The future of DNS security: From extremes to a new equilibrium

In anticipation of his keynote at HITB Security Conference 2020 in Amsterdam, we talked to internet pioneer Dr. Paul Vixie, Farsight Security Chairman and CEO.

Dr. Vixie was inducted into the Internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source internet software including BIND 8, and of many internet standards documents concerning DNS and DNSSEC.


You’ve worked in the DNS field for more than three decades, how have things changed since the late 1980s?

The internet is the biggest thing ever to happen to human society, but likewise commercialization and privatization were the biggest thing ever to happen to the internet. Nothing about the internet’s technology or governance was ready for general exposure to humanity – it was built by academics for their own purposes.

Denial of Service attacks, spam and other fraudulent transactions, inappropriate monetization of public resources, and unnecessary centralization have all thrived along with the internet itself, because the people who designed and deployed the fundamental architecture and infrastructure of the internet did not know and could not have believed that nothing which can be abused won’t be. Well, now we know that, but it’s late.

We’re seeing a steady push to move access side DNS away from customer networks and towards companies like Cisco, Google, IBM, and Cloudflare. What are the risks and costs, and who pays them?

I’ve often said that if the internet was a territory, then the DNS is its map. That’s now broadly understood by the tech sector, and their response is to centralize DNS either for their own leverage or to prevent others from having such leverage.

Centralization is not and never was necessary or beneficial for DNS, and the costs of centralization will be more surveillance, more fragility, more complexity, and more security bypasses. I’ve left instructions in case I perish, so on my tombstone it will be written, “run your own recursive DNS”.

What’s your take on DNS over HTTP?

I think a lot of technologists were enraged by the Snowden disclosures of 2013, and they’re dedicated to creating a user-centric network without any possible controls or monitoring. They tell us we can’t trust network operators, or our operating systems.

What I’ve told them in reply is, we can’t trust our apps which might be malware or infected, nor our users who might be intruders or malicious insiders, and “going dark” will limit good surveillance and controls (by private network operators, and endpoint security products) and empower new kinds of e-crime and e-abuse, in at least the same and probably greater magnitudes than whatever benefit we get by limiting nation-state surveillance efforts.

We needed a balance, but DNS over HTTP is a new extreme.

How do you envision DNS security evolving in the near future?

It’s all going to be encrypted, even the parts which are public information containing no personally identifiable information.

This will trigger a new arms race as to who gets to encrypt what against whom. Managed private network operators are going to have to figure out how to prevent DNS over HTTP from bypassing their enterprise and family security controls, and there will be hell to pay in the form of new complexities and collateral damage. It’s going to take years for a new equilibrium to evolve out of this mess.
