Domain Name System (DNS) and Cyber Security Vulnerability


DNS - At the heart of the internet

It is safe to say that without the Domain Name System (DNS), the internet would not have the reach it has today.
In the early days of the Internet, a user who wanted to communicate with another host on the network had to type that host's numeric IP address. As the network grew, these numeric addresses became impossible to work with, since few users could reliably remember the correct string of digits for every host they needed.
To simplify this, a solution was developed around a single flat file (HOSTS.TXT, maintained centrally and copied to every host) that linked each IP address with a relatively easy-to-remember common-language name (for example, a name such as twitter.com) that was user-friendly.
By the end of the 1980s, the flat file had given way to the Domain Name System still used today: a system that is open, distributed and extensible as users, companies, Internet service providers (ISPs) and domains join the network. The goals were ease of use and scalability; since cyber attacks and malware were virtually unknown at the time, DNS security was not a priority.
DNS is very effective and works silently in the background of every lookup. Internet users take it for granted that when they type a URL or an email address they will reach the right website or mailbox. Many commercial companies built brand strategies on this reliability, using the reach of the Internet to win customers and increase sales and revenue. Most of these companies adopted the .com extension; the federal government adopted .gov.

Implications of DNS for brands

DNS functionality opened the world of branding to the Internet. Common names became household brands (for example, Google, Bing, Amazon and eBay) and powerful strategies were developed to market brands online.
An entirely new marketing discipline, Search Engine Marketing (SEM), grew up around keyword searches, and placement on search result pages became an industry in its own right. A first-position listing on the first page of a search engine gives its holder a clear advantage over the competition.
Google grew into a multi-billion-dollar business by developing the algorithms behind fast, effective keyword search. Web purchases driven by convenient keyword searches now account for 20-30% of all retail business, and the e-commerce share of the market continues to grow strongly. DNS is an integral part of this success. But as Internet traffic grew, the whole network became exposed to cyber attacks, and a good part of that exposure can be attributed to the inherent weaknesses of DNS.

DNS is inherently insecure

The original design of the Domain Name System did not include robust security features; it was designed as a scalable distributed system, and later attempts to add security while remaining compatible with earlier versions were rudimentary and did not keep pace with the skills of attackers. The result has been repeated, large-scale disruption of the Internet.
Security may top the list of concerns for network and corporate administrators, but too often the link between a security weakness and DNS is not understood. To improve security and defend against cyber attacks, government agencies, businesses and network administrators must recognize how much the safe operation of the Internet depends on DNS.
Consequently, any commercial enterprise that uses the Internet for sales, e-commerce, services, marketing or logistics, as well as Internet service providers (ISPs) and large, strategically sensitive government networks, should be aware of the vulnerability of DNS.
As the Internet grows in users, devices and traffic, so does the opportunity for DNS-based disruption, whether malicious (hacking), aggravating (spam), illegal (reaching sites whose content violates legal and regulatory mandates) or devastating (denial of service attacks, DoS).
It has become very clear that companies and ISPs must protect their users and networks, sometimes from the amateur hacker but increasingly from organized crime and state-sponsored attackers. One of the most exposed critical areas is DNS. Cyber attacks are expected to increase and to have greater impact as the Internet grows.
The Internet is growing by orders of magnitude, and almost every Internet user depends directly on DNS. Many Internet security mechanisms, including host access control and defenses against spam and phishing (for example, the SPF and DKIM records that mail servers look up to reject forged senders), depend heavily on the integrity of the DNS infrastructure and its servers.

DNS servers

The DNS servers running the software known as BIND (Berkeley Internet Name Daemon, or sometimes Berkeley Internet Name Domain) are among the most widely deployed DNS servers on the Internet, and also among those with the longest record of published security advisories.
BIND is currently the de facto standard DNS server. It is free software and ships with most UNIX and Linux platforms. Historically, BIND has gone through three major revisions with considerably different architectures: BIND 4, BIND 8 and BIND 9. BIND 4 and BIND 8 are now obsolete. BIND 9 was the first complete rewrite and fully supports the Domain Name System Security Extensions (DNSSEC) among other features and enhancements. Even so, every version, BIND 9 included, has had serious vulnerabilities of its own.
A new version, BIND 10, is under development, but the effectiveness of its security features has not been proven. The first release was in April 2010, and completing its feature set is expected to be a five-year project. (ISC subsequently dropped BIND 10 in 2014; BIND 9 remains the maintained line.)
Although BIND remains the de facto DNS software, since it is bundled free with most UNIX-based server distributions, other developers have produced DNS server software that addresses its inherent weaknesses (for example NSD, Unbound, djbdns and PowerDNS).

General vulnerabilities: cache poisoning and distributed denial of service

DNS weaknesses expose affected networks to several kinds of cyber attack, but cache poisoning and DDoS are the most common.
Cache poisoning is arguably the most prominent and dangerous attack on DNS. Poisoning a cache makes a DNS resolver store (that is, cache) false or malicious mappings between names and IP addresses. Because resolving a name depends on answers from authoritative servers located elsewhere on the Internet, and those answers arrive in unauthenticated UDP packets matched to the query only by a 16-bit transaction ID and a source port, the DNS protocol is intrinsically open to forged replies. Once a poisoned entry is cached, every user of that resolver is sent to the attacker's host, which can then impersonate a bank or other site and harvest confidential information such as account credentials and social security numbers.
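As an added illustration (not code from the original article), the following Python model shows the checks a resolver performs before caching an answer: the transaction ID and destination port must match an outstanding query, the question must match, and records outside the bailiwick of the server that answered are discarded. The legacy mode (fixed source port, no bailiwick check) shows how an attacker who controls one domain can slip a bogus record for another domain into the cache; the hardened mode rejects it. The names, addresses and the Record/Response/Resolver classes are all constructed for this example.

```python
"""Toy caching resolver showing the checks that block DNS cache poisoning.

Added example, not part of the original article. Names, addresses and the
class and function names are constructed for illustration."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, absolute (trailing dot)
    rtype: str   # "A", "NS", ...
    rdata: str   # e.g. "192.0.2.10"


@dataclass
class Response:
    txid: int          # 16-bit transaction ID copied from the query
    dst_port: int      # UDP port the response is addressed to
    qname: str
    qtype: str
    records: tuple     # answer + additional section records
    zone: str          # zone the queried server is authoritative for


def in_bailiwick(name, zone):
    """True if name is at or below zone; only such data may be cached (RFC 5452)."""
    name, zone = name.lower(), zone.lower()
    return zone == "." or name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self, hardened=True, rng=None):
        self.hardened = hardened
        self.rng = rng or random.SystemRandom()
        self.cache = {}      # (name, type) -> rdata
        self.pending = {}    # (txid, port) -> (qname, qtype, zone)

    def query(self, qname, qtype, zone):
        """Send a query; returns the two values a spoofer would have to guess."""
        txid = self.rng.randrange(1 << 16)
        # A legacy resolver used one fixed source port, so a blind spoofer only had
        # to guess 16 bits. Randomising the port raises that to roughly 32 bits.
        port = self.rng.randrange(1024, 1 << 16) if self.hardened else 53
        self.pending[(txid, port)] = (qname, qtype, zone)
        return txid, port

    def receive(self, resp):
        key = (resp.txid, resp.dst_port)
        if key not in self.pending:
            return "dropped: txid/port mismatch"
        qname, qtype, zone = self.pending[key]
        if (resp.qname.lower(), resp.qtype) != (qname.lower(), qtype):
            return "dropped: question mismatch"
        cached = 0
        for rec in resp.records:
            # The server for attacker.example may not tell us anything about bank.example.
            if self.hardened and not in_bailiwick(rec.name, zone):
                continue
            self.cache[(rec.name.lower(), rec.rtype)] = rec.rdata
            cached += 1
        del self.pending[key]
        return f"accepted, cached {cached} record(s)"


def glue_poisoning(hardened):
    """Attacker owns attacker.example and answers a query for it honestly, but adds
    an A record for the bank in the additional section. Returns what the resolver
    ends up caching for the bank (None if nothing)."""
    r = Resolver(hardened=hardened, rng=random.Random(7))  # seeded for reproducibility
    txid, port = r.query("www.attacker.example.", "A", "attacker.example.")
    resp = Response(txid, port, "www.attacker.example.", "A",
                    (Record("www.attacker.example.", "A", "203.0.113.5"),
                     Record("www.bank.example.", "A", "203.0.113.5")),
                    "attacker.example.")
    r.receive(resp)
    return r.cache.get(("www.bank.example.", "A"))


def blind_spoof():
    """Off-path attacker guesses the transaction ID wrong by one: the reply is dropped."""
    r = Resolver(hardened=True, rng=random.Random(7))
    txid, port = r.query("www.bank.example.", "A", "bank.example.")
    forged = Response((txid + 1) & 0xFFFF, port, "www.bank.example.", "A",
                      (Record("www.bank.example.", "A", "203.0.113.5"),), "bank.example.")
    return r.receive(forged)


if __name__ == "__main__":
    print("legacy resolver caches for the bank:  ", glue_poisoning(False))
    print("hardened resolver caches for the bank:", glue_poisoning(True))
    print("blind spoof against hardened resolver:", blind_spoof())
```

The model deliberately leaves out what makes the real attack practical: an off-path attacker does not guess once but floods the resolver with thousands of forged replies while the real answer is in flight, which is why a 16-bit ID alone is not enough and source-port randomisation and bailiwick checks are both needed.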
A denial of service attack (DoS) or distributed denial of service attack (DDoS) aims to make a computing resource unavailable to its intended users. A DDoS is a concerted effort, from many sources at once, to stop an Internet site or service from working efficiently or at all.
DoS attackers usually target sites or services hosted on high-profile servers: government agencies, banks, credit card payment gateways, and even the root name servers. Of particular concern are DoS and DDoS attacks on large government networks such as those of the Department of Defense or the Veterans Administration.
One way DNS weaknesses feed a DDoS is reflection: because DNS runs over UDP, an attacker can send small queries carrying the victim's forged source address to open resolvers or authoritative servers, which then send much larger responses to the victim. DNS servers are also targets in their own right, since a resolver that is flooded can no longer answer its own users.
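Two practical pieces of that picture, as an added example that is not taken from the article: spotting reflection traffic in a server's query log, and applying response rate limiting to it. The log lines are constructed in a simplified BIND 9 query-log layout, and the limiter is a simplified model of the behaviour of BIND's rate-limit option; the function names and thresholds are this example's, not BIND's.

```python
"""Spotting DNS reflection traffic in a query log and rate-limiting the responses.

Added example, not code from the original article. The log lines are constructed
in a simplified BIND 9 query-log layout (real lines also carry a category, severity
and, in newer versions, a client pointer); the limiter is a simplified model of
response rate limiting, not BIND's implementation."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Record types with large responses, the ones an amplification attacker asks for.
AMPLIFYING_TYPES = {"ANY", "DNSKEY", "TXT", "RRSIG"}

# Constructed sample: one "source" hammering ANY queries within a single second from
# the same port every time (198.51.100.7 is most likely the spoofed victim, not the
# attacker), plus ordinary traffic from a legitimate client.
SAMPLE_LOG = """\
25-Mar-2013 10:15:01.101 client 198.51.100.7#4521 (example.net): query: example.net IN ANY +E (192.0.2.53)
25-Mar-2013 10:15:01.102 client 198.51.100.7#4521 (example.net): query: example.net IN ANY +E (192.0.2.53)
25-Mar-2013 10:15:01.104 client 198.51.100.7#4521 (example.net): query: example.net IN ANY +E (192.0.2.53)
25-Mar-2013 10:15:01.105 client 198.51.100.7#4521 (example.net): query: example.net IN ANY +E (192.0.2.53)
25-Mar-2013 10:15:01.107 client 198.51.100.7#4521 (example.net): query: example.net IN ANY +E (192.0.2.53)
25-Mar-2013 10:15:01.108 client 198.51.100.7#4521 (example.net): query: example.net IN ANY +E (192.0.2.53)
25-Mar-2013 10:15:01.300 client 203.0.113.9#51001 (www.example.gov): query: www.example.gov IN A +E (192.0.2.53)
25-Mar-2013 10:15:02.010 client 203.0.113.9#51002 (example.gov): query: example.gov IN MX +E (192.0.2.53)
25-Mar-2013 10:15:01.900 client 198.51.100.7#4521 (example.org): query: example.org IN ANY +E (192.0.2.53)
"""


def parse_log(text):
    """Yield one dict per parseable query-log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def reflection_suspects(text, threshold=5):
    """Source addresses that sent at least `threshold` amplifying queries.
    On an open resolver these are the addresses being attacked, not the attacker."""
    counts = Counter()
    for q in parse_log(text):
        if q["qtype"].upper() in AMPLIFYING_TYPES:
            counts[q["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def rate_limit(text, responses_per_second=2, slip=2):
    """Simplified response rate limiting: per (client /24, qname, qtype, second),
    answer the first N queries normally; beyond that send a truncated (TC=1) reply
    for every `slip`-th query so a genuine client retries over TCP, and drop the
    rest. Returns a list of (ip, qtype, decision)."""
    seen = defaultdict(int)
    decisions = []
    for q in parse_log(text):
        prefix = ".".join(q["ip"].split(".")[:3])   # /24 bucket; IPv6 would need a /56
        key = (prefix, q["qname"], q["qtype"], q["ts"])
        seen[key] += 1
        n = seen[key]
        if n <= responses_per_second:
            decision = "answer"
        elif (n - responses_per_second) % slip == 0:
            decision = "truncate"
        else:
            decision = "drop"
        decisions.append((q["ip"], q["qtype"], decision))
    return decisions


if __name__ == "__main__":
    print("suspected reflection victims:", reflection_suspects(SAMPLE_LOG))
    for ip, qtype, decision in rate_limit(SAMPLE_LOG):
        print(f"{ip:15} {qtype:4} -> {decision}")
```

The truncate-or-drop split is what makes rate limiting safe for legitimate clients: a real resolver behind the same /24 as the victim still gets a TC answer and retries over TCP, which a spoofer cannot do because it never sees the reply.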
Until effective solutions that reduce DNS weaknesses are deployed, such attacks will increase, especially as new protocols extend the reach of the Internet.

Internet Protocol version 6 (IPv6)

It was inevitable that the Internet's address capacity would be exhausted, and that point is now close.
The Internet is rapidly running out of IPv4 addresses, a phenomenon known as IPv4 address exhaustion, and the solutions, in the form of extended protocols, can themselves introduce new weaknesses.
A new Internet Protocol, version 6 (IPv6), replaces Internet Protocol version 4 (IPv4), the core Internet protocol in use since 1981. The driving force behind the redesign was the foreseeable exhaustion of IPv4 addresses; without a new protocol the Internet would run out of room to grow.
IPv6 has a vastly larger address space than IPv4: 128-bit addresses instead of 32-bit. This provides flexibility in addressing and routing traffic and removes the growing dependence on network address translation (NAT), which was deployed widely as a stopgap against IPv4 address depletion.
However, the transition to IPv6 also opens new avenues for attack: more users and applications reach the Internet directly without NAT in front of them, and every DNS server and firewall must now be configured correctly for two protocols at once.

Domain Name System Security Extensions (DNSSEC)

Some analysts believe that the Domain Name System Security Extensions (DNSSEC) offer a complete and comprehensive solution to DNS vulnerabilities. That is not the case.
DNSSEC adds digital signatures to DNS data so that a validating resolver can verify that the answers it receives are authentic and unaltered. This defeats attacks that rely on forged answers, such as cache poisoning and pharming, which are used for fraud, identity theft and malware distribution. It does not, however, provide confidentiality (queries and answers still travel in clear text), and it does not protect against denial of service; signed responses are larger, which makes DNSSEC-enabled servers attractive amplifiers in reflection attacks.
DNS protection is generally accepted as crucial to the security of the Internet as a whole, but DNSSEC deployment has been hampered by procedural problems, including the lack of universal adoption and its perceived complexity.
Some of these issues are now being resolved and deployment across many domains is in progress. It will take a long time, however, and DNS remains exposed while it happens.
Even setting the technical limitations aside, progress on DNSSEC has been slow, especially in the federal government. Although the Office of Management and Budget required all agencies to deploy DNSSEC by December 2009, thirty-nine months after that deadline only 30-40% of agencies had complied.
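To make the "chain of trust" concrete, here is an added Python example (not from the article) of the link a validating resolver checks between a parent zone's DS record and the child zone's DNSKEY: the key tag computation from RFC 4034 Appendix B and the DS digest over the canonical owner name plus the DNSKEY RDATA. The zone name and key bytes are constructed, not a real key; verifying the RRSIG signatures themselves requires an RSA or ECDSA implementation from a crypto library and is outside this snippet.

```python
"""Checking the DS -> DNSKEY link in a DNSSEC chain of trust (RFC 4034 / RFC 4035).

Added example, not code from the original article. The zone name and key bytes
below are constructed; they are not a real key."""
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased labels, each length-prefixed,
    terminated by a zero byte (RFC 4034 section 6.2)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags (257 = KSK), 8-bit protocol (always 3),
    8-bit algorithm number, then the algorithm-specific public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA).
    Digest types: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner, rdata, ds):
    """ds is (key_tag, algorithm, digest_type, digest_hex) as published by the parent.
    A validating resolver trusts the child's DNSKEY only if all four fields line up;
    this is the step that chains each zone back to the root trust anchor."""
    tag, alg, dtype, digest = ds
    return (key_tag(rdata) == tag
            and rdata[3] == alg                     # algorithm byte of the DNSKEY
            and ds_digest(owner, rdata, dtype) == digest.upper())


def demo():
    """Genuine key passes; a substituted key with the same flags/algorithm fails."""
    owner = "example."
    # Constructed key material (RSA exponent prefix + dummy modulus bytes), not a real key.
    genuine = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(32)))
    parent_ds = (key_tag(genuine), 8, 2, ds_digest(owner, genuine))   # what the parent publishes
    forged = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(32))  # attacker-substituted key
    return ds_matches(owner, genuine, parent_ds), ds_matches(owner, forged, parent_ds)


if __name__ == "__main__":
    sample = dnskey_rdata(257, 3, 8, b"\x01\x02")
    print("key tag of sample DNSKEY:", key_tag(sample))
    print("genuine accepted, forged accepted:", demo())
```

Because the DS digest covers the key bytes, an attacker who injects a different DNSKEY into a zone cannot make it validate without also changing the DS in the parent, and so on up to the root trust anchor configured in the resolver. Lookups that arrive without signatures from a signed zone are treated as bogus, not merely unsigned, which is what stops a poisoner from simply stripping the RRSIGs.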

Government network solutions

Today's complex government networks must offer maximum security and reliability to protect against potential threats to national security. A poorly designed DNS infrastructure is one of the biggest security risks in any government network.
Likewise, choosing the wrong DNS solution can turn a well-designed infrastructure into a compromised one that undermines data integrity and network stability.
Protection against cyber attacks is mandatory for government networks. More than any other networks, they demand the highest level of monitoring and visibility, security hardening, alerting and blocking so that corrective action can be taken. Without this protection, national security and other critical national infrastructure can be compromised.

Government networks have unique needs but are confronted with cumbersome solutions

Until recently, federal cybersecurity efforts were fragmented and cumbersome. More attention was paid to reporting requirements than to the time-consuming work of actually meeting the standards. Standards matter, because they set a security baseline and compliance limits the damage of an attack, but reporting requirements that are too burdensome reduce their effectiveness.
In many ways the information highway has become a virtual minefield for government organizations, which face this global problem at least as much as any other network.
Not only must they give their users the uninterrupted Internet access needed to carry out their missions, they must also ensure that this access is not compromised. Network administrators must constantly balance open access for critical users against securing the network.
When a user in a government organization visits a website (on whatever kind of network), they must be able to trust that the content they receive is what they expected. And like subscribers on a service provider's network, they must be protected from known and suspected malicious sites used to compromise computers. The sheer size of many federal networks and the drive to interconnect agencies make them particularly vulnerable.
All of this must be done at the highest possible level of performance and availability. Government organizations must also be certain that they can meet the DNSSEC and IPv6 mandates.
The government acknowledges that it must meet these cybersecurity needs. Recent steps include the establishment of Cyber Command for the DoD and the intelligence services, a simplification by the Office of Management and Budget of reporting requirements, and the elevation of cybersecurity to a priority management effort.
