Q&A: DNS inventor Paul Mockapetris
Four months after serious flaws in the internet’s addressing system were proven, its inventor is looking beyond the threats to help bolster web security.


Security people have to realise that if the design mechanisms for DNS are upgraded, the networks will have to do a series of upgrades to keep up. I'm actually speaking at an ENISA workshop in Brussels this week. And while they're an agency for a political organisation, in reality they share the fact that, while it's possible to share the art of securing internet applications, to deploy them is far from easy.
It's not easy to integrate all these new technologies with all applications. And it's not easy to get that integration to the point where it can be made seamless. In my presentation, I advocate 'tough love' for DNSSEC, where we can't just proclaim success over Kaminsky's DNS flaw, go away and rest on our laurels. But, instead, we must work on interfacing those patches to every application and migrating to IPv6.
How big a challenge do you feel the tough implementation and integration times ahead will be?
Half of all DNS systems haven't been upgraded, and that's including all levels of security, whether through 32-bit, 64-bit, cryptographic or other means, leaving the threat of potentially turning whole sections of systems off if they are attacked. There is an issue with who signs the root too.
There's also a one in 65,000 chance of attack in an unpatched server. This rises to one in four billion in those that have been patched. But attack vectors move very quickly. Our strategy has been to slow down those attacks and to check to understand if an attack is genuine or just a misunderstanding.
Another thing to bear in mind is, if your websites and applications are high value domain targets for spoofers, you can be much more suspicious when allowing them to be updated. You can also only allow certain users to audit changes to a specific domain.
At Nominum, we have more data certified and signed for use for more applications than not. Our users are more comfortable using our DNS database, knowing it's been digitally signed and secured. This has important potential use in the example of the leery implications around VoIP [voice over IP] browsing because of DNS attacks. But digital signature technologies in place can help scale the quality of service. And with the right level of internet security there's a lot more you can do with other such open-ended tools.
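The "one in 65,000" versus "one in four billion" odds quoted in the answer above come from the size of the space a forged DNS reply has to match: only the 16-bit transaction ID on an unpatched resolver, or the transaction ID combined with a randomised 16-bit UDP source port on a patched one. The model below is an added example, not code from the interview or from Nominum. It assumes, for simplicity, that a patched resolver draws its source port from the full 16-bit range and that the attacker can fire a fixed number of distinct guesses before the genuine reply arrives; the Kaminsky twist it reproduces is that a lost race costs nothing, because the attacker simply queries a fresh throwaway sibling name and races again.

```python
"""Kaminsky-style forgery race: TXID-only versus TXID plus source-port randomisation.

Constructed model for illustration; not the interview's or Nominum's code.
"""
import random

TXID_BITS = 16   # the DNS message ID is a 16-bit field (RFC 1035)
PORT_BITS = 16   # assumption: a patched resolver uses the full 16-bit UDP port range


def guess_space(randomise_port: bool) -> int:
    """Number of equally likely values a forged reply must match.

    Unpatched: only the 16-bit TXID (the source port is fixed and predictable).
    Patched:   TXID and a random source port, which multiply together.
    """
    bits = TXID_BITS + (PORT_BITS if randomise_port else 0)
    return 1 << bits


def race_success_probability(forged_packets: int, randomise_port: bool) -> float:
    """Chance that a single race, in which the attacker sends `forged_packets`
    distinct guesses before the genuine reply lands, plants a bogus record."""
    n = guess_space(randomise_port)
    return min(forged_packets, n) / n


def run_race(forged_packets: int, randomise_port: bool, rng: random.Random) -> bool:
    """Simulate one race for one throwaway name (e.g. 1234.example.com).

    The resolver picks its TXID (and port); the attacker, who cannot see the
    outbound query, sprays `forged_packets` distinct guesses. True on a hit.
    """
    n = guess_space(randomise_port)
    in_flight = rng.randrange(n)                        # the real (TXID, port) pair
    guesses = set(rng.sample(range(n), forged_packets))  # attacker's distinct forgeries
    return in_flight in guesses


def races_until_poisoned(forged_packets: int, randomise_port: bool,
                         max_races: int, seed: int = 1):
    """Count races until the first win. A lost race is free: the attacker asks
    for a new random sibling name and tries again. None if `max_races` all fail."""
    rng = random.Random(seed)
    for race in range(1, max_races + 1):
        if run_race(forged_packets, randomise_port, rng):
            return race
    return None


if __name__ == "__main__":
    for patched in (False, True):
        label = "TXID + random port" if patched else "TXID only"
        print(f"{label:19s} guess space = {guess_space(patched):>13,d}  "
              f"P(win one race, 100 forgeries) = "
              f"{race_success_probability(100, patched):.2e}")
    print("races until poisoned, unpatched:", races_until_poisoned(100, False, 10000))
    print("races until poisoned, patched:  ", races_until_poisoned(100, True, 10000))
```

With 100 forgeries per race the unpatched resolver typically falls within a few hundred races, while the patched one survives all 10,000 in the simulation. The model also shows why the patch is mitigation rather than a fix: the attacker's odds only shrink, which is the argument for DNSSEC that the interview goes on to make.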
A 25-year veteran enterprise technology expert, Miya Knights applies her deep understanding of technology gained through her journalism career to both her role as a consultant and as director at Retail Technology Magazine, which she helped shape over the past 17 years. Miya was educated at Oxford University, earning a master’s degree in English.
Her role as a journalist has seen her write for many of the leading technology publishers in the UK such as ITPro, TechWeekEurope, CIO UK, Computer Weekly, and also a number of national newspapers including The Times, Independent, and Financial Times.