
DHS IT Sector Risk Assessment Report cites DNS Resolution

Dyn Inc. Services offer mitigation solutions

On Tuesday, the Dept. of Homeland Security (DHS) released a 114-page report on IT Sector Risk Assessment (PDF). The provision of DNS Resolution services was cited as a key area in the IT Sector Baseline Risk Profile. This report is intended to help members of the public and private IT sectors identify and address high-consequence risks.

Their analysis of the role of DNS: “Almost all Internet communications today rely on the DNS, making it one of the most critical protocols to the IT infrastructure. Because most end-user IPs require the ability to look up host names and addresses, the DNS is as critical to the Internet as data transmission lines.” Yeah, we knew that.

Redundancy and disaster mitigation tactics are routinely discussed with regard to data storage and data transmission. But if your DNS is a single point of failure, your online services, company network and communication channels are still at risk.

The Subject Matter Experts (SMEs) identified four categories of attack vectors or risk areas to the Domain Name Resolution Services. Their analysis included the risk of unintended consequences from human error in addition to the more obvious risk due to nefarious activities. These four areas of attack are classified as: Policy, Governance, and Knowledge Failures; Loss/Denial-of-Service; Information Disclosure and Privacy Loss; and Data and Service Corruption.

None of these vulnerabilities are new revelations, but this report does highlight these DNS security issues within the framework of general IT Security issues. DNS is often an afterthought. The beauty of DNS is that it just works, and most end-users don’t even know it exists. It’s there, it’s readily available from your ISP, web host or other technology service providers who simply throw it in. But these providers are not dedicated to DNS like Dyn Inc.

The Case Against Free ISP DNS is a free white paper discussing why a Managed DNS Service provides a more reliable, secure and cost-effective solution.

The DHS report clearly identifies in each of the vulnerability areas that unintentional consequences resulting from inexperience or bad practices can lead to security issues. These are a result of DNS services being administered by people who are not necessarily DNS experts or for whom DNS is not their primary expertise or interest.

“Someone who has the ability and access to promote production changes could unintentionally promote programming errors, quality assurance errors, or system administration errors. Disregarding standard testing procedures could result in an accident that could affect the operation of a DNS.”

“Poor or negligent software development practices, the lack of comprehensive code review, reckless or negligent deployment procedures, and the lack of fully understanding the ramifications of a particular configuration change.”

Vulnerabilities to man-made attacks against Top-Level Domain Name Service providers, specifically nation-state attacks against ccTLD (Country Code Top-Level Domains) name servers, were identified by the SMEs as potential risks within the policy and governance area.

Mitigation tactics that address these risks are identified in the report as existing and future mitigations. Dyn Inc. services, including the DynTLD ccTLD services and the Dynect Platform, offer access to these mitigation strategies, especially with regard to the expertise factor. Dyn Inc. does DNS. We’ve done DNS for over 10 years.

Infrastructure diversity? Yeah, we’ve got that. The Dyn Inc. network supporting our DNS services is housed in 12 data centers strategically located around the globe.

Anycast technology? Yeah, we’ve got that. Our Anycast network not only provides our customers with faster resolution but also provides the added benefit of allowing us to make routing modifications when necessary to mitigate traffic problems.

DNSSEC Implementation? Yeah, we’ve got that. We have a plan in place, a test bed available and the Dynect Platform supports zone signing and key maintenance.

When planning out your IT infrastructure, risk identification and mitigation approaches play a significant role. This report from DHS, while painting a more rosy picture than may be accurate, identifies six key areas of risk for consideration. Dyn Inc. provides solutions and mitigation options.
