Google and Neustar, which posted the proposal on an IETF mailing list last week, would like to see the DNS protocol extended to include significant IP address information about the computer making a DNS request. The extension to DNS would enable nameservers to understand roughly where a query was coming from, which would reduce the risk of attacks such as DNS poisoning, in which a nameserver can be convinced by a rogue computer that an illegitimate internet destination is the right one.
"It specifies an EDNS0 option that carries IP address information (by default, only the first 24 bits to preserve privacy) of the user that triggered a DNS resolution," said the posting, made by executives from Google and Neustar. "This should allow authoritative name servers that keep geo-targeted responses to be more accurate, even in cases where the resolver and its users are close to each other."
The posting accompanied a 20-page document detailing the extension, which allows an authoritative name server to issue responses based upon the client's network address, rather than the network address of a recursive name server.
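The option described in the posting, as an added example that is not part of the original article or of the Google/Neustar draft: it encodes and decodes an IPv4 client-subnet option, keeping only the first 24 bits by default and rejecting any option that leaks bits beyond the declared prefix. The option code (8) and field layout are assumptions taken from RFC 7871, the later published form of this proposal, and the function names are illustrative.

```python
import ipaddress
import struct

# Assumption: option code and field layout follow RFC 7871 (the later
# published form of this proposal), not the 2010 draft the article covers.
ECS_OPTION_CODE = 8
FAMILY_IPV4 = 1


def encode_client_subnet(client_ip: str, prefix_len: int = 24) -> bytes:
    """Build the EDNS0 option a resolver would attach to an upstream query."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    # strict=False zeroes the host bits, so they never leave the resolver.
    net = ipaddress.IPv4Network(f"{client_ip}/{prefix_len}", strict=False)
    addr_len = (prefix_len + 7) // 8  # send only the bytes the prefix covers
    addr = net.network_address.packed[:addr_len]
    body = struct.pack("!HBB", FAMILY_IPV4, prefix_len, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_client_subnet(option: bytes) -> ipaddress.IPv4Network:
    """Parse the option as an authoritative server would, rejecting leaks."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    body = option[4:]
    if code != ECS_OPTION_CODE or length != len(body):
        raise ValueError("not a well-formed client-subnet option")
    family, source_len, _scope = struct.unpack("!HBB", body[:4])
    addr = body[4:]
    if family != FAMILY_IPV4 or source_len > 32:
        raise ValueError("unsupported family or prefix length")
    if len(addr) != (source_len + 7) // 8:
        raise ValueError("address length does not match prefix length")
    padded = addr + bytes(4 - len(addr))
    # strict=True raises ValueError if any bit beyond the prefix is set.
    return ipaddress.IPv4Network((padded, source_len), strict=True)


if __name__ == "__main__":
    # Constructed sample client address from the documentation range.
    opt = encode_client_subnet("192.0.2.57")
    print(opt.hex(), decode_client_subnet(opt))
```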
Google has been increasingly active in the battle to make the domain name service more secure. Ever since a fundamental flaw was discovered by researcher Dan Kaminsky in 2008, the security of the service, which resolves URLs to IP addresses on the internet, has been in question.
Early last month, it was revealed that 80% of US federal agencies had failed to implement DNSSEC, a set of security extensions to DNS that use public-key encryption to help make the service more secure. The government had imposed a deadline of Dec. 31, 2009 for the upgrades.
Comments
Joe Baptista says:
01 February 2010
The claims made in this article that the Google protocol extension will contribute to security are incorrect. The protocol has nothing to do with security. It is a means of providing end users with geo-targeted content delivery. But the protocol will do nothing to improve or fix existing security issues.
It is the DNSSEC protocol that addresses security issues, not the proposed Google DNS protocol extensions. And DNSSEC is not the best means of addressing existing security issues - for which see my submission to the DOC NTIA http://bit.ly/EzoYt
regards
Joe Baptista