DNS Security & Privacy discussed at e-AGE18

The Internet Society continued its engagement with the Middle East networking community by participating in the e-AGE18 Conference, where we took the opportunity to promote the importance of DNS Security and Privacy. The conference was held on 2-3 December 2018 at the Marriott Hotel in Amman, Jordan and was organised by the Arab States Research and Education Network (ASREN) and co-sponsored by the Internet Society.

Kevin Meynell from the Internet Society’s Middle East Bureau highlighted the importance of implementing DNSSEC, which allows DNS resolvers to authenticate the origin of data in the DNS through a verifiable chain of trust. This reduces the possibility of spoofing, where incorrect or corrupt data is introduced into a resolver, or of a man-in-the-middle attack, whereby DNS queries are redirected to a name server returning forged responses.

Unfortunately, only the Saudi Arabia ccTLD (.sa) has operationally deployed DNSSEC in the Middle East region at the present time, although Iran (.ir) and Iraq (.iq) have deployed it on an experimental basis. On the positive side, around 18% of DNS queries originating from Middle East countries are being validated, compared to 12% globally, with Yemen (45.1%), Saudi Arabia (32.1%), Iraq (30.6%), Bahrain (23.2%) and Palestine (22.5%) leading the way. This is possibly because third-party DNS resolvers (e.g. Cloudflare, Google, Quad9) are more widely used in the region.

Of course, whilst DNSSEC ensures that DNS records have not been modified without the owner’s consent, it does not keep the queries themselves confidential. DNS queries reveal what site a host is communicating with, and as they are (by default) sent in clear text, they can easily be eavesdropped.

The IETF DNS Private Exchange (DPRIVE) Working Group has therefore recently developed mechanisms to encrypt queries and responses to/from resolvers and therefore provide some confidentiality of DNS transactions. These include DNS-over-TLS (DoT), DNS-over-DTLS (DoD) and DNS-over-HTTPS (DoH), and with the exception of DoD, there are already several public DNS resolvers (Cloudflare, Quad9 & CleanBrowsing) and a few clients (Stubby 1.3+, Unbound 1.6.7+, Knot 2.0+, Mozilla Firefox 62+ and Android 9 Pie) that support these mechanisms.

It should be pointed out that clients and resolvers need to be upgraded to support DoT and DoH, and that all these mechanisms currently only encrypt DNS communications between the client (stub resolver) and the recursive resolver, not between the recursive resolver and authoritative DNS servers. Support for the latter would require all authoritative DNS servers to be upgraded to support DoT and DoH, and there are concerns about the increased computing requirements that would be placed on the more heavily loaded name servers to set up the encrypted connections.

In addition, providers of recursive resolvers are in a position to monitor and log queries and responses, so they need to be trusted. Nevertheless, these are important developments towards improving the security and confidentiality of the DNS.

Last but certainly not least, attention was drawn to DNS Flag Day, which anyone operating a domain should be aware of. DNSSEC and other extended features of the DNS require EDNS0 (Extension Mechanisms for DNS, RFC 6891), and properly implemented name servers should either reply with an EDNS0-compliant response, or provide a regular DNS response if they do not understand the extension.

However, a lot of name server software is not implemented properly, which has meant resolvers have had to incorporate workarounds for name servers that do not respond correctly; these workarounds cause unnecessary retries and delays, and prevent the newer features of the DNS from being used. The vendors of the most commonly used DNS software (BIND, Unbound, PowerDNS and Knot) are therefore removing these workarounds as of 1 February 2019, with the consequence that hostnames served by broken DNS implementations will no longer be resolved. So please check whether your domain is affected!

ASREN is a non-profit association of National Research and Education Networks in the Middle East that aims to connect institutes to enable access to services, applications and computing resources within the region and around the world, and to boost scientific research and cooperation amongst its members. Its mandate covers 22 countries, and it has partnered with the major regional R&E networking initiatives elsewhere in the world, including GÉANT (Europe), Internet2 (United States), CANARIE (Canada), WACREN (West Africa) and RedCLARA (Latin America). International connectivity is supported by the EU-funded EUMEDConnect3 project.

Deploy360 can also help you deploy DNSSEC, so please take a look at our Start Here page to learn more.

The post DNS Security & Privacy discussed at e-AGE18 appeared first on Internet Society.

Non-Lethal Weapon: DOD seeks to use lasers to create shouting will-o-the-wisp

The Department of Defense’s Joint Non-Lethal Weapons Development Program (JNLWD) is closing in on a directed energy weapon that can literally tell people to go away—creating sound waves with laser pulses that can annoy, frighten, or otherwise send the message to people approaching a military unit that getting closer is not a good idea.

The Non-Lethal Laser-Induced Plasma Effect (NL-LIPE) system can be used to manipulate air molecules, creating a ball of plasma that oscillates to create sound waves with a stream of femtosecond-long laser bursts. A first laser creates the plasma ball, and a second then oscillates the plasma ball to create the sound. As Defense One’s Patrick Tucker reports, the current Laser-Induced Plasma Effect implementation can only manage an indistinguishable mumble—though it can create a wide variety of very distinguishable sounds, as demonstrated in the video below.

A video of the Laser-Induced Plasma Effect in action.

David Law, JNLWD’s Technology Division chief, believes that, within the next three years, the system will be able to create intelligible speech from a glowing ball of plasma hovering in the air at a distance. “We’re this close to getting it to speak to us,” Law told Tucker. “I need three or four more kilohertz.”

The Army’s costly quest for the perfect radio continues

SITREP: The Army’s costly quest for the perfect radio.

