DHS moves to strengthen domain name servers
- By Dan Campbell
- May 22, 2008
The Homeland Security Department's Science and Technology Directorate has awarded a contract to Secure64 Software to increase the security of the Internet's Domain Name Servers (DNS).
DNS is one of the most critical back-end processes on the Internet or any other IP network, but it operates somewhat transparently. DNS alleviates the burden of memorizing a Web site's IP address, instead allowing the user to type in a simple domain name such as www.dhs.gov. The Internet would not be functional from a practical perspective without DNS.
But despite its importance, most DNS implementations are not secured, leaving DNS transactions vulnerable to attacks such as pharming, cache poisoning and DNS redirection.
Pharming occurs when a hacker exploits DNS or host-file vulnerabilities on a computer to redirect the person to a Web site other than the one intended. These fraudulent sites may appear similar to the site the person was attempting to reach, confusing the person and perhaps tricking him or her into revealing sensitive information that can be used to commit identify theft or other crimes.
Cache poisoning occurs when an attacker tricks a DNS into accepting falsified IP addresses for Web sites, which are then cached or stored temporarily by the servers. Because DNS servers do not flush their caches for a set period of time, the false information may lead many users to fraudulent Web sites that contain viruses or malware.
DNS redirection plays a role in pharming and cache poisoning by providing the IP addresses of the phony Web servers during the DNS query process.
Domain Name System Security Extensions (DNSSEC) is a secure form of DNS that ensures transactions are legitimate, accurate and trustworthy. Although DNSSEC has been around for a while, it's complexity with respect to key management and zone signing ' perhaps coupled with the relative simplicity of regular DNS ' has hampered its widespread adoption. Many network administrators see the process of managing, securing and updating the keys as too great a burden. Additionally, many security administrators feel that the vulnerability in DNS server operating systems could allow the keys to be compromised. Consequently, the market for commercial DNS products is weak.
Part of the attraction of Secure64 is its Genuinely Secure SourceT micro Operating System that Secure64 said is 'immune to compromise from rootkits and malware and is resistant to denial-of-service attacks.' Secure64's product, which includes a secure DNS solution based on DNSSEC, will be supplemented with an incremental signing feature that will increase the security of DNS transactions.
The $1.2 million contract with Secure64, of Greenwood Village, Colo., will simplify and automate DNSSEC deployment. The goal is to provide a solution that serves not only the U.S. government but other organizations, businesses and service providers worldwide.
The Secure64 product is deployed as a network appliance and can fit seamlessly into an organization's existing DNS architecture. Alternatively, the product can replace an existing DNS.
The Secure64 product must also support IPv6 to comply with the Office of Management and Budget's IPv6 mandate. Secure64 supports the resolution of IPv6 DNS transactions and AAAA DNS records transported over IPv4. Support for transactions over a dual-stack IPv4 / IPv6 environment is planned for later this year, with the development to occur outside this project contract.
Dan Campbell is a freelance writer with Government Computer News and the president of Millennia Systems Inc.