Is Your DNS Vulnerable?
By Fran Howarth, Partner
Around 20 years ago, the Internet was used only by a privileged few and the rest of us were still pushing paper around. Ironically, the Internet itself was, to some extent, paper-based. To find an address for an Internet site, people had to phone a person who maintained a paper-based directory of Internet addresses to find the relevant number, such as 126.96.36.199, which referenced the correct Internet point and particular host server.
Internet address numbers are extremely hard to remember and, had a new system not been devised, the Internet would not be usable in the way that we know it today. The answer was the development of the domain name system (DNS). A domain name is the clear-language locator that directs a user to a particular Internet site. With DNS, an Internet user can more easily find a site, for example by only having to remember "Hurwitz" and the .com suffix that is used mainly for such commercial sites, rather than having to remember the IP address 188.8.131.52. This "readable" version of the Internet address is really the invention that made the Internet take off.
Because of the size of the Internet today, there are millions of records of which domain names correspond to which Internet protocol (IP) addresses, and maintaining a central database is impractical. Therefore, lists of domain names and corresponding IP addresses are distributed throughout the Internet as a hierarchy of authority, making it the world's largest distributed database.
Because DNS is responsible for routing through the Internet, it is critical. But DNS is also one of the greatest potential single points of failure, and one that is often overlooked. DNS management is never a big item in companies' security budgets, as the system just keeps ticking and well-publicised attacks have been rare. But if the DNS system fails, a company's Internet presence is lost, potentially leading to lost revenue.
Ensuring that DNS servers are not vulnerable requires that the right level of access control be put in place, so that no one can insert erroneous data into a DNS record and so that outsiders cannot attack the system. One of the most common pieces of software used for commercial DNS systems is BIND, which is open source freeware that is essentially five years old. Although changes have been made to the software, it is still known to contain vulnerabilities. Since it is open source, people are able to make contributions to the software code, meaning that there is no effective control for fixing errors or for ensuring that no backdoors have been left in the software. According to the FBI, BIND is the most vulnerable piece of software being used on Unix systems today.
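As an added illustration (not from the article, UltraDNS or the BIND project) of the access control the paragraph calls for, the BIND named.conf fragments below contrast a loosely configured authoritative zone with a hardened one; the zone name, file paths, secondary address and TSIG secret are placeholders, and the two variants are alternatives, not one file.

```conf
// Added illustration, not the article's own material. Zone name, paths,
// the secondary's address and the key secret are placeholders.

// --- Weak: anyone on the Internet can push dynamic updates into the zone,
// pull a full copy of it, and use this authoritative server as an open
// recursive resolver.
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-transfer { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { any; };             // unauthenticated writes to zone data
};

// --- Hardened: authoritative-only; updates disabled, transfers limited to
// one secondary authenticated with a TSIG key, software version hidden.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder; generate per deployment
};

options {
    directory "/var/named";
    recursion no;                      // answer only for zones we are authoritative for
    allow-query { any; };
    allow-transfer { none; };          // global default; opened per zone below
    version "not disclosed";           // do not advertise the BIND release in CHAOS queries
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { none; };            // no dynamic updates; edit the zone file and reload
    allow-transfer { key xfer-key; };  // only the TSIG-authenticated secondary may copy the zone
    also-notify { 192.0.2.53; };       // RFC 5737 documentation address standing in for the secondary
};
```

Check the result with named-checkconf and named-checkzone before reloading, and confirm from an outside host that an AXFR request for the zone is refused.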
If such vulnerabilities are exploited, a company's reputation could be severely damaged. For example, loading a single web page usually requires between five and ten DNS lookups. If the information in one DNS record has been altered, an Internet user could be directed to a different page or even a spoofed website. Publicized attacks include an online store in Sweden that had traffic to its site redirected to a porn site. But the damage can go beyond a company's reputation: DNS attacks can be used to phish for consumer details, leaving users open to identity theft.
The Perils of Pharming
Exploiting vulnerabilities in DNS server software has become so popular that it has its own name. Extending the phenomenon of phishing to the acquisition of a site's domain name and exploiting its use (by redirecting its traffic to a bogus site, for example) has garnered the name pharming.
Although such attacks receive little publicity, commercial organisations are beginning to wake up to the security vulnerabilities surrounding identity theft, and phishing and pharming attacks continue to make headline news. However, few realise the extent to which DNS is part of the problem. To date, attacks have been fairly small scale, but if a global denial of service attack were to be launched against the root DNS servers, large parts of the world economy could be affected.
Quietly Protecting Millions
One company that has quietly been building out offerings to boost DNS security is UltraDNS. For about UltraDNS has offered managed DNS services over a network of servers located around the world. For the efficient handling that is required for fast DNS lookups, traffic is routed to the server closest to the request automatically, allowing service to be fulfilled in less than a millisecond across any of the 15 million domains that it is powering.
However, in October 2005 UltraDNS launched its new DNS Shield service in conjunction with leading Internet and network service providers including AOL, Yahoo!, Verio and Earthlink, expanding its security offerings to millions of Internet domains worldwide and providing a protected environment within each network for DNS resolution. DNS Shield offers security through obscurity: you can't attack something if you don't know that it is there. Each partner implementing DNS Shield places an authoritative server within the heart of its network. All traffic on each network, be it for a high-level domain such as .org, an organisation such as Amazon.com, or a service provider such as AOL, is then routed through the authoritative DNS server for a DNS lookup. These private networks are then connected to UltraDNS' global network of authoritative DNS servers.
UltraDNS claims more than 7,500 customers and has more than 15 million Internet domains under its management, representing more than 20% of global DNS. It also claims to be the largest outsourced DNS service provider for Fortune 1000 companies, including flagship customers such as Amazon.com, Forbes and Oracle Corporation, as well as high-level domains such as .org and .uk. UltraDNS can hardly be accused of singing its own praises; rather, it would be more accurate to accuse it of hiding its light under a bushel. According to chairman and CTO Rodney Joffe, this is because it was critical that UltraDNS kept quiet about what it was doing until it had enough infrastructure in place so that the net was protected before the "bad guys" figured out what they were doing.
But word is out. Since DNS Shield was launched in October 2005, it has received widespread press coverage. And it came to the attention of Neustar, a provider of communications services to the global communications and Internet industry, including services such as physically delivering communications destined for any telephone number. In April 2006, UltraDNS announced that it had entered into a definitive merger agreement to be acquired by Neustar.
The newly merged company will be in a strong position to cash in on growing interest in its own core markets. In addition, the two hope to combine their expertise to tackle newly emerging markets, including voice over Internet protocol (VoIP) technologies, as well as fax, video and other telecommunication services increasingly carried over IP networks. Because VoIP communications travel over IP networks, traffic is directed using IP addresses, and hence such communications rely on DNS. This traffic is also increasingly relying on ENUM, which uses IP-based technologies to match public switched telephone network (PSTN) phone numbers with domain names in the DNS. Over the next few years, all telecommunications companies are expected to replace their PSTN networks with next-generation networks based on IP. Such developments play into the hands of both of the companies involved in this merger.
Hurwitz & Associates is grateful that UltraDNS has taken the initiative to thwart DNS attacks and looks for good things to come from the Neustar merger.