DNS security has been in the headlines a lot recently, and that’s never a good thing. This typically means there has been a major security breach in DNS infrastructure that compromises IP-based networks, which often brings down companies’ web-based communications in the process.
The telecom industry is always a central figure in discussions of DNS security because it is responsible for such a large portion of the world’s DNS servers, which serve as the phone book of the Internet by mapping names to IP addresses. One of the most fundamental vulnerabilities of the DNS protocols is that one cannot necessarily trust the answers that the DNS provides, making it possible for attackers to redirect users to false web sites in order to conduct fraud.
To address this vulnerability in the DNS, an international consortium of security experts developed a set of security protocols called Domain Name System Security Extensions, or DNSSEC, which adds critically needed trust to the answers that DNS provides. There has been a chorus of calls for telecom companies and other organizations to implement DNSSEC, but a new progress report shows that the telecom industry has been slow to adopt the protocols – even slower than the industry’s own projections about progress on this important security issue.
The progress report, conducted by the technical team here at Secure64, is a follow-up to a 2010 study by Forrester Research titled “DNSSEC Ready for Prime Time,” which reported on organizations’ plans to implement DNSSEC security. DNSSEC ensures that answers provided by the DNS came from an authorized server and have not been altered in transit – critical characteristics that provide the level of trust that the Internet needs.
DNSSEC protocols have been embraced and implemented by the U.S. government and many top-level domains. The White House issued a directive that has prompted a significant portion of federal agencies to implement DNSSEC, and the Department of Homeland Security has highlighted this as a critical initiative for all organizations with DNS infrastructure. Most importantly for the telecommunications industry, the FCC announced in 2012 that it was calling on major telecommunications companies to implement DNSSEC, and that quickly resulted in an agreement with the largest providers to follow through on that request.
That agreement with the FCC was a clear sign of the telecommunications industry’s understanding of the importance of DNS security and its intention to implement the security protocols. The Forrester Research report corroborated that with a statistic that 52 percent of the telecom-focused companies interviewed for the study called DNS security an urgent issue. The report also highlighted the eye-catching statistic that more than half of the total participants in the survey had experienced a recent DNS attack on their networks.
The most intriguing statistic from the report, though, is this one: Forrester reported that 95 percent of the total organizations surveyed who were familiar with DNSSEC said they had either already implemented DNSSEC or planned to in the coming 12-18 months. That report was published in 2010, so an analysis of DNS systems today should show significant progress on this issue, particularly when the recent FCC agreement with major telcos is factored in. Our progress report shows a very different picture, though:
- None of the 60-plus largest telecom/ISP companies in the world have completed full deployment of DNSSEC.
- And none of these telecom/ISP companies show evidence of even having begun a trial deployment of DNSSEC, which would include basic steps such as signing DNS data.
Our technical team broadened our research to look at other organizations that manage DNS infrastructure, including the media/entertainment industry, which in many ways is a close cousin to the telecommunications industry based on the way media and telecom have come to overlap over the past decade:
- Of the largest 50 media and entertainment organizations, only one shows evidence of DNSSEC implementation.
- Comcast (which is categorized as media by Fortune) is the only company in this vertical that has fully deployed DNSSEC, including signing of DNS data and establishing a full chain of trust.
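The findings above separate three stages: no signing, signed DNS data, and a full chain of trust. The following is an added example, not code from the article or from Secure64's survey, showing how those stages can be told apart from a zone's records by matching the parent's DS record against the zone's DNSKEY as RFC 4034 defines. It does not validate signatures, and the zone name, key bytes and the `deployment_status` helper are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical lower-case wire form of a domain name (RFC 4034, 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def deployment_status(zone, dnskeys, has_rrsig, parent_ds):
    """Classify a zone from its DNSKEY RDATA list, whether its answers carry
    RRSIGs, and the parent's DS set as (key_tag, algorithm, digest_type, digest)."""
    if not dnskeys or not has_rrsig:
        return "unsigned"
    for tag, alg, dtype, digest in parent_ds:
        for rdata in dnskeys:
            if (dtype == 2 and tag == key_tag(rdata) and alg == rdata[3]
                    and digest == ds_digest_sha256(zone, rdata)):
                return "signed, chain of trust established"
    return "signed, no chain of trust"

# Constructed sample data: not a real zone or key.
ZONE = "example.net"
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
DS = (key_tag(KSK), 13, 2, ds_digest_sha256(ZONE, KSK))

if __name__ == "__main__":
    print(deployment_status(ZONE, [], False, []))
    print(deployment_status(ZONE, [KSK], True, []))
    print(deployment_status(ZONE, [KSK], True, [DS]))
```

A zone that is signed but has no matching DS at its parent cannot be validated by resolvers starting from the root, which is why the last bullet counts the chain of trust as part of full deployment.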
There is clearly a large gap between what telecom companies have publicly said they plan to do about DNS security and the reality of what they have done so far. The slow pace of adoption may be due to lingering perceptions of DNSSEC as difficult to deploy, but the reality today is that there is no technological barrier to implementing DNS security measures in a fast and inexpensive manner.
Mark Beckett is vice president at Secure64 (www.secure64.com).
Edited by Stefania Viscusi