Role of deSEC in the DNS4EU project

Security from the Start

On the web, HTTP traffic (such as a search query) is usually protected so that clients (browsers) can verify, using cryptographic techniques, that the traffic was not manipulated on the way from the web server. This type of protection is not always there when it comes to DNS traffic: DNS queries and responses are mostly transmitted without cryptographic protection, and are subject to certain kinds of attacks.


Given that DNS queries and responses happen as the very first step of a connection (even before HTTPS!), DNS-based attacks have the potential to undermine the reliability of connections as a whole. When the Internet was conceived, this was not much of a problem, as it was used for academic purposes and abuse was low. The absence of security in the early design of the Internet also allowed for conceptual simplicity, which made it easily extensible and has contributed to the Internet's tremendous success. But today, it's time to fix those holes that were left open in the past.

Securing the DNS

Developments from recent years have enabled DNS providers (who are the source of DNS responses) to secure their DNS responses with digital signatures, using a technology called DNSSEC. It's a complex mechanism, and while its operation can be automated almost entirely, there are a number of choices in how exactly to run it. This reflects DNS operations in general, where there are a lot of knobs to configure behaviour for a number of edge cases, some of which are mainly performance-related while others have implications for security and privacy.

Role of deSEC in DNS4EU

deSEC's mission is to make the Internet a more trustworthy place. We focus on this goal using technical means, as people and their applications need a solid underlying technical foundation in order to build "trustworthy real-world things" on top. In particular, we work to advance the state of DNS security.

That's why deSEC participates in DNS4EU. As a not-for-profit player from the Internet security community, we'd like to help develop a solid security posture, advise on privacy and security issues related to DNSSEC and beyond, and enable a healthy culture of considering security in the European DNS Resolver from the start.

This blog post was written by deSEC, a member of the DNS4EU consortium.