Researchers from UC Riverside and Tsinghua University recently announced a new attack against the Domain Name System (DNS) called SAD DNS (Side channel AttackeD DNS). The attack exploits a weakness in a temporary protection against DNS cache poisoning attacks that was applied to public DNS resolvers. While the original fix randomized the port numbers used for queries so that an attacker cannot effectively guess which port the response will be sent to, the researchers discovered a way to identify which port is in use, making the same basic cache poisoning attack effective again.
Several providers have already applied mitigations to prevent the SAD DNS attack by randomizing the response time to make it harder for the attacker to guess the port used or switching the response channel. But this is effectively applying more band-aids.
This new exploit is further evidence of the critical importance of DNSSEC as a basic DNS security measure and of the need for more widespread adoption. DNSSEC is a more effective method for preventing attacks, such as cache poisoning, that compromise the integrity of answers to DNS queries. It helps ensure DNS responses are legitimate by cryptographically signing DNS records so that resolvers can verify their authenticity.
With DNSSEC, when a resolver requests information from an authoritative DNS server, the response is digitally signed. This provides validation that the response comes from a trusted source and has not been altered in transit. Validation is performed all the way to the top of the DNS tree: DNS responses are signed by the DNS root servers, by top level domain (TLD) servers, and by the authoritative name servers for specific domains, and each level vouches for the keys of the level below it. This prevents resolvers from accepting fake DNS information and serving it to end users.
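The chain-of-trust step described above, as an added example in Python (not NS1's code and not part of the original post): each zone's DNSKEY is checked against the DS record its parent publishes, from the root trust anchor down to the leaf zone. The zone names, keys and trust anchor are constructed toy values (the "public keys" are a few bytes, not real keys), and the RRSIG signature verification over each RRset is left out; only the DS/DNSKEY linkage is shown.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire form: length-prefixed labels, lowercased (RFC 4034 6.2)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B (every algorithm except RSA/MD5): sum the RDATA as
    16-bit big-endian words, fold the carry back in, keep the low 16 bits."""
    acc = 0
    for i in range(0, len(rdata), 2):
        acc += (rdata[i] << 8) | (rdata[i + 1] if i + 1 < len(rdata) else 0)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS as the parent publishes it: (key tag, algorithm, digest type 2,
    SHA-256(owner wire form || DNSKEY RDATA)) per RFC 4509."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def dnskey_matches_ds(owner: str, rdata: bytes, ds: tuple) -> bool:
    """One link of the chain: the child's DNSKEY must reproduce the parent's DS exactly."""
    return make_ds(owner, rdata) == ds

def walk_chain(trust_anchor: tuple, links: list):
    """Walk from the root anchor down; each link is (owner, DNSKEY RDATA, DS for the
    child zone). Returns the first zone no parent vouches for, or None if all hold."""
    ds = trust_anchor
    for owner, rdata, child_ds in links:
        if not dnskey_matches_ds(owner, rdata, ds):
            return owner
        ds = child_ds
    return None

# Constructed toy keys (not real public keys) for the chain . -> com. -> example.com.
ROOT_KEY = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")
COM_KEY = dnskey_rdata(257, 13, b"\x05\x06\x07\x08")
EXAMPLE_KEY = dnskey_rdata(257, 13, b"\x09\x0a\x0b\x0c")
TRUST_ANCHOR = make_ds(".", ROOT_KEY)   # what a validating resolver is configured with

def chain_for(example_key: bytes) -> list:
    """Delegation links as a resolver collects them; the leaf key is supplied by the caller."""
    return [(".", ROOT_KEY, make_ds("com.", COM_KEY)),
            ("com.", COM_KEY, make_ds("example.com.", EXAMPLE_KEY)),
            ("example.com.", example_key, None)]
```

A forged or poisoned DNSKEY for example.com. fails at the last link because it reproduces neither the key tag nor the digest in the DS that com. published for it.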
Although DNSSEC has been around for more than a decade, adoption has lagged because it was viewed as optional. With traditional DNSSEC, implementation can also be cumbersome, and it can require a tradeoff between security and functionality. But this is changing. Modern DNS providers have made DNSSEC adoption easier than ever before by enabling companies to use the protocol across multi-provider environments while maintaining granular traffic steering options, so that performance is not compromised.
As the world becomes more reliant on digital services, basic DNS security principles are more important than ever. DNS connects all aspects of IT infrastructure, applications, and online services – everything between the server and the user – which not only makes it a critical technology for all enterprises but also an extremely attractive target for cybercriminals.
Until DNSSEC becomes widely adopted, researchers and attackers alike will continue to find vulnerabilities in a protocol that was not designed with security in mind and has largely remained the same for the last 35 years.
NS1 can help with your DNSSEC implementation.
Setup and management of DNSSEC on the NS1 platform is easy and straightforward. A zone can be signed in seconds with a couple of mouse clicks or via a single call to our API.
It is generally easier for DNS providers to implement DNSSEC using what is known as “offline signing.” Unfortunately this approach is incompatible with DNS traffic management features such as georouting, monitoring, and load balancing. NS1’s implementation of DNSSEC uses “online signing.” By securely signing DNS responses on the fly, we retain support for all the real-time DNS traffic management features of our platform for zones secured with DNSSEC. This enables our customers to use DNS to optimize end user experience, manage multiple CDN providers and migrate to the cloud while ensuring their zones (and by extension, their end users) are protected.

DNSSEC can also complicate maintaining a redundant, dual DNS architecture. Some providers cannot support DNSSEC and also function as a secondary DNS to another provider, or be primary in a dual provider set-up. NS1 supports dual provider configurations. We also support DNSSEC with our own Dedicated DNS solution. This allows our customers to deploy DNSSEC in a redundant architecture while retaining full traffic management capabilities.