Half the internet lacks DNS security extensions

News by Tony Morbin

Failure to use domain name system security extensions opens up those TLD users to spoofing

Just under half of the internet (47 percent) remains insecure insofar as many top level domains (TLDs) have failed to sign up to use domain name system security extensions (DNSSEC), including intensive internet using countries such as Italy (.it), Spain (.es) and South Africa (.za), leaving millions of internet users open to malicious redirect to fake websites, reports Ultra Electronics AEP.  

Sonia Freed, Managing Director at cyber security company Ultra Electronics AEP, which issued the warning, commented to SCMagazineUK.com: “This is an issue that affects every Internet user in the world … unless the top level domain is signed, every single website operating under a national domain can have its DNS spoofed, potentially directing Internet users straight into the hands of cyber criminals via fake websites that often look just like the real thing.”

Bob Tarzey, analyst/founder at QuoCirca told SCMagazineUK.com, “DNS is known to be one of the easiest things to target in a distributed denial of service (DDoS) attack.” DNSSEC uses public key cryptography to digitally sign DNS data. It means that responses to DNS queries are digitally signed by the DNS server using private keys and are automatically verified by the client using the corresponding public key.

Whilst many familiar TLDs such as .com, co.uk .org, com, .net are secure, Freed comments: “It's increasingly common for websites to use extensions from other countries even when they do not have a local presence. Many popular file sharing sites for instance use unsecured domains from tiny Caribbean islands and are using them as a ‘flag of convenience'. With this fragmentation, comes potential confusion and an environment in which cyber criminals can thrive.”

Richard Lamb at the Internet Corporation for Assigned Names and Numbers (ICANN) adds: “It is now three and a half years since the root of the Domain Name System was signed, however our figures show there is still a great deal of work to do. DNSSEC is a leap forward in preventing attackers from redirecting end users to websites under their own control (for account and password collection). We urge the owners of the 200 TLDs (60 per cent of total) to work with ICANN and help develop a safer web to protect the world's internet users.”

The Syrian Electronic Army (SEA) is among those known to have exploited DNS weaknesses to modify DNS entries and redirect users accessing The New York Times and Twitter to propaganda pages, and Freed also notes how users of Google's Malaysian domains (www.google.com.my and www.google.my) were directed to a fake website in Pakistan.

Freed notes: “Securing the TLD is a major first step but it's also necessary for responsible individual domain name owners to ensure the integrity of their zone data and hence the integrity of their associated web services by implementing a DNSSEC solution and signing their zone DNS resource records.”

Reasons given for the laxity in sign up include cost, and the fact that many organisations will sign up to a secure TLD. “Individual organisations can manage their own. But who is responsible within a country? You need to get some public body to take it on, which depends on the communications infrastructure of the county,” says Tarzey.

Martin McDonald, business development director at Ultra Electronics AEP commented to SCMagazine.com, "Australia is a country with a lot of energy and mineral wealth, which is internationally targeted data, and while companies there have firewalls and endpoint security on their networks, when they sent information from A to B it was often not secure, and a spoof site could then get users' details. But awareness of this issue is growing and Australia is signing up to DNSSEC in March”.  

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews