Why I’m long DNS

By Thad Dupper, CEO of Secure64 Software Corporation

5G will drive DNS traffic to grow by 10x

As most know, the Domain Name System (DNS) translates domain names (e.g., www.google.com) into IP addresses. This system, which has been a critical part of the internet infrastructure since the early days, is now poised to experience a dramatic increase in traffic due to emerging industry trends.

This increase is driven by our expanding and shifting technology usage patterns. Originally voice-driven, then text-driven, telephony is now overwhelmingly a data-driven medium. As we prepare for the arrival of 5G, that trend will only accelerate, as underscored by a recent Ericsson report predicting that by 2024, 95% of subscribers will consume mobile broadband.

From a Mobile Network Operator (MNO) perspective, the migration to 5G is essential to re-ignite their business models. As we have witnessed over the past decade, subscriber growth rates have flattened in all but a few developing markets. Today, anyone who wants a smartphone likely has one. GSMA reports there are currently 5.1B subscribers in the world, and last year’s growth rate was a tepid 2.88%. The implication: the heady days of double-digit subscriber growth are long gone, and many MNOs are left with today’s reality of single-digit churn and zero-sum price wars. Further, many of today’s subscribers have unlimited data plans, which also limits the potential for revenue growth. If you are John Legere or any other CEO of an MNO, your ability to grow revenues is extremely limited.

Enter 5G

With its significant increase in bandwidth, 5G promises to position MNOs to pursue new areas of growth, including the lucrative residential market today dominated by the cable operators. As the bedrock of a successful mobile broadband strategy, 5G will allow MNOs to compete with today’s cable companies by dramatically lowering the cost of delivering a gigabyte.

A recent McKinsey report grouped the 5G use cases into three categories: enhanced mobile broadband, IoT, and mission-critical applications.

Begin with enhanced mobile broadband, and take my own household, with two teenagers, as an example. Today we spend $253/month for broadband service and a similar amount ($260/month) for wireless service. With our business clearly in their sights, each company will vie for the other’s share of it. With its higher bandwidth (projected to be 20x the rate of 4G LTE, attaining download speeds of 20 Gb/s), 5G is expected to enable the MNO to pursue a “cut the cord” strategy and thereby absorb some, if not all, of our monthly $253 cable bill.

Keeping with our household example — today we routinely consume over 700 Gb/month. However, on our wireless plan we consume, on average, only 8 Gb/month. The math is clear — if our wireless provider wants to capture our home business, they’ll need to handle a significant increase in data traffic – in our case on the order of 100x.


For this reason alone, the DNS traffic on an MNO 5G network will dramatically increase – but that’s not the only reason.

VoIP/VoLTE

The next area driving DNS growth is the migration from traditional circuit-switched voice traffic to IP-based communications. To be clear, this migration, known as Voice over IP or VoIP, has been underway for some time now. One of the benefits of this change is the availability of new value-added features such as follow-me services, where callers can ring your desk or smartphone – or both – at the same time. The next iteration of VoIP is VoLTE (Voice over LTE), which leverages the IMS architecture. IMS includes, among other things, the ENUM DNS protocol, which allows carriers to map a telephone number to an IP address. Without getting too wonky, ENUM is enabled by a special Naming Authority Pointer (NAPTR) DNS record that allows phone numbers to be translated into e164 DNS record formats, which in turn enables VoLTE services. As carriers around the world accelerate their migration to VoLTE, there will be a need for more DNS capacity.
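As an added illustration (not Secure64 code), here is the ENUM mapping the paragraph describes: the E.164 number is reversed digit by digit under e164.arpa, and the NAPTR regexp field is applied to the number to obtain a SIP URI. The NAPTR records and phone numbers are constructed for the example.

```python
"""ENUM: E.164 phone number -> e164.arpa name -> NAPTR regexp -> SIP URI.
Added example; records and numbers are constructed."""
import re
from typing import List, NamedTuple, Optional

ENUM_APEX = "e164.arpa."   # ENUM tree defined by RFC 6116


class Naptr(NamedTuple):
    order: int
    preference: int
    flags: str        # "u": the regexp yields a terminal URI
    service: str      # e.g. "E2U+sip"
    regexp: str       # "!pattern!replacement!flags", delimiter = first character


def enum_domain(e164: str) -> str:
    """'+15551234567' -> '7.6.5.4.3.2.1.5.5.5.1.e164.arpa.' (RFC 6116 section 2.1)."""
    if not e164.startswith("+"):
        raise ValueError("E.164 numbers must start with '+'")
    digits = [c for c in e164[1:] if c.isdigit()]   # separators/spaces are dropped
    if not digits:
        raise ValueError("no digits in number")
    return ".".join(reversed(digits)) + "." + ENUM_APEX


def apply_regexp(field: str, number: str) -> Optional[str]:
    """Apply a NAPTR regexp field to the original number; None if it does not match.
    Escaped delimiters inside the field are not handled (kept simple on purpose)."""
    delim = field[0]
    parts = field.split(delim)            # "!a!b!" -> ["", "a", "b", ""]
    if len(parts) != 4 or parts[0] != "":
        raise ValueError(f"malformed regexp field: {field!r}")
    _, pattern, replacement, flags = parts
    compiled = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    if not compiled.search(number):
        return None
    return compiled.sub(replacement, number, count=1)   # \1 back-references work as in ERE


def resolve_uri(number: str, records: List[Naptr], service: str = "E2U+sip") -> Optional[str]:
    """Pick the first usable terminal record by (order, preference), per RFC 3403."""
    for rr in sorted(records, key=lambda r: (r.order, r.preference)):
        if rr.service.lower() != service.lower() or "u" not in rr.flags.lower():
            continue
        uri = apply_regexp(rr.regexp, number)
        if uri is not None:
            return uri
    return None


# Constructed records, as a carrier might publish them at the number's ENUM name.
SAMPLE_RECORDS = [
    Naptr(100, 10, "u", "E2U+sip", r"!^\+1555(.*)$!sip:\1@voip.example.net!"),
    Naptr(100, 20, "u", "E2U+sip", r"!^.*$!sip:fallback@voip.example.net!"),
    Naptr(102, 10, "u", "E2U+email:mailto", r"!^.*$!mailto:alice@example.net!"),
]

if __name__ == "__main__":
    number = "+15551234567"
    print(enum_domain(number))                 # the name a VoLTE core would query
    print(resolve_uri(number, SAMPLE_RECORDS))  # the SIP URI the call is routed to
```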

IoT


Today, when we think of DNS, what comes to mind is a subscriber on a browser translating a domain name into a corresponding IP address. Beyond that functionality, DNS systems have evolved to provide a wide range of protections against cyber-attacks. The most notable are denial of service (DDoS) attacks, but increasingly MNOs are leveraging their DNS to help protect users from reaching internet locations that are known malware, phishing or bot command and control sites. In many cases, an end user might not even know their smartphone or laptop is trying to access one of these blacklisted sites. That’s because their device has become infected with a virus that attempts to hijack the device and steer it to a site where bad things are likely to occur, such as stealing personal data – or encrypting your hard drive in a ransomware scheme.


DNS protects against this via the use of a blacklist. DNS vendors like Secure64 provide near real-time services that deliver up-to-the-minute threat intelligence updates to populate a carrier’s DNS blacklist. These blacklists contain thousands, if not millions, of domain names known to be malicious. In our case, we brand our subscription-based threat intelligence feeds as TotalGuard™.


Now getting to IoT: we know the world is becoming an ever more connected place, at an ever-increasing pace. The DNS use case for an IoT device is basically the reverse of the blacklist. With IoT devices there is a whitelist, a list of addresses the IoT device is permitted to access. Take a Nest camera installed on a driveway. When the camera detects motion, an alert (usually via SMS) is sent to the owner’s smartphone, notifying them of the movement with a screenshot of the activity. From a technical point of view, the IoT device – the Nest camera – is permitted to contact only a very restricted list of contacts or locations: in this case, the registered owners and the website where the streaming video is stored (a Google domain). The whitelist for this device would then be the owner, perhaps their spouse and the Google Nest domain. That’s it, and if the Nest camera tries to communicate with any other IP address, the network provider knows the device has become infected; it would notify the subscriber and, in some cases, perform a remote wipe, thereby cleaning the device of its infection.

As IoT devices proliferate, so will the DNS communications and features needed to support them.
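To make the two policy modes above concrete, here is an added example (not TotalGuard or any other Secure64 code) that applies them to a few constructed resolver query-log lines: ordinary subscribers are checked against a threat-intelligence blacklist, the camera at 10.0.0.7 against its own whitelist, and any query that trips either rule flags the device for notification. Domain matching is done label by label so that look-alike names do not slip through.

```python
"""Resolver-side DNS policy: subscriber blacklist plus per-device IoT whitelist.
Added example; all domains, addresses and log lines are constructed."""
from typing import Dict, List, NamedTuple, Set, Tuple


class Decision(NamedTuple):
    client: str
    qname: str
    action: str     # "resolve", or "block+flag" (block and notify the subscriber)
    reason: str


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def in_domain(qname: str, zone: str) -> bool:
    """True when qname equals zone or is a subdomain of it (label-wise, not substring)."""
    q, z = normalize(qname), normalize(zone)
    return q == z or q.endswith("." + z)


def matches_any(qname: str, domains: Set[str]) -> bool:
    return any(in_domain(qname, d) for d in domains)


class Policy:
    def __init__(self, blacklist: Set[str], whitelists: Dict[str, Set[str]]):
        self.blacklist = blacklist      # threat-intel feed: malware, phishing, C2 domains
        self.whitelists = whitelists    # client address -> the only domains it may reach

    def decide(self, client: str, qname: str) -> Decision:
        if client in self.whitelists:   # IoT device: anything off-list means compromise
            if matches_any(qname, self.whitelists[client]):
                return Decision(client, qname, "resolve", "whitelisted for this device")
            return Decision(client, qname, "block+flag", "not on device whitelist")
        if matches_any(qname, self.blacklist):
            return Decision(client, qname, "block+flag", "blacklisted domain")
        return Decision(client, qname, "resolve", "no policy match")


def parse_log_line(line: str) -> Tuple[str, str]:
    """'<timestamp> <client> <qname> <qtype>' -> (client, qname); constructed format."""
    _ts, client, qname, _qtype = line.split()
    return client, qname


def apply_policy(policy: Policy, log: List[str]) -> List[Decision]:
    return [policy.decide(*parse_log_line(line)) for line in log]


def flagged_clients(decisions: List[Decision]) -> Set[str]:
    """Devices the operator should notify (or remotely clean), per the text above."""
    return {d.client for d in decisions if d.action == "block+flag"}


# Constructed policy data and query log.
BLACKLIST = {"evil-c2.example", "login-paypa1.example"}
WHITELISTS = {"10.0.0.7": {"nest.example", "owner-phone.example"}}   # the driveway camera
LOG = [
    "2019-06-01T10:00:01Z 10.0.0.7 nexus.nest.example. A",
    "2019-06-01T10:00:02Z 10.0.0.7 evil-c2.example. A",
    "2019-06-01T10:00:03Z 10.0.0.7 updates.nest.example.attacker.example. A",
    "2019-06-01T10:00:04Z 10.0.0.12 www.google.com. A",
    "2019-06-01T10:00:05Z 10.0.0.12 beacon.evil-c2.example. A",
    "2019-06-01T10:00:06Z 10.0.0.12 notevil-c2.example. A",
]

if __name__ == "__main__":
    results = apply_policy(Policy(BLACKLIST, WHITELISTS), LOG)
    for d in results:
        print(f"{d.client:10s} {d.qname:45s} {d.action:10s} {d.reason}")
    print("flag for notification:", sorted(flagged_clients(results)))
```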


Mission-Critical Applications

Mission-critical services will be those enabled by 5G’s high bandwidth and high reliability. These include autonomous vehicles, advanced industrial and residential controls (including the connected home), and medical applications where telesurgery becomes feasible. In all these cases 5G will deliver a higher level of service where a loss of connectivity or high latency cannot be tolerated.

Streaming/Gaming/Virtual Reality/Arcades

As we were reminded recently by Apple, companies are making enormous investments to introduce new and sophisticated streaming services; Netflix, Amazon Video, YouTube, Hulu and Roku are just a few. Gaming and video services under development today with 5G networks in mind are expected to be highly interactive. In addition, Virtual Reality systems will rely on 5G’s speed and capacity to stream VR content, with the potential to enable new services such as virtual marketing and virtual tourism. All these services greatly increase network traffic, which in turn increases the need for additional DNS capacity.


Summary

DNS traffic is going to dramatically increase with the arrival of 5G driven by:

– increasing data bandwidth and consumption
– the migration to VoIP/VoLTE
– the proliferation of IoT devices
– new 5G-enabled mission-critical applications
– advances in VR and interactive gaming services

The takeaway — the future is approaching (as it always does) faster than we expect, with Ericsson predicting that by 2024 5G will reach 40% worldwide coverage with 1.5 billion subscribers, making it the fastest generation ever rolled out on a global scale.

At Secure64 we work with our customers – carriers, enterprises and government agencies – every day to ensure their DNS infrastructure is highly performant, extremely secure and scalable for both today’s needs as well as those for the next generation – 5G.

It is for these reasons I’m long DNS – and you should be too.

Avoid the DNS outage that could cost you the C-suite

By Steve Goodbarn

Co-founder and Chairman, Secure64

Summary of an article published in The Business Journals.

A DNS outage will take your business offline – and potentially your job with it. It is time to make DNS security a critical focus for companies.

“Long taken for granted as a utility, DNS is the critical, pervasive system that touches all internet-connected devices and services, yet represents the Achilles heel in internet security today.”

In his article, Steve examines the importance of the DNS and its vulnerabilities. Beginning with a discussion of the need for capacity and both genetic and geographic diversity, he then moves to attacks on the DNS – redirection, cache poisoning and, more prevalent, distributed denial of service (DDoS) attacks. He then provides a checklist that companies should employ to ensure the continuity of their online business.

The threat of attack, while scary, is a real possibility—particularly for companies that have not yet taken the proper precautions to defend against attacks on the DNS. A secure, self-protecting DNS and implementation of DNS Security Extensions (DNSSEC) are critical checks for all companies conducting business online. Not securing your DNS is more than just putting the business on the line: a breach could cost you your career.

Dyn, BIND and DNS Strategy


On October 21, 2016, leading websites including Twitter, Netflix and Spotify were severely interrupted by an attack on DNS hosting provider Dyn. Many service providers experienced degradation in their DNS services because attempts to access popular web sites resulted in a SERVFAIL response. So is it time to review your DNS strategy?


Here are the reasons to do so:

#1.

DNS is the telephone directory of the internet. If DNS performance is degraded, then IP-based services degrade. The Dyn attack clearly shows that firewalls and cloud defenses alone don’t provide enough protection for DNS. The DNS platform itself needs to be robust and self-protecting.

#2.

On November 1st a critical vulnerability, CVE-2016-8864, was issued that affects BIND-based DNS systems. This bug allows a remote DDoS attack. This is the 7th such BIND vulnerability this year, and the 25th critical BIND vulnerability in the last 4 years – each one creating the need to drop everything and patch. Most DNS is based on ISC BIND or commercial varieties of BIND (e.g. Infoblox, F5, Cisco, Huawei, ZTE, Nokia, Ericsson). BIND is basically free open-source software, and you get what you paid for.

#3.

All software has bugs and vulnerabilities, but some software is better than other software. At the least, a diversified DNS technology strategy gives you an insurance policy: cyber attacks tend to affect different DNS implementations in different ways. Keep in mind that ISC BIND and Infoblox do not make a diversified DNS technology strategy – they are both BIND.


#4.

If you are scoping out a DNS review, don’t forget to consider the operating system. We know the internet is being attacked by IoT devices (cameras, routers and even toasters!), and this is all because the OS and passwords are neglected. Unlike other technologies in the network, the DNS OS can be deployed in a hardened form or a genuinely secure form to resist rootkits and malware.

#5.

Secure64 offers self-protecting authority and caching servers that are built on a proprietary and highly secure micro OS, or with a secure Linux kernel – no BIND, no security devices needed.

Isn’t it time to diversify your DNS?


Blocking Attacks from the Incredibly Insecure Internet of Things (IIIoT)


In the wake of the massive attack against DNS provider Dyn, we as a security industry need to ask ourselves: “what the hell are we going to do about dumb, insecure IoT devices being turned into a bot army?”

In the fallout after the attack, security experts are tasking end users, device manufacturers, hosting providers and ISPs to prevent its recurrence. End users need to change passwords, device manufacturers need to harden their devices, hosting providers need to grow their capability and ISPs need to detect spoofed IPs. Potentially the easiest and fastest way to block massive DDoS attacks is to use the Domain Name System to detect and mitigate bots.


The DNS Knows

The DNS is an incredibly good place to detect and prevent bot activity. Because IP addresses change, every piece of malware needs to call home to get instructions, and when it does so, it queries the DNS. When that query tries to reach a known command and control center or phishing site, the DNS can hang up the phone, preventing the malware from getting instructions and participating in a denial of service attack.

Every network that serves IoT devices could prevent their widespread use as a botnet by implementing this service – and Congress wants ISPs to act. The co-founder of the Senate Cybersecurity Caucus, Senator Mark Warner, asked what network management practices could be adopted by ISPs to repel traffic that might emanate from botnets. Although using the DNS to identify and block bots would not help them repel traffic, it would prevent devices on the ISP’s network from participating in a botnet. Such a service protects the very Internet itself by using the backbone of the Internet to detect and then prevent bot activity.

To learn more about using the DNS to block bots, watch the recorded Secure64 webinar, “Defending with DNS.”

DNS Hosting – the problem with centralization

Recently, Robert Reich argued that the centralization of DNS on the “platforms of giants” has led to the vulnerability of the internet, as witnessed by the massive assault on DNS provider Dyn. Last Friday’s attack led to problems accessing popular sites, including Twitter, Reddit, PayPal and Netflix, and has left the world reeling. Our dependence on the internet and the scope of this attack drive the need for answers.

Reich argues that to prevent these colossal assaults, we need to retain the original structure of the internet – a widely distributed, decentralized system, which is counter to the belief that there is safety in numbers.

DNS hosting services have led to much greater centralization than the internet was originally designed for, it is true. But this service has been essential to many organizations, including small businesses, which lacked domain expertise and capital. Customers of hosting services have enjoyed enterprise-level hosting, including protection against denial of service, which requires specialized expertise.

But what happens when your DNS host is unable to protect you from the attack and, indeed, your customers cannot reach your website BECAUSE you are on that service – you are dragged down beneath the waves with your fellow tenants to drown? This is where Reich’s analogy makes quite a bit of sense – and it raises a series of questions. Do you become more vulnerable as each tenant is added? Is the risk worth the reward? Do you have the resources to go it alone and self-host, and should you?

If you are considering this potential strategy in the wake of the attack, you should know that you can actually increase your DNS security by requiring a secure architecture that provides built-in protection against high-volume DDoS attacks.

Performing a signing algorithm rollover is not for the faint of heart

We are proud of our DNSSEC heritage here at Secure64. We launched the first fully automated DNSSEC signing appliance in 2008, just weeks after security researcher Dan Kaminsky made public the flaws in the DNS protocol that DNSSEC addresses. Our goal from the very beginning was to make deploying DNSSEC simple and secure. And we are now fortunate to be trusted by many organizations including top level domains, regional internet registries, government agencies and communication service providers to secure their DNS infrastructure with DNSSEC.

So when our friends at RIPE approached us for help in performing an algorithm rollover, we jumped right in. RIPE uses our DNS Signer product to sign the reverse zones that they manage. Like other early adopters of DNSSEC, RIPE had been signing their zones for many years with the RSA SHA1 algorithm. However, this algorithm had recently been found to be insufficiently strong, and RIPE wanted to transition to the stronger RSA SHA2 algorithm.

But changing a signing algorithm without breaking the chain of trust that DNSSEC relies upon is not for the faint of heart. It is extremely complicated, as it requires signing the zones with two different algorithms, waiting for a critical period of time, publishing the second signing key, waiting again, and finally removing the old signing key from the parent zone. And if any one step is performed incorrectly, your domain could be wiped off the internet. Ouch.

At the time, our DNS Signer product was able to sign a zone with a single algorithm, but not with two, which is what is required to roll an algorithm without breaking the critical chain of trust. Our development team worked closely with RIPE throughout their well-designed test process to ensure that the rollover would be completed successfully. And we all learned some important lessons on best practices when we hit an unexpected snag with other validating resolvers during testing that had to be worked through.

But thanks to RIPE’s pioneering efforts, Secure64 Signer customers can now roll their signing algorithms with confidence.
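The ordering constraints described above can be rehearsed before anything touches production. The following added example (not Secure64 Signer or RIPE tooling) models the conservative rollover order of RFC 6781 against a strict validator, and shows that pushing the new key and DS before the double signatures have propagated breaks the chain of trust; the algorithm numbers 5 (RSASHA1) and 8 (RSASHA256) are the IANA values, and the strict validator rule is the one the rollover is designed to survive.

```python
"""Dry-run checker for a DNSSEC signing-algorithm rollover (RSASHA1 -> RSASHA256).
Models the conservative rollover order of RFC 6781 section 4.1.4 against the
strictest validator reading, where every algorithm announced in the DNSKEY or
DS RRset must sign every RRset. Added example; not Secure64 or RIPE code."""
from dataclasses import dataclass, replace
from itertools import product
from typing import FrozenSet, List, Sequence, Tuple

RSASHA1, RSASHA256 = 5, 8          # IANA DNSSEC algorithm numbers
Algs = FrozenSet[int]


@dataclass(frozen=True)
class State:
    dnskey: Algs   # algorithms present in the apex DNSKEY RRset
    rrsig: Algs    # algorithms with which EVERY RRset in the zone is signed
    ds: Algs       # algorithms of the DS records held by the parent zone


def strict_validator_ok(dnskey: Algs, rrsig: Algs, ds: Algs) -> bool:
    """Some DS must match a published DNSKEY, and each announced algorithm
    must have signatures over the whole zone (RFC 4035 section 2.2, read strictly)."""
    return bool(ds & dnskey) and (ds | dnskey) <= rrsig


def apply_action(state: State, action: Tuple) -> State:
    """Actions: ("wait",) or ("<dnskey|rrsig|ds>_<add|remove>", algorithm)."""
    kind, *args = action
    if kind == "wait":                          # operator waits out the relevant TTLs
        return state
    field_name, op = kind.split("_")
    current: Algs = getattr(state, field_name)
    updated = current | {args[0]} if op == "add" else current - {args[0]}
    return replace(state, **{field_name: updated})


def run_plan(start: State, plan: Sequence[Tuple]) -> List[Tuple[str, bool]]:
    """Return (action, chain-of-trust intact) per non-wait step. Until a wait,
    a validator's cache may hold any mix of the values each RRset has had since
    the previous wait, so every such combination must validate."""
    seen = {"dnskey": {start.dnskey}, "rrsig": {start.rrsig}, "ds": {start.ds}}
    state, results = start, []
    for action in plan:
        state = apply_action(state, action)
        if action[0] == "wait":
            seen = {f: {getattr(state, f)} for f in seen}   # old data has expired
            continue
        for f in seen:
            seen[f].add(getattr(state, f))
        ok = all(strict_validator_ok(k, s, d)
                 for k, s, d in product(seen["dnskey"], seen["rrsig"], seen["ds"]))
        results.append((" ".join(map(str, action)), ok))
    return results


def plan_is_safe(start: State, plan: Sequence[Tuple]) -> bool:
    return all(ok for _, ok in run_plan(start, plan))


START = State(frozenset({RSASHA1}), frozenset({RSASHA1}), frozenset({RSASHA1}))

# Conservative order: double-sign, wait, publish the new key, wait, swap the DS,
# wait, retire the old key, wait, drop the old signatures.
CONSERVATIVE = [
    ("rrsig_add", RSASHA256), ("wait",),
    ("dnskey_add", RSASHA256), ("wait",),
    ("ds_add", RSASHA256), ("ds_remove", RSASHA1), ("wait",),
    ("dnskey_remove", RSASHA1), ("wait",),
    ("rrsig_remove", RSASHA1),
]
# Hasty order: new signatures, key and DS all pushed before anything has propagated.
HASTY = [
    ("rrsig_add", RSASHA256), ("dnskey_add", RSASHA256), ("ds_add", RSASHA256), ("wait",),
    ("ds_remove", RSASHA1), ("dnskey_remove", RSASHA1), ("rrsig_remove", RSASHA1),
]

if __name__ == "__main__":
    for name, plan in (("conservative", CONSERVATIVE), ("hasty", HASTY)):
        for step, ok in run_plan(START, plan):
            print(f"{name:12s} {step:18s} {'ok' if ok else 'BROKEN'}")
```

In the hasty plan a validator still holding the old RRSIGs sees a DNSKEY (or DS) for algorithm 8 with no algorithm-8 signatures, which is exactly the "domain wiped off the internet" failure the post warns about.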

You can read more about RIPE’s experience with algorithm rollover at:

DNS Rollover


Blocking Bad Internet Content – do it at the DNS

On June 9th, Ethiopia became the latest nation state to move to legislate on Internet content. I, for one, am sold on the idea of blocking bad internet content, especially illegal content. Give organisations, institutions and parents control over what internet content comes through their networks. It is empowering. It is also clear that many blanket content category bans can take you towards censorship of free speech. Did anyone follow the Australian experience over the last 8 years? https://en.wikipedia.org/wiki/Internet_censorship_in_Australia

The flag of Ethiopia

But this is a technology blog. So in Ethiopia, they will surely now be debating how to achieve this technically. Two options will be discussed – block it on the device, or block it beforehand, in the DNS. We may be biased, but in our opinion there is usually only one winner in such a debate – DNS.

Every internet transaction has to be resolved by DNS – it’s the control point for the internet. It’s easy to maintain whitelists, blacklists and regulatory compliance at the DNS. It is fast with low latency; it cannot be easily bypassed; and it requires nothing to be installed on the device, so there are no user dependencies.

Blocking on the PC/device involves use of technology that inevitably slows performance, needs to be maintained across the enterprise and then there is the BYOD complication.

I like the elegance of DNS-based ‘decision making’. It can be used for multiple roles in content management, authentication and user protection.

New Year, New BIND Security Vulnerabilities.

We are barely into the new year, and BIND users have more patching to do.

Today, the Internet Software Consortium (ISC) announced the availability of patches to fix two critical BIND security vulnerabilities:

CVE-2015-8704

CVE-2015-8705

Both of these vulnerabilities

The Grinch Comes Early for BIND Users

The grinch showed up early for BIND users this year, in the form of two new critical security vulnerabilities that can crash BIND. The two vulnerabilities are:

• CVE-2015-8000

• CVE-2015-8461

ISC has released patches of its BIND software that correct the problem.

Users of BIND-based appliances from vendors such as Infoblox, Bluecat Networks, BT, Efficient IP, Radware and F5 are advised to contact their vendor for more information about the availability of a patch.

Secure64 products, which are not based on BIND, do not have these vulnerabilities.


When It Rains, It Pours. More BIND Vulnerabilities.

September 2, 2015 was not a good day for BIND users. Two new critical security vulnerabilities were announced today – both of them remotely exploitable vulnerabilities that crash the server. The two vulnerabilities are:

CVE-2015-5986

CVE-2015-5722

ISC has released patches of its BIND software that correct the problem.

Users of BIND-based appliances from vendors such as Infoblox, Bluecat Networks, BT, Efficient IP, Radware and F5 are advised to contact their vendor for more information about the availability of a patch.

Secure64 products, which are not based on BIND, are not vulnerable to these security threats.