NS1, a domain name system (DNS) and traffic management provider, is taking on “DNS cache poisoning” attacks with new DNS Security Extensions (DNSSEC) capabilities built into its platform.
DNS translates the domain names in web URLs into IP addresses. NS1’s platform helps manage this traffic and automatically route users to the best service endpoint.
DNSSEC’s purpose is to prevent attacks in which hackers essentially trick the DNS into storing false IP addresses. These are called DNS cache poisoning attacks.
“The hackers can do things like send users to bogus banking websites where they are told to enter their credentials; they can do all kinds of malicious things that target specific sites or entire domains,” explained Jonathan Lewis, VP of product marketing at NS1. “It’s a serious vulnerability that has existed from the get-go with DNS.”
It sounds like a no-brainer: of course an enterprise would want to use DNSSEC to protect its information. But it’s not that simple. Historically, many organizations have not used DNSSEC because it usually means trading functionality for security.
“DNSSEC was written for what you might call ‘vanilla DNS,’” Lewis said.
What he means is that DNS has evolved since it was originally developed. Now vendors like NS1 and others including Oracle’s Dyn, Akamai, Neustar, and Verisign provide DNS traffic management. They’ve added intelligence to DNS so that when a user wants to visit a particular website, the provider can route the request to the server that is the closest or the least busy, whichever one will provide the lowest latency and the highest performance.
This is important, for example, to retail sites because it helps ensure customers don’t abandon their shopping carts because the website takes too long to load.
DNSSEC vs. Functionality
“DNS has become very important in providing this application performance that users are expecting,” Lewis said. “Using DNSSEC from most providers breaks that functionality. So if you want to use DNSSEC, you’re going to have to give up on the traffic management. You’ll no longer be able to do things like route a user to the closest location. Or you might send them to a location that’s unavailable.”
NS1’s new DNSSEC capabilities remove these downsides, Lewis said. They provide security without compromising traffic management. “There is very little price to pay in implementing DNSSEC so we see this as being a much easier decision for enterprises to make,” he added.
The new security features work, said Eric Hanselman, chief analyst at 451 Research. “NS1 is taking the step of making DNSSEC simple.”
But while the startup’s service may make DNSSEC easier to set up than those of its competitors, NS1 still faces the challenge of overcoming enterprises’ mindset that DNSSEC is too complicated to bother with, Hanselman said.