As the enabler of almost all web, email, instant-messaging, and streaming transactions, the DNS is arguably one of the most critical infrastructure services on the Internet. DNS is also the main platform for new and emerging services such as Voice over LTE (“VoLTE”) in cellular networks, Voice over IP (“VoIP”) in telephony, Radio Frequency ID (“RFID”) technologies, and Content Distribution Networks (“CDNs”). DNS also plays a central role in secure communication over SSL/TLS: the name a client resolves is the name it expects to find in the server's certificate, so a browser connecting to a banking Web site, or a user authenticating to a login page, relies on DNS to reach the right server before certificate verification even begins.
Based on the above, it is essential that DNS be continuously available and operated reliably. In the past several years, attacks on Internet infrastructure, including DNS, have increased in both volume and sophistication. Online theft has surpassed physical theft, an indication of the high value the Internet presents to criminal organizations. At the same time, companies have a responsibility to protect both their customers from illegitimate activity and their own capital investments in infrastructure. A major priority in this effort is protecting the DNS service, which is offered to individual and business customers and underpins numerous other services.
When the DNS protocol was initially designed in the early 1980s, it was used by a small set of trusted terminals and servers, and the protocol carries no authentication of the answers it returns. Today, DNS is used by billions of devices around the globe, a significant portion of which are compromised or operated with malicious intent. Despite this, more than thirty years after the initial design, there still has not been a significant overhaul of the security of the protocol. Domain Name System Security Extensions (“DNSSEC”), an extension built on top of the original DNS protocol that adds digital signatures to zone data, is touted by many as the right solution, but the reality is that DNSSEC has its own weaknesses and introduces many additional risks. For these reasons many DNS operators delay DNSSEC introduction; the very slow rate of DNSSEC deployment over the last several years is evidence of this.
Because a DNS resolver accepts any response whose transaction ID, destination port, and question match an outstanding query, with no cryptographic proof of where the response came from, DNS is amenable to information tampering. A single forged response can affect multiple client devices, because the tampered record persists in the resolver's cache for whatever time-to-live (TTL) the forger chose. This is commonly referred to as cache poisoning. Client devices may unknowingly use the tampered information and can be denied service or maliciously redirected to other servers that harvest user credentials, leak information, sell illegal or counterfeit merchandise, or perform some other malicious activity. DNSSEC can in theory mitigate this problem, but it introduces many additional risks, such as increased hardware requirements (e.g., network links, routers, larger servers and disks, since signed responses are considerably larger), operational costs (key management and periodic re-signing), and an increased frequency of service outages (for example, when signatures are allowed to expire). DNSSEC is also not the optimum solution for network service providers whose main interest is protecting end users with minimal impact to their network.
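The cache-poisoning mechanism described above can be made concrete with a small simulation. The following is an added illustration, not code from the original document: it builds and parses minimal DNS A-record responses in wire format, models a caching resolver that accepts a reply purely on a matching port, transaction ID and question, and lets an off-path attacker flood forged replies for every 16-bit transaction ID. It also shows the resolver serving the forged address to every client until the attacker-chosen TTL expires, and how source-port randomization (the mitigation recommended in RFC 5452) defeats the same flood. The name `bank.example.` and the addresses `192.0.2.10` (legitimate) and `203.0.113.66` (attacker) are hypothetical.

```python
"""Toy DNS cache-poisoning simulation (added illustration, not code from the page).
Hypothetical names: bank.example., 192.0.2.10 (legitimate), 203.0.113.66 (attacker)."""
import random
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels, no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode a wire-format name starting at `off`; return (name, offset after it)."""
    labels = []
    while buf[off] != 0:
        ln = buf[off]
        labels.append(buf[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", off + 1


def build_response(txid: int, name: str, ip: str, ttl: int) -> bytes:
    """Minimal response: header, one question, one A record in the answer section."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt: bytes):
    """Return (txid, qname, [(owner, ttl, ip), ...]) for the A records in the answer."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4                                                    # skip QTYPE/QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return txid, qname, answers


class Resolver:
    """Caching resolver that accepts a reply if it arrives on the port of an
    outstanding query with a matching TXID and question. No signature check."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.rng = rng
        self.randomize_port = randomize_port
        self.now = 0                 # simulated clock, seconds
        self.cache = {}              # qname -> (ip, expires_at)
        self.pending = {}            # (port, txid) -> qname

    def send_query(self, name: str):
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        self.pending[(port, txid)] = name
        return port, txid

    def receive(self, port: int, pkt: bytes) -> bool:
        txid, qname, answers = parse_response(pkt)
        if self.pending.get((port, txid)) != qname:
            return False             # mismatch: silently dropped
        del self.pending[(port, txid)]
        for owner, ttl, ip in answers:
            if owner == qname:
                self.cache[qname] = (ip, self.now + ttl)   # cached for the reply's TTL
        return True

    def lookup(self, name: str):
        entry = self.cache.get(name)
        return entry[0] if entry and entry[1] > self.now else None


def off_path_attack(randomize_port: bool, seed: int = 7):
    """Attacker cannot see the query, so it floods port 53 with a forged reply for
    every possible TXID. Returns (ip served at t=0, ip served after TTL, replies sent)."""
    rng = random.Random(seed)
    resolver = Resolver(randomize_port, rng)
    resolver.send_query("bank.example.")
    sent = 0
    for guess in range(1 << 16):
        sent += 1
        forged = build_response(guess, "bank.example.", "203.0.113.66", 3600)
        if resolver.receive(53, forged):
            # The genuine reply arrives afterwards but is no longer pending: dropped.
            resolver.receive(53, build_response(guess, "bank.example.", "192.0.2.10", 300))
            break
    served_now = resolver.lookup("bank.example.")     # what every client gets now
    resolver.now = 3601                               # advance past the forged TTL
    return served_now, resolver.lookup("bank.example."), sent


if __name__ == "__main__":
    print("fixed port 53:  ", off_path_attack(randomize_port=False))
    print("random port:    ", off_path_attack(randomize_port=True))
```

With a fixed source port the flood always succeeds within 65,536 forged replies, and the poisoned record is then handed to every client of that resolver for the full 3,600 seconds; with the port randomized the same flood never matches, because the attacker must now guess both the port and the transaction ID. Real resolvers also check the responding server's address and, since the 2008 Kaminsky attack, randomize ports and apply further heuristics; the simulation keeps only the checks needed to show why a forged answer is accepted and how long it stays cached.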