DNS (short for the Domain Name System) continues to be described as “the phonebook of the Internet,” but many people, including most readers of this blog, will be more familiar with the basic workings of DNS than with the outdated phenomenon of paper phonebooks.

Moreover, DNS does a lot more than turn names (such as www.tripwire.com) into numbers (such as 192.229.182.232). It lets a domain owner answer questions only they can know the answer to, such as which servers accept mail for the domain or which public key is used to verify DKIM signatures. Sometimes a DNS record exists simply to give a specific answer and thereby prove ownership of a domain.

The security of DNS is thus vital to the functioning of the Internet today. The bad news is that, out of the box, DNS provides none of the CIA triad (confidentiality, integrity and availability).

DNS requests and responses are sent in the clear, so your ISP or any entity tapping the Internet cables can see the requests being made from your devices. They can also modify the responses or block them altogether.

This isn’t a theoretical risk. The country I live in requires ISPs to send users trying to access an unlicensed or foreign gambling site to a government webpage by having their resolvers (the servers that answer DNS queries on behalf of users) return a different IP address. This can be easily bypassed by using a foreign resolver instead, but some countries force ISPs to modify or block even requests to resolvers beyond their control, thus effectively blocking access to certain websites and ...
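To make the two preceding points concrete (responses travel as readable, unauthenticated bytes, and a resolver can substitute an address or answer "no such name"), here is an added example, written for this editorial pass and not code from the original post or from Tripwire. It builds DNS response messages in wire format, parses them back, and compares what one resolver returned against a reference resolver's answer for the same question, which is the detection approach a defender would use to notice redirection or blocking. Names and addresses are constructed: www.example.com, the RFC 5737 documentation addresses 192.0.2.1 and 198.51.100.1, and the function names are all assumptions of this example.

```python
import struct

# Constructed values: RFC 5737 documentation addresses, not real hosts
EXPECTED_IP = "192.0.2.1"      # what the domain owner actually publishes
REDIRECT_IP = "198.51.100.1"   # what a manipulating resolver substitutes


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label bytes, then 0x00.
    Note the labels are plain ASCII on the wire; anyone on the path can read them."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid: int, qname: str, a_records, rcode: int = 0, ttl: int = 300) -> bytes:
    """Construct a minimal DNS response (one question, A records only) as a
    stand-in for what a resolver puts on the wire. Nothing is signed or encrypted,
    so a resolver or on-path party can change the address or the response code."""
    flags = 0x8180 | (rcode & 0xF)            # QR=1, RD=1, RA=1, plus RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in a_records:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer to offset 12, where the question name starts
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + rrs


def decode_name(msg: bytes, offset: int):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # two-byte compression pointer
            hops += 1
            if hops > 16:                     # guard against malicious pointer loops
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2              # the name ends after the first pointer
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Parse header, question section and answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, value, ttl))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def compare_resolvers(isp_msg: bytes, reference_msg: bytes) -> dict:
    """Flag a response that differs from a reference resolver's answer to the same
    question: a changed address (redirection) or NXDOMAIN with no answers (blocking).
    Divergence is a signal to investigate; CDNs legitimately return region-specific
    addresses, so confirm before concluding the response was manipulated."""
    isp, ref = parse_response(isp_msg), parse_response(reference_msg)
    isp_ips = {a[2] for a in isp["answers"] if a[1] == 1}
    ref_ips = {a[2] for a in ref["answers"] if a[1] == 1}
    return {
        "question": isp["questions"][0][0],
        "isp": sorted(isp_ips),
        "reference": sorted(ref_ips),
        "blocked": isp["rcode"] == 3 and not isp_ips and bool(ref_ips),
        "redirected": bool(isp_ips) and isp_ips != ref_ips,
    }


if __name__ == "__main__":
    good = build_response(0x1234, "www.example.com", [EXPECTED_IP])
    redirected = build_response(0x1234, "www.example.com", [REDIRECT_IP])
    blocked = build_response(0x1234, "www.example.com", [], rcode=3)
    print(compare_resolvers(redirected, good))   # redirected: True
    print(compare_resolvers(blocked, good))      # blocked: True
```

In practice the two byte strings would come from UDP port 53 responses of the ISP resolver and of an independent resolver (or a DNSSEC-validating one); the parser is the same either way. The example deliberately parses the messages by hand rather than through a DNS library so that the plaintext labels and the absence of any signature field in the answer are visible in the bytes themselves.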