DNSSEC: Nameshield adopts ECDSA

DNSSEC is the protocol that guarantees the integrity of DNS resolution by establishing a chain of trust all the way back to the root. Data security is ensured by a mechanism of cryptographic keys that sign DNS zone records. Historically, DNS operators have used RSA keys (RSASHA256 algorithm), renowned for their robustness.

As an alternative to this asymmetric cryptographic algorithm, there are elliptic curve algorithms. In the case of DNSSEC, the “ECDSA Curve P-256 with SHA-256” algorithm (RFC 6605 and 8624) offers a higher level of security with smaller key sizes.

The ECDSA algorithm is increasingly being implemented by major players in the domain names industry, such as Verisign and AFNIC, and aims to become the standard.

This has several advantages over our current implementation:

  • Smaller signatures and smaller zone files (approx. -33%);
  • Faster zone transfer and reload;
  • Improved signing performance;
  • Potentially faster DNS requests (less reliance on IP fragmentation);
  • Reduced amplification factor of DDoS attacks based on DNS.

For all these reasons, Nameshield has chosen to use this algorithm by default to secure its own domain names and those of its customers.

Image credit : Nameshield with storyset.com

Attack on the domain name system: the priority is to protect your access

Cyberattack - DNS Hijacking - cyber espionage
Image source : Geralt via Pixabay

Last weekend, the media has widely communicated on the consequences of an unprecedented attack that targeted the domain names.

Indeed, during the night of 22-23 February ICANN reported the large-scale attacks on the domain names: it is DNS hijacking. These attacks consist in “replacing the authorized servers addresses” with “addresses of machines controlled by the attackers”, as explained by the organization, allowing the attackers to examine the data in order to find passwords, email addresses etc., even to completely capture the traffic towards their servers.

A wave of attacks that began in November 2018

Actually, this is not an attack but a wave of attacks that the domain names system has endured for several weeks now.

Since the end of November 2018, an attack has targeted Lebanon and the United Arab Emirates and affected .GOV domain names. In this attack, the cybercriminals have proceeded with DNS hijacking.

At the beginning of January 2019, the company FireEye reported in an article, a wave of DNS hijacking that has affected domain names belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.

If the attackers were then not identified, the initial research suggested the attacks could be conducted by persons based in Iran.

Important fact regarding the attack of February 22: this time, it struck, sometimes successfully, important actors of the Internet.

What are these attacks?

The method used is the DNS hijacking deployed on a large scale. This is a malicious attack, also called DNS redirection. Its aim: overwrite the TCP/IP parameters of a computer in order to redirect it towards a fraudulent DNS server instead of the configured official DNS server. To do this, the attacker takes control of the targeted machine through different techniques to alter the DNS configurations.

The American government, among others, recently warned about these series of highly sophisticated attacks of which the aim would be to siphon a large volume of passwords. These attacks would target more specifically governments and private companies.

Between DNS hijacking and cyber espionage

According to Talos’ article of November 2018, the attackers behind these attacks would have collected emails and connection information (login credentials – passwords) by hijacking the DNS, so that the traffic of the emails and the VPN (Virtual Private Networking) of the targeted institutions would be redirected to a server controlled by the cybercriminals.

Once the connectors collected, other attacks can be launched for espionage purposes, like the Man-In-The-Middle.

Then how to effectively protect yourself?

You must be aware that if these attacks essentially aim the domain names system, we can never say it enough, the first entry point of your domain names portfolio for an attacker is your access to the management platform.

The first and utmost recommendation is to protect your access

For many years, Nameshield has developed securing measures for the access to the domain names management platform (IP filter, ACL, HTTPS) and in addition proposes the 2 factors authentication and the SSO.

If these complementary solutions are still not implemented, Nameshield strongly recommends to implement them, in particular the 2 factors authentication in order to fight against passwords thefts.

To implement the DNSSEC protocol

The implementation of DNSSEC, if it was more widely deployed, would prevent or at least lessen the impact of these attacks by limiting their consequences.

