The new Virtual DNS service from CloudFlare aims to help improve the state of DNS security on the Internet.
Security specialist CloudFlare today announced a new Virtual DNS service with the goal of helping mitigate denial-of-service (DoS) attacks and improving Domain Name System (DNS) security overall.
DNS is core to the operation of the modern Internet, mapping domain names to the IP addresses of servers. As critical infrastructure, DNS servers are also coming under increasing pressure, with distributed denial-of-service (DDoS) attacks taking aim at them. CloudFlare aims to address that challenge with its Virtual DNS service.
"You can think of Virtual DNS like a shield that sits in front of a company's existing DNS infrastructure," Matthew Prince, co-founder and CEO of CloudFlare, told eWEEK.
As part of the company's delivery network and security platform, CloudFlare has already built one of the largest DNS infrastructures in the world and many customers have used the company's DNS directly for years, Prince said. But not all organizations are able to directly leverage a third-party DNS infrastructure, he said, adding that many organizations have their own existing DNS deployments and want to maintain more control.
"The way Virtual DNS works is like a giant proxy, so a company keeps their existing DNS infrastructure with no changes," Prince explained.
From a deployment perspective, a key use case is for hosting providers to be able to deliver DNS services to their customers. So, for example, if a Web-hosting company is using "ns1.example.com" as its DNS, it points the name server to "bob.cloudflare.com" to leverage the Virtual DNS. Customers of the Web-hosting company, in turn, still have all their domains pointing to "ns1.example.com," and don't have to make any changes to get the improved security. Cloud service provider DigitalOcean is currently one such provider that is using CloudFlare's Virtual DNS.
In addition to the scalability and protection against DDoS that the CloudFlare Virtual DNS offers, the service also can be used to enable DNS Security Extensions (DNSSEC). With DNSSEC, a domain name can be cryptographically signed to provide an additional layer of authenticity and integrity.
Back in 2008, security researcher Dan Kaminsky discovered a cache-poisoning flaw in DNS that could have enabled attackers to trick DNS servers into returning an incorrect IP address for a domain. While the underlying DNS server software has been patched for the Kaminsky flaw, DNSSEC is regarded as the longer-term solution for improving DNS integrity. DNSSEC support for Virtual DNS is currently a beta feature, according to Prince.
"We're able to add DNSSEC records into the response even if the provider doesn't support DNSSEC, as long as the individual domain is signed," Prince said.
By making it easier to enable DNSSEC, CloudFlare can help secure more of the Internet, Prince said. "DNS is the heart of the Internet, and DNS poisoning is a real problem, and it's a type of attack that happens daily on the Internet," Prince said. "DNSSEC is a way of solving that problem, and it's a protocol that has been hard and complex to implement."
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.