The decisions that the Department of Defense made about its “radios of the future” more than 20 years ago are still having an impact on the communications gear the military services purchase today. The Joint Tactical Radio System program may have ended, but it left behind a legacy that the US Army is now trying to get away from—while still holding fast to parts of JTRS’ framework.

JTRS, as Ars reported in 2012, was DOD’s quest to build the perfect set of communications gear based on software-defined radio (SDR) technology. SDR was in its infancy in the mid-1990s, but the Joint Program Office JTRS (the organization driving the DOD-wide program) was convinced that investing early would pay off with cheaper hardware in the long term, and that the government-owned software (a sort of closed open source, with a library available to all vendors) would prevent lock-in with a limited set of contractors.

CORBA style

JPEO JTRS is gone, but its software lives on. The Joint Tactical Networking Center (JTNC) has taken over management of the Software Communications Architecture, the application framework and POSIX-based real-time operating system that powers all the software-defined radios birthed from JTRS-descendant communications gear, along with libraries for the various mission-specific “waveforms” used by different radios. SCA provides an interface for software to manipulate the field-programmable gate arrays (FPGAs) in radio hardware to reconfigure how they function. And until recently, those interfaces required radio developers to use the Common Object Request Broker Architecture (CORBA) to access them.

DOD napalms $950m AWS buy, burning it back by 90 percent

A major Department of Defense commercial cloud deal has contracted considerably after officials experienced buyer’s remorse―or maybe after Oracle protests used a Jedi mind trick.

Last year, as part of a program spurred by the Defense Innovation Unit Experimental (DIUx), the US Transportation Command inked a deal with Amazon Web Services reseller REAN Cloud to start moving five of its logistics applications into the commercial cloud. Since USTRANSCOM relies a great deal on commercial logistics and transportation providers to get things places, this was a relatively easy sell to Department of Defense top brass.

The migration went so smoothly (by DOD standards) that the “Sprint to the Cloud” team at USTRANSCOM won the program an honorable mention in the DOD CIO’s Cyber and Information Technology Excellence awards. And it came at a time when DOD leadership—and Deputy Defense Secretary Patrick M. Shanahan (a former Boeing executive) in particular—has been pushing for the DOD to offload more stuff to the commercial cloud.

Japan to get latest Aegis ballistic missile interceptors from US

The US Defense Department’s Defense Security Cooperation Agency (DSCA) announced on December 9 that the US government plans to allow the sale of four Raytheon Standard SM-3 Block IIA missiles and compatible Mk 29 launch canisters from BAE Systems to Japan. The estimated cost will be $133.3 million. The US State Department has approved the sale, and the DSCA has notified Congress of the pending sale.

The SM-3 Block IIA is the latest version of the US Navy’s air defense missile, used by ships equipped with the Aegis Ballistic Missile Defense (Aegis BMD) system. The missiles can potentially be used to shoot down ballistic missiles in flight, even outside the Earth’s atmosphere. In theory, the new missiles would give Japan a better shot at shooting down a ballistic missile arcing over Japan.

The sale comes on the heels of the Japanese National Diet’s approval of a plan to build an Aegis Ashore missile defense system (the National Diet is Japan’s parliamentary-style bicameral legislature). That system would be based on the land-based missile defense facilities the US Navy has deployed in Romania and is preparing to activate in Poland. Japan’s only current land-based ballistic missile defense is the Patriot system, including Patriot Advanced Capability 3 missiles—and the PAC-3 is more of a point defense system, with much shorter range.

Army tells troops to stop using DJI drones immediately, because cyber

The US military has a lot of drones—and an unending demand from troops in the field for more. As a result, the Army has for some time allowed units to purchase hundreds of off-the-shelf drones made by DJI, the Chinese consumer drone maker. The Army Aviation Directorate has provided “airworthiness releases” for DJI drones over 300 times for a variety of missions, according to a memorandum issued by the directorate’s deputy chief of staff.

But now all of those drones are getting pulled from service, as the result of classified findings in a May study by the Army Research Lab at Aberdeen Proving Grounds in Maryland, as well as a Navy memorandum citing “operational risks” in using DJI drones. The memorandum ordering the ban was obtained by Small UAS News.

The reason may be related to information gathering by DJI’s products that could include geographic location of flights, audio, and video.

DOD successfully tests terrifying swarm of 104 micro-drones

The Department of Defense has released video of a test of swarming drones conducted in the skies over the US Navy’s test range at Naval Air Weapons Station China Lake in California. In the October test, conducted by the Department of Defense Strategic Capabilities Office in collaboration with the Naval Air Systems Command, three FA-18 Hornet aircraft dispersed 104 Perdix micro-drones from onboard flare dispensers. The drones then communicated with each other, swarmed, and performed a series of designated “missions”—including finally swarming in a circle around a designated point on the ground.

The sound of the drone swarm, audible from the ground at the designated rendezvous point (at about 2 minutes into the video below), might be described as terrifying. But we’ll leave that judgment to the reader. In the course of the test, the drones demonstrated advanced swarm behaviors, including self-healing communications, self-adapting formation flying, and collective decision-making.

Watch the skies…

The battery-powered Perdix drones were developed at MIT’s Lincoln Labs, and can be largely produced with a 3-D printer. “Due to the complex nature of combat, Perdix are not pre-programmed synchronized individuals, they are a collective organism, sharing one distributed brain for decision-making and adapting to each other like swarms in nature,” Strategic Capabilities Office Director William Roper explained in a statement about the test. “Because every Perdix communicates and collaborates with every other Perdix, the swarm has no leader and can gracefully adapt to drones entering or exiting the team.”
