Qname minimzation blog header image

Maximizing Qname Minimization: A New Chapter in DNS Protocol Evolution

Data privacy and security experts tell us that applying the “need to know” principle enhances privacy and security, because it reduces the amount of information potentially disclosed to a service provider — or to other parties — to the minimum the service provider requires to perform a service.  This principle is at the heart of qname minimization, a technique described in RFC 7816 that has now achieved significant adoption in the DNS.

(more…)
Search Bar

Chromium’s Impact on Root DNS Traffic

This article originally appeared Aug. 21, 2020 on the APNIC blog.

Introduction

Chromium is an open-source software project that forms the foundation for Google’s Chrome web browser, as well as a number of other browser products, including Microsoft Edge, Opera, Amazon Silk, and Brave. Since Chrome’s introduction in 2008, Chromium-based browsers have steadily risen in popularity and today comprise approximately 70% of the market share.1

(more…)

DNS: An Essential Component of Cloud Computing

The evolution of the internet is anchored in the phenomenon of new technologies replacing their older counterparts. But technology evolution can be just as much about building upon what is already in place, as it is about tearing down past innovations. Indeed, the emergence of cloud computing has been powered by extending an unlikely underlying component: the more than 30-year-old global Domain Name System (DNS).

The DNS has offered a level of utility and resiliency that has been virtually unmatched in its 30-plus years of existence. Not only is this resiliency important for the internet as a whole, it is particularly important for cloud computing. In addition to the DNS’s resiliency, cloud computing relies heavily on DNS capabilities such as naming schemes and lookup mechanisms for its flexibility, usability and functionality.

(more…)

Combatting Illegal Online Opioid Sales in the COVID-19 Era

U.S. News & World Report’s June 23 article, “The Hidden Deaths of COVID-19”, details how the current novel coronavirus pandemic could cause a spike in opioid overdoses, by denying those most at risk access to support meetings or urgent medical care. It underscores that, even as we focus on mitigating this current pandemic, we cannot let up on efforts to combat the ongoing epidemic of opioid misuse and overdose.

(more…)

Verisign Expands MANRS Relationship to Strengthen Global Routing Security

Verisign has been involved with an initiative known as Mutually Agreed Norms for Routing Security, or MANRS, since its inception. MANRS, which is coordinated by the Internet Society, focuses on strengthening the security and resiliency of IP networks throughout the world by identifying and providing best practices for mitigating common routing security threats.

MANRS began as a collaboration among network operators and internet exchange providers, with Verisign formally becoming a participant in its Network Operator Program in 2017. Since then, with the help of Verisign and other MANRS participants, the initiative has grown to also include content delivery networks (CDN) and cloud providers.

(more…)

Recognizing Lessons Learned From the First DNSSEC Key Rollover, a Year Later

A year ago, under the leadership of the Internet Corporation for Assigned Names and Numbers (ICANN), the internet naming community completed the first-ever rollover of the cryptographic key that plays a critical role in securing internet traffic worldwide. The ultimate success of that endeavor was due in large part to outreach efforts by ICANN and Verisign which, when coupled with the tireless efforts of the global internet measurement community, ensured that this significant event did not disrupt internet name resolution functions for billions of end users.  

(more…)

Unexpected Effects of the 2018 Root Zone KSK Rollover

March 22, 2019 saw the completion of the final important step in the Key Signing Key (KSK) rollover – a process which began about a year and half ago. What may be less well known is that post rollover, and until just a couple days ago, Verisign was receiving a dramatically increasing number of root DNSKEY queries, to the tune of 75 times higher than previously observed, and accounting for ~7 percent of all transactions at the root servers we operate.

(more…)

Revisiting How Registrants Can Reduce the Threat of Domain Hijacking

Recent events1,2 have shown the threat of domain hijacking is very real; however, it is also largely preventable. As Verisign previously noted3, there are many security controls that registrants can utilize to help strengthen their security posture. Verisign would like to reiterate this advice within the context of the recent domain hijacking reports.

