ICANN this week called for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure.
On 15 February 2019, in response to reports of attacks against key parts of the DNS infrastructure, ICANN offered a checklist of recommended security precautions for members of the domain name industry, registries, registrars, resellers, and related others, to proactively take to protect their systems, their customers’ systems and information reachable via the DNS:
- Ensure all system security patches have been reviewed and have been applied;
- Review log files for unauthorized access to systems, especially administrator access;
- Review internal controls over administrator (“root”) access;
- Verify integrity of every DNS record, and the change history of those records;
- Enforce sufficient password complexity, especially the length of the password;
- Ensure that passwords are not shared with other users;
- Ensure that passwords are never stored or transmitted in clear text;
- Enforce regular and periodic password changes;
- Enforce a password lockout policy;
- Ensure that DNS zone records are DNSSEC signed and your DNS resolvers are performing DNSSEC validation;
- Ideally ensure multi-factor authentication is enabled to all systems, especially for administrator access; and
- Ideally ensure your email domain has a DMARC policy with SPF and/or DKIM and that you enforce such policies provided by other domains on your email system.
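The checklist item on verifying the integrity of every DNS record and its change history is the one most directly aimed at the attacks ICANN describes, where delegation records are quietly rewritten. The following Python script is an added example (not ICANN's code and not part of the advisory) of a minimal zone-integrity check: it diffs a baseline snapshot of a zone against a current snapshot and flags every changed record set, with traffic-steering types (NS, A, AAAA, MX, CNAME, DS) rated HIGH. Both snapshots are constructed sample data, and the simplified `owner TTL class type rdata` line format is an assumption made for the example rather than full zone-file syntax.

```python
"""Zone record integrity check: added example, not ICANN's code.

Compares a baseline snapshot of a zone against a current snapshot and
reports every record set that was added, removed or changed. Record types
that steer traffic or delegation (NS, A, AAAA, MX, CNAME, DS) are flagged
HIGH, because unauthorized changes to those are how users get misdirected.
Both snapshots are constructed sample data in a simplified
'owner TTL class type rdata' line format (an assumption for the example).
"""
from collections import defaultdict

# Constructed baseline: the zone as it looked at the last audited state.
BASELINE_ZONE = """\
example.test.       3600 IN NS   ns1.example.test.
example.test.       3600 IN NS   ns2.example.test.
ns1.example.test.   3600 IN A    192.0.2.10
ns2.example.test.   3600 IN A    192.0.2.11
www.example.test.   300  IN A    192.0.2.20
example.test.       3600 IN MX   10 mail.example.test.
example.test.       3600 IN TXT  "v=spf1 mx -all"
"""

# Constructed current snapshot: ns2 and www now resolve elsewhere, one TXT added.
CURRENT_ZONE = """\
example.test.       3600 IN NS   ns1.example.test.
example.test.       3600 IN NS   ns2.example.test.
ns1.example.test.   3600 IN A    192.0.2.10
ns2.example.test.   3600 IN A    198.51.100.99
www.example.test.   300  IN A    198.51.100.77
example.test.       3600 IN MX   10 mail.example.test.
example.test.       3600 IN TXT  "v=spf1 mx -all"
_acme.example.test. 60   IN TXT  "constructed-token"
"""

# Types whose modification redirects users or changes delegation.
DELEGATION_TYPES = {"NS", "A", "AAAA", "MX", "CNAME", "DS"}


def parse_zone(text):
    """Group records as {(owner, type): set(rdata)}; comments and blanks skipped."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        # Assumed fixed layout: owner TTL class type rdata (rdata may contain spaces).
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records[(owner.lower(), rtype.upper())].add(rdata.strip())
    return dict(records)


def diff_zones(baseline, current):
    """Return one finding per changed record set, delegation types marked HIGH."""
    findings = []
    for owner, rtype in sorted(set(baseline) | set(current)):
        before = baseline.get((owner, rtype), set())
        after = current.get((owner, rtype), set())
        if before == after:
            continue
        findings.append({
            "owner": owner,
            "type": rtype,
            "severity": "HIGH" if rtype in DELEGATION_TYPES else "INFO",
            "removed": before - after,
            "added": after - before,
        })
    return findings


def audit(baseline_text, current_text):
    """Parse both snapshots and diff them."""
    return diff_zones(parse_zone(baseline_text), parse_zone(current_text))


if __name__ == "__main__":
    for f in audit(BASELINE_ZONE, CURRENT_ZONE):
        print(f"[{f['severity']}] {f['owner']} {f['type']}: "
              f"removed={sorted(f['removed'])} added={sorted(f['added'])}")
```

In practice the baseline would be the last reviewed export from the registrar or authoritative server, and the current snapshot a fresh export or an AXFR; any HIGH finding that does not match an approved change ticket is exactly the unauthorized modification the advisory warns about.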
How do attacks on the DNS work?
According to ICANN, public reports indicate that there is a pattern of multifaceted attacks utilizing different methodologies. Some attacks target the DNS, in which unauthorized changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers. This particular type of attack, which targets the DNS, only works when DNSSEC is not in use. DNSSEC is a technology developed to protect against such changes by digitally ‘signing’ data to assure its validity. ICANN says that although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorized modification to DNS information can be detected, and users are blocked from being misdirected.
ICANN is calling for full deployment of DNSSEC across all domains. It aims to assure that Internet users reach their desired online destination by helping to prevent so-called “man in the middle” attacks, in which a user is unknowingly redirected to a potentially malicious site. DNSSEC complements other technologies, such as Transport Layer Security (most typically used in HTTPS), that protect the communication between the end user and the domain.
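The DNSSEC checklist item has two halves: the zone must be signed, and the resolvers users rely on must validate the signatures. Both can be checked from the output of a `dig +dnssec` query: RRSIG records in the answer show the zone is signed, and the `ad` (Authenticated Data) flag shows the resolver validated the chain. The following Python script is an added example (not ICANN's code) that parses such output and classifies the result; the four `dig` outputs below are constructed samples, not captured from a real query, and the RRSIG data in them is a placeholder.

```python
"""Classify DNSSEC signing and validation state from dig output: added example.

Input is the text of `dig +dnssec <name> <type>`. The verdicts are:
  signed-and-validated             RRSIG present and 'ad' flag set
  signed-resolver-not-validating   RRSIG present, no 'ad' flag (resolver is not validating)
  unsigned                         no RRSIG in the answer
  servfail-possible-validation-failure
                                   status SERVFAIL; a validating resolver returns this
                                   for a broken chain, so retry with +cd to distinguish
All sample outputs are constructed, and the signature blob is a placeholder.
"""
import re

SIGNED_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.test.\t300\tIN\tA\t192.0.2.20
www.example.test.\t300\tIN\tRRSIG\tA 13 3 300 20190301000000 20190215000000 4321 example.test. cGxhY2Vob2xkZXItc2lnbmF0dXJl
"""

SIGNED_NOT_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.test.\t300\tIN\tA\t192.0.2.20
www.example.test.\t300\tIN\tRRSIG\tA 13 3 300 20190301000000 20190215000000 4321 example.test. cGxhY2Vob2xkZXItc2lnbmF0dXJl
"""

UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.test.\t300\tIN\tA\t192.0.2.20
"""

SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
# An answer line whose type column is RRSIG: owner, TTL, class, RRSIG.
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s", re.MULTILINE)


def dnssec_status(dig_output):
    """Return the parsed flags, status, and a verdict for the query result."""
    flags_match = FLAGS_RE.search(dig_output)
    flags = set(flags_match.group(1).split()) if flags_match else set()
    status_match = STATUS_RE.search(dig_output)
    status = status_match.group(1) if status_match else "UNKNOWN"
    signed = bool(RRSIG_RE.search(dig_output))
    validated = "ad" in flags

    if status == "SERVFAIL":
        verdict = "servfail-possible-validation-failure"
    elif signed and validated:
        verdict = "signed-and-validated"
    elif signed:
        verdict = "signed-resolver-not-validating"
    else:
        verdict = "unsigned"
    return {"status": status, "flags": sorted(flags), "signed": signed,
            "validated": validated, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in [("signed+ad", SIGNED_VALIDATED),
                          ("signed, no ad", SIGNED_NOT_VALIDATED),
                          ("unsigned", UNSIGNED), ("servfail", SERVFAIL)]:
        print(f"{label:14s} -> {dnssec_status(sample)['verdict']}")
```

The `ad` flag is only meaningful when the query was sent to a trusted, validating resolver over a trusted path; a stub resolver should not believe an `ad` bit returned by an arbitrary upstream, which is why running validation locally (or on resolvers you control) is the stronger option.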