DNS Security

DNS Security / Most Viewed

3 Reasons It’s Crucial to Review Your Domain Lock Portfolio Now

Just as we started the new year, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency's (CISA) issued an alert. On January 6, 2020 , they warned of domain name system (DNS) hijacking and other cyber threats that may be used by nation-state threat actors to disrupt business activity and take control of vital internet assets. A familiar refrain heard in 2019 now repeating in 2020. more

Five Security Blind Spots from Prolonged Implementation of a Business Continuity Plan Amid COVID-19

The novel coronavirus outbreak (COVID-19) has prompted many organizations in Mainland China and Hong Kong to execute their business continuity plan (BCP). During the last epidemic in 2003, the SARS outbreak lasted for nine months – and with an infection rate that is increasing rapidly, this new coronavirus has the potential to cause prolonged periods of commercial disruption, and heavy reliance on BCPs. more

(DNS) Security Protocols Do What They Say on the Tin

DNS-over-TLS has recently become a welcome addition to the range of security protocols supported by DNS. It joins TSIG, SIG(0) and DNSSEC to add privacy, and, in the absence of validating stub resolvers, necessary data integrity on the link between a full-service resolver and the users' stub resolver. (The authenticated source feature of TLS may also offer some additional benefits for those of a nervous disposition.) Good stuff. What is not good stuff is... more

NIS 2.0 and Its Impact on the Domain Name Ecosystem

I recently appeared on the 419 Consulting podcast to discuss the European Union's NIS 2.0 Directive and its impact on the domain name ecosystem. I encourage all TLD registries, domain name registration service providers, and DNS operators to listen to the recording of that session which Andrew Campling has made available. more

DNSSEC - Let’s Stay the Course!

I don't know about you, but I'm starting to think that DNSSEC being so hot these days is a mixed blessing. Yes, it's wonderful that after so many years there is finally broad consensus for making DNSSEC happen. But being so prominent also means the protocol is taking shots from those who don't want to make the necessary software, hardware and operational modifications needed. And DNSSEC has taken some shots from those who just want to be contrarian. more

DNSSEC Signed ROOT by 1 July 2010

Mehmet Akcin writes: As announced today as part of RIPE meeting in Lisbon, Portugal by Joe Abley, DNS Group Director at ICANN, and Matt Larson, Vice President of DNS Research at VeriSign, in their presentation (Page 25), DNSSEC for the root zone is proposed to be fully deployed by July 1, 2010. The Draft Timeline suggests Root zone being signed by December 1, 2009 while initially staying internal to ICANN and VeriSign. The incremental roll out of the signed root would then take place from January until July 2010. more

Holiday Shoppers Beware: Tips on Protecting Brand Owners and Consumers from Domain Security Threats

With the COVID-19 pandemic persisting, online shopping will be the preferred method for the 2020 holiday shopping season. While staying home to shop is the safest option right now, it means consumers are more vulnerable to online fraud, counterfeits, and cyber crime. Increased online activity provides opportunities for unscrupulous infringers to abuse trusted brand names to drive visitors to their own fraudulent content. more

3 DNSSEC Sessions Happening At ICANN 50 Next Week in London

As I mentioned in a post to the Deploy360 blog today, there are three excellent sessions relating to DNSSEC happening at ICANN 50 in London next week: DNSSEC For Everybody: A Beginner's Guide; DNSSEC Implementers Gathering; DNSSEC Workshop. Find out more. more

The Promise of Multi-Signer DNSSEC

DNSSEC is increasingly adopted by organizations to protect DNS data and prevent DNS attacks like DNS spoofing and DNS cache poisoning. At the same time, more DNS deployments are using proprietary DNS features like geo-routing or load balancing, which require special configuration to support using DNSSEC. When these requirements intersect with multiple DNS providers, the system breaks down. more

Getting On Board With DNSSEC - A Personal Recount

I first became familiar with DNSSEC around 2002 when it was a feature of the Bind9 server, which I was using to setup a new authoritative DNS platform for customers of the ISP I was working for. I looked at it briefly, decided it was too complex and not worth investigating. A couple of years later a domain of a customer got poisoned in another ISPs network. And while the DNS service we provided was working properly, the customers impression was we hadn't protected them. more

CAICT Holds ICANN 59 China Internet Community Readout Session

In afternoon of 14th July, the China Academy of Information and Communication Technology (CAICT) and ICANN Beijing Engagement Center jointly held the ICANN 59 China Internet Community Readout Session. Mr. Zhang Ya, Deputy Director of Information and Communication Authority under the Ministry of Industry and Information Technology (MIIT), made his presence and gave opening remarks on the meeting. Over 40 representatives from the Cyberspace Administration, the Ministry of Foreign Affairs, domain name registries and registrars, industrial organizations, institutes and universities participated in the seminar. more

Live On Monday, 25 June - DNSSEC Workshop at ICANN 62 in Panama

With the DNSSEC Root Key Rollover coming up on October 11, how prepared are we as an industry? What kind of data can we collect in preparation? What is the cost-benefit (or not) of implementing DANE? What can we learn from an existing rollover of a cryptographic algorithm? All those questions and more will be discussed at the DNSSEC Workshop at the ICANN 62 meeting in Panama City, Panama, on Monday, June 25, 2018. more

DNS Amplification Attacks: Out of Sight, Out of Mind? (Part 3)

Previous posts (Part 1 and Part 2) offer background on DNS amplification attacks being observed around the world. These attacks continue to evolve. Early attacks focused on authoritative servers using "ANY" queries for domains that were well known to offer good amplification. Response Rate Limiting (RRL) was developed to respond to these early attacks. RRL, as the name suggests, is deployed on authoritative servers to rate limit responses to target names. more

The Recent DDoS Attacks on Banks: 7 Key Lessons

Starting in mid-September, one of the largest and most sophisticated DDoS attacks ever targeted the titans of American banking. Initially, victims included Bank of America, JPMorgan Chase, Wells Fargo, PNC Bank, and U.S. Bancorp. In the weeks to come, others would also feel the pain. Websites crashed, customers were unable to make transactions and IT professionals and PR gurus went into panic mode. Leon Panetta, U.S. Secretary of Defense, said the attacks foreshadowed a "Cyber Pearl Harbor." more

Phishing 2020: A Concentrated Dose of Badness

How much phishing is there? Where is it occurring, and why? How can it be reduced? I and my colleagues at Interisle Consulting have just published a new study called Phishing Landscape 2020, designed to answer those questions. We assembled a deep set of data from four different, respected threat intelligence providers and enriched it with additional DNS data and investigation. The result is a look at phishing attacks that occurred in May through July 2020. more