Domains are an important element of internet infrastructure; their functionality and security rely upon many factors such as their delegated name servers. Name server delegations introduce complex and subtle inter-dependencies between domains and their authoritative name servers. Compromise of any name server in the delegation hierarchy can lead to a potential hijacking scenario. Targeted name server compromises in the delegation hierarchy can facilitate a complete hijack of a domain or set of domains, while name server compromises deeper in the delegation hierarchy may result in partial hijacking, since not all name servers in the hierarchy are involved in every DNS resolution request. A compromised name server is capable of diverting DNS requests to malicious servers controlled by threat actors and can be weaponized for phishing attacks or other nefarious purposes.

Over the past several weeks, security professionals have issued reports1, 2 about the hijacking of various domains via their name server delegations. These changes were likely made using compromised registrar credentials and are believed to be backed by a foreign nation state entity1, 2. During the attacks, the threat actors used the traffic directed to their infrastructure to launch spear phishing campaigns against various government entities in northern Africa and the Middle East. These targeted spear phishing attempts were facilitated by the transitive trust4 placed on the compromised domains and their delegated name servers.

Several of the compromised domains contained hosts that were specified as name servers for numerous top-level domains (TLDs) including country code TLDs5 in the northern African and Middle East regions. Subsequently, DNS traffic resolution for corresponding reliant zones were partially/completely routed to the threat actors’ infrastructure. This redirection of DNS traffic facilitated their ability to target specific government and industry entities in the targeted countries. While the domains did not employ a domain locking tool, some were DNSSEC6 signed, which helped mitigate the attack for resolving parties that perform validation.

As part of the response to this incident, the Department of Homeland Security issued Emergency Directive 19-017 requiring federal civilian agencies to address the risks presented by this activity. The order mandated four actions to be taken: 1) Audit DNS records, 2) Change DNS account passwords, 3) Add multi-factor authentication to DNS accounts and 4) Monitor Certificate Transparency logs.

Verisign is engaged with various industry and government entities regarding this incident and has provided technical insights into the DNS ecosystem regarding the complex mechanisms and system-to-system interactions/dependencies involved. To date, there is no evidence that the scope of compromise extends beyond the sets of credentials at various registrars.

Verisign encourages registrants to research their registrar’s security offerings and to take advantage of the tools and services they offer. Techniques such as locking services offered by registrars and registries8, two-factor authentication, password strengthening, and other common security hygiene practices9 are all best practice security recommendations that Verisign encourages and promotes.

Additional security recommendations are available in the following ICANN SSAC reports:

  • SAC04010: “Measures to Protect Domain Name Registration Service Against Exploitation or Misuse”
  • SAC04411: “A Registrant’s Guide to Protecting Domain Name Registration Accounts”
  • SAC07412: “Best Practices for Preserving Security and Stability in the Credential Management Lifecycle”

1 https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

2 https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/

3http://www.circleid.com/posts/20130722_how_registrants_can_reduce_the_threat_of_domain_hijacking/ 

4https://www.usenix.org/legacy/events/imc05/tech/full_papers/ramasubramanian/ramasubramanian_html/dns.html

5 https://www.internic.net/domain/root.zone

6 https://www.verisign.com/en_US/domain-names/dnssec/how-dnssec-works/index.xhtml

7 https://cyber.dhs.gov/ed/19-01/

8 https://www.verisign.com/en_US/channel-resources/domain-registry-products/registry-lock/index.xhtml

9https://www.markmonitor.com/download/checklist/MarkMonitor_Domain_Security_Best_Practices.pdf

10 https://www.icann.org/en/system/files/files/sac-040-en.pdf

11 https://www.icann.org/en/system/files/files/sac-044-en.pdf

12 https://www.icann.org/en/system/files/files/sac-074-en.pdf

Operational Update Regarding the KSK Rollover for Administrators of Recursive Name Servers

Currently scheduled for October 11, 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) plans to change the cryptographic key that helps to secure the internet’s Domain Name System (DNS) by performing a Root Zone Domain Name System Security Extensions (DNSSEC) key signing key (KSK) rollover.

(more…)

DNS-Based Threats: Cache Poisoning

The Domain Name System (DNS) is the cornerstone of communication for the internet. Navigating to the sites you access every day often starts with a DNS request. Cybercriminals recognize the value of DNS and may look for ways to abuse improperly secured DNS to compromise its uptime, integrity or overall response efficacy—which makes DNS an important area for enforcing security and protecting against threats.

One such threat: cache poisoning. (more…)