Domain Name System is once again front and center for exploits and security policy
Two recent events are once again bringing the internet’s foundational Domain Name System into the news, and not in a good way.
The first event involving the DNS last week was a warning from the Cybersecurity and Infrastructure Security Agency issued on Friday for version 9 of the Berkeley Internet Name Domain, or BIND.
It calls attention to three exploits that were disclosed and requires updates to this open source software, which is used by thousands of companies and government websites to translate back and forth between alphabetic domain names, such as SiliconANGLE.com, and numerical IP addresses, such as 35.91.118.127. The exploits would allow remote malware execution, although none has yet been observed in the wild.
DNS is an essential glue protocol that almost every internet-related service depends on, and BIND is the most popular way DNS entries are manipulated and managed. DNS flaws are common targets for hackers, who can redirect traffic to their own malicious destinations, which is useful for phishing and subsequent data-stealing operations. The recent Microsoft Layer 7 attack, for example, leveraged a few DNS exploits.
This isn’t the first alert regarding BIND, and isn’t even the first alert seen in 2023: Back in January, there was another alert about flaws that could cause denial-of-service and other system failures. Both alerts urge users to update their versions to current patched levels.
The second news item relevant to DNS concerns an open letter issued Friday by Vint Cerf, Stephen Crocker, Carl Landwehr and several others, entitled “Concerns over DNS Blocking.” The authors of this Medium post have been involved in internet protocol development and overall internet governance for decades.
The letter was sent in response to a draft bill under consideration in the French parliament entitled draft Military Planning Law 2024-2030 that was issued in early May. The authors state that the proposals “pose grave risks for global Internet security and freedom of expression.”
The meat of the proposed laws would enable wholesale DNS blocking of any internet provider operating in France. The authors claim the proposals would do more harm than good, and they fear they “might set a troubling precedent that could inspire similar measures in democratic and non-democratic jurisdictions alike — with global implications for security and online freedom.”
Part of the issue cited by Cerf, who is vice president and chief internet evangelist at Google LLC and was the former chair of the major internet governing body ICANN, and the others is that DNS blocks could be used for the wrong reasons, such as suppressing dissent, censoring information or conducting surveillance. These blocks are already familiar in China and North Korea, among other places.
“Lots of countries block or seize domain names including the US (usually the Immigration and Customs Enforcement component of the Border Patrol),” Cerf told SiliconANGLE. He said that he hadn’t yet received a response, “although it is the first work day since we posted the letter.”
DNS manipulation is a common tool that is used by many internet users and businesses. There are products, such as the recently introduced Google Cloud Armor, that screen out suspicious denial-of-service attacks and ransomware. Other services, called open DNS resolvers, are offered free of charge by Cloudflare Inc., Cisco Systems Inc. (as OpenDNS) and others.
For example, Google offers an open DNS resolver at http://8.8.8.8. Today about 21% of French users rely on an open DNS resolver, according to the letter.
The French proposal will target internet service providers. But the letter claims that these DNS resolver providers will also have to comply, and to do so they would be forced to apply the blocks globally.
“Consider a hypothetical scenario in which an authoritarian regime were to demand, under its own domestic laws, that open resolvers globally block the domain of a news organization for reporting on human rights abuses in their country,” Cerf and the others wrote. “More users would seek out risky infrastructure to bypass the filters.”
Worse, under another interpretation of the legislation, blocking would be required of every internet browser provider with French customers. That would introduce an additional level of confusion and pain, perhaps eclipsing the original purpose of the laws.