The Domain Name System is core to the functional operation of the Internet, linking domain names to IP addresses. Yet despite DNS’ critical role in the Internet infrastructure, proper security of DNS information has largely been lacking, which is something CloudFlare is now aiming to change.
DNS information is at risk of being poisoned or manipulated in ways that could disrupt the way the Internet works. Back in 2008, security researcher Dan Kaminsky warned of a “Web doomsday” thanks to a DNS vulnerability that could have enabled attacks. While the specific flaw in DNS that Kaminsky first warned about was patched seven years ago, the long-term solution for securing DNS is a technology called DNSSEC (DNS Security Extensions). DNSSEC provides cryptographic integrity and authenticity for DNS information.
The challenge with DNSSEC, however, is that it is complex and difficult to deploy. It’s a challenge that CloudFlare has taken on over the course of 2015. In March, CloudFlare announced a Virtual DNS Security Service that provides initial support for DNSSEC. Now, CloudFlare is expanding its DNSSEC efforts by offering a universal DNSSEC service to all of its customers—for free.
“The challenge with DNSSEC is not so much around the technical implementation but more around the usability,” Matthew Prince, co-founder and CEO of CloudFlare, told eWEEK.
Another challenge that has emerged in recent years is that attackers are making use of DNSSEC records as part of DNS amplification distributed denial-of-service (DDoS) attacks. In an amplification attack, the attacker makes use of a legitimate DNS query, but then amplifies it by using a large number of hosts to overwhelm a victim. There is often a lot of data in a DNS query that looks at a DNSSEC record, Prince said.
Part of CloudFlare’s DNSSEC deployment is minimizing the size of the cryptographic records to help limit the risk of DNS amplification. CloudFlare is using Key Algorithm 13, which is an elliptic curve cryptography implementation that enables smaller record sizes for DNSSEC, according to Prince.
The company is also working on the deployment challenges of DNSSEC from a domain administrator perspective.
“We are making it one-click simple for a customer to now enable DNSSEC,” Prince said. “There are no Byzantine choices, and there is very little you can do to screw it up.”
The actual process, however, does take a few steps to enable on most types of top-level domains. After the user clicks the button to get DNSSEC, CloudFlare generates a DNSSEC record that the user will then need to copy and take to their own domain registrar, Prince said. Users will need to log into their own domain registrar, copy the DNSSEC record and save the new complete record.
“The uploading to the registrar part is still harder than it needs to be,” he admitted.
Prince, however, has a plan to make the process even more seamless.
“We think that just like SSL/TLS [Secure Sockets Layer/Transport Layer Security] encryption works pervasively on the Internet, we have to make it such that DNSSEC is just on by default,” he said. “In order to do that, we have to eliminate the step where the domain holder has to upload a new record to their domain registrar.”
One way to do that is to have standards bodies enable DNS providers such as CloudFlare to provide DNSSEC entries directly to registrars. To that end, there is now a proposal in front of the Internet Engineering Task Force (IETF) that will enable just that.
Among the first registrars in the world to support CloudFlare’s initiative is the dot.ca Canadian top-level domain registry.
“So if you’re a CloudFlare customer and you have a dot.ca domain, DNSSEC is automatic,” Prince said. “We’re confident that over time more registry providers will support this effort.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.