SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

DNSSEC Usage in Switzerland is on the rise after widespread attacks on the Domain Name System

Attacks on the DNS System

Cyber attacks on the DNS are not new. Cache poisoning, domain hijacking and BGP injection of routes to public DNS resolvers happen regularly, but they usually don’t get much attention because they target the Internet’s core infrastructure and are in most cases not directly visible to end users. This time it was different. The recent widespread DNS hijacking attacks on several Middle Eastern, North African, European and North American governments and infrastructure providers, published by Cisco’s Talos, showed that DNS attacks are a real threat to cyber security. Netnod, one of the affected infrastructure providers, issued a statement that called, amongst other domain security mechanisms, for the implementation of the DNS Security Extensions (DNSSEC).

The analysis of these attacks also convinced the Internet Corporation for Assigned Names and Numbers (ICANN) that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. ICANN issued a call for “Full DNSSEC Deployment to Protect the Internet” across all unsecured domain names.

The question is whether these attacks, and the awareness that DNSSEC is an essential base layer of protection for domain names, have had an effect on the implementation of DNSSEC in Switzerland.

More DNSSEC signed domain names

As the ccTLD operator, SWITCH publishes the number of DNSSEC signed .ch and .li domain names every month. While the share of signed domain names is still very low at around 3-4%, we have seen the number of signed domain names rising for two years now.

Figure: DNSSEC signed .ch domain names as of 1.4.2019

One reason is that Infomaniak started signing all newly registered domain names by default. In March 2019 we saw an even sharper rise, with more than 10’000 .ch domain names newly DNSSEC signed. In general we saw more DNS hosters and registrars signing their domain names, but the reason for this “jump” was FireStorm, a Swiss webhoster and registrar that signed several thousand domain names on its DNS servers.

FireStorm signed them by publishing Child DS (CDS) record sets in the zones on its authoritative name servers. This feature was introduced by SWITCH at the end of 2018 and activated at the beginning of 2019 for all .ch and .li domains. We think that CDS makes DNSSEC signing much easier for DNS hosters, especially if they are not the registrar for some of their domain names, because the registry can pick the DS record up from the signed zone itself instead of waiting for the registrar to submit it.
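As an added illustration of what the CDS mechanism involves (example code written for this post, not SWITCH’s or FireStorm’s software): the parent derives a DS record from each DNSKEY at the child zone apex, as RFC 4034 specifies, and accepts a published CDS only if it equals one of them. The owner name, keys and records below are constructed sample data, and the RFC 8078 “delete” CDS is handled as a special case.

```python
import base64
import hashlib
import struct

# Digest types a DS/CDS record may carry (RFC 4034 / RFC 4509 / RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercase, length-prefixed labels), RFC 4034 6.2."""
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").lower().split(".")]
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner: str, flags: int, algorithm: int, pubkey_b64: str,
                   digest_type: int = 2) -> str:
    """DS/CDS RDATA in presentation format: 'keytag algorithm digesttype HEXDIGEST'."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"

def cds_matches(owner: str, cds: str, dnskeys: list) -> bool:
    """True if the CDS published in the child zone equals the DS of one of its DNSKEYs.

    dnskeys is a list of (flags, algorithm, pubkey_b64) tuples as found at the zone apex.
    The RFC 8078 'delete' CDS (0 0 0 00) asks the parent to remove the DS; it matches no key.
    """
    tag, alg, dtype, digest = cds.split()
    if (tag, alg, dtype, digest) == ("0", "0", "0", "00") or int(dtype) not in DIGESTS:
        return False
    wanted = f"{int(tag)} {int(alg)} {int(dtype)} {digest.upper()}"
    return any(ds_from_dnskey(owner, f, a, k, int(dtype)) == wanted
               for f, a, k in dnskeys if a == int(alg))

# Constructed sample zone (not real keys): a KSK (flags 257) and a ZSK (flags 256).
SAMPLE_OWNER = "example.ch."
SAMPLE_DNSKEYS = [(256, 13, "AwQ="), (257, 13, "AQI=")]
SAMPLE_CDS = ds_from_dnskey(SAMPLE_OWNER, 257, 13, "AQI=")  # what the hoster would publish

if __name__ == "__main__":
    print("CDS", SAMPLE_CDS, "accepted:", cds_matches(SAMPLE_OWNER, SAMPLE_CDS, SAMPLE_DNSKEYS))
```

In a real deployment the parent additionally checks that the CDS RRset is validly signed under the current chain of trust before it touches the DS.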

More Swiss ASes are validating

With more and more domain names now signed, the question is how many of the recursive DNS resolvers in Switzerland actually validate the DNSSEC signatures of the signed zones. Thanks to Geoff Huston from APNIC we can estimate the percentage of all DNS requests that come from validating resolvers. Looking at Switzerland overall, about 13% of all requests are validated; compared to other European countries this is quite low and places Switzerland 30th in Europe.

If we look at the individual ASes in Switzerland, we can see that it is mainly corporate networks and some smaller ISPs that recently turned on DNSSEC validation on their resolvers. Amongst them are ISPs like green, EWB and GGA Maur, and the bank Julius Bär, which started validating to protect their users. They joined ISPs like Quickcom and corporate networks like Novartis and Swiss Re that have been validating on their resolvers for several years.

A special case is Salt, which currently validates about 50% of all DNS queries, but this is most probably due to their use of Google Public DNS (8.8.8.8), which validates DNS queries, a fact that can also be estimated from the APNIC Labs measurement.

Federal Administration is leading the public sector with DNSSEC deployment

The main domain used by the Swiss federal administration, admin.ch, was signed last year, and it is good to see that the federal administration apparently also turned on DNSSEC validation on its resolvers at about the same time.

The DNSSEC Chicken and the Egg problem is solved

So far most ISPs in Switzerland argued that they don’t need to validate DNSSEC because nobody signs their domain names with DNSSEC. And most DNS hosters argued that, as long as no Swiss ISP is validating, there is no point in signing domain names. Now that we see a strong surge in DNSSEC signed .ch domain names and more ISPs and corporate networks validating, these arguments are no longer valid.

There is no evidence that the rise in DNSSEC adoption is directly related to the recent attacks, but we think that the public attention on DNS had its impact on the rise of DNSSEC in Switzerland.

The core Internet Infrastructure in Switzerland needs better protection

DNS is a base protocol used by almost every service on the Internet: web pages, e-banking, e-commerce, email and also most apps on mobile phones rely on this core service and are vulnerable to attacks on the DNS. While we see that the adoption of DNSSEC is growing in Switzerland, Swiss ISPs and other infrastructure providers like webhosters need to implement technologies that protect the DNS. DNSSEC is a mature protocol, it is supported out of the box by all major DNS servers and easy to deploy. DNSSEC has been available for the TLDs .ch and .li for about 9 years, and after the recent attacks there is no reason not to protect your services with DNSSEC.

Author: Michael Hausding

Competence Lead DNS & Domain Abuse at SWITCH, the ccTLD registry for .ch & .li

One thought on “DNSSEC Usage in Switzerland is on the rise after widespread attacks on the Domain Name System”

  1. When will Switch propose the Registry Lock?
