The Internet Corporation for Assigned Names and Numbers (ICANN) – the keepers of the web’s address book – has warned that they believe there is “an ongoing and significant risk to key parts of the DNS infrastructure.” according to an announcement on Friday from ICANN, the DNS infrastructure is being targeted by ‘malicious activity.’
DNSSEC which stands for Domain Name System Security Extensions isan extension for the DNS protocol that allows domain owners to digitally sign DNS records.
Cryptographically signing DNS recoand prevents unauthorized third-parties from modifying DNS entries without a private DNSSEC signing key that’s usually in the possession of the legitimate domain owner only.
ICANN officials said DNSSEC would have prevented the recent DNS hijacking attacks that have made headlines in the past two month.
On 15 February 2019, in response to reports of attacks against key parts of the DNS infrastructure, ICANN offered a checklist of recommended security precautions for members of the domain name industry, registries, registrars, resellers, and related others, to proactively take to protect their systems, their customers’ systems and information reachable via the DNS.
At the start of the year, US cyber-security firm FireEye revealed a months-long campaign carried out by Iranian threat actors who hacked into the web hosting and domain registrar accounts to change the DNS records of email domains belonging to private companies and government entities.
The US Department of Homeland Security issued an alert about the attacks, urging both government entities and private companies to review their DNS records for malicious entries.
In a different report also touching the same DNS hijackings detected by FireEye, infosec investigative journalist Brian Krebs revealed additional DNS hijacking attacks, painting a grim picture in which hacker groups appear to have realized that is much easier to alter DNS records rather than hack email servers or spear-phish employees.
Now, ICANN, which has also taken note of the attacks, wants to avoid further attacks on the DNS system as a whole. The organization wants domain owners and the tech industry to push harder for DNSSEC adoption in the hopes to stop or limit future DNS hijacking attacks, which it sees as a real threat to the entire internet and the trust that users inherently have that they’ll land on the websites they want to view when they press Enter in their browsers.
Even if DNSSEC has been around for two decades, it has barely been deployed. According to APNIC (Asia-Pacific Network Information Centre) data, DNSSEC adoption has barely passed 19.3 percent, and ICANN has a daunting task ahead of it.