Dunbar Digital Armor proudly welcomes Adam Suri, President of Community DNS, LLC, as this week’s guest blogger. Through the partnership of Dunbar Digital Armor and Community DNS, we are bringing the DDoS protection and Authoritative DNS of the world’s largest resolver of domain names to the Americas.
On March 15, another high profile DNS hijacking was reported in Brazil and Venezuela: Google DNS. For 22 minutes last Saturday, Google DNS (220.127.116.11/32) was hijacked with a BGP Prefix of /24 and a different Origin AS. Recently, more and more incidents of high profile DNS hijacking have been perpetrated for nefarious reasons, i.e. redirection to a fake bank login page in Eastern Europe to garner accounts and passwords, or rogue DNS servers in a Fortune 100 data center announcing false DNS records…(we won’t discuss ISPs intentionally doing it for data collection or inserting their own advertisements).
How do we stop it?
We have to remember that the Internet is based upon “best available,” so there are no guarantees. If someone were to insert a rogue server (for example) that announced a different IP address authoritatively before the actual server, then the bad address would be used. This is known as a Man in the Middle Attack (MiTM). Unless you have tools and techniques in place, it’s pretty difficult to detect. Even so, some damage will be done.
The fundamental issue is that you are relying on and trusting the Internet for DNS Resolution. Secondly, when someone is trying to reach you (website, email, etc.), you have to ensure that no one can intercept your resolution or change your data.
There are many solutions out there, from DNSSEC, to encrypted VPNs to the recursive servers. The most scalable and simplest method is to push the Authoritative DNS data as close to edge or desktop as possible for internal resolution of external websites. For example, you could insert an instance of the Internet’s Authoritative Data within a network. This would eliminate an entire Attack Surface. Secondly, to ensure that your addressing is announced correctly, you must have as many instances of your data globally as possible so that the resolution is faster and there is Resiliency against attacks.