There have been enough clues over the last few years that the global DNS system, as used in its current form, is particularly frail and subject to simple attacks. Yet the main commercial protagonists piggy-backing onto this system have remained almost spectacularly silent on the issue, and there seems to be little impetus to change things. Much like OpenSSL before the massive holes found in it two years ago, the DNS system performs a critical job with very little support. As happened with OpenSSL after those issues, it’s probably time for a few of the larger companies who are making a living from the internet to come together and add their financial muscle to the DNS system.
Dyn’s meltdown last Friday is a small hint of what’s to come. But besides Dyn’s specific problems, there are some issues here that need addressing:
First, why do global brands like CNN, Twitter and Spotify use a 3rd party for their authoritative DNS? This alone beggars belief … it takes a skilled IT admin a few hours to put up a geo-safe, high-availability authoritative DNS solution. Were they trying to save money? Was it simply the easy route? Or maybe they were sold on the Cloud gravy train … where TITSUP* seems to be a common theme.
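The single point of failure the paragraph above complains about is easy to spot from a zone’s own delegation: if every NS record belongs to one operator (or every nameserver address sits in one network), the zone is only as available as that operator. The following is an added example, not code from the original post. It is a small audit helper; the nameserver names and addresses are constructed sample data, and "provider" is approximated by a nameserver’s registrable domain (last two labels), which is a simplification.

```python
"""Check whether a zone's delegation depends on a single DNS provider.

Added example (not part of the original post). Takes a zone's NS hostnames
with their addresses and reports single points of failure: one provider,
one /24 network, or fewer than two nameservers. Sample data is constructed.
"""
from collections import Counter
import ipaddress


def provider_of(ns_host: str) -> str:
    """Approximate a nameserver's operator by its registrable domain.
    Simplification (assumption): the last two labels, so
    ns1.dnsvendor.example -> dnsvendor.example."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def assess_delegation(ns_records: dict) -> dict:
    """ns_records maps nameserver hostname -> list of IPv4 address strings.
    Returns counts plus a list of human-readable findings (empty if none)."""
    providers = Counter(provider_of(h) for h in ns_records)
    prefixes = Counter()
    for addrs in ns_records.values():
        for addr in addrs:
            net = ipaddress.ip_network(f"{addr}/24", strict=False)
            prefixes[str(net)] += 1
    findings = []
    if len(ns_records) < 2:
        findings.append("fewer than two nameservers")
    if len(providers) < 2:
        findings.append("all nameservers run by one provider: "
                        + next(iter(providers)))
    if len(prefixes) < 2:
        findings.append("all nameserver addresses in one /24")
    return {"nameservers": len(ns_records), "providers": len(providers),
            "prefixes": len(prefixes), "findings": findings}


# Constructed sample: the whole delegation sits with one outsourced provider.
SINGLE_PROVIDER = {
    "ns1.dnsvendor.example": ["192.0.2.10"],
    "ns2.dnsvendor.example": ["192.0.2.11"],
}
# Constructed sample: in-house nameservers plus a second provider, on
# separate networks, so no single operator or prefix takes the zone down.
DIVERSE = {
    "ns1.brand.example": ["198.51.100.5"],
    "ns2.brand.example": ["203.0.113.5"],
    "ns1.dnsvendor.example": ["192.0.2.10"],
}

if __name__ == "__main__":
    for name, zone in (("single", SINGLE_PROVIDER), ("diverse", DIVERSE)):
        print(name, assess_delegation(zone))
```

In practice the input would come from the parent zone’s NS and glue records for the domain being audited; the check itself is the same.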
Second, is it too much to ask that manufacturers of IoT devices do at least the simplest of security audits on their products? Perhaps there should be a global program where a seal of approval is given to IoT devices once they’ve passed a security test.
And finally, the DNS system itself: an aging 35-year-old solution that’s well past its sell-by date. Amplification attacks on the DNS infrastructure are simple to enact. The DNS system needs to be rebuilt with security in mind, even if this means running a dual system for a period or breaking the internet.
Because if we don’t do something soon, a trivial attack on the DNS system will mean total carnage for the internet as we know it.
*total inability to support user performance