root zone. Now when is someone going to answer the question I first asked over five years ago and have still not had an answer to: How do the domain name owner's keys get into the TLD? Before we have a system people can use there have to be technical standards, validation criteria and a business model. Where are they?

Industry Updates

New RomCom Variant Spotted: A Comparative and Expansion Analysis of IoCs

Global Domain Activity Trends Seen in Q3 2024

A DNS Investigation into Mamba, the Latest AitM Phishing Player

A DNS Investigation of the 32 Doppelganger Websites Seized by the U.S. Government

Investigating the Proliferation of Deepfake Scams

Examining the DNS Underbelly of the Voldemort Campaign

2024 Domain Intelligence Study of 6 APT Groups Notorious for Targeting Europe

Stripping Down the BlackSuit Ransomware Network Aided by DNS Data

A DNS Deep Dive into the NetSupport RAT Campaign

Tracking the DNS Footprint of the Polyfill Supply Chain Attackers

Study by WhoisXML API Explores IDNs, Native-Language Characters, and Homograph Attacks

The Extended Reach of the Extension Trojan Campaign in the DNS

Inspecting Konfety’s Evil Twin Apps through the DNS Lens

Hunting for U.S. Presidential Election-Related Domain Threats in the DNS

A Closer Look at the Meduza Stealer through a DNS Deep Dive

View More