{"id":9127,"date":"2020-09-15T08:39:50","date_gmt":"2020-09-15T12:39:50","guid":{"rendered":"https:\/\/www.cscdbs.com\/blog\/?p=9127"},"modified":"2021-11-09T14:26:30","modified_gmt":"2021-11-09T19:26:30","slug":"dns-vulnerabilities-and-threat-mitigations","status":"publish","type":"post","link":"https:\/\/www.cscdbs.com\/blog\/dns-vulnerabilities-and-threat-mitigations\/","title":{"rendered":"The DNS Ecosystem, Its Vulnerabilities, and Threat Mitigations"},"content":{"rendered":"\n
By Letitia Thian, Marketing manager APAC<\/i> Share this post <\/strong>\n<\/a>\n<\/a>\n<\/a>\n\n\n\n

David Conrad, CTO of <\/em>The Internet Corporation for Assigned Names and Numbers (ICANN), recently presented a keynote during a webinar we collaborated on with other internet organizations. Below is a summary of his explanation of the domain name system (DNS) ecosystem, its vulnerabilities, and threat mitigations.<\/em><\/p>\n\n\n\n

The internet as we know it largely depends on DNS. It is akin to the telephone book of the internet, translating domain names into IP address, so users can easily look for websites with names instead of a string of numbers. The DNS isn\u2019t a single entity, and comprises the protocol, namespace, and service; its ecosystem extends to include software, provisioning, and others.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The DNS protocol, invented in 1983, was intended to be lightweight with a simple query response behavior. To allow the DNS to scale, it was designed with a tree-like structure; each branch and level of domains, such as top-level domains, can be independently administered. With an expanding structure and multiple segments in the DNS ecosystem\u2014software, registries, network operators, hosting providers and more\u2014the DNS\u2019 complexity adds to the challenge in security.<\/p>\n\n\n\n

David shared that \u201cthe DNS is a critical component of the internet, and the DNS ecosystem is large, complex, and has myriad players of varying levels of competence, resulting in a (very) large attack surface.\u201d<\/strong><\/p>\n\n\n\n

When the DNS was first developed and defined, with no protection against data corruption, security wasn\u2019t a focus. Below are some of the DNS ecosystem vulnerabilities and their mitigations.<\/p>\n\n\n\n

<\/tr><\/tr>
Attacks on the<\/td>Type of attack<\/td>Mitigation<\/td><\/tr>

DNS protocol<\/strong><\/td>		DNS cache poisoning

Privacy compromise<\/td>		DNS security extensions (DNSSEC)

DNS-over-HTTPS and DNS-over-TLS digital certificates<\/td><\/tr>

DNS namespace<\/strong><\/td>		Homogylphs (\u04abscdbs.com) and typosquatting (cssdbs.com)<\/td>Interfaces that make international domain names (IDNs) and unsecured sites more apparent, and end-user vigilance<\/td><\/tr>

DNS service<\/strong><\/td>		DNS hijacking

Distributed denial of services (DDoS)<\/td>		DNSSEC

DDoS mitigation services<\/td><\/tr>
Registrar or registrant<\/strong><\/td>Account breached to modify domain data<\/td>Registry and registrar lock<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

We have seen recent incidences compromising the DNS on various fronts:<\/strong><\/p>\n\n\n\n