DNS Security

Blogs

Call for Participation – ICANN DNSSEC and Security Workshop for ICANN76 Community Forum

Are you doing something interesting with DNS, DNSSEC, or routing security that you would like to share with the larger DNS community at the ICANN 76 meeting in March 2023? If so, please send a brief (1 -- 3 sentence) description of your proposed presentation to [email protected] by the close of business on Friday, 20 January 2023. Are you doing something interesting with DNS, DNSSEC, or routing security that you would like to share with the larger DNS community at the ICANN 76 meeting in March 2023? more

Achieving Multi-Stakeholder Progress on DNS Abuse

DNS Abuse and how to address it has been the topic of intense, often conflictual, and rarely conclusive discussions for many years, starting with the very definition of the term and the degree of responsibility bestowed upon DNS operators. In 2018, after several months of intersessional work, the Internet & Jurisdiction Global Conference brought together in Ottawa more than 200 key stakeholders to define a roadmap to address certain jurisdictional challenges on the Internet, including DNS abuse. more

OARC-39: Notes on the Recent DNS Operations, Analysis, and Research Centre Workshop

OARC held its fall meeting in Belgrade on October 22 and 23. Here are my impressions of some of the presentations from that meeting... UI, UX, and the Registry/Registrar Landscape - One of the major reforms introduced by ICANN in the world of DNS name management was the separation of registry and registrar functions. The intent was to introduce competition into the landscape by allowing multiple registries to enter names into a common registry. more

Data, DNS Abuse and What to Do Next

To the annoyance of some, surely, the issue of abuse in the domain name system (DNS) has been high on the list of critical issues in internet governance circles. Personally, in my more than 20 years of internet governance experience, tackling DNS abuse is one of the more important issues I've participated in and seen debated. Despite this intense scrutiny, common-sense solutions (such as contract improvements) have been so far elusive, even as they fall squarely within its ICANN's remit. more

More Mysterious DNS Root Query Traffic from a Large Cloud/DNS Operator

With so much traffic on the global internet day after day, it's not always easy to spot the occasional irregularity. After all, there are numerous layers of complexity that go into the serving of webpages, with multiple companies, agencies and organizations each playing a role. That's why when something does catch our attention, it's important that the various entities work together to explore the cause and, more importantly... more

Call for Participation – ICANN DNSSEC and Security Workshop for ICANN74 Policy Forum

Do you have information about DNS security or routing security that you would like to share with the global community? Have you developed a new tool or system in this area? Do you have results from a research project that you want to share with a technical community? If so, please consider submitting a proposal to the DNSSEC and Security workshop to be held at ICANN 74 in June 2022. more

Trusted Notifier Arrangements Require Trust: Why Unpacking Misunderstandings Around Trusted Notifiers Is Important for Dealing With DNS-related Abuse

Domain Name System (DNS) Operators (Registries and Registrars) receive notices asking them to take action on a wide range of alleged technical and content-related abuses. However, there is a fundamental question of when it is appropriate to act at the DNS level and the evaluation of whether the alleged abuse meets a sufficient threshold for action at the DNS level. Additionally, given the volume of abuses occurring on the internet, existing resources, mechanisms, and protocols available in-house to Operators are in many cases insufficient to address abuses in a timely fashion. more

Routing Without Rumor: Securing the Internet’s Routing System

The Domain Name System has provided the fundamental service of mapping internet names to addresses from almost the earliest days of the internet’s history. Billions of internet-connected devices use DNS continuously to look up Internet Protocol addresses of the named resources they want to connect to - for instance, a website such as blog.verisign.com. Once a device has the resource’s address, it can then communicate with the resource using the internet’s routing system. more

The Ever-Evolving Problem of DNS Abuse

For several years, many within ICANN circles have raised concerns about the escalating nature of domain name system (DNS) abuse. While some strides were made toward a safer DNS, new data - this time from a comprehensive study of DNS abuse by the European Union - demonstrates that abuse remains a frustratingly obstinate problem that requires urgent attention. We've seen some registries and registrars testing innovative industry-led initiatives in an effort to address the issues. more

Decentralizing Cybersecurity Via DNS

Decentralization is a big trend in IT, and everyone has their own definition of what "decentralization" really means. With more organizations fully embracing a work-from-anywhere culture, decentralization has moved past being a fad and turned into a necessity. Decentralized cybersecurity is nothing new. Many of us have been doing it since before the pandemic. more

