Combatting DNS Hijacking Requires Improved DNS Security
DNSSEC authentication helps to ensure that a compromised DNS server won’t send you to a hijacked server when you point a browser to a specific domain name.
MARCH 20, 2019
Global DNS hijacking is becoming an increasingly troublesome security threat for the entire Internet. Calls for secure domain authentication using DNSSEC specifications have been ongoing for years. But while added security is a step in the right direction, we all must understand that a huge portion of our Internet security lies at the feet of a single, private entity called the Internet Corporation for Assigned Names and Numbers (ICANN).
The latest cry for improved domain name system (DNS) security functionality was sent out in late February, and it came directly from ICANN. Those of us in the field of IT security fully understand the security concern surrounding DNS. Like most early networking mechanisms, the first iterations of DNS contained no security safeguards. Instead, DNS was simply built as a hierarchical, distributed database to match a hostname (such as networkcomputing.com) to a unique IP address that computer networks use to communicate. The concern is that without the necessary security protections in place, DNS records can be intentionally or unintentionally altered to send people to the wrong destination. And if done properly, a session can be hijacked without the end user ever knowing it.
Moves to enforce DNSSEC are a great way to secure the various DNS servers located on the Internet that are managed by various governments, corporations and service providers. DNSSEC authentication helps to solidify the integrity of lower branches on the DNS hierarchy tree. In other words, it helps verify that a compromised DNS server won’t send you to a hijacked server when you point a browser to a specific domain name. That said, this security only goes so far up that tree, and it ends at the very top where ICANN resides. ICANN controls all the top-level domains (TLDs) that we’re familiar with, including .com, .net and .org. It also controls TLDs for governments and countries, including .gov, .eu and .cn. Any changes at this level, and any security enforced, are made at the organization’s sole discretion.
We’re talking about a massive amount of responsibility for an organization that is run as a private non-profit. So, how did it get this way?
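The parent-vouches-for-child link behind that tree, as an added example that is not part of the original article: each zone publishes a DS digest of its child’s key (RFC 4034), and the root key is checked only against an anchor configured in the validator. It is simplified to the digest link and omits RRSIG signature verification; the zone keys and helper names are constructed for illustration.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, zero byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(public_key, flags=257, algorithm=13):
    """DNSKEY RDATA: flags (257 = key-signing key), protocol 3, algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def ds_digest(owner, rdata):
    """DS digest type 2 (RFC 4034 section 5.1.4): SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def build_chain(names, keys):
    """Each zone publishes its DNSKEY plus the DS digest of the next zone down."""
    rdatas = [dnskey_rdata(k) for k in keys]
    chain = []
    for i, name in enumerate(names):
        last = i + 1 == len(names)
        child_ds = None if last else ds_digest(names[i + 1], rdatas[i + 1])
        chain.append({"name": name, "dnskey": rdatas[i], "ds_for_child": child_ds})
    return chain

def validate_chain(trust_anchor, chain):
    """Walk root -> leaf; every key must hash to the digest its parent vouches for."""
    expected = trust_anchor
    for zone in chain:
        if ds_digest(zone["name"], zone["dnskey"]) != expected:
            return "bogus at " + zone["name"]
        expected = zone["ds_for_child"]
    return "secure"

def with_swapped_key(chain, index, new_key):
    """Copy of the chain where one zone serves a key its parent never vouched for."""
    copy = [dict(z) for z in chain]
    copy[index]["dnskey"] = dnskey_rdata(new_key)
    return copy

# Constructed sample data: 64-byte placeholder keys, not real zone keys.
NAMES = [".", "com.", "example.com."]
KEYS = [bytes([n]) * 64 for n in (1, 2, 3)]
CHAIN = build_chain(NAMES, KEYS)
ANCHOR = ds_digest(".", CHAIN[0]["dnskey"])  # configured locally in the validator

if __name__ == "__main__":
    print(validate_chain(ANCHOR, CHAIN))
    print(validate_chain(ANCHOR, with_swapped_key(CHAIN, 2, b"\x09" * 64)))
    print(validate_chain(ANCHOR, with_swapped_key(CHAIN, 0, b"\x09" * 64)))
```

A key swapped at any lower zone is rejected because its parent’s digest no longer matches, while the root key has no parent and is accepted only because it matches the locally configured anchor.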
ICANN from the beginning
In 1983, a man named Jon Postel established the Internet Assigned Numbers Authority (IANA) at the University of Southern California. Mr. Postel created the IANA while USC was under contract with the Defense Advanced Research Projects Agency (DARPA). Until 1998, IANA, and all TLD control, was managed within the U.S. government itself. As the popularity of the Internet exploded in the mid-1990s from a consumer and commercial perspective, the IANA merged with several other Internet-governance groups to form ICANN. The new non-profit was then contracted to manage TLDs for the U.S. National Telecommunications and Information Administration (NTIA) from the time it formed until October 2016. It was at this point that the U.S. government relinquished control to ICANN. Now that the United States government is out of the picture, ICANN considers itself a global community that supports what they call a “vision of ‘one world, one Internet.’”
Now that the Internet is indeed a global network, some conclude that the decision to remove U.S. control over TLDs is a correct one. Others feel that a compromised ICANN can quickly become a national security threat. That said, as users of the free and global Internet, we must ensure that the necessary checks and balances are in place so that ICANN never becomes corrupted by groups or governments. In other words, we need to make sure protocols and transparencies are in place so we can all “watch the watchers.”