Are there pirates on board?

Hackers are fond of hijacking the domain names of well-known organisations. DNSSEC is technically easy to implement and represents an important line of defence.

Text: Cornelia Puhze, published on 26.06.2019

The global DNS hijacking campaign at the beginning of the year once again demonstrated the vulnerability of internet infrastructure, as well as how coveted intellectual property is. In most cases, domains protected with DNSSEC would have been harder for hackers to attack and, most importantly, their attacks would have been detected much more quickly. The Internet Corporation for Assigned Names and Numbers (ICANN) therefore strongly recommends using DNSSEC for all domains. Switzerland trails far behind the rest of Europe here, with an adoption rate of just 4%. This is astonishing, because in many cases the technical implementation takes just a single click.

Domain pirates love big-name data carriers

Hijacking a well-known domain name is a lucrative business for cybercriminals. University domains also offer a chance to make off with a big bundle of loot. They are tempting targets, with access to highly sensitive data from research projects, patent-pending innovations or the personal data records of countless users. And a well-known, credible domain is perfectly suited to spamming and phishing.

Depending on the scope of the attack, most would prefer not to imagine the financial or reputational damage in too much detail. It would therefore behove university IT departments to put DNSSEC rather nearer to the top of their priority list.

‘Best practice and an extra security component’

One of the oldest universities in Switzerland, the University of Bern, implemented DNSSEC in December 2017. Thushjandan Ponnudurai from the IT department thinks this was a good decision, as the process was surprisingly easy and created almost no extra work at all once it had been implemented. ‘It was clear to us that using DNSSEC is the best practice and offers an extra security component to protect students, staff and researchers against internet attacks,’ the project manager says, as he reflects on what motivated him to implement the solution. ‘DNSSEC also serves as a technological basis for other methods of securing data traffic, such as DNS-based Authentication of Named Entities (DANE).’ For example, DANE verifies the authenticity of encrypted email communications.

The Lucerne University of Applied Sciences and Arts began signing and validating its domains with DNSSEC this year. ‘Security is a high priority for us,’ explains Daniel Eisenlohr from IT Services. ‘DNSSEC has allowed us to create an additional hurdle for potential hackers within our security architecture.’ The implementation had been in planning for a long time, but resources were lacking. The actual implementation was reported to have gone faster and more smoothly than expected. Current research suggests that it takes two weeks to learn how to plan and implement the solution. ‘During the migration itself, we were able to rely on the DNS specialists at SWITCH, which we found very helpful,’ reports Daniel Eisenlohr.

DNSSEC at the touch of a button

SWITCH advises university IT departments on the planning and implementation of DNSSEC. Its team of DNS specialists is ready to help should there be any problems. Depending on the DNS server, DNSSEC can be activated at the press of a button thanks to the Child Delegation Signer (CDS).

SWITCH’s registry has been proactively planning for this automation, because automation is also what helped HTTPS make its big breakthrough in recent years.

Since CDS was activated for .ch and .li domains at the beginning of the year, considerably more domains have been secured with DNSSEC in Switzerland. As a result, SWITCH is playing a key role in making the flood of data more secure and ensuring that internet users do not end up on hijacked websites. However, domain holders are equally responsible for systematically implementing DNSSEC as a barrier to prevent these hijackers from gaining access.

What do I need to do to use DNSSEC?

No action is required on your part as an internet user. If your internet provider supports DNSSEC, the signatures are always verified on the provider’s DNS servers.

If you are a domain owner and would like to protect your domain name with DNSSEC, you can choose a registrar or hosting provider that will sign your domain name with DNSSEC. Some .ch registrars let you do this with just a single click.
