

Monday, February 1, 2010

Google and Neustar propose security fix for DNS geolocation technology

Google and DNS provider Neustar have jointly proposed an extension to the DNS protocol that would fix many of its security problems.

Google and Neustar, which posted the proposal on an IETF mailing list last week, would like to see the protocol extended to include significant IP address information about the computer making a DNS request. The extension to DNS would enable nameservers to understand roughly where a query was coming from, which would reduce the risk of attacks such as DNS poisoning, in which a nameserver can be convinced by a rogue computer that an illegitimate internet destination is the right one.

"It specifies an EDNS0 option that carries IP address information (by default, only the first 24 bits to preserve privacy) of the user that triggered a DNS resolution," said the posting, made by executives from Google and Neustar. "This should allow authoritative name servers that keep geo-targeted responses to be more accurate, even in cases where the resolver and its users are close to each other."

The posting accompanied a 20-page document detailing the extension, which allows an authoritative name server to issue responses based upon the client's network address, rather than the network address of a recursive name server.
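The following Python sketch is an added example, not code from the article or from the Google/Neustar draft. It shows a resolver encoding only the first 24 bits of a client address into an EDNS0 option, and an authoritative server parsing and validating it. It assumes the option layout and option code 8 later standardized in RFC 7871, which may differ from the 2010 draft; the function names are hypothetical and the addresses are constructed documentation-range samples.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # assumption: code assigned later in RFC 7871, not taken from the article

def encode_client_subnet(client_ip, source_prefix=24):
    """Resolver side: build the option carrying only the first source_prefix bits."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2   # IANA address family numbers
    net = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8        # send no more octets than the prefix needs
    body = struct.pack("!HBB", family, source_prefix, 0)
    body += net.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def decode_client_subnet(option):
    """Authoritative side: validate the option, return (network, scope_prefix)."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    body = option[4:]
    if code != ECS_OPTION_CODE or length != len(body):
        raise ValueError("not a well-formed client-subnet option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", body[:4])
    if family not in (1, 2):
        raise ValueError("unknown address family")
    width = 4 if family == 1 else 16
    raw = body[4:]
    if source_prefix > width * 8 or len(raw) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match prefix length")
    addr_cls = ipaddress.IPv4Address if family == 1 else ipaddress.IPv6Address
    addr = addr_cls(raw + bytes(width - len(raw)))
    # Strict parsing raises ValueError if bits beyond the prefix are set,
    # i.e. if a sender leaked more of the client address than it declared.
    return ipaddress.ip_network(f"{addr}/{source_prefix}"), scope_prefix

if __name__ == "__main__":
    # Constructed sample: the host part (.77) never leaves the resolver.
    wire = encode_client_subnet("198.51.100.77")
    print(wire.hex(), decode_client_subnet(wire))
```

The strict check in the decoder matters for privacy review: an option that declares a 24-bit prefix but carries non-zero bits past it is rejected instead of being silently accepted.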

Google has been increasingly active in the battle to make the domain name service more secure. Ever since a fundamental flaw was discovered by researcher Dan Kaminsky in 2008, the security of the service, which resolves URLs to IP addresses on the internet, has been in question.

Early last month, it was revealed that 80% of US federal agencies had failed to implement DNSSEC, a set of security extensions to DNS that use public-key encryption to help make the service more secure. The government had imposed a deadline of Dec. 31, 2009 for the upgrades.

Source: Google and Neustar propose security fix for DNS geolocation technology, Retrieved on February 2, 2010 from
