Whenever seismic activity picks up somewhere in the world, our local press here in California like to point out that we’re overdue for The Big One.  They cite how frequently, on average, large earthquakes occur on the various faults that we cross on our daily commutes and note that it’s been many times that long since those faults have experienced a major tremor.  Then they cut to footage of the aftermath of the Northridge or Loma Prieta earthquake or the movie “2012” and remind you to stock up on canned food, drinking water and ammunition.  Sensationalist, sure, but relatively tame when compared with most of the fear mongering they use to try to boost ratings.

I’m waiting for The Big One to strike the Internet.

Over the past several years, we’ve seen some large Distributed Denial of Service attacks against Internet infrastructure, including DNS.  In fact, as recently as August 6^th, the DNS hosting provider DNS Made Easy was hit with a DDoS attack that they estimated at “over 50 Gbps.”

Read more...

In the last few weeks, we passed two more important milestones in the deployment of DNSSEC:  the signing of the root zone and the .edu zone.  The root zone was signed July 15^th, and the .edu zone was signed on August 2^nd.

Read more...

The Domain Name System was originally used as the Internet’s naming service—that much isn’t contentious.  Over the years, though, clever people have found all sorts of new applications for DNS.  DNS’s ubiquity, distributed management and (relatively) easy extensibility made it an obvious target for new uses, including blacklists of various types, storage of email authentication and authorization data, and more.  Much more.

One of these novel applications of DNS is its use to enhance client security.  David Ulevitch and his gang at OpenDNS are pioneers in this area:  Their service can restrict access to content by domain name, so that if one of your employees or students tries to visit http://www.hotmamas.com/, they’re directed to a page that says, in effect, tsk, tsk, no you don’t.  (Note to Infoblox IT:  I loaded that URL solely to make sure I wasn’t leading users somewhere unsavory—please don’t have me fired.)  Or if malware on your computer tries to surreptitiously resolve the domain name of its command-and-control channel to an IP address to ask SMERSH headquarters for orders, OpenDNS can prevent it and alert you or the administrator of your network that your computer has been infected.  Very handy.

Read more...

Read more...

With the recent announcement that OpenDNS will support DNSCurve, I've begun hearing more questions about it.  In particular, people wonder whether DNSCurve is a viable alternative to DNSSEC.  They've generally heard that DNSCurve is simpler to set up than DNSSEC and involves less overhead.

Unfortunately, DNSCurve isn't an alternative to DNSSEC - although it could conceivably complement DNSSEC, in ways I'll discuss.

Read more...