ICANN warns of “ongoing and significant” threat to DNS infrastructure

The internet’s address book keeper has warned of an “ongoing and significant risk” to key parts of the domain name system infrastructure, following months of increased attacks.

The Internet Corporation for Assigned Names and Numbers, or ICANN, issued the notice late Friday, saying DNS, which maps between domain names and numerical internet addresses, has been the victim of “multifaceted attacks utilizing different methodologies.”

It follows similar warnings from security companies and the federal government in the wake of attacks believed to be orchestrated by nation-state hackers.

In January, security company FireEye revealed that hackers likely associated with Iran were hijacking DNS records on a massive scale, rerouting users from a legitimate web address to a malicious server in order to steal passwords. This so-called “DNSpionage” campaign, named by Cisco’s Talos intelligence team, was targeting governments in Lebanon and the United Arab Emirates. Homeland Security’s newly founded Cybersecurity and Infrastructure Security Agency later warned that U.S. agencies were also under attack. In its first emergency order, issued amid a government shutdown, the agency ordered federal agencies to take action against DNS tampering.

ICANN’s chief technology officer David Conrad told the AFP news agency that the hackers are “going after the Internet infrastructure itself.”

The organization’s proposed solution is to call on domain owners to deploy DNSSEC, a more secure extension of DNS that is harder to manipulate. DNSSEC cryptographically signs DNS data to make it more difficult — though not impossible — to spoof.

But adoption has been glacial. Only three percent of the Fortune 1,000 are using DNSSEC, according to statistics by Cloudflare released in September. Internet companies like Cloudflare and Google have pushed for greater adoption by rolling out one-click enabling of DNSSEC to domain name owners.

DNSSEC adoption is currently at about 20 percent.

Cloudflare’s new ‘one-click’ DNSSEC setup will make it far more difficult to spoof websites

Bad news first: the internet has been broken for a while. The good news is that Cloudflare thinks it can make it slightly less broken.

With “the click of one button,” the networking giant said Tuesday, its users can now switch on DNSSEC in their dashboard. In doing so, Cloudflare hopes it removes a major pain-point in adopting the web security standard, which many haven’t set up — either because it’s so complicated and arduous, or too expensive.

It’s part of a push by the San Francisco-based networking giant to try to make the pipes of the internet more secure — even from the things you can’t see.

For years, you could open up a website and take its instant availability for granted. DNS, which translates web addresses into computer-readable IP addresses, has been plagued with vulnerabilities, making it easy to hijack any step of the process to surreptitiously send users to fake or malicious sites.

Take two incidents in the past year — where traffic to and from Amazon and, separately, Google, Facebook, Apple, and Microsoft was hijacked and rerouted for between minutes and hours at a time. Terabytes of internet traffic were siphoned through Russia for reasons that are still unknown. Any non-encrypted traffic was readable, at least in theory, by the Russian government. Suspicious? It was.

That’s where a security-focused DNS evolution — DNSSEC — is meant to help. It’s like DNS, but it protects requests end-to-end, from computer or mobile device to the web server of the site you’re trying to visit, by cryptographically signing the data so that it’s far tougher — if not impossible — to spoof.

But DNSSEC adoption is woefully low. Just three percent of websites in the Fortune 1000 sign their primary domains, largely because the domain owners can’t be bothered, but also because their DNS operators either don’t support it or charge exorbitant rates for the privilege.

Cloudflare now wants to do the hard work of setting those crucial DS records, a necessary component of DNSSEC setup, for customers on a supported registrar. Traditionally, setting a DS record has been notoriously difficult, often because the registrars themselves can be problematic.
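A DS record is nothing more than a digest of the child zone’s key-signing DNSKEY, published in the parent zone, which is why getting it byte-for-byte right at the registrar matters. The following Python is an added example, not code from Cloudflare or from the article: it builds a DS from a DNSKEY as RFC 4034 specifies and recomputes it from the key as a sanity check before the parent publishes it. The zone name and key bytes are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed DNSKEY material for a hypothetical zone; not a real key.
ZONE = "example.com"
PUBKEY = bytes.fromhex("0102030405060708")  # placeholder key bytes, not a real ECDSA key


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2.1): flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS fields for a DNSKEY (RFC 4034 section 5.1.4): the digest covers owner name + RDATA."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(owner_name_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """Recompute the DS from the child's DNSKEY and compare: the check a registrar should run."""
    return make_ds(owner, rdata, ds["digest_type"]) == ds


def ds_presentation(owner: str, ds: dict) -> str:
    """Zone-file form of the DS record the parent publishes."""
    return (f"{owner.rstrip('.')}. IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")


if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 13, PUBKEY)  # flags 257 = zone key + SEP bit (a KSK), alg 13 = ECDSAP256SHA256
    ds = make_ds(ZONE, ksk)
    print(ds_presentation(ZONE, ds))
    print("matches:", ds_matches_dnskey(ds, ZONE, ksk))
    # One altered key byte, or a typo in the owner name, yields a DS that will never validate.
    print("tampered:", ds_matches_dnskey(ds, ZONE, dnskey_rdata(257, 3, 13, PUBKEY[:-1] + b"\x09")))
```

A DS that fails this comparison is exactly the misconfiguration that makes a signed zone unresolvable for validating resolvers, so the check belongs before the parent ever publishes the record.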

As of launch, Gandi will be the first registrar to support one-click DNSSEC setup, with more expected to follow.

The more registrars that support the move, the fewer barriers there are to a safer internet, the company argues. Right now, the company says, users should consider switching away from providers that don’t support DNSSEC and “let them know that was the reason for the switch.”

Just as HTTPS was slow to be adopted over the years — but finally took off in 2015 — there’s hope that DNSSEC can follow the same path. The more companies that adopt the technology, the less vulnerable end users will be to DNS attacks on the internet.

And besides the hackers, who doesn’t want that?