Last month we examined the DNSSEC rollover and what it meant. What wasn’t covered was whether or not DNSSEC actually helps defend against modern hacker threats. This second article will address that question by examining what DNSSEC defends against and some of the things it doesn’t.
Over 20 years ago, Bruce Schneier introduced the model of “protection, detection, and response” to computer security professionals as a useful way of analyzing network security protections. Most security controls or products address protection, detection, or response. Just as in home protection, the vast majority of effort in cybersecurity today is spent doing “protection” or prevention. If bad things happen when black hat hackers access the network, then let’s work on protecting or preventing that. DNSSEC falls into that category. It attempts to thwart a specific attack called DNS spoofing, which can occur because the original Domain Name Service (DNS) protocol is a clear text protocol and is vulnerable to interception and fraudulent responses. By design, DNS queries (for instance, “What the IP address of cnn.com?”) are sent in the clear, not encrypted, to the default gateway (or router). A network-based attacker can observe the DNS request and then send a fraudulent reply, which would send the network user (or application) to a site of the attacker’s choosing. What kind of site? Fake login sites are popular today, but it could just as easily be a site that offers fake software updates containing malware. In normal DNS, there’s no easy way to tell a bogus DNS request from the real one.
DNSSEC addresses the problem of DNS spoofing by digitally signing DNS answer so that they can be cryptographically verified. However, as with all forms of cryptography, the devil is in the details. What happens when the legitimate DNS servers are fooled and give out incorrect answers? In such a situation, a client still gets an incorrect DNS answer even though it has been digitally signed. Or consider the issue of verifying a digitally-signed DNS answer. It’s very likely that applications like Internet of Things (IOT) devices may not have the ability to verify DNS answers correctly or even attempt to. Drawbacks like these may cause organizations struggling to keep up with security patches and bad user behavior to consider DNSSEC to much work for too little benefit. To think back to Scheier’s model, DNSSEC does some to protect against some attacks, very little in the detection realm, and nothing for response.
To dump even more cold water on DNSSEC, many security experts question whether DNS spoofing is even the most pressing cybersecurity issue facing organizations, who lack unlimited cybersecurity manpower and money. Phishing attacks, which hit most organizations every single day, are virtually unscathed by DNSSEC. And, unfortunately, most users are happy to visit fake login sites and send their credentials to attackers even without them needing to spoof DNS answers.
So why all the talk about DNSSEC? Like most cybersecurity protections, DNSSEC seeks to chip away at the overall problem of hacking and fraud. Rather than rejecting DNSSEC on the grounds that it’s imperfect, organizations wanting to improve their cybersecurity protections need to prioritize their limited resources to make the biggest improvements first. DNSSEC, or an improved version of it, will become standard over the long term. Major cloud providers are adopting DNSSEC, which will help, but not solve the problem of hacking and fraud.
By Terry Bradley, Vice President at PLEX