One integral part of using the Internet is the Domain Name System (DNS). Every website or connected device is identified by an IP address, a string of numbers like 188.8.131.52. Since this is not the easiest thing for people to remember, DNS translates between IP addresses and human-friendly names like “moregold.com”. When you enter such a name into a browser address bar, DNS matches it to the proper IP address to make the connection. Originally, DNS security was not an issue, but times change.
DNS Security Issues
When the Internet was opened up to commercial and public use, cybercrime followed. DNS was not immune to these malicious attacks. One favorite tactic is cache poisoning. This involves distributing false data to DNS caching resolvers. Disguised as coming from an authoritative server, the false data pollutes the DNS cache with invalid information. This results in not only failed address resolutions but also longer time-to-live intervals. Since DNS responses were not usually encrypted, they could be exploited. Cyber criminals became adept at redirecting legitimate requests to computers set up by the hackers themselves. Once you’re connected to a hacker’s server, they can compromise your computer to steal data or do further damage.
Often domain names are spoofed to exploit unwary users, usually as part of phishing attacks. These usually take the form of links to apparently legitimate sites that are actually set up to emulate the real thing and steal information. For example, a link with the domain name “mybank/services.com” may sound legit but leads to a different IP address from the correct “mybank.com/services/”. The average Canadian user won’t realize they’re being misled. Certain characters, like the lowercase letter “l” and the numeral one “1”, look similar and also provide an opportunity to deceive users.
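A defensive check for the look-alike links described above, as an added example that is not part of the original article: it extracts the host a link really points at and compares it with a list of trusted domains. The TRUSTED list, the CONFUSABLE character map and the function names are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains the organisation really uses (names taken from the article).
TRUSTED = ("mybank.com", "moregold.com")

# Constructed, deliberately small map of look-alike characters ("1" vs "l", "0" vs "o").
CONFUSABLE = str.maketrans({"1": "l", "0": "o"})


def link_host(url):
    """Return the lower-cased host a link really points at ('' if there is none)."""
    if "//" not in url:
        url = "//" + url  # urlsplit only recognises a host that follows '//'
    return (urlsplit(url).hostname or "").rstrip(".")


def skeleton(name):
    """Collapse look-alike characters so visually similar names compare equal."""
    return name.translate(CONFUSABLE)


def classify(url):
    """Classify a link as trusted, lookalike, brand-elsewhere, unknown or no-host."""
    host = link_host(url)
    if not host:
        return "no-host"
    # 1. Exact trusted domain, or a subdomain of one.
    for domain in TRUSTED:
        if host == domain or host.endswith("." + domain):
            return "trusted"
    sk = skeleton(host)
    # 2. Different characters, same appearance as a trusted domain.
    for domain in TRUSTED:
        if sk == skeleton(domain) or sk.endswith("." + skeleton(domain)):
            return "lookalike"
    # 3. The trusted name shows up, but the host is not that domain.
    for domain in TRUSTED:
        if skeleton(domain.split(".")[0]) in sk:
            return "brand-elsewhere"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the two from the article.
    for link in ("https://mybank.com/services/", "http://mybank/services.com",
                 "https://morego1d.com/", "https://example.org/"):
        print(f"{link:32} host={link_host(link):14} -> {classify(link)}")
```

For the article's spoofed link, the host is just "mybank"; "services.com" is part of the path, which is why the link never reaches "mybank.com".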
The Domain Name System Security Extensions (DNSSEC) were created to modify DNS by supporting cryptographic signing to verify responses. Newer options being proposed include DNSCurve or TSIG. TSIG adds support for encrypted authentication between trusted computers, and is used to authorize dynamic updates or DNS zone transfers between Canada and other regions. Other DNS security techniques, like forward-confirmed reverse DNS, can be used to validate domain names.