Some Thoughts on DNS4EU – the European Commission’s Intention to Support the Development of a New European DNS Resolver

The last few decades have not been a story of unqualified success for European technology enterprises. The European industrial giants of the old telephone world, such as the former stalwarts Alcatel, Siemens, Philips, Ericsson and Nokia, have found it extraordinarily difficult to translate their former dominant positions in the telco world into the Internet world. To be brutally frank, none of the current generations of major players in the digital environment are European. more

Observations on Resolver Behavior During DNS Outages

When an outage affects a component of the internet infrastructure, there can often be downstream ripple effects affecting other components or services, either directly or indirectly. We would like to share our observations of this impact in the case of two recent such outages, measured at various levels of the DNS hierarchy, and discuss the resultant increase in query volume due to the behavior of recursive resolvers. more

ICANN DNS Resolver Symposium – the Session Had Several Interesting Presentations That I Would Like to Comment On

ICANN hosted a Resolver Operator Forum in mid-December, and the session had several interesting presentations that I would like to comment on here... The first presentation in this forum was from Paul Mockapetris. He pointed to the original academic published paper, Development of the Domain Name System, by Paul Mockapetris and Kevin Dunlap, published in the proceedings of ACM SIGCOMM’88. The paper noted that by 1983 it was obvious that the shared HOSTS.TXT file was not a scalable solution... more

Ongoing Community Work to Mitigate Domain Name System Security Threats

For over a decade, the Internet Corporation for Assigned Names and Numbers (ICANN) and its multi-stakeholder community have engaged in an extended dialogue on the topic of DNS abuse, and the need to define, measure and mitigate DNS-related security threats. With increasing global reliance on the internet and DNS for communication, connectivity and commerce, the members of this community have important parts to play in identifying, reporting and mitigating illegal or harmful behavior, within their respective roles and capabilities. more

Registrar Influence on the Domain Security Posture of the Forbes Global 2000

In the 2021 Domain Security Report, we analyzed the trend of domain security adoption with respect to the type of domain registrar used, and found that 57% of Global 2000 organizations use consumer-grade registrars with limited protection against domain and DNS hijacking, distributed denial of service (DDoS), man-in-the-middle attacks (MitM), or DNS cache poisoning. On average, the adoption of domain security controls is two times higher for enterprise-class registrars than for those using consumer-grade registrars. more

News Briefs

DNS Abuse Institute Launches Centralized DNS Abuse Reporting Service

CENTR Publishes Comment on the European Commission’s DNS Abuse Study

InternetNZ Has Disclosed a Vulnerability That Can Be Weaponized Against Authoritative DNS Servers

Security Researcher Dan Kaminsky Has Died

PIR Launches New Institute to Combat DNS Abuse

DNSSEC Now Deployed in all Generic Top-Level Domains, Says ICANN

Firefox Starts the Roll Out of DNS Over HTTPS (DoH) by Default for US-Based Users

Microsoft Announces Plans to Adopt DoH in Windows

EFF: For ISPs to Retain Power to Censor the Internet, DNS Needs to Remain Leaky

Leading Domain Registries and Registrars Release Joint Document on Addressing ‘DNS Abuse’

The U.S. House Judiciary Committee Is Investigating Google’s Plans to Implement DNS Over HTTPS

Use of DNS Firewalls Could Have Prevented More Than $10B in Data Breach Losses Over the Past 5 Years

Unexpected Behaviour Observed With DNS Root Servers After Cryptographic Change

ICANN Makes Urgent Call for Full Deployment of Domain Name System Security Extensions (DNSSEC)

ISC Assesses DNS Flag Day

Global DNS Record Manipulation, Hijacking Campaign at Massive Scale Linked to Iran

ICANN Facing Critical Choice for Plan to Change DNS Cryptographic Key

Large-Scale Study by Security Researchers in China Sheds Light on the Scope of DNS Interception

Russia in Talks to Create Independent DNS

IBM Launches Quad9, a DNS-based Privacy and Security Service to Protect Users from Malicious Sites

Most Viewed

Most Commented

Industry Updates

Participants – Random Selection