DNS Security

DNS Security / Most Commented

EFF: For ISPs to Retain Power to Censor the Internet, DNS Needs to Remain Leaky

EFF's Senior Legislative Counsel, Ernesto Falcon, in a post on Monday has argued that major ISPs in the U.S. -- the likes of Comcast, AT&T;, and Verizon -- are aggressively influencing legislators to stop the deployment of DNS over HTTPS (DoH), "a technology that will give users one of the biggest upgrades to their Internet privacy and security since the proliferation of HTTPS." more

The U.S. House Judiciary Committee Is Investigating Google’s Plans to Implement DNS Over HTTPS

The U.S. House Judiciary Committee is investigating Google's plans to implement DNS over HTTPS (DoH) in Chrome according to a report by the Wall Street Journal over the weekend. more

Call for Participation – ICANN DNSSEC and Security Workshop at ICANN66, Montreal, Canada

The ICANN Security and Stability Advisory Committee (SSAC) and the Internet Society Deploy360 Programme are planning a DNSSEC and Security Workshop on Wednesday, 06 November 2019, during the ICANN66 meeting held from 02-07 November 2019 in Montreal, Canada. The original DNSSEC Workshop has been a part of ICANN meetings for many years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. more

DoH Creates More Problems Than It Solves

Unlike most new IETF standards, DNS over HTTPS has been a magnet for controversy since the DoH working group was chartered on 2017. The proposed standard was intended to improve the performance of address resolutions while also improving their privacy and integrity, but it's unclear that it accomplishes these goals. On the performance front, testing indicates DoH is faster than one of the alternatives, DNS over TLS (DoT). more

DoT and DoH Guidance: Provisioning Resolvers

As part of a larger effort to make the internet more private, the IETF defined two protocols to encrypt DNS queries between clients (stub resolvers) and resolvers: DNS over TLS in RFC 7858 (DoT) and DNS over HTTPS in RFC 8484 (DoH). As with all new internet protocols, DoT and DoH will continue to evolve as deployment experience is gained, and they're applied to more use cases. more

The Promise of Multi-Signer DNSSEC

DNSSEC is increasingly adopted by organizations to protect DNS data and prevent DNS attacks like DNS spoofing and DNS cache poisoning. At the same time, more DNS deployments are using proprietary DNS features like geo-routing or load balancing, which require special configuration to support using DNSSEC. When these requirements intersect with multiple DNS providers, the system breaks down. more

What’s in Your DNS Query?

Privacy problems are an area of wide concern for individual users of the Internet -- but what about network operators? Geoff Huston wrote an article earlier this year concerning privacy in DNS and the various attempts to make DNS private on the part of the IETF -- the result can be summarized with this long, but entertaining, quote. more

Use of DNS Firewalls Could Have Prevented More Than $10B in Data Breach Losses Over the Past 5 Years

New research from the Global Cyber Alliance (GCA) released on Wednesday reports that the use of freely available DNS firewalls could prevent 33% of cybersecurity data breaches from occurring. more

Network Protocols and Their Use

In June, I participated in a workshop, organized by the Internet Architecture Board, on the topic of protocol design and effect, looking at the differences between initial design expectations and deployment realities. These are my impressions of the discussions that took place at this workshop. ... In this first part of my report, I'll report on the case studies of two protocol efforts and their expectations and deployment experience. more

A Report on DNS Operations, Analysis, and Research Center (DNS-OARC) 30th Meeting

DNS Operations, Analysis, and Research Center (DNS-OARC) held its 30th meeting in Bangkok on the 12th and 13th May. Here's what attracted my interest from two full days of DNS presentations and conversations, together with a summary of the other material that was presented at this workshop. Some Bad News for DANE (and DNSSEC): For many years the Domain Name X509 certification system, or WebPKI, has been the weak point of Internet security... more

Why More Registries Should Be Talking About DNS Security

I've been incredibly lucky in my time at Neustar to lead both the exceptional Registry and Security teams. While these divisions handle their own unique product and service offerings, it's clear that they have some obvious crossovers in their risks, opportunities and challenges. Having been closely involved in the strategy of both these teams, it strikes me that there is more we as Registry Operators and service providers can and should be doing to align the world of cybersecurity with that of domain names. more

Unexpected Effects of the 2018 Root Zone KSK Rollover

March 22, 2019, saw the completion of the final important step in the Key Signing Key (KSK) rollover - a process which began about a year and half ago. What may be less well known is that post rollover, and until just a couple days ago, Verisign was receiving a dramatically increasing number of root DNSKEY queries, to the tune of 75 times higher than previously observed, and accounting for ~7 percent of all transactions at the root servers we operate. more

Some Thought on the Paper: Practical Challenge-Response for DNS

Because the speed of DNS is so important to the performance of any connection on the 'net, a lot of thought goes into making DNS servers fast, including optimized software that can respond to queries in milliseconds, and connecting DNS servers to the 'net through high bandwidth links. To set the stage for massive DDoS attacks based in the DNS system, add a third point: DNS responses tend to be much larger than DNS queries. more

ICANN Makes Urgent Call for Full Deployment of Domain Name System Security Extensions (DNSSEC)

In light of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for the full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. more

Building a Secure Global Network

Recently, the DNS has come under an extensive attack. The so-called "DNSpionage" campaigns have brought to light the myriad methods used to infiltrate networks. These attacks employed phishing, system hopping via key exfiltration, and software zero day exploits, illustrating that many secure networks may not be fully protected. more