In today's fast-paced, high-tech world, people access the web at an incredible rate. Every minute, Google receives 4 million search queries; that comes out to about 70,000 searches every second of every day. Statistics like these are an indication of how expansive and prolific our technologically connected world has become. As of June 2019, an estimated 97% of all US citizens have a cell phone, and 75% of those are smartphones, each with applications and web services that connect these people to the world. The Internet of Things boasts over 26 billion devices as of 2019. IoT has taken over with all sorts of innovations, from camera-equipped doorbells to automated smart lighting and heating systems to appliances that can show you the inside of your fridge and tell you to add milk to your shopping list.
But while doing all of these wonderful things, behind the scenes there is a network service that has become so critical to the function and security of the world we live in that in my opinion this has become the single most important service in the world. Almost every single person uses this dozens of times daily and never takes notice. That service is known as DNS or the Domain Name Service.
So why is DNS such a big deal?
Domain Name Service is the service that converts the web addresses typed into your browser of choice into the IP addresses that computers actually use to communicate over the web. When you type a web address that does not reside in your local hosts file, the computer queries the DNS server configured on your workstation. It is a universal translator that provides the internet you know and love. Most people using the web from their home computer are given a DNS server run by their local ISP. Others may choose a DNS server provided publicly by large entities, such as Google's public DNS server at 8.8.8.8 or Cloudflare's 1.1.1.1. There are many others, but they all perform the same function: they convert website addresses into IP addresses.
So why is DNS such a huge deal? There are two massive reasons why DNS holds the keys to most of our digital kingdoms and the vast majority of the world is completely oblivious to it.
The first massive reason why DNS is so vitally important to cyber security is just how little people know about it. Cyber criminals can rather easily write malware that changes your home computer's, or even your home router's, DNS settings to point at a rogue DNS server. The vast majority of people will never notice this change, assuming the criminals set up a name server that still resolves the majority of web traffic correctly. From there, criminals can do a host of things, from simply monitoring your DNS queries in order to craft better phishing emails, to hosting their own version of, say, your online bank's website, inserting that as the resolved location for your bank and harvesting your online banking credentials. Criminal activity that abuses DNS happens regularly and can be lucrative if done properly.
In 2011, an Estonian company called Rove Digital published malware called DNSChanger. The malicious code was presented as a video codec that would appear on websites, enticing users to download it in order to access the site. Once downloaded, the end user's machine was infected with DNSChanger, which changed the DNS server of the local machine to Rove Digital's. The malware would then block AV software updates and act as a DHCP server advertising the rogue DNS server, so that other machines on the network would change their DNS settings as well. The result was nearly 4 million infected machines worldwide at its peak. Rove Digital made money from this by leveraging those DNS servers to inject advertising into web pages, to the tune of over 14 million dollars. The FBI and other law enforcement agencies eventually took the company down in 2012, but thousands of people were left without working name resolution once the criminals' name servers were taken offline.
The second reason this service is so critical to our cyber security world today is the volume of abuse that can be done with DNS. One of the great pitfalls of our internet world today is the design of some of the core functions of the web, and DNS is one of those pitfalls. Without any security built into the protocol, users are at the mercy of the server they trust. If that server is compromised in any way, you are a victim of that compromise. At a minimum, the company whose server you point to has the means to view all of your DNS query traffic and can monitor, advertise against, and potentially sell your browsing tendencies to third parties. This has become a huge hot-button issue for Google and Mozilla as they try to push DNS into a new age.
How to fix the problem
There are several prevailing means by which we can secure DNS. The first is DNSSEC. DNSSEC adds a cryptographic element that lets the end user making the DNS query validate a domain name's records. This ensures that each portion of the DNS process is protected and that the site you are requesting is indeed that site. It is essentially the equivalent of code signing, but for DNS queries.
DNSSEC is not a magical panacea for DNS, as there are other issues that it does not address. Most notably, it does not provide confidentiality for the connection and as such allows third parties to view DNS history. It also does not provide any meaningful prevention of denial-of-service attacks.
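To make the "cryptographic element" concrete, here is an added example (not code from the original post) of one link in the DNSSEC chain of trust: a validating resolver checking that the DNSKEY it received from a child zone is the one the already-trusted parent zone vouched for in its DS record. The key tag and DS digest computations follow RFC 4034; the public key bytes, the zone name example.com and the key constants are constructed for illustration and are not a real key, so the RRSIG signature check that completes a real validation is not shown here.

```python
import hashlib
import hmac

# DNSKEY field values from RFC 4034.  Algorithm 13 is ECDSAP256SHA256, whose
# public key is 64 bytes; the key below is a constructed byte pattern, not a
# real key, so only the DS-to-DNSKEY link is exercised here, not the RRSIG.
DNSKEY_FLAGS_KSK = 257      # Zone Key (256) + Secure Entry Point (1)
DNSKEY_PROTOCOL = 3
ALG_ECDSAP256SHA256 = 13
DS_DIGEST_SHA256 = 2
CONSTRUCTED_PUBKEY = bytes(range(64))


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, ending with the empty root label."""
    out = b""
    name = name.rstrip(".").lower()
    if name:
        for label in name.split("."):
            if not 0 < len(label) < 64:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY
    RDATA that DS and RRSIG records use to say which key they refer to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest (RFC 4034 section 5.1.4): SHA-256 over the canonical owner
    name followed by the DNSKEY RDATA.  The parent zone publishes this."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> dict:
    """What the parent zone would publish for this child key."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": DS_DIGEST_SHA256,
        "digest": ds_digest(owner, rdata).hex(),
    }


def verify_chain_link(owner: str, ds: dict, rdata: bytes) -> bool:
    """A validating resolver's check that a DNSKEY found in the child zone is
    the one the (already trusted) parent's DS record vouches for.  Every field
    must match; the digest comparison is constant-time."""
    if ds["digest_type"] != DS_DIGEST_SHA256:
        return False            # only SHA-256 digests are handled here
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    return hmac.compare_digest(ds["digest"], ds_digest(owner, rdata).hex())


if __name__ == "__main__":
    rdata = dnskey_rdata(DNSKEY_FLAGS_KSK, DNSKEY_PROTOCOL,
                         ALG_ECDSAP256SHA256, CONSTRUCTED_PUBKEY)
    ds = make_ds("example.com", rdata)
    print("DS record for example.com:", ds)
    print("genuine key validates:", verify_chain_link("example.com", ds, rdata))
    # Flip one key byte, as a resolver would see if a substituted key arrived.
    tampered = rdata[:-1] + bytes([rdata[-1] ^ 0x01])
    print("tampered key validates:", verify_chain_link("example.com", ds, tampered))
```

The point of the exercise is that the DS record lives in the parent zone (ultimately the root, whose key is a configured trust anchor), so a zone's own DNSKEY cannot simply be swapped by whoever controls the answer: a substituted key fails the digest comparison. Note that this verifies only the key; the client still learns nothing about who else saw the query, which is the confidentiality gap described above.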
Another option for DNS security, and one that can actually work in conjunction with DNSSEC, is DNSCrypt. DNSCrypt turns unencrypted DNS queries into encrypted ones. It fills in a large portion of the gaps in DNSSEC by keeping the conversations confidential using encryption, and even forces a question into the transaction to mitigate DoS attacks. Most recently, Anonymized DNSCrypt can be used to hide even the source IP of the requesting endpoint. DNSCrypt can do all of this while DNSSEC is used to validate the DNS process. While these together can work to secure DNS, the truth is that DNSSEC is not widely used at present and in some cases is incompatible with some software, and the big knock on DNSCrypt is that it is not an IETF-approved standard.
The solution that Google and Mozilla seem to be leaning towards is DNS over HTTPS. The big advantage is that it keeps the DNS process within the HTTPS encrypted channel, which shields it from significant abuse. It also ensures privacy even from ISPs and government agencies. This likely explains the pushback from most of the major ISPs in the world, who have no problem inspecting your DNS lookups and tailoring ads, or even bandwidth, based on those results.
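The following added example (not code from the original post) ties together three points made above: what the "universal translator" query and answer actually look like on the wire, why a plaintext protocol with no security built in leaves the client unable to tell a rogue resolver's answer from a genuine one, and how DNS over HTTPS changes only the transport, carrying exactly the same message inside the encrypted channel as the RFC 8484 `dns` parameter. The query name www.example.com, the answer address 192.0.2.1 (an RFC 5737 documentation address) and the endpoint https://doh.example/dns-query are constructed placeholders; nothing here touches the network.

```python
import base64
import struct

# Constructed example traffic: a query for www.example.com and the reply a
# resolver would send back pointing at 192.0.2.1 (an RFC 5737 documentation
# address).  The DoH endpoint is a placeholder; nothing is sent anywhere.
DOH_ENDPOINT = "https://doh.example/dns-query"
QTYPE_A, QCLASS_IN = 1, 1
MAX_POINTER_HOPS = 16


def encode_name(name: str) -> bytes:
    """Wire form of a name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """12-byte header (RD=1) plus one question; every field is plaintext."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg: bytes, off: int):
    """Read a possibly compressed name; returns (name, offset after it).
    Pointer hops are capped so a malformed message cannot loop forever."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("too many compression pointers")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse the header, question and answer sections of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        data = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


def build_constructed_response(query: bytes, address: str, ttl: int = 300) -> bytes:
    """Reply with one A record.  All a client checks before accepting a
    plaintext reply is that the ID and question match its query; there is no
    signature, so a rogue resolver can hand back any address undetected."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    return header + query[12:] + answer + bytes(int(p) for p in address.split("."))


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 section 4.1: the same wire message, base64url without padding,
    in the 'dns' query parameter.  The ID should be 0 so replies are cacheable."""
    if struct.unpack("!H", query[:2])[0] != 0:
        raise ValueError("set the DNS ID to 0 for DoH GET requests")
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def doh_decode_param(param: str) -> bytes:
    """Reverse of doh_get_url: restore padding and decode the wire message."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("query bytes:", q.hex())                 # readable by anyone on the path
    print("DoH GET:", doh_get_url(q))             # same bytes, carried inside TLS
    print("parsed reply:", parse_response(build_constructed_response(q, "192.0.2.1")))
```

Two things are worth noticing when running this. First, the hexdump of the plain query contains the queried name in the clear, which is exactly what an ISP or anyone on the path reads when profiling DNS lookups. Second, the DoH URL carries the identical message, so DoH on its own does not verify that the answer is correct; it only hides the exchange from third parties and pins it to the HTTPS endpoint you chose, which is why it is discussed alongside DNSSEC rather than instead of it.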
This debate is really just beginning and will likely be a pointed topic in both the technology sector and even potentially the 2020 presidential campaign in the US. Which option do you feel should be implemented? What other DNS questions do you have? Feel free to comment below to discuss!