Use DNS security extensions to foil ongoing attacks: ICANN


DNSSEC deployment remains low despite clear and present danger.

The Internet Corporation for Assigned Names and Numbers (ICANN) is warning that there are ongoing efforts to compromise the domain name system (DNS), which in turn could allow large-scale redirection of the world's data traffic.

In January this year, security vendors Mandiant FireEye and Cisco Talos reported on widespread attacks worldwide that compromised DNS data for the domains of telcos, governments and internet infrastructure organisations.

Through phishing and compromising registrars, attackers have succeeded in replacing the addresses of intended servers with addresses of machines controlled by them.

Such attacks have led to email and other data traffic being compromised, and digital transport layer security (TLS) certificates for domains being wrongly issued to unauthorised parties.

ICANN suggests that in the face of ongoing attacks, more effort is required to fully deploy security extensions for the DNS to prevent unauthorised changes to domain name delegation structures.

The attacks only work when DNSSEC, which digitally signs DNS data to ensure it is valid, is not used, ICANN said.

"Although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorised modification to DNS information can be detected, and users are blocked from being misdirected," ICANN advised.

Currently, DNSSEC deployment has been slow as the security technology is deemed to be complex to set up and manage.  

APNIC statistics show that, for the world as a whole, less than a fifth of servers validate as using security extensions.

For Australia, the number is just under a quarter, with New Zealand reaching just over 58 per cent DNSSEC deployment.

The attacks are thought to be the work of Iranian state actors, and sparked the first emergency directive from the United States Cybersecurity and Infrastructure Security Agency (CISA).

Australia's Cyber Security Centre also posted an advisory about the attacks.

On top of signing DNS zone records with DNSSEC and having resolvers validate them, ICANN also suggests that administrators enable better access controls to servers.

Strong passwords that are regularly changed, and multi-factor authentication are recommended by ICANN to boost access security, along with anti-phishing measures for email systems.

