The Evolution of Security: From Locked Doors to Encrypted DNS

You know how sometimes you can't quite explain your job to your family? Yeah, I've been there. Especially when I was working in IT security. My dad once thought I was installing actual locks on people's computers! Turns out, "security" means a whole lot of different things in the tech world, especially when it comes to DNS. So, let's dive into how DNS Security has evolved over time.

The Personal Computer Era (1980s): DNS? What's That?

Back in the 80s, when home computers were the new hotness, DNS was this fresh-faced tech that no one really thought about securing. It was all about making life easier by using names instead of remembering a bunch of numbers (IP addresses). Security? Not so much on the radar. For most at the time, security probably meant a locked door, preventing physical access to the computer.

The Anti-Virus Era (1990s): A Little Bit of Security, As a Treat

Enter the 90s, the era of dial-up internet and annoying computer viruses. We got our first taste of DNS security with something called TSIG (Transaction Signatures), which was like a secret handshake between DNS servers. TSIG is still in use today, primarily for authenticating zone transfers between DNS servers. TSIG wasn't much by today’s standards, but hey, it was a start. Meanwhile, most folks were more worried about catching a computer virus than anything else.

The Dot-Com Era (Late 1990s - Early 2000s): DNSSEC to the Rescue (Kinda)

The dot-com boom brought the internet to the masses, and suddenly, DNS security got a bit more serious. DNSSEC (DNS Security Extensions) emerged alongside a competing technology, DNSCurve. Both focused on origin authentication and data integrity, ensuring that DNS responses were genuine and hadn't been tampered with. DNSCurve also aimed to enhance privacy by encrypting DNS queries, but it ultimately did not gain widespread adoption. If you asked anyone what DNS Security meant back then, you were still most likely met with confused looks.

The 2010s: DDoS Attacks and Filtering Frenzy

In the 2010s, DNS Security became a broader concept. While some focused on protecting the DNS service itself from denial-of-service (DDoS) attacks, others sought ways to filter out malicious domain names. The rise of large-scale DNS-based attacks, like the 2016 DDoS attack on Dyn, underscored the need for robust defenses.

Another form of security was also needed: filtering out bad domain names. Response Policy Zones (RPZ), introduced in 2010, allowed DNS servers to block or redirect queries. Initially met with resistance, RPZs became more accepted as the threat landscape evolved, especially with the rise of internationalized domain names (IDNs) and lookalike domains.

How bad can lookalike domains be, you ask? Well, for fun, I made a few domain names using Unicode characters to look like dnsinsecurity.com. How many can you identify?

  • dnsinsecürity[.]com (replaces “u” with “ü”)
  • dnsinsecսrity[.]com (replaces “u” with Armenian “ս”)
  • dnsinsecυrity[.]com (replaces “u” with Greek upsilon “υ”)
  • DNSlNSECURITY[.]com (uses all caps and replaces uppercase “I” with lowercase “l”)
  • dnsınsecurıty[.]com (replaces “i” with Turkish dotless “ı”)
  • dոsiոsecurity[.]com (replaces “n” with Armenian “ո”)
  • dnsinsecuritỵ[.]com (replaces “y” with Latin “ỵ”)

Of course, a real threat actor would carefully choose fonts to hide these names better, but this gives you a taste of what the bad guys are up to.
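As an added example (not code from the original post), here is a small Python checker that runs the two tests a defender would apply to names like the ones above: does the first label contain non-ASCII or mixed-script letters, and does it fold to something within a short edit distance of the protected brand label? The sample list is the post's lookalikes with the `[.]` defanging removed plus the genuine name as a control; the brand label and the distance threshold are my assumptions.

```python
import unicodedata

# Constructed sample input: the post's lookalike names, un-defanged,
# with the genuine domain first as a control.
SAMPLES = [
    "dnsinsecurity.com",
    "dnsinsecürity.com",
    "dnsinsecսrity.com",
    "dnsinsecυrity.com",
    "DNSlNSECURITY.com",
    "dnsınsecurıty.com",
    "dոsiոsecurity.com",
    "dnsinsecuritỵ.com",
]

def levenshtein(a, b):
    """Plain edit distance; enough for comparing one label against one brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(label):
    """Lowercase, NFKD-decompose and drop combining marks: ü -> u, ỵ -> y.
    Letters from other scripts (Armenian, Greek, dotless ı) do not fold away."""
    return "".join(c for c in unicodedata.normalize("NFKD", label.lower())
                   if not unicodedata.combining(c))

def assess(domain, brand="dnsinsecurity", max_distance=2):
    """Flag a domain whose first label is non-ASCII, mixes scripts,
    or folds to a near-miss of `brand` (assumed brand label and threshold)."""
    label = domain.split(".")[0]
    non_ascii = [(c, unicodedata.name(c, "?")) for c in label if not c.isascii()]
    # Script is approximated by the first word of the Unicode name (LATIN, GREEK, ...).
    scripts = sorted({unicodedata.name(c, "?").split()[0] for c in label if c.isalpha()})
    folded = fold(label)
    dist = levenshtein(folded, brand)
    suspicious = bool(non_ascii) or len(scripts) > 1 or (folded != brand and dist <= max_distance)
    return {"domain": domain, "scripts": scripts, "non_ascii": non_ascii,
            "folded": folded, "distance": dist, "suspicious": suspicious}

if __name__ == "__main__":
    for d in SAMPLES:
        r = assess(d)
        flag = "!!" if r["suspicious"] else "ok"
        print(f"{flag} {d:20} scripts={r['scripts']} dist={r['distance']} "
              f"chars={[n for _, n in r['non_ascii']]}")
```

Note that the all-caps `DNSlNSECURITY` case is caught only by the edit-distance test, since it is pure ASCII; the others are caught by the non-ASCII or mixed-script test.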

The 2020s: Privacy, Please!

These days, if you asked someone about DNS Security, it's all about privacy. Encrypted DNS, like DoT, DoH, and DoQ, is the new hotness. Major browsers quickly adopted DoH, even before the RFC was finalized. However, this privacy also presented challenges, as it could be exploited by malware to evade detection, like the Godlua malware. Today, encrypted DNS is widely supported by operating systems and browsers. Most users are using encrypted DNS today without realizing it.

Looking Into the Future

What is next for DNS Security? My bet is on Zero Trust DNS. The industry has been thinking about moving in this direction for a while. This essentially requires a protective DNS server to return a “clean” DNS answer before the client is allowed to reach the network resource. If the client obtained the address through a different DNS server, or simply entered the address manually, the access is blocked, either by local firewall rules (such as iptables) or by a network firewall.

So, the next time someone mentions DNS Security, don't assume you're both on the same page. It's a term that's evolved a lot, just like the Internet itself.
