Two sessions on DNS took place at TLDCON 2020
The second day of TLDCON 2020 began with a discussion on how DNS analysis helps ensure internet security and develop business, marketing, and social research among many other things. Together with moderators Yelena Voronina (MSK-IX) and Alexei Rogdev (ICT), experts discussed why DNS is a source of valuable data for cybersecurity specialists, DNS architects, marketing experts and analysts, and what benefits can be derived from the use of DNS analytics.
Alexei Lukatsky (Cisco) spoke about analyzing DNS infrastructure to expose hidden interconnections between malicious domains and their owners, predict attacks and identify cybercriminals.
“Malicious domains are hosted on the same IP addresses and have the same owners. DNS makes it possible to not only analyze domain names, but, for example, analyze relationships between their administrators. DNS can even help us predict future cyberattacks and, by analyzing IP, block access from such domains,” Lukatsky said.
He added that by identifying just one phishing or otherwise malicious website, it is possible to expose an entire network of such domains by IP and neutralize the entire fraudulent cyber system.
Alain Durand (ICANN) presented Identifier Technology Health Indicators, a method developed by ICANN to measure the “health” of the identifier system. He noted that the project had been ongoing for several years, and data had been collected from various sources such as DAAR and other ICANN projects as well as its partners’ projects. He invited other participants in the session to cooperate.
Pavel Khramtsov (MSK-IX) presented an extensive overview of methods and directions to collect and process DNS statistics. He especially noted the Russian project statdom.ru, which is run by the Technical Center of Internet and focuses on statistics and data analysis of Russian ccTLDs, as well as Netoscope, a domain space security project by the Coordination Center for TLD .RU/.РФ.
Quoc-Anh Pham (GoDaddy Registry) described how GoDaddy uses DNS data in its work. Alexander Venedyukhin (ICT) analyzed DNS uses for publishing auxiliary data structures and talked about securing websites with cryptographic keys.
TLDCON 2020 included a session where participants discussed the use of DNS in the context of internet security. Mikhail Anisimov (ICANN), the moderator of the session “DNS: The red lines,” suggested discussing which issues of internet security were within the competence of registries, registrars, and other members of the domain name ecosystem and who could and had to counter which outbreaks.
James Galvin (Afilias) talked about how DNS and domain names were misused, and what registrars and registries could do to prevent it. He noted that registries and registrars must promptly investigate DNS abuse: “This is our role and function in the ecosystem. Our task is to ensure that the internet is safe for everyone.” Irina Danelia (Coordination Center for TLD .RU/.РФ) added that registries felt responsible for what the internet was like:
“National registries are starting to take an increasingly proactive stance on network security. We have settled in the virtual world quite recently, and perhaps this is the reason for such close attention to the internet from regulators in all countries. But regulatory instruments are still at the very source.”
Danelia spoke about the self-regulation steps that the Coordination Center took almost ten years ago, initiating interaction between a number of companies and creating a body of competent organizations. At the same time, Irina Danelia drew attention to the fact that it is very important to be responsible for decisions regarding the cancellation of domain name delegation. She also presented a new project by the Coordination Center, Domain Patrol, which is aimed at telling all internet users about the work of competent organizations and their interaction with the Coordination Center.
Alexander Kalinin (Group IB) explained how competent organizations operate. Group IB was among the first companies to join the institution of competent organizations back in 2011. The speaker talked about the company’s work during the pandemic when the number of cybercrimes had risen significantly. He noted that while the number of malicious domains grew, the competent organizations’ response time to requests from registrars and hosting providers increased too.
“We see that phishing cases have almost doubled, and it is clear that the DNS abuse policy has to be updated, expanded and adapted to the new reality,” Mikhail Anisimov noted.
Roland van Rijswijk-Deij (University of Twente) added that trusting the information source was the most important factor when making decisions on countering illegal websites. He also stressed that research organizations were ready to present their analytical research on DNS abuse to law enforcement bodies, but that demanding that researchers catch criminals is unrealistic.
Summing up the session, Mikhail Anisimov said: “Attempts to create data repositories on domains and violations are taken today both at the international and national levels.”