DNS Security

Sponsored
by

Noteworthy

The movement is on, DNSSEC, ready set go! Just make sure you are ready when you go!

DNSSEC technology standards have been stable and mature since 2007, with only updates, clarifications, and new functionality added since then.

Blogs

78% of Cybersecurity Professionals Expect an Increase in DNS Threats, Yet Have Reservations

A recent survey conducted by the Neustar International Security Council confirmed the heightened interests on domain name system (DNS) security. The survey reveals that over three-quarters of cybersecurity professionals anticipate increases in DNS attacks, especially with more people shopping online amid the pandemic. Yet, close to 30% have reservations about their ability to respond to these attacks. more

An Institute to Combat DNS Abuse

Over the last few years, it's become clear that abuse of the Domain Name System -- whether in the form of malware, botnets, phishing, pharming, or spam -- threatens to undermine trust in the Internet. At Public Interest Registry, we believe that every new .ORG makes the world a better place. That means anything that gets in the way of that is a threat, and that includes DNS Abuse. more

Information Protection for the Domain Name System: Encryption and Minimization

In previous posts in this series, I've discussed a number of applications of cryptography to the DNS, many of them related to the Domain Name System Security Extensions (DNSSEC). In this final blog post, I'll turn attention to another application that may appear at first to be the most natural, though as it turns out, may not always be the most necessary: DNS encryption. (I've also written about DNS encryption as well as minimization in a separate post on DNS information protection.) more

Securing the DNS in a Post-Quantum World: Hash-Based Signatures and Synthesized Zone Signing Keys

In my last article, I described efforts underway to standardize new cryptographic algorithms that are designed to be less vulnerable to potential future advances in quantum computing. I also reviewed operational challenges to be considered when adding new algorithms to the DNS Security Extensions (DNSSEC). In this post, I'll look at hash-based signatures, a family of post-quantum algorithms that could be a good match for DNSSEC from the perspective of infrastructure stability. more

Securing the DNS in a Post-Quantum World: New DNSSEC Algorithms on the Horizon

One of the "key" questions cryptographers have been asking for the past decade or more is what to do about the potential future development of a large-scale quantum computer. If theory holds, a quantum computer could break established public-key algorithms including RSA and elliptic curve cryptography (ECC), building on Peter Shor's groundbreaking result from 1994. more

Newer Cryptographic Advances for the Domain Name System: NSEC5 and Tokenized Queries

In my last post, I looked at what happens when a DNS query renders a "negative" response -- i.e., when a domain name doesn't exist. I then examined two cryptographic approaches to handling negative responses: NSEC and NSEC3. In this post, I will examine a third approach, NSEC5, and a related concept that protects client information, tokenized queries. The concepts I discuss below are topics we've studied in our long-term research program as we evaluate new technologies. more

Cryptographic Tools for Non-Existence in the Domain Name System: NSEC and NSEC3

In my previous post, I described the first broad scale deployment of cryptography in the DNS, known as the Domain Name System Security Extensions (DNSSEC). I described how a name server can enable a requester to validate the correctness of a "positive" response to a query -- when a queried domain name exists -- by adding a digital signature to the DNS response returned. more

The Domain Name System: A Cryptographer's Perspective

As one of the earliest protocols in the internet, the DNS emerged in an era in which today's global network was still an experiment. Security was not a primary consideration then, and the design of the DNS, like other parts of the internet of the day, did not have cryptography built in. Today, cryptography is part of almost every protocol, including the DNS. And from a cryptographer's perspective, as I described in my talk at last year's International Cryptographic Module Conference (ICMC20), there's so much more to the story than just encryption. more

DNS Oblivion

Technical development often comes in short, intense bursts, where a relatively stable technology becomes the subject of intense revision and evolution. The DNS is a classic example here. For many years this name resolution protocol just quietly toiled away. The protocol wasn't all that secure, and it wasn't totally reliable, but it worked well enough for the purposes we put it to. more

97% of All Global 2000 Companies at Risk from SAD DNS Attack

There is a new threat in town known as "SAD DNS" that allows attackers to redirect traffic, putting companies at risk of phishing, data breach, reputation damage, and revenue loss. What is SAD DNS? No, it isn't the domain name system (DNS) feeling moody, but an acronym for a new-found threat -- "Side-channel AttackeD DNS" discovered by researchers that could revive DNS cache poisoning attacks. more

Holiday Shoppers Beware: Tips on Protecting Brand Owners and Consumers from Domain Security Threats

With the COVID-19 pandemic persisting, online shopping will be the preferred method for the 2020 holiday shopping season. While staying home to shop is the safest option right now, it means consumers are more vulnerable to online fraud, counterfeits, and cyber crime. Increased online activity provides opportunities for unscrupulous infringers to abuse trusted brand names to drive visitors to their own fraudulent content. more

Authenticated Resolution and Adaptive Resolution: Security and Navigational Enhancements to the DNS

The Domain Name System (DNS) has become the fundamental building block for navigating from names to resources on the internet. DNS has been employed continuously ever since its introduction in 1983, by essentially every internet-connected application and device that wants to interact online. Emerging from an era where interconnection rather than information security was the primary motivation, DNS has gradually improved its security features. more

