Forum Thread: DNSSEC is slowly making the Internet safer

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as locked.
mogs DNSSEC is slowly making the Internet safer
Expert Contributor 21st Mar, 2013 17:52
Ranking: 2265
Posts: 6,266
User Since: 22nd Apr, 2009
System Score: 100%
Location: UK
Last edited on 21st Mar, 2013 18:06

Practicing safe DNS By Steven J. Vaughan-Nichols for Networking | March 20, 2013 -- 13:19 GMT (06:19 PDT)
The Internet's a dangerous place for an innocent Web browser to be searching alone for the right Web page, so the Domain Name System Security Extensions (DNSSEC) was created to make searching safer. That's the good news. The bad news is that DNSSEC adoption has been lagging. Now, Google has announced that it's supporting DNSSEC in its Google Public DNS service.
http://www.zdnet.com/practicing-safe-dns-with-goog...

How To Add DNSSEC Support To Google Chrome
DNSSEC provides a method to authenticate that you are in fact communicating with the site you think you are. It uses a “chain of trust” and digital signatures to check the validity of the information your computer receives from DNS.
But how can you as an end-user see whether the DNS information is correct?
If you are a user of the Google Chrome browser, the good news is that the team at CZ.NIC Labs have just released a “DNSSEC Validator” extension for Chrome that is similar to the existing add-on for Firefox and available at:
https://chrome.google.com/webstore/search-extensio...
You can also visit the Czech page at: http://labs.nic.cz/page/990/rozsireni-dnssec-valid...
After installation of the extension into Google Chrome, you’ll now see a green “key” icon whenever you browse to a website with DNSSEC enabled, such as www.internetsociety.org and this Deploy360 site:

www.internetsociety.org:
Domain is secured by DNSSEC.

twitter.com:
Domain has no DNSSEC signature.

I haven't found many green "key" icons yet....and I thought I went to all the right places !! mogs

--

taffy078 RE: DNSSEC is slowly making the Internet safer
Contributor 22nd Mar, 2013 07:23
Score: 408
Posts: 1,314
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 22nd Mar, 2013 07:24
thank you mogs

[edit] It's a pity that we can't give scores to the initial post on a thread. Some forums allow that.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
mogs RE: DNSSEC is slowly making the Internet safer
Expert Contributor 23rd Mar, 2013 19:45
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 23rd Mar, 2013 20:23
Internet Corporation for Assigned Names and Numbers DNSSEC – What Is It and Why Is It Important?

To reach another person on the Internet you have to type an address into your computer - a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn't have one global Internet. When typing a name, that name must be first translated into a number by a system before the connection can be established. That system is called the Domain Name System (DNS) and it translates names like www.icann.org into the numbers – called Internet Protocol (IP) addresses. ICANN coordinates the addressing system to ensure all the addresses are unique.
Recently vulnerabilities in the DNS were discovered that allow an attacker to hijack this process of looking someone up or looking a site up on the Internet using their name. The purpose of the attack is to take control of the session to, for example, send the user to the hijacker's own deceptive web site for account and password collection.
These vulnerabilities have increased interest in introducing a technology called DNS Security Extensions (DNSSEC) to secure this part of the Internet's infrastructure.
The questions and answers that follow are an attempt to explain what DNSSEC is and why its implementation is important.

Read more at :-
www.icann.org:
Domain is secured by DNSSEC.

http://www.icann.org/en/about/learning/factsheets/...

--
Was this reply relevant?
+4
-0
mogs RE: DNSSEC is slowly making the Internet safer
Expert Contributor 26th Mar, 2013 10:32
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 26th Mar, 2013 10:39
Google adds validation to DNSSEC

One small step by one giant foot
By Richard Chirgwin
Posted in Networks, 20th March 2013 01:45 GMT
Excerpt

What's it all about?

As readers will know, DNS – the Internet's lookup system that matches a readable URL (theregister.co.uk) to an IP address (92.52.96.89) – was originally based on trust, and it assumed that trust long after bad actors learned how to exploit the DNS to direct users to malicious sites.

To get some context for the announcement, The Register spoke to APNIC chief scientist Geoff Huston, who says it's a good move, partly because his research suggests Google is gaining importance as a DNS resolver.

In research that identified 2.5 million DNS clients, Huston said Google DNS was in use by as many as 15 percent of them, making it a big enough resolver to influence the rest of the industry.

Prior to this announcement, he explained, an address might resolve even though Google had not tested the DNS signature key against the site's certificate. With validation in place, Google is committing itself to signature-checking all responses. If there's a mismatch – which Huston noted could just as easily be because of an error rather than malice – Google will return a SERVFAIL (the impact of which is that the end user will get a "site not found" error).

“I've seen some very big sites that only worked by accidental glue”, he remarked. “Anyone doing proper DNSSEC on them will get a SERVFAIL from Google.

“You can't do DNS at 4.59 on a Friday afternoon! You have to follow the instructions to the letter, no shortcuts, no crap – because otherwise you will have a badly signed domain and a large amount of the internet won't see you any more. DNSSEC validation means anything wrong with a domain certificate, or the parent, all the way back to the root, makes a SERVFAIL.”

That, he said, will ultimately be a good thing because it will encourage sites to lift their game.

Huston believes any site that's entrusted with customer data should already be using DNSSEC. “I would expect all banks, all government sites, to use signed domains … if you haven't locked the DNS, it's close to negligence”.

There is, however, a hole in the local industry which may well be common worldwide. It's still very uncommon for companies selling domain name services to offer usable tools for site owners to create their own site signatures. That needs to change to become a basic part of the service, “because the beneficiary of DNSSEC signing is everybody”. ®
http://www.theregister.co.uk/2013/03/20/google_add...
www.theregister.co.uk:
Domain has no DNSSEC signature.

There's a lovely warm feel-good factor when finding one with the green key icon......mogs.

--
Was this reply relevant?
+1
-0
mogs RE: DNSSEC is slowly making the Internet safer
Expert Contributor 27th Mar, 2013 11:04
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 27th Mar, 2013 11:41
More information. Google starts supporting DNSSEC
Kevin Murphy, March 21, 2013, 14:05:39 (UTC), Domain Tech
Google has started fully supporting DNSSEC, the domain name security standard, on its Public DNS service.

According to a blog post from the company, while the free-to-use DNS resolution service has always passed on DNSSEC requests, now its resolvers will also validate DNSSEC signatures.

What does this mean?

Well, users of Public DNS will get protected from DNS cache poisoning attacks, but only for the small number of domains (such as domainincite.com) that are DNSSEC-signed.

It also means that if a company borks its DNSSEC implementation or key rollover, it’s likely to cause problems for Public DNS users. Comcast, an even earlier adopter, sees such problems pretty regularly.

But the big-picture story is that a whole bunch of new validating resolvers have been added to the internet, providing a boost to DNSSEC’s protracted global roll-out.

Google said:

Currently Google Public DNS is serving more than 130 billion DNS queries on average (peaking at 150 billion) from more than 70 million unique IP addresses each day. However, only 7% of queries from the client side are DNSSEC-enabled (about 3% requesting validation and 4% requesting DNSSEC data but no validation) and about 1% of DNS responses from the name server side are signed. Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment.

One has to wonder whether Google’s participation in the ICANN new gTLD program ( see ref. below ) — with its mandatory DNSSEC at the registry level — encouraged the company to adopt the technology.

http://domainincite.com/12344-google-starts-suppor...

domainincite.com:
Domain is secured by DNSSEC.

Reference :-
Icann launches brand database for trademarks
Firms are concerned that new web addresses will damage their brands
Net address regulator Icann has launched a database to allow businesses to register their brands, ahead of the release of a raft of new domain names.
It is hoped the Trade Mark Clearing House (TMCH) will mitigate concerns about cyber-squatting and trademark infringement.
Nearly 2,000 new suffixes, known as generic top-level domains (gTLD), will be introduced later this year.
http://www.bbc.co.uk/news/technology-21938359
www.bbc.co.uk:
Domain has no DNSSEC signature.

--
Was this reply relevant?
+1
-0
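The two quoted articles above say a validating resolver answers SERVFAIL when signature checking fails and otherwise passes signed data through. As an added example (not from the thread or the quoted articles), this sketch sets the DNSSEC flags on a query and classifies a reply using the RFC 4033 terms secure, insecure and bogus; the function names and the header-only sample replies are constructed for illustration, and a validating resolver is assumed.

```python
import struct

# DNS header flag bits and response codes (RFC 1035, RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
NOERROR, SERVFAIL = 0, 2
DO = 0x8000  # EDNS0 "DNSSEC OK" bit, carried in the OPT record's TTL field

def build_query(name, qid=0x1234, checking_disabled=False):
    """Build an A query that requests DNSSEC data (DO set); CD is optional."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1)  # 1 question, 1 OPT
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, DO, 0)
    return header + question + opt

def parse_flags(packet):
    """Extract RCODE and the AD/CD bits from a DNS message header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", packet[2:4])[0]
    return {"rcode": flags & 0x000F, "ad": bool(flags & AD), "cd": bool(flags & CD)}

def diagnose(normal, retry_cd=None):
    """Classify a lookup from the normal reply and an optional CD=1 retry."""
    first = parse_flags(normal)
    if first["rcode"] == NOERROR:
        # AD set: the resolver validated the answer. AD clear: unsigned zone
        # (or a resolver that does not validate, which is assumed away here).
        return "secure" if first["ad"] else "insecure"
    if first["rcode"] == SERVFAIL and retry_cd is not None:
        # Data exists once checking is disabled: validation was what failed.
        if parse_flags(retry_cd)["rcode"] == NOERROR:
            return "bogus"
    return "error"

def sample_response(rcode, ad=False, cd=False):
    """Constructed header-only reply, standing in for a resolver's answer."""
    flags = QR | RD | RA | (AD if ad else 0) | (CD if cd else 0) | rcode
    return struct.pack("!6H", 0x1234, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    print(diagnose(sample_response(NOERROR, ad=True)))
    print(diagnose(sample_response(SERVFAIL), sample_response(NOERROR, cd=True)))
```

The CD=1 retry is for diagnosis only: it separates a badly signed zone from an unrelated server failure, and its answer should not be trusted as validated data.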
mtodorov RE: DNSSEC is slowly making the Internet safer
Member 27th Mar, 2013 14:11
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
Last edited on 27th Mar, 2013 14:13
Hi, @mogs,

I've read three articles about DNSSEC and I failed to learn about the size of keys and performance penalty of signing each DNSSEC request.

Do you think that average DNS server will be able to satisfy DNSSEC requests with existing hardware?

Thanks,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
Was this reply relevant?
+0
-0
mogs RE: DNSSEC is slowly making the Internet safer
Expert Contributor 27th Mar, 2013 16:58
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@mtodorov

Thanks for the reply/query.
I'm learning a little more about it myself each day as I find the articles......more from the perspective/viewpoint of an unparanoid individual...(The Internet's a dangerous place for an innocent Web browser to be searching alone for the right Web page)....than the corporate/enterprise situation.
It "sounds" to me like you may have already had some experience in setting things up from that standpoint.....already aware of aspects of it that I haven't got to yet.....or may never need to, personally.
My posts are intended to raise some awareness as to recent/current events concerning.
I am not ignorant of the fact that there might be financial considerations/restraints which may inhibit DNSSEC adoption/progress....but the costs of not doing so may far outweigh ?
How safe it could be.....yet how so very far away ?
Obviously it's possibly easier for Google to implement advantages/strategies etcetera ; than a small business.....but it also affects everybody when they get home at the end of the day ?

Regards.....mogs


--
Was this reply relevant?
+2
-0
mogs RE: DNSSEC is slowly making the Internet safer
Expert Contributor 27th Mar, 2013 19:02
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 27th Mar, 2013 19:04

African TLDs, ISPs implement DNSSEC to attract more users
The move is meant to increase Internet use by ensuring better security

By Rebecca Wanjiku | 27 March 13
Africa's country code top-level domains and Internet service providers have implemented DNSSEC (Domain Name System Security Extensions) in order to attract more users.

DNSSEC is a security protocol that guards against online fraud, identity theft and hijacking of websites. It ensures users that the communication between an application and organization is trustworthy and is not susceptible to eavesdropping, tampering and other online threats.

Tanzania, Uganda and Gabon are the latest TLDs to implement DNSSEC, while Namibia and Seychelles had implemented earlier. In some countries, ISPs have also put in place DNS-aware servers that allow end users to validate sites with DNSSEC. For instance, Egypt TLD has not implemented DNSSEC but Linkdotnet offers DNSSEC validation. Other countries with ISPs offering validation are Libya, Equatorial Guinea, Djibouti, Algeria, Zambia, Angola and South Africa.

"People buying .Tz domain will be assured of security especially when doing business online -- DNSSEC implementation has added an extra layer of security, increasing the value of .Tz," said Abibu Ntahigiye, TZNIC (.tz domain registry) manager.

Read more: http://www.pcadvisor.co.uk/news/security/3437481/a...

--
Was this reply relevant?
+1
-0
mogs RE: DNSSEC is slowly making the Internet safer
Expert Contributor 2nd Apr, 2013 13:39
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Information

CENTR.ORG secured with DNSSEC
(First) Published on: Friday, December 14, 2012 - 00:52
CENTR, the European ccTLD organization, and its site & domain hosting partner Openminds deployed DNSSEC on the centr.org domain name.
DNSSEC significantly improves the security of the Internet user by reducing the risks that information can be changed or tampered with during its transfer over the Internet, for example between an online-banking website and the client.

CENTR’s request to sign centr.org was the impetus for Openminds to prioritize the planned upgrade of its infrastructure and so become one of the first Belgian hosting companies allowing its clients to add security extensions to their domain names.
92% of European ccTLD registries – the companies responsible for the management of national domains such as .nl for the Netherlands or .be for Belgium – are offering or are preparing their systems to soon start offering DNSSEC signed names. Simple online tools such as the Swedish dnscheck.iis.se allow users to check if a domain name is signed with DNSSEC.

More about DNSSEC:
http://www.internetsociety.org/deploy360/dnssec/
http://www.dnssec.nl (in Dutch)

About CENTR
CENTR, the European ccTLD organization, is the world’s largest Internet Domain Name Association. CENTR has over 50 members which together account for roughly 80% of country code domain name registrations worldwide.
More about CENTR at www.centr.org

--
Was this reply relevant?
+1
-0
