Five-Year Delays on Critical Security Upgrades

by Brent Kirkpatrick




ISPs are delaying security upgrades to their DNS servers.



DNS functions like a distributed "phonebook" that is used by your computer to look up the IP address corresponding to the domain name of the URL that you want to visit. For example, when you type www.google.com into your web browser, your computer asks the DNS system for the IP address of Google's web server. Then your web browser is able to ask the web server for the web page and display it for your viewing pleasure.

DNS is very susceptible to exploitation by hackers. DNS is used to perform DoS and DDoS attacks, and these attacks have made the news quite frequently at times. DNS records can also be spoofed to produce fraudulent IP answers to DNS queries. The fraud can be carried out in multiple ways. An attacker might trick your computer into accepting a fake IP address sent to it directly by the hacker. Or, the hacker might trick the DNS server into recording a fake IP address entry, which we call DNS cache poisoning. This type of attack is also quite frequent, although it does not receive as much press; see "DNS cache poisoning attacks to steal emails are reality."

In the late nineties, the US Military was so concerned about DNS exploitation that it supported the development of DNSSEC, which provides security extensions to DNS. DNSSEC adds digital signatures to DNS records, so that the computer receiving a record can verify that it was published by the legitimate owner of the zone and not altered in transit. BIND 9, the popular DNS server, was released with DNSSEC support in September 2000.

Finland was one of the first countries to adopt DNSSEC: a major ISP offered end-point customers DNSSEC service in 2007, a full 3 years before the US began deploying DNSSEC on the root-level servers in 2010. In 2008, the federal government required that all subdomains under .gov be signed by 2010.

In 2009, Google launched its public DNS server. By early 2013, Google DNS offered DNSSEC validation, provided that clients requested it. Later that year, Google fully deployed DNSSEC by validating every response from its public DNS server. Google's public DNS server is one of the bright examples of a successful deployment.

ISPs fail to support DNSSEC. In 2010, Comcast announced that it would deploy DNSSEC over the following year. That deployment was still incomplete as of June 2016, when Intrepid Net Computing observed a lack of DNS security on the Comcast network in several major cities. At the same time, we observed a lack of DNS security on many other ISPs, including AT&T, Charter, and CenturyLink. Many universities, which act as their own ISPs, also do not support DNSSEC.

ISPs in the US do not provide DNSSEC, even 16 years after the software was first available, 6 years after the federal government deployed DNSSEC, and 5 years after the root-level servers deployed DNSSEC. Some ISPs provide DNSSEC on their newest installations for business accounts, but otherwise security for their customers is woefully lacking.
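How the kind of observation above can be made for any resolver, as an added example that is not part of the original post: the client sends a query with the EDNS0 DO (DNSSEC OK) bit set and reads the AD (Authenticated Data) flag in the response header, which only a validating resolver sets. The resolver address and the signed zone name passed to `live_check` are assumptions supplied by the caller; the two response headers at the bottom are constructed inline for offline use.

```python
import socket
import struct

AD_FLAG = 0x0020     # Authenticated Data: set only by a validating resolver
RCODE_MASK = 0x000F  # low four bits of the flags word carry the response code

def build_query(name, qtype=1, txid=0x1234):
    """Query for `name` (A record by default) with an EDNS0 OPT record whose DO bit is set."""
    # flags 0x0100 = RD (recursion desired); 1 question, 0 answer, 0 authority, 1 additional (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR (type 41): root owner name, UDP payload size 4096, extended rcode 0,
    # EDNS version 0, flags 0x8000 = DO (DNSSEC OK), empty rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(resp):
    """Pull the fields a DNSSEC check needs out of the 12-byte DNS header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags = struct.unpack("!HH", resp[:4])
    return {"id": txid, "rcode": flags & RCODE_MASK, "ad": bool(flags & AD_FLAG)}

def resolver_validates(resp, txid):
    """True when the reply matches our transaction id, is NOERROR, and carries AD."""
    h = parse_header(resp)
    return h["id"] == txid and h["rcode"] == 0 and h["ad"]

def live_check(resolver_ip, signed_name, timeout=3.0):
    """Send the query to `resolver_ip` over UDP/53 and report whether it validated.
    `signed_name` must lie in a zone you know is signed: for an unsigned zone AD is
    never set, so its absence would prove nothing about the resolver."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(signed_name, txid=txid), (resolver_ip, 53))
        resp, _ = s.recvfrom(4096)
    return resolver_validates(resp, txid)

# Constructed response headers (no question or answer sections) for offline testing.
# 0x81A0 = QR|RD|RA|AD: the resolver validated the answer.
VALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
# 0x8180 = QR|RD|RA: the same answer from a resolver that did not validate.
UNVALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
```

The AD flag only says that the resolver validated; it travels unprotected between the resolver and your machine, so a reply forged on that last hop can carry it too, and an absent AD on a signed name is what indicates a non-validating resolver.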

Why would ISPs be so reluctant to upgrade their servers? The answer seems to be that their Content Delivery Network (CDN) services would lose money. Many ISPs use the DNS system for load-balancing of content: streaming video, streaming music, and software upgrades. Because these ISPs have contracted with media and software companies to deliver their content using this DNS load-balancing approach, the ISPs are left in a catch-22. They do not sign the domains that they are serving, so under a DNSSEC deployment they cannot follow through on their CDN contracts.

Who pays for this content? Users. Whose security is suffering? Users. Who is making the decision to delay upgrades? ISPs and media companies.

Please lobby your ISPs, your media content providers, and your software companies to fix these security problems. Please refuse to pay for a network that lets hackers steal your financial data. Please ask your ISP to do content delivery load-balancing in a more appropriate fashion. Please refer them to the mirror systems used by open source operating systems, if they need some ideas of what is appropriate.







bbkirk@intrepidnetcomputing.com




© 2015, 2016, 2017 Intrepid Net Computing. All rights reserved.