19 Jun 2006
IT Week: As vice-president of marketing for Domain Name System [DNS] server specialist Nominum, can you describe the security threats in this field?
Albert Gouyet: Network naming and addressing is now being used as the vector in new types of attacks. Because it’s not given [a high] level of attention, [roughly] every quarter we find that people are discovering new vulnerabilities that are exploited. This has the potential to reduce people’s trust in the internet and domain names.
How will this affect firms?
It’s a worry for governments and for enterprises too because their visible web presence will be affected. And as new telephony devices will need IP addresses, everyone should be looking to the network infrastructure – the DNS and DHCP layers. However, there is still a general lack of attention paid to the DNS. [Firms] don’t spend enough time reviewing it like they do auditing the network security layer. The danger is we’ll take it for granted because we don’t look at what needs to be upgraded.
What could be done to protect companies against these threats?
DNSsec is an extension to the DNS that allows companies to cryptographically sign their DNS records. It is a way of guaranteeing [the authenticity] of IP addresses: that the one you see is the right one and not a phishing site.
How is it implemented?
It requires an upgrade to the DNS servers because they need to work harder as it requires an extra layer of cryptography on top of the normal processes, and the records are much bigger because of the signatures. It will be adopted incrementally. The Swedish government is [implementing] it for its .se domain and the US is looking at it also. We’re hearing indirectly that significant [moves could be made] on this front before the end of the year. But security is driven by the likelihood of being attacked, or the visibility [of attacks]. When we look at the market all the early signs are that awareness is getting to a tipping point.
What are the potential barriers to DNSsec adoption?
In order for DNSsec to work it takes multiple levels [of co-operation]. You must have people sign their domain names, and DNS service providers must upgrade their servers to recognise when the signatures are there and when they are not, so if a domain name comes through that should have a signature attached but doesn’t [it is recognised as a fake].
What is the probability of a major DNS attack?
We saw the first industrial-strength pharming attacks on the DNS [although we were] lucky it wasn’t the big one, because on that occasion users looking for sites like Yahoo’s were only redirected to other sites with advertising on them. We’ll either see a bigger attack [forcing organisations to take action] or a gradual proactive approach [to DNS security]. A lot of large enterprises actually provide their own DNS services because they run networks that almost look like ISP networks, so they must consider their best practices. This layer in the network shouldn’t be forgotten.