The Challenge of Defending the Domain Name System
Cricket Liu of Infoblox Says DNS Providers Are Entering a New Era
Most people have no idea what the Domain Name System is. For technical specialists, it can elicit a groan. But the DNS is essential for the internet, because it translates domain names into the IP addresses that a browser then uses to reach a site. It underpins essentially all of the internet, which wouldn't function without it.
But as with many critical components of the internet, DNS would have a very different structure if designed today. While a redesign could solve ongoing security and privacy concerns, it would be disruptive and require wide consensus.
"It's really easy to say 'Well, yeah, we can fix all of DNS's shortcomings if we just start over,' but that 'if we just start over' is such a big if," says Cricket Liu, DNS architect and senior fellow at the networking company Infoblox. "It's a protocol that really causes us fits."
Many of the security features within DNS have had to be grafted onto it, Liu says in an interview with Information Security Media Group. It's an attractive target for hackers because attacking DNS servers can cause services to go offline.
In October, the networking company Dyn was subjected to a withering attack against its infrastructure. Dyn provides outsourced DNS management services to a long list of popular websites, including Twitter, PayPal and Spotify. The attacks, which came from digital video recorders and other internet-of-things devices, made those services difficult to reach for some users (see Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).
In this audio interview, Liu discusses:
- Why the Mirai botnet will continue to affect DNS providers and other companies;
- What DNS providers will need to do to counter large botnets;
- Why defense against DNS attacks is difficult.
Liu has specialized in DNS for more than two decades. He worked at Hewlett Packard in the late 1980s and 90s before founding a DNS consulting company that VeriSign bought in 2000. As chief DNS architect with Infoblox, he studies how to protect infrastructure from disruptions.