Phishing 2020: A Concentrated Dose of Badness

How much phishing is there? Where is it occurring, and why? How can it be reduced? I and my colleagues at Interisle Consulting have just published a new study called Phishing Landscape 2020, designed to answer those questions. We assembled a deep set of data from four different, respected threat intelligence providers and enriched it with additional DNS data and investigation. The result is a look at phishing attacks that occurred in May through July 2020. more

Maximizing Qname Minimization: A New Chapter in DNS Protocol Evolution

Data privacy and security experts tell us that applying the "need to know" principle enhances privacy and security, because it reduces the amount of information potentially disclosed to a service provider -- or to other parties -- to the minimum the service provider requires to perform a service. This principle is at the heart of qname minimization, a technique described in RFC 7816 that has now achieved significant adoption in the DNS. more

New CSC Research Finds Significant Lack of Redundancy for Enterprise DNS

As outlined in CSC's recent 2020 Domain Security Report: Forbes Global 2000 Companies, cybercriminals are disrupting organizations by attacking the protocol responsible for their online presence -- their domain name system (DNS). When a DNS is overwhelmed with traffic due to a distributed denial of service (DDoS) attack or configuration error, content and applications become inaccessible to users, affecting both revenue and reputation. more

News Briefs

PIR Launches New Institute to Combat DNS Abuse

DNSSEC Now Deployed in all Generic Top-Level Domains, Says ICANN

Firefox Starts the Roll Out of DNS Over HTTPS (DoH) by Default for US-Based Users

Microsoft Announces Plans to Adopt DoH in Windows

EFF: For ISPs to Retain Power to Censor the Internet, DNS Needs to Remain Leaky

Leading Domain Registries and Registrars Release Joint Document on Addressing 'DNS Abuse'

The U.S. House Judiciary Committee Is Investigating Google's Plans to Implement DNS Over HTTPS

Use of DNS Firewalls Could Have Prevented More Than $10B in Data Breach Losses Over the Past 5 Years

Unexpected Behaviour Observed With DNS Root Servers After Cryptographic Change

ICANN Makes Urgent Call for Full Deployment of Domain Name System Security Extensions (DNSSEC)

ISC Assesses DNS Flag Day

Global DNS Record Manipulation, Hijacking Campaign at Massive Scale Linked to Iran

ICANN Facing Critical Choice for Plan to Change DNS Cryptographic Key

Large-Scale Study by Security Researchers in China Sheds Light on the Scope of DNS Interception

Russia in Talks to Create Independent DNS

IBM Launches Quad9, a DNS-based Privacy and Security Service to Protect Users from Malicious Sites

ICANN Delays Plans to Change DNS Cryptographic Key, Says Near 750 Million People at Risk if Rushed

NIST Publishes Guide for DNS-Based Email Security, Draft Open for Public Comments

Sweden Makes its TLD Zone File Publicly Available

Large Volume of DNSSEC Amplification DDoS Observed, Akamai Reports

Most Viewed

Most Commented

Afilias Updates – Sponsor

Combating COVID-19 Cybercrime – What Internet Infrastructure Providers Like Afilias Are Doing

The ongoing Coronavirus pandemic has been fertile ground for scams and misinformation. Social platforms have been in the news for their efforts to protect users from such problems. What are Internet infrastructure providers like Afilias doing to keep spammers, phishers and other criminals from preying on Internet users? more

Afilias Appoints Ram Mohan as Chief Operating Officer

Afilias today announced that it has promoted Ram Mohan to the newly created position of Chief Operating Officer, responsible for most of the day-to-day operations of Afilias and its global subsidiaries. more

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

IDG's Computerworld announces Ram Mohan, Afilias' executive vice president and chief technology officer, as a 2016 Premier 100 Technology Leaders honoree. This year's Premier 100 spotlights 100 leaders of companies for their exceptional technology leadership and innovative approaches to business challenges. more

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

IONs are part of the Internet Society's Deploy360 Programme, which aims to foster the global adoption of key Internet technology standards such as IPv6, DNSSEC, and secure routing protocols. more

Being a .PRO When Choosing a Registry Services Partner

We're excited to bring a new top-level domain into the Afilias family and help grow the use of it. I also think it shows that the top-level domain business is a unique one -- and it's not one to be entered into lightly. more

Afilias Says "No" to SOPA

The Stop Online Piracy Act (SOPA) is the subject of substantial controversy in the United States, and the domain name industry is squarely in the middle of the debate. Many DNS service providers and technology developers in the industry oppose SOPA, Afilias among them. Here's why. more

Afilias Secures .GI, .MN, and .SC Domains with DNSSEC

Afilias, a global provider of Internet infrastructure services, today announced that it has enabled Domain Name System Security Extensions (DNSSEC) for .GI, the country code Top Level Domain (ccTLD) for Gibraltar, .MN for Mongolia, and .SC for the Seychelles. more

Industry Updates

Participants – Random Selection