DNS Security

DNS Security / Most Viewed

DNS Reflection/Amplification Attack: Proved

Last year there was a "threat" by anonymous group to black out Internet by using DNS Reflection/Amplification attack against the Internet DNS Root servers. I even wrote a little article about it: "End of the world/Internet". In the article I was questioning if this was even possible and what was needed as general interest and curiosity. Well, looking at the "stophaus" attack last week, we are getting some answers. more

Measuring Abuse: How Much COVID-Related Abuse Is There, Really?

Like measuring COVID's impact, so too measuring the impact of COVID-related abuse on the Internet is difficult, there are those that would foolishly dismiss the danger entirely, others over-state the problem, perhaps to prompt sales of tools and services. The amount and type of abuse varies from network to network, and to declare everything is fine based on one world-view you believe to be ubiquitous, or that the sky is falling based upon another, extrapolated to 'everybody else' is simply poor analysis. more

Developing Internet Standards: How Can the Engineering Community and the Users Meet?

There is currently a discussion going on between Milton Mueller and Patrik Fältström over the deployment of DNSSEC on the root servers. I think the discussion exemplifies the difficult relation between those who develop standards and those who use them. On the one hand, Milton points out that the way the signing of the root zone will be done will have a great influence on the subjective trust people and nation states will have towards the system. On the other hand, Patrik states that "DNSSEC is just digital signatures on records in this database". Both are right, of course, but they do not speak the same language... more

10th Registration Operations Workshop (ROW), June 8th, 2021, Online

The Registration Operations Workshop (ROW) was conceived as an informal industry conference that would provide a forum for discussion of the technical aspects of registration operations in the domain name system and IP addressing. The 10th ROW will be held online on Tuesday, June 8th, 2021 at 13h00-17h00 UTC. Click to learn more about the discussion topics and registration details. more

Examining Real Examples of DNS Abuse: A Summary Overview of the 2nd DNS Abuse Forum

It was not without a little trepidation that I planned the 2nd DNS Abuse Institute Forum to focus on the long-standing and often contentious definitional issues surrounding DNS Abuse. While the risk of getting stuck in the usual entrenched positions was real, it seemed to me that we had an opportunity to provide some clarity and if not change minds, at least provide perspective. more

Evolving the Internet Through COVID-19 and Beyond

As we approach four months since the WHO declared COVID-19 to be a pandemic, and with lockdowns and other restrictions continuing in much of the world, it is worth reflecting on how the Internet has coped with the changes in its use, and on what lessons we can learn from these for the future of the network. The people and companies that build and operate the Internet are always planning for more growth in Internet traffic. more

Verisign Doesn’t Think the Net Is Ready for a Thousand New TLDs

Yesterday Verisign sent ICANN a most interesting white paper called New gTLD Security and Stability Considerations. They also filed a copy with the SEC as an 8-K, a document that their stockholders should know about, It's worth reading the whole thing, but in short, their well-supported opinion is that the net isn't ready for all the new TLDs, and even if they were, ICANN's processes or lack thereof will cause other huge problems. more

Three Reasons Why It Makes Sense to Deploy DNSSEC Now

As many of you may know, today .ORG announced that all of its 8.5 million domains are now able to be fully DNSSEC signed - the largest set of domain names in the world so far that has access to this key security upgrade. .. The widespread publicity that the Kaminsky bug got around the world vindicated a decision made in several companies to invest time, effort and money into deploying DNSSEC. The community was split on the value of the DNSSEC effort -- many thought the deployment was quixotic, while a few others thought it was appropriate. more

The Dark Internet

I consult on communication issues for Neustar, an Internet infrastructure company. As most CircleIDers know, Neustar works behind the scenes to ensure the smooth operation of many critical systems like DNS, .us and .biz, local number portability and digital rights management. One of the cool things about working for them is the chance to attend the events they sponsor. Last week Neustar held a security briefing for senior federal IT personnel focused on Cybersecurity and Domain Name System Security Extensions (DNSSEC)... more

Network Protocols and Their Use

In June, I participated in a workshop, organized by the Internet Architecture Board, on the topic of protocol design and effect, looking at the differences between initial design expectations and deployment realities. These are my impressions of the discussions that took place at this workshop. ... In this first part of my report, I'll report on the case studies of two protocol efforts and their expectations and deployment experience. more

DDOS and the DNS

The Mirai DDOS attack happened just over a year ago, on the 21st October 2016. The attack was certainly a major landmark regarding the sorry history of "landmark" DDOS attacks on the Internet. It's up there with the Morris Worm of 1988, Slammer of 2002, Sapphine/Slammer of 2009 and of course Conficker in 2008. What made the Mirai attack so special? more

Domain Name Price Jump: Moore’s Law or Parkinson’s Laws?

As expected, VeriSign raised the price of domain names, effective in October. New prices wholesale prices (to the registrar) for .com domain names are going from $6.42 to $6.86, while .net will increase from $3.85 to $4.23. This news came a few days ago in a letter to registrars. (Hint to consumers: renew your domains now.) ...So, basically, many if not most of VeriSign's registry costs have been falling at an exponential rate. Hard disk storage, computing performance, bandwidth, RAM storage... yet the cost is going up. How is this justified? more

What Is the Domain Name Expiry Cycle and Why Should You Know About It?

Domain names are registered by the thousands every day. In July 2021, 236,336 domains were newly registered daily on average across all top-level domains (TLDs). Tens of thousands were also newly expired. Other months could be just as busy. "Newly registered" and "newly expired." Those are two terms I often get questions about. Newly registered domains are domains that someone just reserved, typically through a registrar or web hosting company. Newly expired domains, meanwhile, are those domains that someone had reserved but decided to let go for one reason or another. more

Large Volume of DNSSEC Amplification DDoS Observed, Akamai Reports

A dramatic increase in DNS reflection/amplification DDoS attacks abusing Domain Name System Security Extension (DNSSEC) configured domains have been observed in the past few months, according to a security bulletin released by Akamai’s Security Intelligence Response Team (SIRT). more

IPv6 and DNSSEC Are Respectively 20 and 19 Years Old. Same Fight and Challenges?

A few weeks ago I came across an old interview of me by ITespresso.fr from 10 years back entitled "IPv6 frees human imagination". At the time, I was talking about the contributions IPv6 was expected to make and the challenges it had to face. After reading the article again, I realized that it has become a little dusty (plus a blurred photo of the interviewee :-)). But what caught my attention the most in the interview was my assertion: "If IPv6 does not prevail in 2006, it's a safe bet that it will happen in 2007". Wow! more