The domain name system
First proposed in 1983, six years before the World Wide Web, DNS translates domain names like amazon.com and paubox.com into numerical Internet Protocol (IP) addresses that identify every server, computer, and device connected to the Internet. It's much easier to remember google.com than 142.250.68.100. DNS entries include electronic mail routing information. The problem of email spam was solved in part by tracking which IP addresses were used to send spam and blocking them, and requiring IP warming before new addresses could send email.
SEE ALSO: HIPAA Compliant Email: the Definitive Guide
But more sophisticated attacks target the DNS system itself. And if the global address book of the Internet can't be trusted, it's impossible to know which systems you can trust.
DNS hijacking
Because computers rely on DNS to know where to find each other, hackers often target the DNS system to redirect connections to other servers. This is called DNS hijacking. For example, you may be trying to log onto your bank's website at paubank.com, which the DNS system will normally tell you can be found at 123.456.789. Hackers could "hijack" the DNS directory entry for paubank.com and send you to 123.456.666 instead. If the website at the other end is designed to look like your bank website, you could log in with your username and password and unknowingly compromise your security. There are four basic types of DNS redirection attacks:
- Local: Malicious software (malware) is installed on your computer to change your DNS records and settings.
- Router: Centralized hardware in homes and businesses, which people often install without changing the factory usernames and passwords, is modified to redirect DNS lookups.
- Man-in-the-middle: Connections are intercepted between a user and a DNS server to replace correct IP addresses with IP addresses of malicious websites.
- Rogue DNS server: Setting up or taking over a DNS server to have control over the entire address book, again to direct users to malicious websites.
SEE ALSO: How do I identify my domain host?
What is DNSSEC?
In order to restore trust in the DNS system, new systems and standards were implemented to add layers of security and authentication. One of the organizations entrusted with establishing Internet standards is the Internet Engineering Task Force ( IETF), an open, international community of network designers, operators, vendors, and researchers focused on the smooth operation and evolution of the Internet. In 1999, the IETF proposed Domain Name Security Extensions (DNSSEC) to "provide data integrity and authentication . . . through the use of cryptographic digital signatures." With cryptographic digital signatures, DNS servers can detect forged or manipulated DNS data, and compare the information provided against a designated authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect any data published in the DNS, including MX records. Although DNSSEC makes the DNS system more secure, it also adds complexity to its overall operation, and it is not universally supported. Google provides open, DNSSEC capable DNS servers via its Google Public DNS service.Subscribe to Paubox Weekly
Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.