Why More Registries Should Be Talking About DNS Security
I've been incredibly lucky in my time at Neustar to lead both the exceptional Registry and Security teams. While these divisions handle their own unique product and service offerings, it's clear that they have some obvious crossovers in their risks, opportunities and challenges.
Having been closely involved in the strategy of both these teams, it strikes me that there is more we as Registry Operators and service providers can and should be doing to align the world of cybersecurity with that of domain names.
While we at Neustar regularly talk about our Registry capabilities and the almost 250 TLDs we support, we don't always explain the incredible advantages of our award-winning Security capabilities to our Registry clients, even as these come embedded in our offering.
As an industry, we also don't talk often enough about the cybersecurity threats that face domain name Registries — and the work we do to mitigate them — until it's too late.
In recent months, DNS hijacking incidents have shone a renewed spotlight on the security of domain name infrastructure and DNS, and prompted a callout from ICANN for full DNSSEC deployment across all TLDs and domains.
ICANN wrote in its announcement, "all members of the domain name system ecosystem must work together to produce better tools and policies to secure the DNS and other critical operations of the Internet." The issue of DNS Abuse was even discussed in a 'How it Works' session at ICANN64 in Kobe shortly afterwards.
These attacks were, unfortunately, a surprise to many. They showed a detailed knowledge of DNS operations, including timing windows, which suggests a highly informed group of culprits. It's a timely reminder that security is a tough game — and we should be constantly striving to stay ahead of it.
We at Neustar have heavily invested in refreshing and rebuilding our Registry, DNS and DDoS capabilities over the last two years in particular. The result is we have the most comprehensive credentials of any Registry operator with 30 global DNS nodes and the largest DDoS mitigation capabilities in the industry with 10.4Tbps of scrubbing capacity. This infrastructure supports not only the largest TLDs but also the largest online brands in the world. In addition, we've developed a breadth of Threat Intel capabilities used internally and externally with our large SOC/NOC infrastructure. This investment and focus on security is key because we are all constantly under threat and the bad actors are always trying to be ahead of us. To get a glimpse at the breadth of the threats we handle, take a look at our live attack map.
There are always emerging threats and Registries must continue to develop their tools and techniques for addressing these challenges, whether it's DDoS mitigation, securing EPP, Registry locks, protecting Registries from the impacts of a compromised Registrar (and vice versa), or monitoring and combatting domain abuse. These are things we consider every day, yet they're not as often part of the narrative we tell around Registry operations.
As Registry Service Providers we also need to remember the critical task of educating and supporting our clients in their security efforts — such as making it easier to implement DNSSEC, or increasing and upgrading monitoring and notification tools. This is as vital for the largest TLDs as it is for geographic TLDs, brands, ccTLDs, community and government stakeholders around the world.
Increasing our cybersecurity efforts shouldn't be just a reaction to things going wrong. It should be a constant, continual project for all Registry operators and service providers. Registry and security should — and do — go hand in hand.
Neustar VP, Senior Technologist and Fellow — and award-winning Internet pioneer — Rodney Joffe wrote last year, "twenty years ago, the Internet community looked at the Domain Name System (DNS) as a simple tool designed to route web server requests in a consistent way — not as the first line of defence against hackers."
DNS is evolving, as are cyberattacks — in their complexity, scale and frequency. So we need to evolve too, as the only way for us to protect our industry and our clients is to out-innovate the bad actors.
This piece originally appeared on CircleID.