Google’s announcement that its Google Public DNS resolution service now supports DNSSEC is being applauded, but experts caution that despite Google’s high profile, this only puts a slight dent in a larger issue.
“I think it’s great that Google is getting involved and supporting validation for DNSSEC; it’s a terrific move forward,” said Ram Mohan, CTO at Afilias, a managed DNS provider and registry service. “It further establishes DNSSEC going mainstream. It used to be a technology running the risk of becoming isolated. Now it’s much more of a mainstream technology.”
DNSSEC, or DNS Security Extensions, digitally signs DNS records so that a validating resolver can detect forged responses. That curtails cache poisoning attacks, in which an attacker injects forged DNS responses into a resolver's cache and thereby redirects its users to malicious sites.
“Previously, we accepted and forwarded DNSSEC-formatted messages but did not perform validation,” explained Google Public DNS team lead Yunhong Gu. “With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains.”
Internet service provider Comcast completed its DNSSEC implementation 15 months ago, making it available as part of its Constant Guard consumer protection service. Comcast's and Google's efforts have significantly advanced awareness of DNSSEC and its capabilities, said Mohan, who cautioned that Google, unlike Comcast, has not turned on DNSSEC validation by default.
“Google is supporting validation, but it appears you have to ask for it to be turned on while with Comcast, it is turned on by default for everyone,” Mohan said. “I hope eventually Google turns it on by default.”
Nominum vice president of platforms and applications Craig Sprosts echoed the same sentiment in a statement to Threatpost: “Google support for DNSSEC validation provides more evidence of the value of protecting DNS resources. But their implementation falls short; only a tiny fraction of highly technical users benefit. In contrast, far larger providers of DNS services like Comcast protect all their users with DNSSEC.”
Since Dan Kaminsky’s well-publicized bug and patching effort in 2008, DNSSEC has been much more top of mind for domain registrars and DNS operators. Some top-level domains have been signed with DNSSEC, but that’s only part of the puzzle.
“Effective deployment of DNSSEC requires action from both DNS resolvers and authoritative name servers. Resolvers, especially those of ISPs and other public resolvers, need to start validating DNS responses,” Gu said. “Meanwhile, domain owners have to sign their domains. Today, about one-third of top-level domains have been signed, but most second-level domains remain unsigned. We encourage all involved parties to push DNSSEC deployment and further protect Internet users from DNS-based network intrusions.”
Cache poisoning attacks are particularly effective and dangerous because a single forged record in a resolver's cache affects every user of that resolver. Users who type in the name of a legitimate website can be redirected to a site controlled by a hacker that hosts malware that can put personal or corporate information at risk. DNSSEC uses public-key digital signatures, chained from the signed root zone down through each delegation, to authenticate DNS responses.
“DNSSEC effectively prevents response tampering because in practice, signatures are almost impossible to forge without access to private keys. Also, the resolvers will reject responses without correct signatures,” Gu said.
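A practitioner reading Mohan's remark that you have to "ask for" validation, and Gu's description of resolvers rejecting responses without correct signatures, will want to see what asking and rejecting look like on the wire. The following is an added example, not code from the original article and not Google's or Comcast's: it builds a query carrying an EDNS0 OPT record with the DO (DNSSEC OK) bit, which is how a client tells a resolver it wants DNSSEC-aware handling, and classifies a reply by the AD (Authentic Data) flag, which a validating resolver sets when the signature chain checked out, or by the SERVFAIL rcode it returns for data that fails validation. The sample responses are constructed header-only messages, not captured traffic; the only function that touches the network, `query_resolver`, runs only when a server and name are given on the command line. The transaction ID, qtype and payload size values are arbitrary choices for the example.

```python
"""Build DNSSEC-aware DNS queries (EDNS0 DO bit) and classify resolver replies.
Added example for this article, not Google's or Comcast's code; wire formats
follow RFC 1035 (header, question) and RFC 6891 (OPT record)."""
import socket
import struct

FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authentic Data: the resolver validated the answer
FLAG_CD = 0x0010  # Checking Disabled: client asks the resolver not to validate
RCODE_SERVFAIL = 2
QTYPE = {"A": 1, "AAAA": 28, "RRSIG": 46, "DNSKEY": 48}
TYPE_OPT = 41
EDNS_DO = 0x8000  # DNSSEC OK bit, the top bit of the OPT record's 16-bit flags

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype="A", txid=0x1234, dnssec_ok=True, checking_disabled=False):
    """Build a wire-format query; dnssec_ok appends an OPT record with DO set."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    opt = b""
    if dnssec_ok:
        # OPT pseudo-RR: root name, type 41, class = UDP payload size (4096 here),
        # TTL field = ext-rcode(8) | version(8) | flags(16), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt

def query_has_do(query):
    """True if a single-question query carries an OPT record with the DO bit set."""
    _, _, qdcount, _, _, arcount = struct.unpack("!HHHHHH", query[:12])
    pos = 12
    for _ in range(qdcount):
        while query[pos] != 0:  # skip each label of the question name
            pos += 1 + query[pos]
        pos += 1 + 4            # root terminator plus QTYPE/QCLASS
    for _ in range(arcount):
        if query[pos] != 0:
            return False        # an OPT record must sit at the root name
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", query[pos + 1:pos + 11])
        if rtype == TYPE_OPT:
            return bool(ttl & EDNS_DO)
        pos += 11 + rdlen
    return False

def parse_header(msg):
    """Decode the 12-byte header into the fields a client cares about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "response": bool(flags & FLAG_QR), "rcode": flags & 0x000F,
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD), "answers": ancount}

def classify(query, response):
    """Say what a DNSSEC-aware client learns from a response to `query`."""
    q, r = parse_header(query), parse_header(response)
    if not r["response"] or r["id"] != q["id"]:
        return "mismatch"    # wrong transaction ID: drop it, never cache it
    if r["rcode"] == RCODE_SERVFAIL:
        return "servfail"    # what a validating resolver returns for bogus data
    if r["ad"]:
        return "validated"   # the resolver asserts the signature chain checked out
    return "unvalidated"     # an answer came back, but nobody vouched for it

def query_resolver(server, name, qtype="A", timeout=3.0):
    """Send one UDP query to a resolver (needs network); returns (query, response)."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return query, response

# Constructed header-only replies to a txid 0x1234 query; not real traffic.
_RESP = FLAG_QR | FLAG_RD | FLAG_RA
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, _RESP | FLAG_AD, 1, 1, 0, 1)
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, _RESP, 1, 1, 0, 1)
SAMPLE_BOGUS = struct.pack("!HHHHHH", 0x1234, _RESP | RCODE_SERVFAIL, 1, 0, 0, 1)
SAMPLE_FORGED = struct.pack("!HHHHHH", 0x9999, _RESP, 1, 1, 0, 0)  # guessed txid

if __name__ == "__main__":
    import sys
    query = build_query("example.com")
    for label, resp in [("validated", SAMPLE_VALIDATED), ("unvalidated", SAMPLE_UNVALIDATED),
                        ("bogus", SAMPLE_BOGUS), ("forged", SAMPLE_FORGED)]:
        print("%-12s -> %s" % (label, classify(query, resp)))
    if len(sys.argv) == 3:  # e.g. python dnssec_check.py 8.8.8.8 example.com
        query, resp = query_resolver(sys.argv[1], sys.argv[2])
        print("%s says: %s" % (sys.argv[1], classify(query, resp)))
```

Two caveats worth keeping in mind when running this against a real resolver. First, a resolver that ignores the DO bit simply answers without AD, so "unvalidated" can mean either that the zone is unsigned or that the resolver did not validate; querying a domain known to be signed distinguishes the two. Second, the AD flag is a plain header bit on an unsigned reply, so it is only meaningful over a path you trust between the stub and the resolver; an on-path attacker on the last mile can set or clear it at will, which is why the quoted experts' point about validation being done by the resolver matters so much for users who do not validate themselves.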
Google Public DNS was launched in 2009 and according to the Google Online Security Blog, it serves 130 billion to 150 billion daily DNS queries from 70 million unique IP addresses. Gu said 7 percent of those queries are DNSSEC enabled, and one percent of DNS responses from name servers are signed.
“Overall DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,” Gu said.