It’s becoming increasingly urgent that DNSSEC is adopted on a massive scale, for both resolvers and authoritative servers.

To protect your domain names

The implementation of a registry lock on your strategic names will prevent their fraudulent modifications.

Although no perfect solution exists today to fully protect the infrastructures from cyberattacks, it is the implementation of several preventive measures combined that will allow to reduce the vulnerabilities (so) easily exploited by the pirates.

Let’s talk about DNSSEC

DNSSEC has taken shape, and has become essential in security process recommended by ANSSI as well as the web in general. And yet, it’s a barbaric term that is often scary as we don’t know how it works and what it’s used for. This article will focus on clarifying this term.

The Domain Name System Security Extensions is a standardized protocol of communication allowing to resolve security problems related to DNS. We will begin by a reminder of what is the DNS.

What is the DNS?

Simply put, the Domain Name System is quite like an Internet directory. It’s a service translating a domain name into IP addresses. It relies on a data base distributed to millions of machines. Humans identify, memorize and differentiate more easily names than series of numbers. The DNS has been defined and implemented in the 80’s and has become an essential element of Internet.

 

How does the DNS work?

The DNS will allow web user to inform a domain name in his web browser to access a website. The browser will then “resolve” this domain name to obtain the IP address of the web server which hosts this website and displays it. We call this the “DNS resolution”.

 

DNS resolution 

 

What are the risks related to the DNS?

If the DNS goes down, your websites and emails are going to be unavailable, which is unthinkable nowadays. Other applications can be impacted in the companies: VPN access, intranet, cloud, VOIP… all that potentially needs a names resolution to IP addresses. DNS must be protected and stay highly available.

If the DNS protocol has been created with security in mind, many security flaws of the DNS protocol have been identified since its creation. The mainly flaws of DNS have been described in the RFC 3833 published in August 2004. Queries package interception, fake answer, data corruption, DNS cache poisoning and Denial of service.

To deal with this vulnerability, DNSSEC protocol has been created.

 

DNSSEC issues

DNSSEC prevents these different attacks, particularly cache poisoning, by securing the integrity of the DNS resolution. DNSSEC issues are:

  • How to secure the data integrity and authenticate DNS (resolver, server with authority) and keep backward compatibility with the DNS at the same time.
  • How to secure access security at the resource asked to billions web users?
  • How to find a solution light enough so it won’t surcharge names servers?

 

DNSSEC process

To secure the integrity of the DNS resolution, DNSSEC develops a chain of trust that goes back to the DNS root (refer to the DNS root server image above). Data security is done by keys mechanism (KSK for Key Signing Key & ZSK for Zone Signing Key) which signs DNS records in its own zone. Public keys are sent to the corresponding register to be archived; the register being linked by DNSSEC to the root server, the chain of trust is developed. Each DNS parent zone ensures the keys authenticity of its child zones by signing them.

 

Without DNSSEC                                  With DNSSEC

DNSSEC process

DNSSEC, Nameshield and you:

DNSSEC operates like an essential protection for your strategic names, which secures DNS’ answer authenticity. It would be advisable to identify names that need to be protected. All TLDs don’t propose DNSSEC yet. Here is a list of principal TLDs that does, it can change with many more coming:

TLDs supporting DNSSEC: .fr, .com, .be, .net, .eu, .pl, .re, .pm, .yt, .wf, .tf, .info, .li, .ch, .biz, .de, .sx, .org, .se, .nl, .in, .us, .at, .nu, .la, .ac, .cz, .me, .sh, .io, .uk, .co.uk, .me.uk, .org.uk.

All news gTLDs, like .paris, .club, .xyz, .wiki, .ink, support also DNSSEC.

DNSSEC is included without supplement in Nameshield DNS Premium offer. Nameshield supports you in this process to secure your immaterial assets and manages the integrality of the DNSSEC protocol for you, from keys creation, to storage and renewal.

It’s not the only answer to set, registry lock system, DNS Premium service, SSL certificates are complementary solutions to implement, we will have the opportunity to discuss it in other articles or in the next nameshield.cafe.