Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Half of federal Web sites fail DNS security test

Half of U.S. government Web sites are vulnerable to commonplace DNS attacks because they haven't deployed a new authentication mechanism that was mandated in 2008, a new study shows.

The Office of Management and Budget (OMB) issued a mandate requiring federal agencies to deploy an extra layer of security — called DNS Security Extensions or DNSSEC — on their .gov Web sites by Dec. 31, 2009.

However, an independent study conducted this month shows that 51 per cent of agencies are out of compliance with the requirement to deploy DNSSEC, which is also necessary for high marks in agency report cards under the Federal Information Security Management Act or FISMA.

DNSSEC FAQ 

DNSSEC is an Internet standard that prevents hackers from hijacking Web traffic and redirecting it to bogus sites. It allows Web sites to verify their domain names and corresponding IP addresses using digital signatures and public key encryption.

In order to be effective, DNSSEC must be deployed across the entire Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .gov, .com and other top-level domains, and then down to the servers that cache content for individual Web sites.

Once it is fully deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

DNSSEC was enabled in the root zone last July. More than a dozen top-level domains - including .org for non-profits, .edu for universities and .net for networking companies - support the standard.

Related Events: DNS gains added measure of security starting today 

Secure64 Software Corp., a DNS vendor, tested 360 federal agencies for evidence of digital signatures on their .gov domains. The company ran the same test a year ago and found that only 20 per cent of federal Web sites were in compliance with the DNSSEC mandate.

"We checked which ones of those Web sites were signed, which is the first step to deploying DNSSEC," says Mark Beckett, vice president of marketing and product management for Secure64. "Last year, that number was 20 per cent. This year, that number is 49 per cent."

2010 DNSSEC Survey 

Secure64's findings show progress on the DNSSEC front, with the number of federal agencies digitally signing their domains having more than doubled. "But if you think the government should be fully deployed by now, it's a disappointing number," Beckett added.

Secure64 examined only .gov domains, eliminating federal Web sites that end in .mil, .com or .org from its research because the OMB mandate only applies to .gov Web sites.

"The sample size is large enough that these numbers are very believable and conceivable with what we see out in the market," Beckett says.

Leaders in DNSSEC deployment include the State Department, which is 100 per cent compliant, and the Department of Labor, which is 90 per cent compliant, according to the Secure64 survey.

Among the agencies that appear to be lagging in DNSSEC deployment include the Treasury Department, which is signing only one of its dozen subdomains.

Beckett says agencies are even further behind in establishing a chain of trust with their parent domains, which is the second step in DNSSEC deployment after signing a DNS zone.

"Of the folks with signed domains...only about 20 per cent have established a chain of trust with their parent," Beckett says. "The fact that more than half of the agencies have not yet signed and an even larger percentage haven't established their chain of trust tells you the difficulty for anybody - including federal agencies - in deploying this. It's evidence of the complexity of doing this."

Secure64 sells automated systems for DNSSEC deployment; a typical customer spends around $100,000 on their systems.

Other vendors sell DNSSEC services built into broader product suites, such as IP address management offerings from Infoblox and BlueCat Networks or load balancing systems from F5.

DNSSEC will continue to be in the news this year because VeriSign has committed to supporting the security technology in the .com domain in March. The Internet's largest domain, .com has more than 90 million registered domain names, according to the latest VeriSign Domain Name Industry Brief.

Background on VeriSign's DNSSEC plans

"I think the .com signing is a really important event," Beckett says. "I think it's going to create a much bigger market for products and services that make DNSSEC easier. You can see from our statistics that deploying DNSSEC hasn't been the easiest thing. I think you'll see more and more companies like ours that offer products and services that take the pain out of DNSSEC."

The types of DNS attacks that DNSSEC would eliminate are widespread. More than half of IT decision makers report being victims of DNS-based attacks during the last two years, according to a July 2010 survey by Forrester Research. Among the most common forms of DNS attacks are man-in-the-middle attacks and DNS cache poisoning - both of which could be eliminated by DNSSEC.

The U.S. government isn't the only sector dragging its feet on DNSSEC deployment. Only 11 per cent of the nearly 300 IT decision makers surveyed by Forrester Research had adopted DNSSEC, and these IT decision makers represented financial services firms, ISPs, content providers, e-commerce sites and public-sector organizations.

"DNSSEC is not widely known or deployed, but the majority of those who know DNSSEC plan to adopt," the Forrester Research survey said.

Read more about wide area network in Network World's Wide Area Network section.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: BlueCat Networks, Cache, F5, F5 Networks, Forrester Research, Infoblox, LAN, Office of Management and Budget, PAM, SEC, VeriSign
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: government, industry verticals, security
Latest Blog Posts
Whitepapers
  • Case Study: Danske Bank Group improves efficiency and reduces time to market
    Danske Bank Group wanted to deliver new services faster. It sought to reduce time to market from approximately 14 months to nine months and increase IT development efficiency by 10 percent. Find out more.
    Learn more »
  • IDC MarketScape: Worldwide Managed Print Services 2011 Hardcopy Vendor Analysis
    This IDC study assesses 11 hardcopy vendors that are participating in the worldwide managed print services (MPS) market. Vendor selection included vendors with existing and developing MPS programs. This assessment discusses both quantitative and qualitative characteristics that explain success in this important market. Growth of print services will continue to escalate as companies of all sizes recognise the savings and efficiencies that can be realised under such programs, and vendors compete aggressively to expand market reach and gain share.
    Learn more »
  • The State of Data Security
    Recognize how your data can become vulnerable, including the latest issues stemming from unprotected data on mobile devices and social media sites. Understand the compliance issues involved, and identify data protection strategies you can use to keep your company’s information both safe and compliant.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments