Web security: Making domain names safe and reliable

Published 8 December 2011

DHS Science and Technology Directorate (S&T) says it is doing its part to make Web sites more secure and reliable by enhancing the Domain Name System (DNS), which translates Web-site names like science.com into a network address like 1.2.3.4.

As DHS made clear throughout National Cyber Security Awareness Month, Internet safety is a shared responsibility, and the government, the private sector, and individual citizens each have a role to play. The DHS Science and Technology Directorate (S&T) says it is doing its part to make Web sites more secure and reliable by enhancing the Domain Name System (DNS), which translates Web-site names like science.com into a network address like 1.2.3.4. Recognizing the department’s role in this effort, the S&T Domain Name System Security Extensions (DNSSEC) project received the National Cybersecurity Innovation Award at the SANS Institute’s Second Annual National Cybersecurity Innovation Conference for its innovation in promoting research that “pays off” by focusing on work that can result in real products and real risk reduction.

At the advent of the Internet thirty years ago, the brand new DNS was trusted by everyone. Today, hackers take advantage of our long-standing trust in DNS and work to trick the system by stealing information and redirecting our data hundreds, if not thousands, of times every day. S&T says that it is working with its partners to restore trust in the system through the creation and implementation of DNSSEC.

Most Web sites are not self-contained, but are rather a patchwork of information drawn from scores of sources. 

DNSSEC authenticates the existence, ownership, and integrity of data while systematically validating sources including hundreds of servers, or nodes. “The value of DNSSEC reaches far beyond preventing hackers from obtaining login information,” said Edward Rhyne, DNSSEC program manager in S&T’s Cyber Security Division. “DNSSEC is the foundation for a new trust model for all communications on the Internet, essentially protecting our critical infrastructure.”

As governments, banks, Internet service providers, businesses, and other stakeholders increase their awareness of DNS-related threats, DNSSEC adoption is gaining momentum. “Users are starting to understand,” said Rhyne. “A hacker may insert a malicious server between a user and their bank, enabling collection of login credentials and account information — essentially allowing the hacker to steal an identity and transfer money as the authorized user.”

S&T says that since 2004, it has worked with its partners, including the National Institute of Standards and Technology and the DNSSEC Deployment Initiative, to build support for DNSSEC, which has resulted in registrars from all over the world. More than twenty country codes, including the United States and the United Kingdom, are involved in this effort. In addition, DNSSEC was deployed in the .edu, .gov, .org, .net, and .com zones while top-level domains of the U.S. military’s .mil are slated to be DNSSEC-signed this month. Adoption by these most commonly utilized domains paves the way for others, and will ultimately create a complete end-to-end chain. By authenticating and protecting data, DHS is continuously working to build a safer, more secure, and more resilient cyberspace.