Why DNSSEC Isn’t Enough

When you type a URL into the top of your browser and hit “enter,” a number of complicated things begin to happen. Somehow, the alphanumeric English language of a URL gets translated into the machine language of an IP address, allowing your browser to resolve a new webpage. The main mechanism of this alchemy is referred to as a DNS query.

A DNS query is basically a short message that your browser sends to your ISP’s server. The actual content of the message is critical. Anyone who intercepts that message can tell exactly what you’re searching for – useful information for marketers, advertisers, and hackers. Worse, it’s possible for an attacker to manipulate your DNS query. This could be used to resolve a website that you weren’t intending to go to. For example, an attacker could use DNS manipulation to send you to a website that will capture your password by looking exactly like the login page of your bank.

How is DNS Interception Still Possible?

All DNS queries are sent in the clear, unencrypted, which means that anyone who intercepts a query can read it right away. This is an aberration – the last artifact of a more naïve internet. Most of your communication between websites is now conducted over an encrypted protocol known as TLS. TLS is why many of the websites you visit have a lock icon next to your URL, and why their URLs are now prefixed with “HTTPS” instead of “HTTP.” Secure standards exist for DNS queries – we’ll get to those in a moment – but the internet has been slow to adopt them.

One of the major flaws of the internet is that it was designed without a basic security architecture in mind. Once entrenched in a low-security posture, implementing security standards is often an uphill climb. For example, the HTTPS standard was created in 1994 as part of Netscape Navigator – the direct inheritor to Mosaic, the first internet browser ever. It took until 2016 – 22 years after the standard was first created – for HTTPS to be implemented by even 50% of websites. If it took 22 years for over 50% of websites to implement HTTPS, how long will it take to implement secure DNS?

The March Towards Secure DNS Begins Now

In 2018, one thing is for certain: the citizens of the internet are tired. They’re tired of being hacked, and tired of having their information tracked en masse by unscrupulous advertisers and marketers. Implementing robust DNS security would be a quick win when it comes to regaining consumer trust, because there’s evidence to suggest that DNS interception is already being performed at scale. In other words, shutting down DNS interception would shut down a large source of malign interference.

How much do we know about DNS interception to begin with? For starters, we know – thanks to the efforts of a group of researchers based out of China and the US – that at least 0.66% of all DNS traffic is currently subject to interception. This may not seem like an impressive figure to start with, but if we assume there are approximately 3.2 billion internet users, then DNS interception is affecting over 21 million people. Even more, some DNS resolvers are being affected more than others. The Google DNS resolver – currently the most popular DNS service on the internet – is subject to many more attempts.

There are solutions to stop DNS interception, and they’re available right now. DNSSEC is a secure protocol that provides an equivalent to HTTPS security. If you own a website and want to make sure that your users can visit it without interference, you should implement DNSSEC. If you own a company and want to make sure that your users can browse the internet more securely, you should implement DNSSEC. It’s a simple, multi-step process that you can do on your own.

Safe-T: An Additional Layer of Security

Implementing DNSSEC is an important part of reinforcing the basic security architecture of the internet, but it’s also just that: basic. DNSSEC is a foundation to build on. Safe-T can be a part of what you build. DNSSEC will let you make sure that attackers don’t direct your users away from your network, but the zero trust networks that Safe-T enables will make sure that attackers can’t even see your network. For more information about the future that Safe-T will let you build, contact us today.
Zero Trust Network

*** This is a Security Bloggers Network syndicated blog from Safe-T Blog authored by Amir Mizhar. Read the original post at: