UPDATED 09:00 EDT / JANUARY 16 2018

NS1 launches an answer to the internet’s ‘cache poisoning’ problem

Many of the core technologies that underpin the internet were created decades ago, in a time when hacking was a much less pronounced threat than it is today. As a result, some of these building blocks suffer from security weaknesses that make them and the services that depend on them vulnerable to attack.

NS1 Inc., a recently funded startup that helps the likes of Salesforce.com Inc. handle user traffic, has set out to tackle one such foundational weakness today. Its newly announced solution is a homegrown implementation of a controversial technology called DNSSEC and focuses on the Domain Name System, the distributed network that serves as the internet’s switchboard.

The DNS network is responsible for matching URLs, for instance those that a user types into their browser, to the desired service. NS1’s customers rely on its infrastructure to connect their online assets to the system. The security issue that the startup is tackling has to do with the way that the switchboard handles incoming requests.

Because the DNS network is spread out over numerous servers and providers, the individual node that happens to receive a URL query may not know what website it belongs to. In such cases, it will forward the request to other DNS nodes. If those machines don’t have the necessary information either, the process continues until a match is found. The original server then caches the result so that it may handle future requests without repeating the operation.

Under certain circumstances, hackers can answer a DNS node’s request for information with a fraudulent record that associates a URL with a malicious IP address. The result is that the node will redirect users who try to visit that address to the attackers’ website. Since email servers also rely on the DNS network, online communications can be affected as well.

This type of attack is known as “DNS cache poisoning.” DNSSEC, the protocol that NS1 has implemented, was created by the Internet Engineering Task Force to stave off such redirect attempts by cryptographically signing DNS records to verify their authenticity. But adoption has been sluggish so far thanks to some technical challenges with the protocol.
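The difference signing makes to a caching node can be sketched in a few lines of Python. This is an added illustration, not NS1's code or an implementation of DNSSEC itself: the toy RSA key, the `Resolver` class, the names and the addresses are all constructed, and the real protocol's key hierarchy and record formats are left out.

```python
import hashlib

# Toy RSA zone key built from two Mersenne primes (constructed; far too small for real use).
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the zone owner

def digest(name, ip):
    """Reduce a (name, address) record to an integer below the modulus."""
    h = hashlib.sha256(f"{name}|{ip}".encode()).digest()
    return int.from_bytes(h, "big") % N

def sign(name, ip):
    """Zone owner signs the record with the private key."""
    return pow(digest(name, ip), D, N)

def verify(name, ip, sig):
    """Anyone holding the public key (N, E) can check the signature."""
    return pow(sig, E, N) == digest(name, ip)

class Resolver:
    """Caching node (hypothetical): the first acceptable answer for a name is cached."""
    def __init__(self, validate):
        self.validate = validate
        self.cache = {}

    def accept(self, name, ip, sig=None):
        if name in self.cache:
            return False  # name is already cached, later answers are ignored
        if self.validate and (sig is None or not verify(name, ip, sig)):
            return False  # unsigned or badly signed answer is dropped
        self.cache[name] = ip
        return True

def run(validate):
    """Fraudulent answer arrives before the genuine one; return the cached address."""
    name, real_ip, fake_ip = "www.example.com", "192.0.2.10", "203.0.113.66"
    real_sig = sign(name, real_ip)
    r = Resolver(validate)
    r.accept(name, fake_ip, real_sig)  # fraudulent record carrying a signature made for another address
    r.accept(name, real_ip, real_sig)  # authentic signed record
    return r.cache[name]

if __name__ == "__main__":
    print("non-validating cache:", run(False))
    print("validating cache:    ", run(True))
```

The non-validating node caches whichever answer reaches it first, while the validating node discards the fraudulent record because the signature does not match its contents.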

NS1 said it has managed to bake DNSSEC into its DNS hosting platform in a way that overcomes these obstacles. Specifically, the startup addresses the fact that the protocol often requires disabling many of the mechanisms commonly employed to optimize DNS performance for users. These include load balancing and “geo-routing,” which involves sending DNS requests to the server closest to the originating device.

NS1 also offers protection against outages. Companies can deploy the startup’s Dedicated DNS system in their private data centers or the public cloud to serve as a fallback for the DNSSEC-enabled servers they run on its hosting platform.
