Security on the Internet's Domain Name System will be tightened today, with the addition of digital signatures and public-key encryption to the root zone. But will the deployment of DNS Security Extensions (DNSSEC) prompt more enterprises to outsource their DNS operations?
DNSSEC is an emerging Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
Once it is fully deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.
DNSSEC is being deployed across the Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .com and .net and other top-level domains, and then down to the servers that cache content for individual Web sites.
The DNS root servers will begin supporting DNSSEC on July 15. This will enable secure DNS look-ups for the top-level domains that already support this standard, including .org for non-profits, .se for Sweden, .uk for the United Kingdom, .br for Brazil and .cz for the Czech Republic. Plans are underway for additional top-level domains including .edu for universities, .net and .com for businesses to add DNSSEC support over the next six months.
With the extra layer of encryption, DNSSEC makes DNS significantly more complicated, experts say. That's why service providers believe that more enterprises will begin outsourcing their DNS.
"DNSSEC takes the complexity level and really magnifies it. It's a game changer. It's not 10% harder now; it's twice as hard to manage DNS, and it's twice as hard on the machine size and the bandwidth," says Ben Petro, senior vice president of Network Intelligence and Availability at VeriSign. "We can do all of this work for you and make DNSSEC easy."
"DNSSEC is so complicated. The protocol has worked great, but we see a lot of misconfigurations," said Sean Leach, CTO with Name.com, a domain name registrar that has dozens of customers who are testing DNSSEC. "I really do think that you're going to start seeing outsourced DNS as the norm."
VeriSign, Afilias to offer cloud-based DNS
VeriSign officials said they are developing a cloud-based DNS service that will be sold directly to enterprise customers. VeriSign hosts two of the Internet's 13 root name server clusters and is the registry for the .com and .net domains, operating a massive global DNS infrastructure that the company hopes will attract enterprise customers.
VeriSign is expanding the managed DNS services that the company has offered for several years through channel partners. VeriSign is bundling its cloud-based DNS services with distributed denial of service (DoS) and cyber-intelligence protection services that it already offers.
"The managed DNS market is very, very ripe because DNS is a service that's tough to manage, involves open source software, and the subject matter requires a lot of expertise," Petro says. "Running DNS involves networking and load balancing. We're able to remove a ton of cost from the service."
Meanwhile, DNS appliance vendor BlueCat Networks is teaming up with Afilias to provide a cloud-based DNS service that can be managed through the interface of its Proteus appliances. Afilias provides back-end registry services for the .info and .org domains and will support the hosted DNS services on its global network.
BlueCat officials said that they were integrating their appliances with the Afilias API to provide enterprises with a single interface for managing internal and external DNS services. BlueCat is calling the new service Proteus Cloud Services, which will be powered by Afilias. It will be launched in August.
"The problem we are trying to solve is to improve the customer's DNS," says John Kane, vice president of corporate services for Afilias. "We have a very globally diverse, Anycast network that we offer 100% uptime through our [service level agreements] to our customers. We offer a variety of protections...and avoid single points of failure."
Kane says the Afilias network offers enterprises the advantage of running multiple types of DNS software and multiple brands of routers for diversity.
"We have a flexible DNS network that allows a BlueCat to leverage our API, building this functionality directly into their control panel and then customers have a seamless, integrated look and feel to their management platforms," Kane adds. "We're going to do the soup-to-nuts of DNS. It will be a fully managed service for them."
Dyn adds IPv6 support
Dyn, a managed DNS service provider, recently teamed with NTT America to add support for IPv6, an upgrade to the Internet's main communications protocol.
Dyn has offered full support for DNSSEC since 2009, allowing customers of its Dynect platform to enable signing on their zones, with automated key rollover and management. Dyn officials say both DNSSEC and IPv6 add complexity to DNS and make outsourcing more attractive.
"In terms of the network load, DNSSEC adds crypto into the DNS, and crypto uses more bandwidth because it sends more bits on the wire," says Tom Daly, CTO for Dyn. "IPv6 makes DNS transactions larger. It increases the IP payload header from 32 bits to 128 bits."
With services like DNSSEC and now IPv6, Dyn has grown to support 500 customers, including Twitter, Netflix and Zappos.
"We see people moving in the direction of managed DNS as the criticality of their Web sites go up," Daly says. "They've outsourced their Web hosting. They've brought on a [content delivery network] partner. And now they need somebody to run DNS for them."
UltraDNS leads DNS outsourcing market
All of these cloud-based DNS upstarts have one vendor in their sights: UltraDNS, a division of NeuStar that is the leader in the outsourced DNS market. UltraDNS rakes in more than $100 million a year in its managed DNS business, which is up around 16% compared to last year. UltraDNS customers include retailers such as Petco and J.Jill as well as publishers such as Forbes.com.
UltraDNS officials say they expect more companies to outsource DNS not just because of the extra workload involved with DNSSEC, but because of a broader range of security concerns.
"The bulk of our efforts these days is geared towards the security issues," says Rodney Joffe, founder and chairman of UltraDNS. "It's not just a matter of having the DNS infrastructure, but it's also about building capabilities to help us defend our customers from an overall security point of view. DNS is vulnerable; there's no question about that."
Joffe points to a route hijacking attack that occurred in April involving Chinese hackers as an example of a threat facing enterprise network managers.
"A Chinese ISP hijacked about 10% of all Internet routers. What they were able to do is effectively route traffic through China that was intended to go elsewhere," Joffe explained. "Two things would have solved this problem. One is DNSSEC…The second thing is secure BGP or equivalent signing of the routes for BGP. But until such time as DNSSEC is globally deployed, we are still vulnerable."
That's why UltraDNS is focusing on alternative security services such as Cache Defender as well as DNSSEC.
"We're using sensors to be able to identify where the attacks are coming from and how they are occurring and what kinds of vulnerabilities the bad guys are using," Joffe says. "The average enterprise looking at DNS infrastructure isn't even thinking about how their routes are being handled on the Internet, but that's the most likely way that their DNS is going to be compromised."
He adds: "I think there's going to be a surge in outsourcing DNS, but because of DNS security not just DNSSEC."