Driving DNSSEC

By Thomas Orthbandt

Posted on March 21, 2012 in: Security

DNSSEC continues to gain momentum as network operators and domain owners watch and learn from early adopters. The learning process is made easier by efforts such as the ongoing work conducted by researchers at Sandia Labs to methodically identify and categorize the kinds of problems that are occurring.

‘DNS Changer’ Fallout

By Thomas Orthbandt

Posted on March 15, 2012 in: Network

The situation surrounding DNS Changer highlights some interesting issues. Unless end users remove DNS Changer malware from their machines, those machines will always try to connect to the DNS server addresses encoded in the malware. Today they’ll connect to “clean” DNS servers that replaced the hackers’ DNS servers as a result of a court order. But those servers are unlikely to remain in place. This means at some point infected machines will lose their Internet connectivity.

A Volunteer Army for Defeating Botnets

By Thomas Orthbandt

Posted on March 8, 2012 in: Security

Governments around the world are starting to pay attention to botnets and the damage they can inflict.  Recently the Chairman of the US Federal Communications Commission (FCC), Julius Genachowski, called for action to address the bot problem and improve Internet security.

Best practices for securing the DNS infrastructure

By Thomas Orthbandt

Posted on February 28, 2012 in: Network

Like any critical part of network infrastructure, securing recursive DNS requires a layered approach. All the points of entry into the system (the console(s), network, etc.) need to be protected. Before we look at the types of protection, we need to consider the various types of attacks against recursive DNS server infrastructure; they can be broadly categorized based on the attack target:

DNSSEC Implementation

By Thomas Orthbandt

Posted on February 21, 2012 in: Security

I first became familiar with DNSSEC around 2002 when it was a feature of the Bind9 server, which I was using to set up a new authoritative DNS platform for customers of the ISP I was working for. I looked at it briefly, decided it was too complex and not worth investigating. A couple of years later a domain of a customer got poisoned in another ISP’s network. And while the DNS service we provided was working properly, the customer’s impression was we hadn’t protected them.

Ghosts in the DNS machine

By Thomas Orthbandt

Posted on February 14, 2012 in: Network

There was an intriguingly named vulnerability revealed this week: Ghost Domains.  A paper describing it can be found here.  A team of researchers in China discovered a way to allow a domain to remain reachable in the DNS even after it has been revoked from a TLD.  It looks like they expended a lot of energy testing their new idea and discovered there are several caching DNS software releases that are vulnerable.

Best practices for DNS design and architecture

By Thomas Orthbandt

Posted on January 24, 2012 in: Network

The DNS is a critical component of ISP infrastructure. It’s usually described in two forms, Authoritative and Caching.

Authoritative DNS servers host your domains, like www.yourcompany.com, and associated resource records, as well as their location. They do this by mapping names of hosts to their IP addresses.

Intelligent DNS Will Be Critical in Mobile Networks

By Thomas Orthbandt

Posted on January 19, 2012 in: Network

Mobile exploits aren’t yet widespread; inherent security protections built into mobile devices, operating systems and networks have thus far largely deterred malware that gets secretly downloaded to mobile devices.  But mobile users are still subjected to socially engineered attacks like phishing, and technologies (like QR codes) expose them in new ways.
