Subject: General Tech | September 29, 2017 - 12:53 PM | Jeremy Hellstrom
Tagged: icann, bind, dns, ksk, networking, security
ICANN have had to delay their planned upgrade to the root key signing key (KSK) used by DNS because between 5% and 8% of key validators lack the new KSK. If a validator only possesses the 2010 key, it would no longer be able to resolve DNS properly, and the vast majority of the internet would disappear for those stuck on the old system. The Register points out that the problem will actually be much larger, as ICANN assumed that everyone has updated to the newest version of the BIND DNS database and only scanned those validators using the newest version.
The reason for the update is to increase the length of the root KSK that DNS depends on, which will greatly increase the security of anyone surfing the net. To help move this forward, ICANN will be publishing a list of those out-of-date validators in the hope that publicity will spur them to upgrade. As with IPv6, we will wait and see.
"A multi-year effort to update the internet's overall security has been put on hold just days before it was due to be introduced, over fears that as many as 60 million people could be forced offline."
Yesterday morning the Internet juggernaut that is Google announced that its public DNS service has far surpassed their expectations for the experimental service. In fact, the company has taken the 'beta service' training wheels off of what they believe to be "the largest public DNS service in the world," and their statement that they are now handling 70 billion requests a day means the claim may not be far from the truth.
Interestingly, 70% of the service's users come from outside of the US, and Google has announced that they are beefing up their overseas presence to service them with new access points in Australia, India, Japan, and Nigeria. Further, they are expanding their offerings in Asia in addition to maintaining the current servers in North America, South America, and Europe.
The company is continuing to provide their DNS service for free, and they ended their announcement by stating "Google Public DNS’s goal is simple: making the web—really, the whole Internet!—faster for our users."
For those curious, DNS is the technology that allows users to punch in easy to remember text URLs and have their computers connect to the proper servers via numerical IP addresses (which are definitely not as easy to remember). It has been likened to the Internet equivalent of a phone book, and that description is an apt one as DNS servers maintain a running list of IP addresses and the accompanying URL (universal resource locator) so that humans can input a text URL and connect to servers using an IP address. DNSSEC makes things a bit more complicated as it adds further layers of security, but on a basic level the description fits.
DNS benchmark "namebench" results
There are several free offerings besides the DNS services provided by your ISP, and open source tools like Name Bench can help you track down which DNS service is the fastest for you. Users connect to DNS servers using an IP address on one of several levels (in software, at the computer level, or at the router level, et al), and for the majority of people your modem and/or router will obtain the default DNS automatically from your ISP along with your IP.
The default DNS is not your only option, however. Further, many routers can support up to three DNS IP addresses, and by connecting to multiple (separate) services you can achieve a bit of redundancy and maybe even a bit of speed. A fast DNS server can result in much faster web page load times, especially for sites that you don't normally go to (and thus are not cached).
In the case of the Google Public DNS, they operate on the following IP addresses.
(The latter two are IPv6 addresses, and were announced on World IPv6 Day.)
If you have not looked into alternative DNS services, I encourage you to do so as they can often be faster and more reliable than the default ISP provided servers (though that is not always the case). It does not take much time to test and is an easy configuration tweak that can save you a bit of time in getting to each web page (like PC Perspective!). Have you tried out Google or other alternative DNS services, and did you see any improvements?
Subject: General Tech | January 15, 2012 - 06:21 AM | Tim Verry
Tagged: SOPA, senate, security, pipa, Internet, house, freedom, dnssec, dns, Copyright, congress, bill
SOPA, the ever controversial bill making its way through the House of Representatives, contained a provision that would force ISPs to block any website accused of copyright infringement from their customers. This technical provision was highly contested by Internet security experts and the standards body behind DNSSEC. The experts have been imploring Congress to reconsider the SOPA DNS provision as they feel it poses a significant threat to the integrity and security of the Internet.
