Critical Infrastructure Security , Fraud Management & Cybercrime , Social Engineering
Government Launching a DNS ServiceDesigned to Help Ensure More Secure Internet Browsing
The Indian government plans to launch its own Domain Name System hosting service, the office of National Informatics Center confirms to Information Security Media Group.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
"India's public DNS will work towards preventing our citizens from inadvertently browsing malicious sites," says Neeta Verma, NIC's director general.
"Furthermore, configuring and maintaining a DNS is an expensive proposition, hence Indian's own public DNS will give a boost to the small Indian ISP's as they need not configure their own DNS," says Verma.
The NIC will execute the roll out in the next four months, Verma says.
According to an official in the Ministry of Electronics and Information Technology, or MeitY, the NIC already is using the new government-run public DNS to support government networks.
The use of the new government DNS service will be optional for others. An official with MeiTY tells the Economic Times: "It is not that users will compulsorily need to shift to India public DNS. A user is free to choose any DNS."
Dilip Panjwani, CISO at Larsen and Toubro Infotech, a construction company in India, says the government's new DNS hosting service will help ensure fast, secure access as well as enhanced availability.
"The issues of data privacy and data localization will be addressed to a large extent if, indeed, this move proves successful," Panjwani says. "It will be one of the key components to ensure internet resilience in the face of faults and challenges to normal operation."
Some security practitioners, however, warn that maintaining a DNS hosting service could prove challenging for the government, because DNS servers could be targeted by cybercriminals as a way to launch a widespread attack.
"Some attacks include DNS spoofing, DNS cache poisoning, DNS hijacking and DNS changer," says Delhi-based Sandeep Arora, co-founder and CEO at Cyberimmersions, a digital forensics and data protection and privacy firm.
Helping to Ensure Availability
NIC has planned multiple steps for the roll out of the process. For instance, threat intelligence across multiple sources will be integrated with this implementation. Verma says threat intelligence reports will help NIC to block the malicious content and sites for those accessing the internet using India's new public DNS , thus providing a safer browsing experience.
The new public DNS service will be launched in phases. In the beta phase, service will be available for users of selected ISPs and users in a few smart cities. After intensive testing, service will be launched for all internet users, Verma says.
According to the Economic Times, the government's new DNS hosting service will offer two-factor authentication. The government has installed a server in Delhi, and for disaster recovery, it has deployed another in Hyderabad, says the report.
While some experts argue that the proposed move will give the government an excuse for data surveillance and data localization, a MeitY official tells ISMG that isn't the main aim behind the move. "These are byproducts of this move. But that isn't our main motive. Data localization is being handled separately in the data protection bill. What is important is that we would like people not to visit illegal sites and the same will be communicated to other DNS providers as well."
The new government DNS hosting service would help ensure the privacy of local data, some security practitioners say.
"Browsing history or data of users will be limited within the country and help in curbing malicious or illegitimate sites," says Rohan Vibhandik, a Pune-based security researcher.
Vibhandik says the new DNS service could also help in controlling and blocking of content, including hate speech or fake news. "Government to a large extent can control improper content, child pornography and social abuse," he says.
Arora adds: "The advantage with web traffic going through a government-owned DNS server is that better security and controls can be implemented to block known malware, in the process reducing the attack surface for cybercriminals. When using a third party or a public DNS server like Google, users' information is all gathered and stored on the third-party server, which can be easily monitored and targeted for advertisements."
It remains to be seen how the government might track user information, he notes.
Some lawmakers say the government-owned DNS hosting service could help support forensic investigations, because more data and history will be locally available. This will help overcome challenges with jurisdiction issues faced when attempting to retrieve data from DNS hosting services in other nations, some experts say.
"One of the main [security] issues is that DNS lookups are not encrypted, Vibhandik says. "This is dangerous, since DNS servers are vulnerable to DDoS attacks, DNS poisoning and DNS spoofing attacks."
Vibhandik suggests that the government should use protocols, including DNS Security Extensions DNSSEC, to mitigate the threat.
"DNSSEC protects against attacks by digitally signing data to help ensure its validity, integrity and security," he says.
Vibhandik also recommends the use of DNS forwarders, caching-only DNS servers, DNS advertisers and DNS resolvers. "All this will ensure protection against cache pollution and limit DNS to secure connections only," he says.
NIC says it has in-house staff with the necessary skills to ensure the required security is in place for this implementation. "As part of this implementation, we have also [plan to] include academic institutes for continuous research on how to make the service more secure and faster," Verma says.