Can DNS be used to support encryption?

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

BROWSE BY TAG Platform Security,   Enterprise Data Protection,   Disk Encryption and File Encryption,   Network Protocols and Security,   Enterprise Network Security,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Platform Security What are the security risks of Windows Vista RSS functionality? How to harden Linux operating systems What are the key provisions of Massachusetts Executive Order 412? A simple substitution cipher vs. one-time pad software When should a virtual patch be used? What is the best operating system for an FTP server implementation? Are encrypted, self-deleting USB storage drives worth the investment? Can read/write access policies be put on a SAN server? Is it more secure to have a mainframe or a collection of servers? Should open source disk-encryption software be used? Disk Encryption and File Encryption Database monitoring, encryption vital in tight economy, Forrester says Sophos integrates encryption into endpoint security Cryptography for the rest of us Encryption in data management should never be ignored, expert says The difference between AES encryption and DES encryption Security budget issues to resonate at RSA Conference Portable security storage device could replace OTP devices Mass. officials explain new data protection regulations A simple substitution cipher vs. one-time pad software Are encrypted, self-deleting USB storage drives worth the investment? Network Protocols and Security DNSSEC deployments gain momentum since Kaminsky DNS bug Kaminsky interview: DNSSEC addresses cross-organizational trust and security PCI compliance requirement 4: Encrypt transmissions Balancing security and performance: Protecting layer 7 on the network Swedish hacker indicted for Cisco Systems, NASA breach How to implement PCI network segmentation How should service providers address VoIP security issues and threats? How to create a secure network through a shared Internet connection Cyberattack mapping could alter security defense strategy The case against UTM: Is there a better alternative?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Advanced Encryption Standard  (SearchSecurity.com) data key  (SearchSecurity.com) Encrypting File System  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) network encryption  (SearchSecurity.com) output feedback  (SearchSecurity.com) quantum cryptography  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) Rijndael  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

I think it's more likely that encryption will be used to support DNS than the other way around. The Domain Name System, designed to identify and locate Internet-connected devices, is a public database and inherently insecure. As long as DNS query requests and results can be intercepted or altered, the Domain Name System is unlikely to make a sound base for providing some form of support service for encryption.

Take DNS cache poisoning, for example. Attackers use this technique to trick a DNS server into believing it has received authentic information when, in reality, it has not. In fact, it's because DNS responses are not usually cryptographically signed that there are so many attack possibilities.

As the use of DNS outgrows its original purpose -- it's being used with an increasing myriad of Internet-connected devices from smartphones to kitchen appliances -- it is becoming more important that both DNS queries and responses are better protected. Yet securing DNS is proving difficult, as any changes have to be backwards-compatible with older systems and yet still scale to the size of the Internet. This and a lack of cooperation between major Internet players are why initiatives to improve the security of DNS, such as the Domain Name System Security Extensions (DNSSEC), have yet to be widely adopted (DNSSEC modifies DNS to add support for cryptographically signed responses).

Another approach to help validate DNS results is Forward Confirmed Reverse DNS (FCrDNS). FCrDNS checks that an IP address has both forward and reverse DNS entries that match each other. These entries are used to authenticate a valid relationship between the owner of a domain name and the owner of the network that has been given an IP address. While weak, this authentication is strong enough that it can be used for whitelisting purposes. Because of a statistical correlation between machines that send spam and machines that fail FCrDNS check, spammers and phishers usually can't bypass this verification when they use compromised computers to forge the domains.

Even with encryption, a DNS server can become compromised by a virus or a disgruntled employee who could redirect the server's IP addresses to a malicious address with a long time-to-live (TTL) value. Every DNS server that cached the bad IP data would have to be manually purged, as a TTL can be set for as long as 68 years!

Then there's the problem of typos. How often have you misspelled the address of the website you want to visit but still ended up at a website? For example, paypal.com and paypa1.com are different domain names, yet users may be unable to distinguish between them, particularly if their typeface doesn't clearly differentiate the letter l and the number 1. This problem is even more serious in systems that support internationalized domain names, since many characters that are different, from the point of view of ISO 10646, appear identical on a typical computer screen. This vulnerability is often exploited in phishing.

As with most protocols used on the Internet, it is becoming imperative in the interest of security and privacy to prevent the disclosure of dialogues between the intended client and server. If a large number of popular name servers were to adopt strong cryptography, many attacks on DNS would be rendered useless. Even so, DNS would still be a long way off from the point where it is secure enough to be part of a cryptographic service.

More information: