NS1 Launches DNS Security Service


By: Michael Vizard

NS1, a provider of DNS delivered as a managed service, yesterday announced a DNSsec-enabled service that includes support for traffic management capabilities such as restricting access to network services to specific zones.

The company hopes to take advantage of a big security hole. The Domain Name System Security Extensions (DNSsec) specifications were originally developed to prevent cybercriminals from poisoning DNS servers in a way that would reroute traffic to websites loaded with malware. But so far, implementation of DNSsec has been spotty at best because many of the traffic management capabilities implemented by providers of DNS servers are incompatible with DNSsec. 

The poisoning of DNS caches remains one of the primary vectors cybercriminals employ to compromise the results of DNS queries, says Jonathan Lewis, vice president of product marketing for NS1. While the fix for this issue has been available, many providers of DNS services have been reluctant to implement DNSsec because one of the main value propositions they provide is traffic management, says Lewis.

“A lot of the traffic management capabilities being provided are simply not compatible with DNSsec,” says Lewis.

NS1 has reworked its implementation of DNS to now make DNSsec a default capability while still being able to provide capabilities such as geo-routing, adds Lewis.

Lewis says NS1 is betting that, now that more organizations realize how cybercriminals are compromising DNS servers to deliver malware, many more of them will opt to rely on a secure managed DNS service rather than continuing to manage DNS servers on their own.

Ever since a massive distributed denial of service (DDoS) attack took down most of the websites on the east coast in late 2016, IT organizations have been reevaluating their approach to DNS services, which many once took for granted. The challenge they have faced is finding a way to better secure DNS without compromising the quality of the web application experience being provided.

DNSsec, of course, won’t prevent cybercriminals from launching a DDoS attack. But, at the very least, it should provide some peace of mind that a compromised DNS server has not become part of the larger cybersecurity problem.