DNS on Blockchain: the next evolution of domain names?

Image source: TheDigitalArtist via Pixabay

Summary

The DNS, the Domain Name System, is a service at the heart of how the Internet operates. It is fundamental to the functioning of many services such as websites, mail servers, VoIP telephony and many others.

For more than 30 years, many extensions and functionalities have been added to the DNS, which technically translates into an increase in the complexity of the infrastructure.

Blockchain technology could be a considerable evolution for the DNS, bringing several advantages and new functionalities.

The DNS, a fundamental service

The DNS, the Domain Name System, is a service at the heart of how the Internet operates. It functions as a public directory that associates domain names with resources on the Internet, such as IP addresses. When a user enters an address in a browser, a DNS server translates this human-readable address into an IP address that computers and networks understand. This is DNS resolution.


This system, created in 1983, is fundamental to the functioning of many services such as websites, mail servers, VoIP telephony and many others. It is constantly evolving to meet ever-increasing needs in terms of functionality and security. Indeed, the DNS must guarantee:

  • Availability: an unavailability of the DNS service would result in a service disruption.
  • Integrity: the data present on the DNS (associated with a domain name) must not be corrupted.
  • Confidentiality: to protect the privacy of users, the DNS implements various solutions that increase the confidentiality of DNS requests. If the requests are not confidential, it is possible to analyze users’ browsing information.

The domain name system is based on a centralized model of trust. It is distributed throughout the world and managed by different actors in a hierarchical manner, in several levels: a root level, a first level where extensions are managed by registries, then a second level managed by registrars. The whole is orchestrated by ICANN, the Internet’s regulatory authority.


For more than 30 years, many extensions and functionalities have been added to the DNS, which technically translates into an increase in the complexity of the infrastructure.

Blockchain technology could be a considerable evolution for DNS, bringing several advantages and new functionalities.

Blockchain and decentralized registry

A Blockchain is a data structure accessible to all and distributed over a decentralized network: the data is replicated on each node of the network, and there is no central authority. Everyone has the possibility to read its contents, add data and even join the network. The concept was first implemented in 2009 with Bitcoin, but today there are many different Blockchain technologies, each with its own properties.

Data is entered on a Blockchain via transactions. Transactions are grouped into blocks; each block is validated by the network and then chained to the previous ones. Thus, a Blockchain contains the history of all the transactions carried out since its creation.

The validation rules are written in the Blockchain protocol, which each member of the network respects. To ensure compliance with these rules, Blockchain protocols rely on consensus algorithms, the best known being Proof of Work. These algorithms guarantee the integrity, immutability and security of the data on the Blockchain.


The Blockchain technology meets several DNS needs:

  • Availability: a decentralized, peer-to-peer network cannot be stopped. It could replace or complement Anycast infrastructures.
  • Integrity: the consensus protocol of a Blockchain guarantees, by nature, the integrity of the data. Furthermore, the data cannot be modified. These properties would eliminate the need for DNSSEC and its famous key renewal ceremony.
  • Confidentiality: requests made to read the Blockchain data can be encapsulated in an HTTPS channel, in the same way as the DNS over HTTPS (DoH) protocol. There are few DoH resolvers today, so traffic is centralized around a limited number of actors. A Blockchain would make it possible to query any node on the network, thus limiting centralization and single points of failure (SPOF).

The data included in the DNS zone files, i.e. the domain name configurations, could therefore be distributed on a Blockchain. Each player (registries, registrars) could directly interact with this Blockchain to manage the domain names. This is the idea of the DNS on Blockchain.

New needs

In recent years, with the emergence of Blockchain technologies, new means of value exchange have developed, particularly with tokenization, crypto-assets and decentralized applications (dapps); this is referred to as Web 3.0, or the Internet of Value.


Digital wallets and decentralized applications work with identifiers that are difficult to read, e.g. 0x483add28edbd9f83fb5db0289c7ed48c83f55982 for a wallet address.

Being able to associate this type of address with domain names, within a universal naming system, could be of real interest for tomorrow’s Web applications. It would be possible to have a wallet of crypto-assets or a decentralized application configured directly behind a domain name. This could also be useful for the digital identity of companies and their brands.

DNS on Blockchain, today

Many naming system projects on Blockchain are currently under development, each with an implementation of its own.

Some applications propose new domain name extensions (TLDs), such as .bit, .zil, .crypto, .eth, etc. This is particularly the case for Namecoin and UnstoppableDomains. These systems are completely independent of the traditional DNS and ICANN. Registration is managed directly by users, and name resolution is generally done through a browser extension. The Opera browser has recently natively integrated the resolution of these domain names.

These applications are functional, but name registration is not controlled. There are therefore many cases of cybersquatting: users register names in the hope of reselling them at a profit. This obviously poses a problem for trademark owners, and will certainly hold back the adoption of these solutions by companies.


Other projects propose solutions complementary to the DNS. In particular, Ethereum Name Service (ENS) offers a naming system on Blockchain that integrates with the traditional DNS. If you hold a domain name and can prove it through DNSSEC, you can then register this same name on the Blockchain service. This allows you to combine the advantages of the traditional DNS and the DNS on Blockchain.

The .kred, .xyz and .luxe extensions already support this integration on Blockchain, and ENS plans to propose it for all DNSSEC-compatible extensions. This project is quite promising: Ethereum Name Service has recently joined the DNS-OARC (DNS Operations, Analysis, and Research Center).

The Handshake project proposes a naming protocol to manage the root level of the DNS, and provide an alternative to certification authorities. It challenges the trust and governance model of the DNS to experiment with a more decentralized, secure and resilient system based on validation of DNS zones by participants in the network.

Conclusion

The DNS on Blockchain could be a considerable evolution of the DNS; it would bring several advantages and new functionalities thanks to the Blockchain technology, which would benefit the development of the decentralized web.

Today, however, there are still no technologies and applications on which there is unanimous agreement, even though many projects and PoC are under development. They are not yet mature enough to be used on a large scale. Improvements in terms of scalability, security and usability need to be made.

The collaboration of the Internet players (ICANN, DNS-OARC, registries) seems essential for a technology to reach consensus and be adopted, in particular to set common rules. This is a subject to be followed closely over the next few years.

Are you interested in blockchain and crypto-assets topics? Don’t hesitate to consult the website of our collaborator Steve Despres: https://cryptoms.fr/

FIC 2020 – Nameshield’s DNS Premium labelled France Cybersecurity once again

During the 12th edition of the International Cybersecurity Forum (FIC), the major event in terms of cybersecurity and digital confidence, which currently takes place from January 28 to 30 in Lille, Nameshield was given once again the France Cybersecurity Label for its DNS Premium solution.

8th Edition of the France Cybersecurity Labels ceremony, January 29, 2020

Nameshield’s DNS Premium labelled France Cybersecurity

The DNS is at the heart of companies’ critical services: Internet, email, applications…

Exposed more and more frequently to attacks, like DDoS, Man in the Middle… it must remain available.

Nameshield’s DNS Premium is the solution that meets DNS protection needs with a redundant, ultra-secure infrastructure and all the key DNS services (anycast, DDoS protection, DNSSEC, statistics…).

The DNS Premium solution, labelled France Cybersecurity, thus allows its users to protect their digital assets from attacks and ensures high availability of their Internet services.

France Cybersecurity Label, the guarantee of a certain level of quality in terms of cybersecurity


As a reminder, the France Cybersecurity label is the guarantee for users that Nameshield’s products and services are French and possess clear, well-defined functionalities, with a certain level of quality in terms of cybersecurity, verified by an independent jury.

It addresses several needs and objectives:

  • Raise awareness among users and international ordering parties regarding the importance of the French origin of a cybersecurity offer and its intrinsic qualities;
  • Certify to users and ordering parties the quality and functionalities of labelled products and services;
  • Promote French cybersecurity solutions and increase their international visibility;
  • Increase their overall use and the users’ security level.

This label is governed by a committee composed of representatives gathered in 3 colleges:

  • College of officials: representatives from the “Direction Générale de l’Armement” (DGA, the French Government Defense procurement and technology agency), the “Direction Générale des Entreprises” (DGE, the French Directorate General for Enterprise within the Ministry of Economy, Industry and Digital), and the “Agence Nationale de la Sécurité des Systèmes d’Information” (ANSSI, the French National Cybersecurity Agency).
  • College of industrials: representatives from the “Alliance pour la Confiance Numérique” (ACN – Alliance for digital confidence) and HEXATRUST.
  • College of users: representatives from groups of users, such as: CIGREF, GITSIS, CESIN, CLUSIF ISSM space.

Nameshield, a 100% French company certified ISO 27001 on all of its registrar activity, was able to provide all the necessary guarantees to obtain the France Cybersecurity Label for its DNS Premium offer. This illustrates its commitment to always provide the best services and standards regarding cybersecurity.

For more information on our labelled solution DNS Premium, please visit Nameshield’s website.

The financial industry, the target of more and more costly attacks on the DNS

Image source: JimBear via Pixabay

Financial services companies are particularly affected by cyberattacks. They hold a wealth of information on their customers, protect their money and provide essential services which must be available day and night. They are a lucrative target. Among the favored lines of attack: the DNS.

EfficientIP’s annual Global DNS Threat Report shows constant growth in the number of DNS attacks and in their financial impact, with an average financial loss of 1.2 million euros in 2019. This amount was estimated at 513 000€ in 2017 and 806 000€ in 2018.

While all industries are affected by cyberattacks (82% of the companies surveyed have been affected and 63% have suffered a traffic disruption), the financial industry pays a higher price, with 88% impacted. Conducted with 900 respondents from nine countries in North America, Europe and Asia, the study indicates that financial companies suffered 10 attacks on average during the last 12 months, an increase of 37% compared to last year.

The increase in costs is only one of the consequences of DNS attacks for the financial services industry. The most common impacts are cloud service downtime, experienced by 45% of financial organizations, and internal application downtime (68%). Furthermore, 47% of financial companies have been victims of fraud through phishing attacks targeting the DNS.

The survey clearly shows that the security measures implemented to secure the DNS are insufficient. The delay in applying security patches is a major problem for organizations in this industry. In 2018, 72% of the companies interviewed admitted that three days were needed to implement a security patch in their systems, three days during which they remain exposed to attacks.

Only 65% of financial institutions use or plan to integrate a trusted DNS architecture; they seem to be perpetually late and not sufficiently aware of the risks associated with this central point of their infrastructure. Threats against the DNS evolve constantly, and the attacks are many and complex. It is essential to react quickly to protect yourself better.

Industry, trade, media, telecom, health, education, government, services… many other sectors are affected by these attacks. Solutions exist. Every year, ANSSI publishes a guide of good practices for DNS resilience, which details many recommendations for staying protected. Relying on an Anycast network, having a protection system against DDoS attacks, monitoring DNS traffic with a team able to act quickly, and having an effective security policy are all measures essential to the resilience and efficiency of the DNS against attacks whose financial and reputational impact is so damaging.

Hoping to see at last better figures in the 2020 report.

50 years after Arpanet, the Internet’s ancestor

Image source: geralt via Pixabay

On October 29, 1969, UCLA sent the very first electronic message to the Stanford Research Institute through the Arpanet network (Advanced Research Projects Agency Network), laying the foundation for today’s networked world.

Arpanet, the Internet’s precursor

Arpanet is the first data transfer network developed by the Advanced Research Projects Agency (ARPA) which belonged to the U.S. Defense Department.

The first Arpanet node was set up at UCLA on August 30, 1969; the second node, at the Stanford Research Institute, was set up on October 1st, 1969. The first message was sent between the two institutions on October 29, 1969 by the UCLA computer science professor Leonard Kleinrock, who wished to send the word “login”; the system crashed, so only two letters, “l” and “o”, were transmitted, and the complete word was only transmitted an hour later.

Arpanet connected some universities and research institutes: first UCLA and the Stanford Research Institute, followed by UC Santa Barbara and the University of Utah. At the end of 1969, Arpanet counted 4 nodes; in 1971, 23 nodes; and 111 nodes in 1977.

In 1983, Arpanet was divided into two networks: one military, MILnet (Military Network), and the other academic, NSFnet.

On January 1st 1983, the name “Internet” already in use to define all of Arpanet, became official.

World Wide Web turns 30 years old

In 1989, Tim Berners-Lee, a researcher working at CERN, proposed a hypertext system working on the Internet. This system was originally developed for scientists working in universities and institutes around the world, so they could instantly share information. His vision of universal connectivity became the World Wide Web, which sent Internet usage skyrocketing.

In 1993, Mosaic, the first popular web browser, was created by Marc Andreessen and Eric J. Bina, two students of the National Center for Supercomputing Applications (NCSA) of the University of Illinois. It was not the first graphical web browser, but Mosaic was particularly fast and allowed users to display images inside web pages instead of in a separate window, which gave it some popularity and contributed to the growing popularity of the World Wide Web.

Internet Protocol – From IPv4 to IPv6

The Internet Protocol (IP) is a set of communication protocols for computer networks, developed to be used on the Internet. IP protocols provide a unique addressing service for all connected devices.

IPv4, the first major version, was invented in the 1970s and introduced to the public in 1981. It is still the dominant protocol of the Internet today. Twenty years ago, the IETF (Internet Engineering Task Force) started predicting the depletion of IPv4 addresses and began working on a new version of the Internet Protocol: IPv6.

IPv4 uses a 32-bit addressing scheme to support 4.3 billion devices, while IPv6 has a much larger address space. Indeed, IPv6 uses a 128-bit address, allowing 3.4 × 10^38 possible addresses.

DNS – Domain Name System

At the request of the Advanced Research Projects Agency of the U.S. Defense Department, the DNS (Domain Name System) was invented in 1983 by Jon Postel and Paul Mockapetris, in order to associate complex IP addresses with human-readable, easy-to-remember names. Thus a logical address, the domain name, is associated with a physical address, the IP address. The domain name and the IP address are unique.

ICANN (Internet Corporation for Assigned Names and Numbers), the regulatory authority of the Internet, was created in 1998. Its main purpose is to allocate Internet protocol address space, to assign protocol identifiers (IP), to manage the generic top-level domain name system (gTLD), to assign the country codes (ccTLD), and to carry out the root server system management functions.

With 351.8 million domain names registrations in the first quarter of 2019, domain names registrations continue to climb, but with the increase of the number of threats aiming the DNS at the same time.

The emergence of cyber threats

Considered one of the first cyberattacks, and certainly the first to attract the media’s attention, the Morris Worm was launched in 1988 by a student at Cornell University, Robert Tappan Morris. Originally, the malware developed by the student was not intended to cause damage but simply to estimate the extent of the Internet. However, this worm affected about 60 000 of the computers estimated to be connected to the Internet, and the cost of the damage was estimated at 100 000 to 10 million dollars. This event marks the turning point in the field of online security.

Today, cyberattacks are abundant, frequent and more and more sophisticated. The evolution of techniques and the arrival of new technologies make cyberattacks increasingly complex and offer new opportunities to attackers.

There are various types of cyberattack, such as attacks targeting the DNS: DDoS, DNS cache poisoning, DNS spoofing, Man in the Middle… (in 2019, according to IDC – International Data Corporation, 82% of companies worldwide have faced a DNS attack over the past year), or attacks directly targeting users with the aim of obtaining confidential information to steal an identity (phishing).

The consequences for victimized companies can be significant. For example, today the cost of a data breach is 3.92 million dollars on average according to IBM Security, this cost has risen 12% over the past five years.

IP traffic in 2022 is estimated to exceed all the traffic generated from 1984 to 2016

With more than 5 billion Google searches made every day, e-commerce continuing to thrive, social media growing in popularity and the increasing number of connected objects, the traffic volume on the Internet has risen considerably.

Indeed, in 1974, daily traffic on the Internet surpassed 3 million packets per day. According to Cisco research, in 2017 global IP traffic reached 122 exabytes per month, and the company estimates that this volume should reach 396 exabytes by 2022.

“The size and complexity of the Internet continues to grow in ways that many could not have imagined. Since we first started the VNI Forecast in 2005, traffic has increased 56-fold, amassing a 36% CAGR (Compound Annual Growth Rate) with more people, devices and applications accessing IP networks,” said Jonathan Davidson, senior vice president and general manager of Service Provider Business at Cisco.

Today, 50 years after the birth of the Internet’s ancestor, Arpanet, there are more Internet connected devices than people in the world. In 2022, the web users will represent 60% of the world’s population and more than 28 billion devices will connect to the Internet.

Attack on the domain name system: the priority is to protect your access

Image source : Geralt via Pixabay

Last weekend, the media widely reported on the consequences of an unprecedented attack that targeted domain names.

Indeed, during the night of 22-23 February, ICANN reported large-scale attacks on domain names: DNS hijacking. These attacks consist in “replacing the authorized servers addresses” with “addresses of machines controlled by the attackers”, as the organization explained, allowing the attackers to examine the data in order to find passwords, email addresses, etc., or even to completely capture the traffic towards their servers.

A wave of attacks that began in November 2018

Actually, this is not an attack but a wave of attacks that the domain names system has endured for several weeks now.

Since the end of November 2018, an attack has targeted Lebanon and the United Arab Emirates and affected .GOV domain names. In this attack, the cybercriminals have proceeded with DNS hijacking.

At the beginning of January 2019, the company FireEye reported in an article, a wave of DNS hijacking that has affected domain names belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.

While the attackers were not identified at the time, initial research suggested the attacks could have been conducted by persons based in Iran.

Important fact regarding the attack of February 22: this time, it struck, sometimes successfully, important actors of the Internet.

What are these attacks?

The method used is the DNS hijacking deployed on a large scale. This is a malicious attack, also called DNS redirection. Its aim: overwrite the TCP/IP parameters of a computer in order to redirect it towards a fraudulent DNS server instead of the configured official DNS server. To do this, the attacker takes control of the targeted machine through different techniques to alter the DNS configurations.

The American government, among others, recently warned about this series of highly sophisticated attacks, whose aim would be to siphon off a large volume of passwords. These attacks would more specifically target governments and private companies.

Between DNS hijacking and cyber espionage

According to Talos’ article of November 2018, the attackers behind these attacks would have collected emails and connection information (login credentials – passwords) by hijacking the DNS, so that the traffic of the emails and the VPN (Virtual Private Networking) of the targeted institutions would be redirected to a server controlled by the cybercriminals.

Once the credentials are collected, other attacks can be launched for espionage purposes, such as Man-In-The-Middle.
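The redirection described above shows up as a difference between the records a registrant configured and the answers resolvers actually return. The following is an added example (not Nameshield’s code) of a baseline comparison across several vantage points; all names, addresses and resolver labels are constructed, and the three-way classification is this example’s own heuristic.

```python
from typing import Dict, FrozenSet, List, Tuple

Key = Tuple[str, str]      # (owner name, record type)
Answer = FrozenSet[str]    # the set of rdata values returned in one answer

# Constructed baseline: the delegation and endpoints the registrant configured.
BASELINE: Dict[Key, Answer] = {
    ("example.test.", "NS"):     frozenset({"ns1.example.test.", "ns2.example.test."}),
    ("mail.example.test.", "A"): frozenset({"192.0.2.25"}),
    ("vpn.example.test.", "A"):  frozenset({"192.0.2.40"}),
}

# Constructed answers from three independent vantage points (e.g. three public
# resolvers queried by a monitoring job). Hostnames and addresses are fictitious.
OBSERVATIONS: Dict[str, Dict[Key, Answer]] = {
    "resolver-a": {
        ("example.test.", "NS"):     frozenset({"ns1.example.test.", "ns9.unrelated-host.example."}),
        ("mail.example.test.", "A"): frozenset({"192.0.2.25"}),
        ("vpn.example.test.", "A"):  frozenset({"192.0.2.40"}),
    },
    "resolver-b": {
        ("example.test.", "NS"):     frozenset({"ns1.example.test.", "ns9.unrelated-host.example."}),
        ("mail.example.test.", "A"): frozenset({"192.0.2.25"}),
        ("vpn.example.test.", "A"):  frozenset({"192.0.2.40"}),
    },
    "resolver-c": {
        ("example.test.", "NS"):     frozenset({"ns1.example.test.", "ns9.unrelated-host.example."}),
        ("mail.example.test.", "A"): frozenset({"192.0.2.25"}),
        ("vpn.example.test.", "A"):  frozenset({"198.51.100.7"}),
    },
}


def classify(baseline: Dict[Key, Answer],
             observations: Dict[str, Dict[Key, Answer]]) -> Dict[Key, Dict[str, object]]:
    """Compare every baseline record with what each vantage point returned.

    ok                  every vantage point returned exactly the baseline answer
    changed-everywhere  all vantage points agree on a non-baseline answer: the
                        authoritative data itself changed (check the registrar
                        account, the zone and the registry lock status)
    inconsistent        vantage points disagree: a change is still propagating
                        (TTL) or a subset of resolvers returns a different answer
    """
    report: Dict[Key, Dict[str, object]] = {}
    for key, expected in baseline.items():
        answers = {src: obs.get(key, frozenset()) for src, obs in observations.items()}
        distinct = set(answers.values())
        if distinct == {expected}:
            status = "ok"
        elif len(distinct) == 1:
            status = "changed-everywhere"
        else:
            status = "inconsistent"
        unexpected = sorted(set().union(*distinct) - expected)  # values never configured
        report[key] = {"status": status, "unexpected": unexpected, "answers": answers}
    return report


def alerts(report: Dict[Key, Dict[str, object]]) -> List[str]:
    """One human-readable line per record whose status is not 'ok'."""
    return [
        f"{name} {rtype}: {info['status']} (unexpected: {', '.join(info['unexpected']) or '-'})"
        for (name, rtype), info in report.items()
        if info["status"] != "ok"
    ]


if __name__ == "__main__":
    for line in alerts(classify(BASELINE, OBSERVATIONS)):
        print(line)
```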

Then how to effectively protect yourself?

You must be aware that, even if these attacks essentially target the domain name system, it can never be said enough: for an attacker, the first entry point to your domain name portfolio is your access to the management platform.

The first and utmost recommendation is to protect your access

For many years, Nameshield has developed security measures for access to the domain name management platform (IP filtering, ACL, HTTPS), and in addition offers two-factor authentication and SSO.

If these complementary solutions are not yet implemented, Nameshield strongly recommends implementing them, in particular two-factor authentication, to fight against password theft.

Implement the DNSSEC protocol

The implementation of DNSSEC, if it was more widely deployed, would prevent or at least lessen the impact of these attacks by limiting their consequences.

It’s becoming increasingly urgent that DNSSEC is adopted on a massive scale, for both resolvers and authoritative servers.

Protect your domain names

Implementing a registry lock on your strategic names will prevent their fraudulent modification.

Although no perfect solution exists today to fully protect infrastructures from cyberattacks, it is the combination of several preventive measures that will reduce the vulnerabilities (so) easily exploited by attackers.

Can the DNS have an impact on the SEO?

Image source : geralt via Pixabay

This is a recurring question from our customers: does the use of the DNS, whether good or bad, have an impact on a website’s SEO? We have already discussed the impact of an HTTPS website on SEO; this is the occasion to focus on the DNS side.

The DNS is an invisible process running in the background, so it is difficult to see why it could help or hurt a website’s performance and its ranking in search engines, Google in particular.

This article will approach the possible impact of the DNS in response to the following questions:

  • Does the modification of a DNS record affect SEO?
  • Does changing the DNS provider affect SEO?
  • What part does the DNS play in a website’s migration?
  • Does changing a website’s IP address affect its SEO?
  • What about DNSSEC implementation?
  • Can a DNS outage affect SEO?
  • Can a faster DNS improve SEO?

Does the change at the DNS level affect the SEO?

1. Modification of a DNS record, be careful of the TTL

Directing a domain name to the corresponding web server usually goes through the creation of an A-type record (IPv4 address). The A record then directs the traffic towards the IP address of the destination web server. Modifying this record can lead to performance problems.

Indeed, to optimize response time, the DNS allows information to be cached by DNS resolvers for a given time, the TTL (Time To Live), defined by the technical manager of the domain name during its configuration. The usual TTL, like the one recommended by ANSSI, is several hours for ordinary uses of domain names (websites). When an A record is modified, the change may only be taken into account at the end of the TTL, so web users could still reach the former configuration for a few minutes or even several hours after the modification.

It is therefore important to reduce the TTL, even temporarily, around these modifications.

But does that affect SEO? Yes and no. If users are sent to a destination that no longer exists, Google will treat this as a 404 error. Beyond the negative user experience, this is not directly an SEO factor. However, be careful about existing backlinks and about too many 404 errors. A low TTL limits the impact during these modifications.

2. Modification of the DNS declared for a domain name

A domain name is associated with name servers (NS) that provide its DNS resolution. The DNS service looks up the information on these NS. These NS can be modified when changing the provider managing the domain name, or simply to move from one DNS infrastructure to another. Will changing the name servers affect SEO?

Depending on the provider and the chosen infrastructure, the resolution time may be shorter or longer, with a possible improvement or decrease in the SERP (Search Engine Result Page). Indeed, the resolution time is taken into account by Google (see below).

And as for a record change, it is recommended to reduce the lifetime of the records before modifying the name servers, so that DNS resolvers do not keep the former information in cache.

3. Risk associated to the DNS during the website’s migration

This is the same principle as discussed previously. Modifications of the DNS configuration do not directly affect SEO, but can lead to a poor user experience. The TTL should again be seen as a useful means to take into account.

Which specific cases to consider?

  • Change of web hosting provider
  • Change of DNS hosting provider
  • Moving the traffic of www. to a “naked domain” (without www.)
  • Moving your domain to a CDN (content delivery network)

4. Change of the destination IP address

No. When a record is modified to point from one endpoint to another, SEO is not affected. The only (very rare) exception to this rule would be pointing a domain to an endpoint that has already been identified as a spam server (for example, the IP address of a shared server).

However, be careful of the IP address in question, one of the (many) rules of Google’s SEO is that an IP address used for a website should be located near the final user.

5. DNSSEC implementation

DNSSEC authenticates the DNS resolution through a chain of trust between the different DNS servers involved in that resolution. Just like HTTPS, this is an additional security layer to implement. And as with HTTPS, the page loading time is affected, and therefore potentially the associated SEO. To put this into perspective, DNSSEC is essential to web users’ browsing and it is recommended to implement it. Most companies that offer security audits of domain names consider DNSSEC necessary and therefore use it as a rating criterion.

Does faster DNS improve SEO?

Google has admitted that the loading time of a web page has an impact on SERP results. DNS lookup times are generally less than a second, but they can nevertheless affect the loading of a web page in the following cases:

1. Recurring breakdowns on the DNS infrastructure

When a DNS server cannot resolve, or takes more time than usual, it can add many seconds to the loading time of a page. In case of unreliability and recurring unavailability, the impact on SEO is proven, not to mention the user experience in the face of these repeated failures (higher bounce rate, lower customer retention and damage to trust in the brand, if not revenue loss). It is important to rely on a reliable and trustworthy infrastructure.

2. Quality of the network and points of presence

This is purely and simply physics, the nearest a names server is to the final user, the less time is needed to respond to its request. The DNS networks called “anycast” (optimized addressing and routing towards “the nearest” or the “more efficient” server) with many points of presence in the world, allow to optimize the response time depending on the geographical location.

Another important point is to have at least three authoritative name servers (the servers listed in the domain’s NS records) for a domain name, ideally under different domain names and different TLDs, in order to reduce the risk of a single point of failure (SPOF) in the infrastructure. Indeed, if all the name servers sit under the same domain name, any unavailability of that name, for whatever reason, makes the whole DNS infrastructure unavailable. Likewise, at TLD level, and even if it is less likely, a registry availability problem would affect the whole DNS infrastructure.

3. Beware of “extended” DNS configurations

It is not unusual to see DNS configurations that reach the final destination through several steps, as in the example below (a chain of CNAME records). Each step is an additional lookup for the resolver, so resolution time is affected and, potentially, SEO performance.

fr.wikipedia.org. IN CNAME text.wikimedia.org.
text.wikimedia.org. IN CNAME text.esams.wikimedia.org.
text.esams.wikimedia.org. IN A 91.198.174.232
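The two checks above (chain length and name-server diversity) are easy to automate. The script below is an added example written for this article, not Nameshield tooling: it walks a CNAME chain over a constructed snapshot of the records quoted above (plus a hypothetical loop) and counts the extra lookups, then flags a delegation whose NS set shares one domain name or one TLD. The hop limit and the “last two labels” rule for the registered domain are assumptions of the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed snapshot of the records quoted above plus two hypothetical owners that
# form a CNAME loop (sample data embedded for this example, not a live zone).
RECORDS: Dict[str, Tuple[str, str]] = {
    "fr.wikipedia.org.": ("CNAME", "text.wikimedia.org."),
    "text.wikimedia.org.": ("CNAME", "text.esams.wikimedia.org."),
    "text.esams.wikimedia.org.": ("A", "91.198.174.232"),
    "loop-a.example.": ("CNAME", "loop-b.example."),   # hypothetical misconfiguration
    "loop-b.example.": ("CNAME", "loop-a.example."),
}

MAX_HOPS = 8  # assumed threshold: resolvers stop following long chains after a small number of hops


def follow_chain(name: str, records: Dict[str, Tuple[str, str]] = RECORDS,
                 max_hops: int = MAX_HOPS) -> Tuple[Optional[str], List[str], str]:
    """Walk CNAMEs from `name`; return (final address or None, names visited, status).
    Every name in the path after the first costs the resolver one more lookup."""
    path = [name]
    while True:
        record = records.get(path[-1])
        if record is None:
            return None, path, "dangling"       # alias points at a name with no record
        rtype, target = record
        if rtype != "CNAME":
            return target, path, "ok"
        if target in path:
            return None, path + [target], "loop"
        if len(path) > max_hops:
            return None, path, "too-long"
        path.append(target)


def registrable_domain(host: str) -> str:
    """Assumption: the last two labels approximate the registered domain
    (a Public Suffix List lookup would be exact for names like ns.example.co.uk)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def ns_diversity(ns_hosts: List[str]) -> Dict[str, object]:
    """Flag single points of failure in a delegation's NS set."""
    domains = sorted({registrable_domain(h) for h in ns_hosts})
    tlds = sorted({h.rstrip(".").rsplit(".", 1)[-1] for h in ns_hosts})
    warnings = []
    if len(ns_hosts) < 3:
        warnings.append("fewer than three authoritative name servers")
    if len(domains) == 1:
        warnings.append("all name servers share one domain name (%s): that name is a SPOF" % domains[0])
    if len(tlds) == 1:
        warnings.append("all name servers sit under one TLD (.%s): a registry outage takes them all down" % tlds[0])
    return {"domains": domains, "tlds": tlds, "warnings": warnings}


if __name__ == "__main__":
    for owner in ("fr.wikipedia.org.", "loop-a.example."):
        address, path, status = follow_chain(owner)
        print(owner, "->", address, "| extra lookups:", len(path) - 1, "|", status)
    # Constructed NS sets: one fragile, one diverse.
    print(ns_diversity(["ns1.dns-hoster.net.", "ns2.dns-hoster.net."])["warnings"])
    print(ns_diversity(["ns1.dns-hoster.net.", "ns2.dns-hoster.org.", "ns3.dns-hoster.fr."])["warnings"])
```

Run against a real zone, the same functions take the output of a zone transfer or of an API export; the point is that a two-CNAME chain costs two extra round trips before the A record is even seen, and that a loop or a dangling alias never reaches an address at all.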

Conclusion

SEO is a science to consider as a whole. As we saw with the impact of a website’s adoption of HTTPS, this is one ranking factor among many; all other things being equal, it matters particularly when competing for a place on the first page of results.

The same applies to the impact of DNS on SEO. Can the DNS have an impact? Yes, it clearly can, in the case of incorrect configurations or when the DNS infrastructure does not deliver fast enough response times. An anycast DNS infrastructure is essential for any domain name carrying significant web traffic, even more so at international level. This is one element to integrate into the whole, as part of a global approach to SEO worked out with the web marketing team.

DNS Flag Day: Are you ready?

DNS Flag Day - Blog Nameshield

Lately, the DNS keeps making the news! After the first KSK rollover in October 2018, then the deactivation of the former KSK key on January 11, here comes the DNS Flag Day!

DNS Flag Day: What is it all about?

“Flag day” is an expression used in IT for a deadline and/or a radical, non-backward-compatible change.

Remember that when the DNS was created, the cybercrime threats now weighing on the DNS infrastructure did not exist. Security was initially relegated to the background, but the evolution of attacks has made it absolutely necessary: the DNS must be strengthened!

It is in this context that the EDNS standard (Extension Mechanisms for DNS) was created in 1999 (RFC 2671, updated in 2013 by RFC 6891). EDNS notably made DNSSEC possible (signed responses are larger than the original 512-byte UDP limit), as well as DNS geolocation (the EDNS Client Subnet option) and other measures aimed at strengthening security.

The transition has not been without difficulties. Faulty EDNS implementations, lack of updates and firewalls that drop EDNS queries have led to many patches and workarounds in the code of recursive servers (in particular, to distinguish DNS servers that do not support EDNS properly from those unreachable for other reasons).

Two decades later, maintaining all these workarounds has become more than difficult and leads to bugs that can compromise DNS security. Obviously, these workarounds (retrying a query without EDNS after a timeout, for instance) also slow down response times.

It is time for this standard to be implemented by all; otherwise the DNS will not be able to deal efficiently with new attacks, such as amplification or layer 7 attacks.

That is why major IT players (Google, Cloudflare, Facebook, Cisco...), including the developers of the main recursive servers, decided together to stop accommodating DNS servers that do not respect the EDNS standard as of February 1, 2019. The Flag Day has arrived!

And concretely?

From DNS Flag Day on February 1, DNS servers that do not comply with the EDNS standard (or that are unreachable because of a firewall that drops EDNS queries), and therefore do not respond to EDNS queries, are treated as unreachable, the workarounds and other patches being removed from new versions of the DNS software.

To put it simply: if your domain name is not hosted on compliant DNS servers, it may stop resolving.

How to anticipate?

That is why it is important to make sure that the DNS servers hosting your names’ zones are EDNS compatible, in particular if they are not on Nameshield’s DNS infrastructure or if your company maintains its own infrastructure.

The DNS Flag Day website also lets you test the compliance of your domain name: https://dnsflagday.net/
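To see what such a test actually sends and receives, here is an added example (written for this article, not the dnsflagday.net test nor Nameshield code) that builds a plain DNS query and the same query carrying an EDNS OPT record, parses the reply to find the OPT record, and classifies the server the way the Flag Day change does: a server that answers the plain query but drops the EDNS one is now treated as unreachable instead of being retried without EDNS. The replies used for the offline run are constructed in the script; the server address in the commented-out network call is a hypothetical placeholder.

```python
import socket
import struct
from typing import Optional

OPT_TYPE = 41   # EDNS OPT pseudo-RR (RFC 6891)
SOA_TYPE = 6


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = SOA_TYPE, txid: int = 0x1234,
                edns: bool = True, udp_size: int = 1232) -> bytes:
    """DNS query over UDP; RD=0 because an authoritative server is being probed directly."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1 if edns else 0)
    packet = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root owner name, TYPE 41, CLASS = requester's UDP payload size,
        # TTL = extended RCODE | version | DO bit + Z (all zero here), RDLENGTH 0
        packet += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return packet


def skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) wire-format name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Extract RCODE and the OPT record, if the responder included one."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    info = {"id": txid, "rcode": flags & 0xF, "answers": an, "opt": None}
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info["opt"] = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF,
                           "ext_rcode": ttl >> 24, "do": bool(ttl & 0x8000)}
    return info


def flag_day_verdict(plain: Optional[bytes], with_edns: Optional[bytes]) -> str:
    """None stands for a timeout. The Flag Day change: a timeout on the EDNS query is no
    longer worked around by retrying without EDNS, so the server counts as unreachable."""
    if plain is None:
        return "dead: no answer even to a plain query (server down or firewall)"
    if with_edns is None:
        return "non-compliant: EDNS query dropped, treated as unreachable after Flag Day"
    info = parse_response(with_edns)
    if info["opt"] is None:
        return "legacy: answered without OPT (rcode %d); EDNS features unavailable" % info["rcode"]
    return "compliant: EDNS version %d, UDP payload size %d" % (
        info["opt"]["version"], info["opt"]["udp_size"])


def send_udp(server: str, packet: bytes, timeout: float = 3.0) -> Optional[bytes]:
    """One UDP exchange with port 53; None on timeout (requires network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        try:
            return sock.recv(4096)
        except socket.timeout:
            return None


def _constructed_reply(query: bytes, opt_udp: Optional[int], rcode: int = 0) -> bytes:
    """Sample reply for offline use: echoes the question, optionally appends an OPT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    ar = 0 if opt_udp is None else 1
    pkt = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 0, 0, ar) + query[12:qend]
    if opt_udp is not None:
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, opt_udp, 0, 0)
    return pkt


QUERY_PLAIN = build_query("example.com", edns=False)
QUERY_EDNS = build_query("example.com")
SAMPLE_PLAIN_OK = _constructed_reply(QUERY_PLAIN, opt_udp=None)
SAMPLE_COMPLIANT = _constructed_reply(QUERY_EDNS, opt_udp=4096)
SAMPLE_LEGACY = _constructed_reply(QUERY_EDNS, opt_udp=None, rcode=1)   # FORMERR, no OPT

if __name__ == "__main__":
    print(flag_day_verdict(SAMPLE_PLAIN_OK, SAMPLE_COMPLIANT))
    print(flag_day_verdict(SAMPLE_PLAIN_OK, SAMPLE_LEGACY))
    # Against a real authoritative server (hypothetical address, needs network):
    # print(flag_day_verdict(send_udp("192.0.2.53", QUERY_PLAIN), send_udp("192.0.2.53", QUERY_EDNS)))
```

The “legacy” case (a FORMERR with no OPT record) is still the behaviour RFC 6891 allows for an old but honest server: the resolver simply falls back to a plain query. The case the Flag Day removed is the silent one, where a firewall eats the EDNS query and the resolver used to guess, after a timeout, that it should retry without EDNS.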

Of course, our team is at your disposal for any questions.

The revocation of the DNS KSK-2010 security key by ICANN is this week!

Image source : TheDigitalArtist via Pixabay

After the first change of cryptographic key last October, the old KSK (Key Signing Key) of the root zone is now being revoked, on January 11.

The process started in October 2018 to improve the security of the root zone, with the deployment of the Key Signing Key KSK-2017, reaches its completion with the revocation of the old root key KSK-2010.

As indicated by Paul Hoffman, ICANN’s Principal Technologist, “The ICANN organization does not expect problems with the revocation. However, this is the first time a KSK in the Domain Name System (DNS) root has been revoked, so the ICANN org and the DNS technical community will be watching carefully for at least 48 hours after the publication of the revoked KSK-2010.”

Note that during the October rollover the negative impacts were extremely limited; it seems that only two Internet service providers suffered interruptions during the process.

Of course, ICANN encourages solution providers to stop shipping KSK-2010 in their products. ICANN should later publish a white paper on the full rollover process, including the lessons learned from this operation. ICANN communities will then be able to open discussions on future rollovers.

DNS – the big forgotten of Internet

“DNS continues to be one of the most targeted Internet services, and it remains the Achilles heel of global Internet infrastructure. DNS was not only the most heavily abused protocol for reflection/amplification DDoS attacks this year, but an attack targeting a specific DNS provider was also the cause of the most widespread Internet outage of 2016 (Note: attack on the provider Dyn, which for about ten hours in October 2016 made a large part of the Internet inaccessible in the USA, notably affecting Twitter, eBay, Netflix, Amazon, PayPal...).”

Arbor Networks Infrastructure Security Report – June 2017

But what is the DNS?


Because a human being remembers a name more easily than a number, and because this is even truer when visiting a website, humans created the DNS (Domain Name System, or service) to simplify their lives: it links a domain name to an IP address.

For example: “I want to visit google.com; my browser asks the DNS for the IP address of the web server hosting google.com, obtains it, connects to it and downloads the page.”

The DNS is a public, decentralized and distributed database that associates domain names with IP addresses. It has existed since 1983. It is part of what we can call the Internet infrastructure, essential to its operation... and yet the DNS is invisible to the user.

The DNS has been massively adopted because it is practical. It simplifies users’ lives and lets them easily identify, differentiate, locate, memorize and pass on the domain name of a website associated with a brand. It has also been adopted on the other side of the mirror by network administrators to identify and differentiate servers, which is even truer with IPv6, the multiplication of hosts and the arrival of the “everything connected”. Last but not least, the DNS lets them change servers and IP addresses transparently for the web user.

The DNS is omnipresent on the Internet. Everyone must be able to reach it; otherwise the Web stops working. That is what happened in 2016 to our American friends, who had to do without Twitter, or without frantic shopping, for almost 10 hours. The lost revenue and the impact on the brand image of the affected companies were significant.

But because it is invisible, everyone tends to forget it... and to realize it when it is too late.

Strategic services relying on the DNS and the associated risks

Websites and email are two major services that systematically rely on the DNS. Imagine that your website is unavailable for 1 minute, 10 minutes, 1 hour... and the consequences for your company: lost revenue, service discontinuity, damaged brand image, lost customers. And the consequences of having no email over the same period...

If these two services are the most exposed, others also rely on the DNS: VPN, VoIP, instant messaging... with smaller but equally regrettable consequences for the company’s operations.

Attacks on DNS

Sadly, DNS servers are exposed to many potential attacks:

– Cache poisoning: make a DNS server believe it has received a valid answer to its query when the answer is forged. Once the cache is poisoned, the cached entry exposes every user of that server (they are sent to a fake website).

– Man in the middle: the attacker alters the DNS server(s) used by the parties in order to redirect their communications to himself, without the parties noticing.

– DNS spoofing: redirect web users, without their knowledge, to hacked or fraudulent websites.

– DDoS: DNS servers are increasingly targeted by DDoS attacks, to saturate them and prevent them from resolving the company’s key services.

All these attacks have the same consequences: hijacking or stopping the company’s traffic.

The big forgotten

From the user’s point of view, the DNS does not exist: they use domain names to browse and send emails, and have only one need: that it works.

On the company side, the problem is different: it is usually a lack of information, a lack of awareness of the importance of the DNS and of the consequences of a service outage.

In most cases, companies do not really pay attention. They spend large budgets registering and managing domain names, raising their visibility and protecting their brands, but do not look at the robustness of the DNS servers their provider puts at their disposal.

Good practices to implement: a first-rate DNS infrastructure

DNS the big forgotten - DNS availability time

First of all, consider whether your strategic domain names already receive particular attention in terms of DNS infrastructure. Strategic domain names are all those on which the traffic of the company’s key services relies: websites, email, VPN, instant messaging...

Running your own DNS infrastructure offers flexibility and control, but the cost of acquisition, management and maintenance on one side, and the complexity and skills required on the other, are often prohibitive or badly evaluated. It is usually easier to use an external DNS infrastructure managed by a registrar, a hosting company or a specialized provider. It is then appropriate to check which annual availability rate is guaranteed and how the provider applies good practice to achieve maximum availability.

To ensure high availability for your Internet services, it is essential to choose a highly available DNS solution that offers:

– the functionalities required for intensive DNS use;

– an anycast network, to reduce DNS resolution time and ensure optimal access time to your websites;

– a secured DNS infrastructure that stays available even under attack;

– key functionalities such as GeoIP, failover, registry lock, DNSSEC and smart anti-DDoS filtering.

Conclusion

The DNS is invisible but everywhere: it provides access to your key services through the resolution of your strategic domain names, it is potentially exposed to many attacks with disastrous consequences, and it too often lacks attention from companies. So... don’t forget about it and, if necessary, talk about it with your Nameshield partner.

Let’s talk about DNSSEC

DNSSEC has taken shape and has become an essential part of the security processes recommended by ANSSI (the French national cybersecurity agency) and by the web in general. And yet it is a daunting term that often frightens because we do not know how it works or what it is used for. This article aims to clarify it.

The Domain Name System Security Extensions are a standardized set of extensions to the DNS protocol that address security problems of the DNS. We will begin with a reminder of what the DNS is.

What is the DNS?

Simply put, the Domain Name System is rather like an Internet directory: a service that translates a domain name into IP addresses. It relies on a database distributed across millions of machines. Humans identify, memorize and differentiate names more easily than series of numbers. The DNS was defined and implemented in the 1980s and has become an essential element of the Internet.

 

How does the DNS work?

The DNS lets a web user type a domain name into a web browser to reach a website. The browser, through its resolver, then “resolves” this domain name to obtain the IP address of the web server hosting the website, and displays it. This is called “DNS resolution”. Behind the scenes the resolver starts at the root, is referred to the servers of the TLD, then to the servers authoritative for the domain, which finally return the address.

 

DNS resolution 
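The referral walk described above, as an added example written for this article (not Nameshield code): three constructed authoritative servers on documentation addresses (RFC 5737) hold the root, the .org zone and example.org, and a small iterative resolver follows the delegations from the root down. The zone contents and the name-server names are invented for the example; the one security detail carried over from real resolvers is that a glue address is only accepted when it lies inside the zone being delegated (the “bailiwick” rule), so that one server cannot plant addresses for names it does not control.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]   # (type, data)

# Constructed zone data on documentation addresses; not real servers.
# Each authoritative server holds one zone: the root delegates "org.", the .org
# registry delegates "example.org.", and the zone's own server holds the A record.
SERVERS: Dict[str, Dict[str, object]] = {
    "192.0.2.1": {"zone": ".", "records": {
        "org.": [("NS", "a.ns.org.")],
        "a.ns.org.": [("A", "198.51.100.1")],              # glue for the delegation
    }},
    "198.51.100.1": {"zone": "org.", "records": {
        "example.org.": [("NS", "ns1.example.org.")],
        "ns1.example.org.": [("A", "203.0.113.1")],        # glue
    }},
    "203.0.113.1": {"zone": "example.org.", "records": {
        "www.example.org.": [("A", "203.0.113.10")],
    }},
}


def suffixes(name: str) -> List[str]:
    """'www.example.org.' -> ['www.example.org.', 'example.org.', 'org.', '.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def query(server: Dict[str, object], qname: str, qtype: str = "A") -> Tuple[str, Optional[str]]:
    """What one authoritative server answers:
    ('answer', rdata), ('referral', glue address) or ('nxdomain', None)."""
    records: Dict[str, List[Record]] = server["records"]      # type: ignore[assignment]
    for rtype, data in records.get(qname, []):
        if rtype == qtype:
            return "answer", data
    for zone_cut in suffixes(qname):
        if zone_cut == server["zone"]:
            return "nxdomain", None          # reached this server's apex without a delegation
        ns_hosts = [d for t, d in records.get(zone_cut, []) if t == "NS"]
        if ns_hosts:
            for host in ns_hosts:
                # Only glue inside the delegated zone is trusted (bailiwick rule); an
                # out-of-bailiwick name server would have to be resolved separately.
                if host.endswith(zone_cut):
                    for t, d in records.get(host, []):
                        if t == "A":
                            return "referral", d
            return "referral", None
    return "nxdomain", None


def iterative_resolve(qname: str, servers: Dict[str, Dict[str, object]] = SERVERS,
                      root: str = "192.0.2.1", max_steps: int = 10) -> Tuple[Optional[str], List[str]]:
    """Follow referrals from the root downwards; return (address, servers asked in order)."""
    trace: List[str] = []
    server = root
    for _ in range(max_steps):
        trace.append(server)
        kind, data = query(servers[server], qname)
        if kind == "answer":
            return data, trace
        if kind != "referral" or data is None:
            return None, trace
        server = data
    return None, trace          # too many referrals: give up rather than loop forever


if __name__ == "__main__":
    address, trace = iterative_resolve("www.example.org.")
    print(address, "after asking", " -> ".join(trace))
```

Three servers are asked for one name, which is why a real resolver caches every step (the .org referral serves all later .org lookups) and why the availability of each level, root, registry and the domain’s own name servers, matters for every name below it.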

 

What are the risks related to the DNS?

If the DNS goes down, your websites and emails become unavailable, which is unthinkable nowadays. Other company applications can be affected too: VPN access, intranet, cloud, VoIP... everything that potentially needs names resolved to IP addresses. The DNS must be protected and must stay highly available.

The DNS protocol was not created with security in mind, and many flaws in it have been identified since its creation. The main threats to the DNS are described in RFC 3833, published in August 2004: interception of query packets, forged answers, data corruption, DNS cache poisoning and denial of service.

To address these vulnerabilities, the DNSSEC protocol was created.

 

DNSSEC challenges

DNSSEC counters the attacks on integrity listed above, in particular cache poisoning, by protecting the integrity of DNS resolution (it does not protect against denial of service, and it does not encrypt queries). The challenges DNSSEC had to meet were:

  • how to protect data integrity and authenticate the DNS actors (resolver, authoritative server) while keeping backward compatibility with the DNS;
  • how to secure access to the requested resource for billions of web users;
  • how to find a solution light enough not to overload name servers.

 

DNSSEC process

To secure the integrity of DNS resolution, DNSSEC builds a chain of trust going back to the DNS root (see the DNS resolution image above). Data is protected by a key mechanism (KSK, Key Signing Key, and ZSK, Zone Signing Key) that signs the DNS records of each zone. A digest of the zone’s public KSK is sent, through the registrar, to the corresponding registry, which publishes it as a DS record in the parent zone; the registry’s zone being itself linked by DNSSEC to the root, the chain of trust is established. Each parent zone thus vouches for the keys of its child zones by signing the DS records that designate them.

 

Without DNSSEC                                  With DNSSEC

DNSSEC process
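One link of that chain, as an added example written for this article (not Nameshield’s key-management code): the child’s DNSKEY is reduced to a DS record (key tag, algorithm and a SHA-256 digest over owner name and key data, as RFC 4034 and RFC 4509 define them), and a validating resolver accepts the child’s key only if the DS it found in the signed parent zone matches. The keys are constructed placeholders, not real RSA material, and the two-level chain (.org under the root, example.org under .org) is invented for the example; the root KSK itself is the trust anchor configured in the resolver and is not checked here.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

KSK_FLAGS = 257   # ZONE (256) + SEP (1): a Key Signing Key
ZSK_FLAGS = 256   # ZONE only: a Zone Signing Key
ALG_RSASHA256 = 8


def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, uncompressed (RFC 4034, section 6.2)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA = flags | protocol (always 3) | algorithm | public key (RFC 4034, section 2)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag of RFC 4034 Appendix B: a 16-bit checksum by which a DS or RRSIG names its key."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name || DNSKEY RDATA); type 2 is SHA-256 (RFC 4509)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> Dict[str, object]:
    """The record the child hands to its registrar, which the registry publishes in the parent zone."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches_dnskey(owner: str, ds: Dict[str, object], rdata: bytes) -> bool:
    """One link of the chain: the parent's DS must designate this key and hash to it."""
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and hmac.compare_digest(str(ds["digest"]), ds_digest(owner, rdata, int(ds["digest_type"]))))


def validate_chain(links: List[Tuple[str, Dict[str, object], bytes]]) -> bool:
    """links = [(owner, DS published by the parent, owner's KSK RDATA), ...] from the TLD down."""
    return all(ds_matches_dnskey(owner, ds, rdata) for owner, ds, rdata in links)


# Constructed keys: the "public key" bytes are placeholders, not real RSA material.
TOY_KSK = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, b"\xab\xcd")
ORG_KSK = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, b"org-ksk-placeholder")
EXAMPLE_KSK = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, b"example-ksk-placeholder")
CHAIN = [("org.", make_ds("org.", ORG_KSK), ORG_KSK),                          # DS lives in the root zone
         ("example.org.", make_ds("example.org.", EXAMPLE_KSK), EXAMPLE_KSK)]   # DS lives in org.
TAMPERED = [("org.", make_ds("org.", ORG_KSK), ORG_KSK),
            ("example.org.", make_ds("example.org.", EXAMPLE_KSK),
             dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, b"attacker-key"))]   # key swapped: DS no longer matches

if __name__ == "__main__":
    print("key tag of the toy KSK:", key_tag(TOY_KSK))
    print("chain valid:", validate_chain(CHAIN), "| tampered:", validate_chain(TAMPERED))
```

This is also why a KSK rollover (the root’s KSK-2017 operation discussed above, or your own zone’s) has to be coordinated with the parent: a new KSK is useless, and a resolver will reject the zone as bogus, until the matching DS has been published in the parent zone and the old one is retired only afterwards.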

DNSSEC, Nameshield and you:

DNSSEC acts as an essential protection for your strategic names by guaranteeing the authenticity of DNS answers. It is advisable to identify the names that need protecting. Not all TLDs offer DNSSEC yet. Here is a list of the main TLDs that do; it changes, with many more coming:

TLDs supporting DNSSEC: .fr, .com, .be, .net, .eu, .pl, .re, .pm, .yt, .wf, .tf, .info, .li, .ch, .biz, .de, .sx, .org, .se, .nl, .in, .us, .at, .nu, .la, .ac, .cz, .me, .sh, .io, .uk, .co.uk, .me.uk, .org.uk.

All new gTLDs, such as .paris, .club, .xyz, .wiki and .ink, also support DNSSEC.

DNSSEC is included at no extra charge in Nameshield’s DNS Premium offer. Nameshield supports you in this process to secure your intangible assets and manages the entire DNSSEC lifecycle for you, from key creation to storage and renewal.

It is not the only measure to put in place: registry lock, the DNS Premium service and SSL certificates are complementary solutions to implement, which we will have the opportunity to discuss in other articles or at the next nameshield.cafe.