UPDATED 11:44 EST / SEPTEMBER 06 2017


DNS gets makeover to bolster security

There are a lot of things the internet can do without, but the domain name system, or DNS, isn’t one of them. Without a directory of domain names that can be translated into recognizable addresses, the internet simply would not work. And that’s why when criminals launch distributed denial of service, or DDoS, attacks using DNS, security experts around the world take notice.

“Folks are starting to realize how critical DNS is,” said Cricket Liu, chief DNS architect for Infoblox Inc., which delivers network intelligence to enterprise, government and service provider customers.

Liu visited with John Furrier (@furrier), host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during theCUBE’s On the Ground program at Centrify’s headquarters in Santa Clara, California. They discussed ramifications from a high-profile attack against the internet last year and steps being taken to make DNS more secure.

The critical importance of DNS was underscored last October when a DDoS attack, made possible by weak security in connected Internet of Things devices, targeted Dyn, a company that controls a great deal of the internet’s infrastructure. The attack temporarily brought down a number of popular websites across the U.S. and Europe.

“I think that woke a lot of folks up,” Liu said. “These guys are not too big to fail even though they have enormous infrastructure.”

Move toward policy controls

DNS administrators have responded to the Dyn attack by encouraging greater reliance on Response Policy Zones, a way for a DNS server to intercept queries and block or redirect them based on local policy rules. In this way, criminals whose malware uses DNS to find command-and-control servers could be thwarted.

“It tells DNS that if you get a query from a domain that we know is being used maliciously, don’t answer it,” Liu explained.
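How a resolver might apply such a policy, as an added example that is not from the article or from Infoblox: a simplified Python model of Response Policy Zone query-name rules. The zone contents and every domain name are constructed placeholders, and the wildcard lookup is a simplification of what a production resolver does.

```python
# Constructed sample policy zone (RPZ-style records; all names are placeholders).
# The CNAME target encodes the action the resolver should take.
SAMPLE_RPZ = """
c2.badnet.example    CNAME .                 ; answer NXDOMAIN
*.badnet.example     CNAME .                 ; NXDOMAIN for every subdomain
ok.badnet.example    CNAME rpz-passthru.     ; explicit exemption
tracker.example      CNAME *.                ; answer NODATA
phish.example        CNAME walled-garden.corp.example. ; redirect to a local page
"""

# Special CNAME targets defined by the RPZ convention.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA",
           "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}

def load_policy(zone_text):
    """Parse 'owner CNAME target' lines into {owner: action}."""
    policy = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        owner, rtype, target = line.split()
        if rtype.upper() != "CNAME":
            continue                               # this model handles CNAME rules only
        policy[owner.lower().rstrip(".")] = ACTIONS.get(target, "REDIRECT:" + target)
    return policy

def decide(policy, qname):
    """Return the policy action for a query name, or RESOLVE if no rule matches."""
    name = qname.lower().rstrip(".")
    if name in policy:                             # an exact rule beats any wildcard
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):                # most specific parent first
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return "RESOLVE"                               # no rule: answer normally

if __name__ == "__main__":
    rules = load_policy(SAMPLE_RPZ)
    for q in ["c2.badnet.example.", "a.b.badnet.example", "ok.badnet.example",
              "badnet.example", "phish.example", "www.example.org"]:
        print(f"{q:25} -> {decide(rules, q)}")
```

The `badnet.example` query resolves normally because a wildcard rule covers subdomains only, so blocking the parent name needs its own record.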

In addition to response policy moderation, there are other initiatives underway to overlay more security controls for DNS. One involves the DNS PRIVate Exchange, or DPRIVE, a process to encrypt every single part of the DNS channel. The DPRIVE initiative is being led by the Internet Engineering Task Force.

“If you’re a customer here in the U.S. and a subscriber to an ISP like Comcast, you can make sure that the first hop between your computer and the ISP is secure,” Liu said.

(* Disclosure: Centrify Corp. sponsored this segment on SiliconANGLE Media’s theCUBE. Neither Centrify nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
