ICANN demands DNSSEC combats DNS hijacking

The Domain Name System (DNS), without which the web would be a mass of network numbers with no friendly server names such as example.net or nakedsecurity.sophos.com, is under threat from cyberattackers and domain overseer ICANN wants internet companies to do something about it.

That was the message in last week’s worried press release from ICANN (Internet Corporation for Assigned Names and Numbers).

This message comes hot on the heels of similarly alarming warnings from the US Department of Homeland Security (DHS), alarmed by recent series of DNS attacks. The attacks try to take over email and web domains, diverting traffic to imposter servers.

The solution, according to ICANN, is for companies providing DNS infrastructure to get on with implementing a DNS security layer called DNSSEC (Domain Name System Security Extensions) as soon as possible:

ICANN is calling for full deployment of the DNSSEC across all unsecured domain names.

Nearly 20 years after DNSSEC was first proposed, it remains a work in very slow progress that too many internet companies have chosen to ignore.

According to the APNIC registry, only around 20 per cent of the world’s DNS resolvers show any signs of using it.

Now, finally, there seems to be some urgency.

In November, Cisco Talos wrote about a large-scale cyber-campaign targeting Lebanon and the UAE at the centre of which was a DNS hijacking campaign traffic sophisticated enough not only to redirect traffic but to compromise SSL certificates and VPN tunnels.

Since then, similar campaigns have been documented by others which point to the successful compromise of the DNS infrastructure of dozens of organisations in at least 11 countries, including Sweden and the US.

Using DNSSEC, name lookups and updates are verified by cryptographic signatures, which makes the otherwise-simple DNS protocol more complex and time-consuming.

The added complexity in managing the public key infrastructure (PKI) needed to make DNNSEC work means higher costs that ISPs would rather do without for a system that might not add much security initially.

On the other hand, going through the long and difficult manual checks ICANN and others now recommend for DNS security in the absence of DNSSEC might be even worse.

What to do?

Whether you’re using DNSSEC or not, we’ll repeat the security advice issued in a recent US Department of Homeland Security emergency directive:

  • Verify that all important domains are resolving to the correct IP address and haven’t been tampered with.
  • Change passwords on all accounts used to manage domain records.
  • Turn on multi-factor authentication to protect admin accounts.
  • Monitor Certificate Transparency (CT) logs for newly issued TLS certificates that might have been issued by a malicious actor.


[The section on DNS hijacking and what to do about it starts at 3’57”]

(Audio player not working? Download the MP3, listen on Soundcloud, or get it from iTunes.)