In a somewhat surprising move, on Friday, Representative Lamar Smith of Texas and Senator Patrick Leahy of Vermont both announced that the DNS provisions included in their respective bills (SOPA in the House and companion bill PIPA in the Senate) would be removed until such time that security experts could provide them with more conclusive information on the implications of such DNS interference.
Many sites are preparing protests to SOPA; most will be forced to shut down should SOPA pass.
As a quick primer, DNS (Domain Name System) is the Internet equivalent of a phone book (or Google/Facebook contact list for the younger generation) for websites, allowing people to reach websites at difficult to remember IP (Internet Protocol) addresses by typing in much simpler text based URLs. Take the PC Perspective website, pcper.com, for example; the website is hosted on a server that is then accessed by other computers using the IP address of "126.96.36.199." Humans, however, cannot reasonably be expected to remember an IP address for every website they wish to visit, especially IPv6 addresses, which are even longer numerical strings. Instead, people navigate using text based URLs. When a URL (universal resource locator) such as "pcper.com" is typed into a browser, the software polls other computers on the Internet running DNS software to match the URL to an IP address. This IP is then used to connect to the website's server.
Further, DNSSEC (the Domain Name System Security Extensions) is a standard and set of protocols backed by the IETF (Internet Engineering Task Force) that seeks to make looking up IP addresses more secure. DNSSEC seeks to protect look-up requests by using multiple servers to verify that the URL look-up returns the correct IP address. By securing DNS requests, users are protected from malicious redirects on compromised servers. Browsers will request IP addresses from multiple DNS servers to reduce the risk that they will receive a malicious IP address to a compromised site.
Security experts are opposed to the DNS blocking provisions in SOPA because the methods contradict the very secure environment that standards bodies have been working for years to implement. SOPA would require ISPs to filter every person's DNS requests (the URL typed into the browser), and to block and/or redirect any requests for websites accused of copyright infringement of US rights holders. This very action goes against DNSSEC and opens the door to a less secure Internet. If ISPs are forced to invalidate DNSSEC, browsers will be forced to poll otherwise untrusted servers, and what is to stop so-called hacking groups and others of malicious intent from compromising DNS servers overseas and redirecting legal and valid URLs to compromised web sites and drive-by downloads of malware and trojan viruses? DNSSEC is not perfect; however, it was a big step in the right direction in keeping DNS look-up requests reasonably secure. SOPA tears down that wall with a reckless abandon for the well-being of citizens. Stewart Baker, former first Assistant Secretary for Policy at DHS and former General Counsel of the NSA, has stated that SOPA would result in "great damage to Internet security" by undermining the DNSSEC standard, and that SOPA was "badly in need of a knockout punch." Various other Internet experts, including the CEO of (anti-virus company) ESET, the head of OpenDNS, and security experts Steve Crocker and Dan Kaminsky, have expressed further concerns that the DNS provisions in SOPA would greatly reduce the effectiveness of the DNS system and would greatly affect the integrity of the Internet.
While the suspension of the DNS redirecting provisions is a good thing, such actions are too little and too late. And in one respect, by (for now) removing the DNS provisions, Congress may have made it that much easier to pass the bill into law. After all, it would be much easier to amend DNS blocking onto SOPA once it's law later than fight to get the foothold passed at all. From the perspective of an Internet user and content creator, I really do not want to see SOPA or PIPA pass (I've already ranted about the additional reasons why so I'll save you this time from having to read it again). While I really want to be excited about this DNS provision removal, it's just not anywhere near the same thing as stopping the entire bill. I can't shake the feeling that removing DNS blocking is only going to make it that much easier for Congress to pass SOPA, and for the Internet to become much less free. We hear about the death of PC gaming or any number of other proclamations made by content creators expressing themselves and exercising their rights to free speech every year, but PC gaming and most things are still around. Please, call and write your congressmen and implore them to vote against SOPA and PIPA so that the last proclamation I read about is not about the death of the Internet!