Incident Response, Malware, Phishing, TDR, Vulnerability Management

OMB mandates use of DNSSEC in gov’t agencies

The federal Office of Management and Budget is ordering all federal agencies to deploy a standard for securing their Domain Name Systems (DNS).

DNSSEC is an Internet Engineering Task Force set of specifications that secures communication between DNS name servers and clients. DNS security was brought to the forefront this year when researcher Dan Kaminsky revealed a critical design flaw that could permit cache poisoning -- potentially allowing attackers to redirect web users to anywhere they wanted.

"The government's reliance on the internet to disseminate and provide access to information has increased significantly over the years, as have the risks associated with potential unauthorized use, compromise and loss of the .gov domain space," wrote Karen Evans, OMB's administrator for e-government and IT, in a memo Aug. 22 to agency chief information officers.

The DNSSEC standard, however, has been riddled with deployment complexities, according to experts.

But Bruce Van Nice, director of product marketing at Nominum, provider of IP address infrastructure software, said he applauds the government for leading the charge to secure DNS, which essentially acts as the telephone directory for the internet by translating URLs into corresponding IP addresses.

"The reality is, we don't know if it's gonna be hard to do until someone does it," he said. "I think the beauty of the internet is that's the essence of how and why it works -- that someone actually has to go and implement the protocol and when they do that, learn what does and doesn't work."

Marcus Sachs, director of the SANS Internet Storm Center and a former White House IT official, told that DNSSEC essentially acts a digital signature for looking up websites. As it stands now, the .gov domain cannot recognize the difference between signed and unsigned.

"It just blindly trusts the answer that comes back," Sachs said. "DNSSEC is the cryptographic piece. You could assert that you are getting the true IP address that is bound to this [URL]."

He added that government is taking a leadership role -- and hopefully other top-level domains, including .com and .us -- will follow suit.

Van Nice said protecting DNS is critical, considering attackers are finding more innovative and hostile ways to compromise it.

"DNS touches virtually every application on the internet," he said. "If an attacker, unknowingly on the part of a subscriber, redirects traffic, that's a very powerful and dangerous capability."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.