There are a lot of things the internet can do without, but the domain name system, or DNS, isn’t one of them. Without a directory of domain names that can be translated into recognizable addresses, the internet simply would not work. And that’s why when criminals launch distributed denial of service, or DDoS, attacks using DNS, security experts around the world take notice.

“Folks are starting to realize how critical DNS is,” said Cricket Liu (pictured, left), chief DNS architect for Infoblox Inc., which delivers network intelligence to enterprise, government and service provider customers.

Liu visited with John Furrier (@furrier) (pictured, right), host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during theCUBE’s On the Ground program at Centrify’s headquarters in Santa Clara, California. They discussed ramifications from a high-profile attack against the internet last year and steps being taken to make DNS more secure.

The critical importance of DNS was underscored last October when a DDoS attack, leveraged by weak security inside connected Internet of Things devices, targeted Dyn, a company that controls a great deal of the internet’s infrastructure. The attack temporarily brought down a number of popular websites across the U.S. and Europe.

“I think that woke a lot of folks up,” Liu said. “These guys are not too big to fail even though they have enormous infrastructure.”

Move toward policy controls

DNS administrators have responded to the Dyn attack by encouraging greater reliance on Response Policy Zones, a way to intercept access requests and redirect them based on local policy rules. In this way, criminals who use malware to find command and control servers through DNS could be thwarted.

“It tells DNS that if you get a query from a domain that we know is being used maliciously, don’t answer it,” Liu explained.

In addition to response policy moderation, there are other initiatives underway to overlay more security controls for DNS. One involves the DNS PRIVate Exchange, or DPRIVE, a process to encrypt every single part of the DNS channel. The DPRIVE initiative is being led by the Internet Engineering Task Force.

“If you’re a customer here in the U.S. and a subscriber to an ISP like Comcast, you can make sure that the first hop between your computer and the ISP is secure,” Liu said.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE and theCUBE’s “On The Ground” interviews. (* Disclosure: Centrify Corp. sponsored this segment on SiliconANGLE Media’s theCUBE. Neither Centrify nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE