Back in January, the Cybersecurity and Infrastructure Security Agency, a division of Homeland Security, issued its first emergency directive requiring federal civilian agencies to secure themselves against a global hacking campaign targeting the Domain Name System (DNS) that security firm FireEye claims with “moderate confidence” was sponsored by the Iranian government.
Security firm Farsight has alleged that DNS vulnerabilities played a role in the infamous Democratic National Committee email hack. Motherboard reports that Venezuelan President Nicolás Maduro’s administration appears to have abused DNS vulnerabilities using what’s known as a homograph attack to collect names, email addresses, passwords, and other personal information from anti-Maduro activists.
For five hours on October 22, 2016, anyone who logged into an unnamed Brazilian bank’s website actually gave their login credentials to hackers who utilized weak points in the bank’s DNS infrastructure. Last April, the same thing happened to users of a cryptocurrency exchange, resulting in more than $150,000 being stolen from users of the exchange.
Most of us assume core internet infrastructure like DNS will always work as advertised. Simply type the URL for your bank’s website into your browser, and milliseconds later, you should be looking at your bank’s login page. Punch in your credentials and you’re off to the races, browsing your account activity, transferring money, and bemoaning last weekend’s ill-advised bar tab. Simple, safe, secure. But as the victims of these attacks learned the hard way, that’s not always the case.
DNS is the umbrella term for the protocol and series of servers that take a “name” such as “www.medium.com” and turn it into an IP address, which is used to route requests through the internet to their destination. The system’s primary purpose has led many to describe DNS with a metaphor as dry as the source material: DNS is the internet’s yellow pages. But hidden behind its mundane facade is a veritable cornucopia of malicious opportunity.
The attacks against DNS are quite well known within the security world — DNS is ubiquitous and often poorly secured by IT professionals, making it a juicy target for hackers. The system is engaged almost every time a device sends data across the internet, meaning a single weakness at the protocol level opens literally every internet user to DNS-based attacks. The tedious and unremarkable nature of DNS lulls IT specialists into a false sense of security and makes breaching the protocol appealing to hackers. That might all be fine if the system were secure by default, but the vast majority of DNS traffic is still verified using the honor system.
The decentralized database protocol was defined in 1983 by Paul Mockapetris to help the burgeoning internet handle increasing request volume. The optimism and innate sense of trust that guided so much of the early internet’s innovation was imbued into DNS; the original specifications of DNS had no encryption and no way to verify that a name-to-address mapping wasn’t spoofed or hijacked. These shortcomings remain as part of DNS’s vestigial DNA.
There are two major kinds of DNS servers: name servers and resolvers. Name servers are the source of truth — they map names of web services, such as google.com and fbi.gov, to IP addresses. Resolvers are the concierges of the DNS world — they query all the relevant name servers on our behalf and then give us the resulting IP address.
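As an added illustration of that division of labour (example code written for this page, not taken from the article or from any real resolver), the Python below simulates a resolver walking a constructed, in-memory hierarchy of name servers from the root down to the authoritative server. The server names, zone contents and the 203.0.113.10 address are made up for the example.

```python
# Constructed sample hierarchy: each "name server" holds a small zone that
# either delegates a suffix to another server ("NS") or answers with an
# address ("A"). Names are stored fully qualified (trailing dot).
NAME_SERVERS = {
    "root":            {"com.": ("NS", "tld-com")},
    "tld-com":         {"example.com.": ("NS", "ns1.example.com")},
    "ns1.example.com": {"www.example.com.": ("A", "203.0.113.10")},
}


def best_match(name, zone):
    """Return the longest suffix of `name` that this server's zone knows about."""
    labels = name.split(".")          # "www.example.com." -> ["www","example","com",""]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return candidate
    return None


def resolve(name, servers=NAME_SERVERS, max_hops=8):
    """Iteratively resolve `name` like a resolver would: start at the root and
    follow referrals until an authoritative answer is found.

    Returns (ip_address, servers_consulted); ip_address is None if the name
    cannot be resolved. Nothing here authenticates the answer: the resolver
    simply trusts whatever each server returns, which is the "honor system"
    the article describes.
    """
    name = name.lower()               # DNS names are case-insensitive
    if not name.endswith("."):
        name += "."
    server, path = "root", []
    for _ in range(max_hops):         # bound the walk so a referral loop cannot hang us
        path.append(server)
        zone = servers[server]
        match = best_match(name, zone)
        if match is None:
            return None, path         # this server knows nothing about the name
        rtype, value = zone[match]
        if rtype == "NS":
            server = value            # referral: ask the delegated name server next
            continue
        if rtype == "A" and match == name:
            return value, path        # authoritative answer for exactly this name
        return None, path
    return None, path


if __name__ == "__main__":
    ip, chain = resolve("www.example.com")
    print(f"{ip} via {' -> '.join(chain)}")
```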