
DNS co-founder discusses need for a more secure DNS

Thirty years after creating the Internet's domain name system, co-creator Paul Mockapetris talks about addressing Internet challenges with a more secure DNS.

The phrase "break the Internet" appeared frequently in 2015 and usually had something to do with photos of nude celebrities or random viral videos. Many think of the Internet as an infinite resource that can't be broken, but that's not true, says Paul Mockapetris, who, along with Jon Postel, invented the Domain Name System in the 1980s. In addition to his role as chief scientist at ThreatSTOP, an Internet security company, Mockapetris' current ambition is to guide DNS and IP addressing to its next stage, emphasizing a more secure DNS. He chatted recently with Margie Semilof, editorial director of the Data Center and Virtualization Group at TechTarget.

How vulnerable is the Internet to a catastrophic attack? Could something -- like a cyberattack or DNS failure -- bring down a substantial part of the Internet?

Paul Mockapetris: Theoretically, yes. Historically, yes.

The Internet, like all human inventions, reuses key technologies and ideas over and over. If one of the technologies fails or has a security flaw that can be exploited, anything that uses that particular technology might fail or be taken over. The technology might be a protocol -- like the Domain Name System or the Border Gateway Protocol (BGP) -- a buggy software implementation of a sound protocol, or just everybody happening to choose the same prime number out of misunderstanding or laziness.

Since every computing device uses DNS, a DNS failure could theoretically be catastrophic. A BGP failure might take down all of the routers, or keep users from talking to services or users outside of their own ISP [Internet service provider]. But it's more likely that a specific implementation would be the issue, as we saw with Heartbleed, where a specific implementation of a security protocol put all servers using it at risk.

Where does that leave us? In the future, we should expect some significant failures of large chunks -- but probably not all -- of the Internet due to bugs or hacker attacks. Should cyberwar break out between the larger players, we would expect to see the simultaneous exploitation of multiple flaws, and the Internet, as we know it, would be down for an extended period.

About Paul Mockapetris

  • Co-creator of Domain Name System in 1983, with Jon Postel, as a researcher at the University of Southern California
  • More than 30 years developing Internet technologies
  • Early work on distributed systems and LAN technology led to Ethernet and Token Ring designs
  • As ARPA program manager for networking, supervised efforts including optical and gigabit networking
  • Held leadership roles in several Silicon Valley, Calif., networking startups
  • Member of Internet Hall of Fame
  • Currently chief scientist at ThreatSTOP; leads research in DNS security

How can we get a more secure DNS and Internet?

Mockapetris: Security costs time, money and inconvenience. I have three suggestions: security automation, isolation between apps and legal responsibility.

People buy firewalls, routers and email servers, which can turn away suspect traffic. But, often, they either don't configure these devices or configure them occasionally by hand. It's much better to have an automated service to configure them using the best advice possible: a combination of available public threat information, proprietary data and specifics of a user's situation. Deliver it in real time. Don't blindfold your security guards. You don't have to build it yourself: Security as a service is available today from multiple vendors.

It's terribly convenient to have apps share information, but it's often as safe as sharing a needle. There's no hope in getting people to reject convenience in general, but I should be able to run my banking app inside a protected virtual machine. We can afford the transistors, and we should allow those who want to prioritize security to do so.

Vendors prioritize market share and feature development over security. There has to be a legally enforced balance.

You've spoken in the past about how the Internet needs to improve naming by combining authentication with some kind of reputation system. Are we moving in that direction?

Mockapetris: There are two parts to the answer here.


The DNS was first introduced over 30 years ago, and, while it has evolved quite a bit, I think there's a lot more room for new capabilities. For example, we could make it possible to instantaneously create new datatypes by describing them in the DNS itself. We could improve the reliability of the root system by distributing signed copies of the root data, rather than defending the root servers against increasing DDoS [distributed denial-of-service] attacks. We could add access control to better safeguard sensitive information. Just as the authentication provided by DNSSEC allows us to use the DNS for more sensitive applications, these features could enable new DNS applications.

Internet security is one of the grand challenges of today: it's IoT [Internet of Things], cloud computing, big data and federation all rolled into one. Since the DNS reaches every computing device and operates in near real time, it's the ideal vehicle for collecting and distributing security information. But new features would allow it to be even more powerful.
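The idea above of distributing signed copies of the root data, so that a resolver can trust a copy no matter which mirror handed it over, can be shown in a few dozen lines. The following Go program is an added example, not code from the interview or from ThreatSTOP: it uses a single Ed25519 signature over a constructed zone snapshot rather than DNSSEC's per-record signing, the serial and record values are made up, and the rule that a resolver only installs a copy with a newer serial is an assumption added here to show how a replayed stale copy is handled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// RootSnapshot is a constructed stand-in for one copy of the root zone data:
// a zone serial plus its records. It is not the real root zone format.
type RootSnapshot struct {
	Serial  uint32
	Records []string
}

// Bytes is the canonical form that the publisher signs and resolvers verify.
func (s RootSnapshot) Bytes() []byte {
	return []byte(fmt.Sprintf("serial=%d\n%s\n", s.Serial, strings.Join(s.Records, "\n")))
}

// SignSnapshot runs once at the publisher; the signed copy can then be served by
// any mirror, CDN or peer without those parties having to be trusted.
func SignSnapshot(priv ed25519.PrivateKey, s RootSnapshot) []byte {
	return ed25519.Sign(priv, s.Bytes())
}

// Resolver holds the publisher's public key and the newest serial it has installed.
type Resolver struct {
	PublisherKey ed25519.PublicKey
	Serial       uint32
}

// Accept installs a copy only if the signature verifies and the serial moves
// forward (assumed policy), so tampered copies and replayed stale copies are both rejected.
func (r *Resolver) Accept(s RootSnapshot, sig []byte) error {
	if !ed25519.Verify(r.PublisherKey, s.Bytes(), sig) {
		return errors.New("root copy rejected: bad signature")
	}
	if s.Serial <= r.Serial {
		return fmt.Errorf("root copy rejected: serial %d is not newer than %d", s.Serial, r.Serial)
	}
	r.Serial = s.Serial
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // publisher key pair (constructed)
	r := &Resolver{PublisherKey: pub}
	v1 := RootSnapshot{Serial: 2016011601, Records: []string{"example. NS a.example.", "a.example. A 192.0.2.1"}}
	sig1 := SignSnapshot(priv, v1)
	fmt.Println("genuine copy from any mirror:", r.Accept(v1, sig1))
	tampered := RootSnapshot{Serial: 2016011602, Records: []string{"example. NS other.example."}}
	fmt.Println("tampered copy, old signature:", r.Accept(tampered, sig1))
	fmt.Println("replayed stale copy:", r.Accept(v1, sig1))
}
```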

How will the DNS be impacted by IoT?

Mockapetris: The DNS has been used to register around 10 billion things so far, and I don't see why it can't be used for another 100 billion or trillion. But size isn't the only issue here: IoT needs controlled sharing of information.

I might happily let anybody read my outside thermometer, but I don't want everybody to be able to monitor my household devices and tell if I am home. I like the idea of products that come with RFID [radio frequency identification] tags so I'll always be able to find objects, but I probably want to rewrite the RFID tag as I leave the store with new things I buy so the tag is only useful to me.

If the DNS is to be a key technology in IoT, it needs new features to make this sort of controlled sharing possible. It also needs implementations suitable for home use; today's DNS servers are tailored to the needs of sophisticated users.

What might be some ways to update the current technology to create a more secure DNS?

Mockapetris: A lot of folks are working on ways to deal with DDoS attacks, etc. While that is important, I think there are three important areas to consider:

  1. Let everyone who wants a domain have one for free. Perhaps not a new TLD [top-level domain], but maybe a number under the new .FREETLD TLD.
  2. Automate the coordination of data between domains, perhaps with blockchain technology, so the need for human intervention is reduced.
  3. Enable the creation of new RRTypes, i.e., ad hoc data types, via specs stored in the DNS itself. Create more powerful queries using multiple entries in the DNS question section.

All of these capabilities must solve real problems to succeed. I think the important problems facing us all need controlled sharing, or real access control for IoT or other future applications.

What are your thoughts on all the new top-level domains? Like? Dislike?

Mockapetris: I'm experimental, so while I would have preferred trying a smaller number of new TLDs 20 years ago before the marketing and legal issues of today became so important, I think it's great that we finally have the new TLDs.

I don't think there is any long-term harm, though I'm sure there are a bunch of bugs in existing software and practices that needed to be fixed. Some say we have made it easier for bad guys to get domain names or even own TLDs. But we needed to deal with that possibility anyway.

Is there benefit? There are a lot of people who want TLDs to help identify themselves as part of some community, whether that be residents of Paris or Berlin, members of some profession, or whatever. It's easy to underestimate that desire.

I think it will be a decade or so before we'll be able to clearly sort out the good and bad new TLDs, and my opinion might not be the same as yours.


This was last published in January 2016
