The Internet Corporation for Assigned Names and Numbers (ICANN), the organization in charge of the internet’s Domain Name System (DNS) infrastructure, has issued a foreboding warning on Friday about the dangers facing the DNS system.
ICANN said it “believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure,” and urged domain owners and DNS services to migrate to using DNSSEC as soon as possible.
Cryptographically signing DNS recoand prevents unauthorized third-parties from modifying DNS entries without a private DNSSEC signing key that’s usually in the possession of the legitimate domain owner only.
ICANN officials said DNSSEC would have prevented the recent DNS hijacking attacks that have made headlines in the past two month.
At the start of the year, US cyber-security firm FireEye revealed a months-long campaign carried out by Iranian threat actors who hacked into the web hosting and domain registrar accounts to change the DNS records of email domains belonging to private companies and government entities.
This attacks –called DNS hijacking– allowed the crooks to redirect legitimate traffic to their own malicious servers, where they performed man-in-the-middle attacks to intercept login credentials and then forwarded the traffic back to the legitimate email servers.
The US Department of Homeland Security issued an alert about the attacks, urging both government entities and private companies to review their DNS records for malicious entries.
In a different report also touching the same DNS hijackings detected by FireEye, infosec investigative journalist Brian Krebs revealed additional DNS hijacking attacks, painting a grim picture in which hacker groups appear to have realized that is much easier to alter DNS records rather than hack email servers or spear-phish employees.
Now, ICANN, which has also taken note of the attacks, wants to avoid further attacks on the DNS system as a whole. The organization wants domain owners and the tech industry to push harder for DNSSEC adoption in the hopes to stop or limit future DNS hijacking attacks, which it sees as a real threat to the entire internet and the trust that users inherently have that they’ll land on the websites they want to view when they press Enter in their browsers.
Even if DNSSEC has been around for two decades, it has barely been deployed. According to APNIC (Asia-Pacific Network Information Centre) data, DNSSEC adoption has barely passed 19.3 percent, and ICANN has a daunting task ahead of it.