Secure Domains: The DNS Security DebateWill CloudFlare's DNSSEC Move Improve Internet Security?
The importance of improving the Internet infrastructure was a dominant theme throughout President Obama's White House Summit on cybersecurity and consumer protection last week.
Making that happen, however, isn't a straightforward proposition, information security experts warn, owing to the Web never having been designed to be secure in the first place - which may seem ironic, given its importance now as the backbone of e-commerce and the world's payments infrastructure.
Furthermore, any attempt to strengthen Internet hygiene requires the participation and buy-in of many different key players, including standards bodies, government agencies, DNS providers, Internet service providers and more. Given all of the different parties involved, disagreement often rages about the best way forward.
Take DNSSEC, which is also known as Domain Name System Security Extensions. This evolving, open standard - or specification - is designed to authenticate the origin of DNS data used on Internet protocol networks by digitally signing it. At the White House cybersecurity summit, CloudFlare, which offers services that defend against DNS and distributed-denial-of-service attacks, announced that for all of the 2 million websites it supports, it will now enable DNSSEC.
By making DNSSEC widely available, CloudFlare says it hopes to enhance the overall security of the Internet. "Our ultimate goal is that DNSSEC will be easy to deploy, and thus widely adopted, to make the Internet a better, more secure place," says Ryan Lackey, a principal in the firm's security practice. The move comes after CloudFlare in September began offering Universal SSL (secure socket layer) certification, free of charge, to all of its clients. SSL provides a secure connection for Internet browsers and websites to transmit data, and helps defend against many types of attacks.
"Both SSL and DNSSEC have a role to play in keeping users safe on the Internet, from phishing, from cybercriminals and from malicious nation states," Lackey says. "Having proven that Universal SSL is possible at our scale, we hope many other organizations will follow in turning SSL on for all their customers - and at no additional cost."
But while Lackey describes DNSSEC as being "an important, foundational security technology," in the past it has been "incredibly difficult to deploy," he acknowledges, although his firm has been trying to simplify that process. "We're working with DNS registrars and registries to simplify the process of turning DNSSEC on for a domain, and we will soon be providing simple, robust DNS for our customers, which fully supports DNSSEC."
Debate: DNSSEC Valuable?
But there's a debate over DNSSEC, and just what it might - or might not - do for Internet users. Some security experts see it as crucial technology for blocking DNS amplification DDoS attacks. But others starkly disagree, saying instead that DNSSEC can actually be abused by attackers to fuel amplification attacks.
One critic is Dan Holden, director of the security engineering and response team for online security firm Arbor Networks - which competes with CloudFlare. Holden says that Universal SSL and DNSSEC won't stop phishing, and don't address authentication concerns facing payments providers and banking institutions.
"Many people do not believe DNSSEC is a good solution at all," Holden says.
But other information security experts and government agencies have backed the standard. "Registrars should consider supporting DNSSEC," advises the EU cybersecurity agency ENISA in a recent threat report.
"The use of DNSSEC is definitely a step in the right direction," says Europol cybersecurity advisor Alan Woodward, who's a visiting professor at the department of computing at England's University of Surrey. "It does help with attacks, such as DNS poisoning. However, I think some people misunderstand what DNSSEC does for us. It basically provides authentication of the source, not encryption of the data passed. It doesn't prevent DDoS attacks per se, but it can help counter it, as it allows you to shut off untrusted DNS sources."
But DNSSEC alone won't solve the world's DNS problems, Woodward says. "It would require much more widespread adoption to make a significant dent in the problem we see in DNS use across the Web. However, it might well help CloudFlare clients to see off DDOS attacks slightly more easily if they are mounted using DNS amplification."
Financial Sector Upsides
More widespread DNSSEC adoption could also benefit financial services firms, says Al Pascual, director of fraud and security at Javelin Strategy & Research - but only if the standard is implemented properly. "DNSSEC can help prevent malicious redirection, but it is a two-part equation, as infrastructure providers and site owners need to implement it in order for the solution to function correctly," Pascual says. "While DNSSEC isn't new, financial institutions that are not taking advantage could stand to benefit from DNSSEC's ability to reduce the risk of successful phishing attacks against accountholders."
DNSSEC can also protect domain records from spoofing and "poisoning," but will not protect sites from DNS records tampering - such as registration hijacking and malware-infected sites that compromise visitors through drive-by downloads - says Greg Rosenberg, security engineer at digital forensics investigation firm Trustwave.
"Many attackers utilize hijacked DNS information to redirect unsuspecting users to malicious websites to capture sensitive data, like payment card information, log-in data and/or Social Security numbers," he says. "As hackers continue to target Web and e-commerce assets at a quickening pace, it will be critical to help protect against man-in-the-middle attacks and phishing for credentials."
But DNSSEC was never designed to stop man-in-the-middle attacks, Arbor's Holden says, adding that it also cannot solve the ongoing challenge of poor user behavior. "Phishing is preying on the person, not the machine, and that's why it's so difficult to solve from a technology standpoint," he says.
CloudFlare's willingness to offer its clients a hosted DNSSEC offering is a move into relatively uncharted territory, says Dave Jevans, co-founder of the Anti-Phishing Working Group and chief technology officer of mobile security firm Marble Security. "However, it won't stop most DNS attacks, as those are typically phishing the DNS credentials of a website's admin, and taking over the site," he says. "But Cloudflare should be applauded for taking a leadership position with DNSSEC."
But CloudFlare's move - and DNSSEC itself - is just part of what's required, Jevans says. For the financial services industry in particular, he says that strengthening the security of the e-mail network itself, through initiatives such as DMARC - Domain-based Message Authentication, Reporting & Conformance - and the use of top-level domain names, such as ".bank," have the potential to deliver great security payoffs.