Internet pioneer Dr. Paul Vixie wishes people would stop ignoring his advice and start taking security seriously. “I am complaining about too many things,” he tells me. “It couldn't be as bad as I say it is. Except it is.”

The man who made extensive contributions to the Domain Name System (DNS) has just given the opening keynote at the CARO 2019 conference in Copenhagen, and once again has asked the security community to be more collaborative “for the good of all.” The growth of the internet of things (IoT) poses new challenges in the field of DNS security, and so do government-sponsored hackers who have started targeting the backbone of the internet.

I call Vixie right after the conference. He’s on a train going to the far west of Denmark to pick up his BMW R100 classic motorcycle for a few days of fun. The monotonous train ride takes him back to the beginnings of the internet. Vixie reflects on the mistakes of the past and the things that could be done to improve DNS security.

Half-baked and barely working

Vixie spent the first half of his career making the internet easier to use, authoring many standards documents concerning the Domain Name System, the internet phone book that allows us to use human-readable names for websites instead of IP addresses. Then, he changed tactics.

“I’ve spent roughly the second half [of my career]… trying to make communications harder... because of all the criminals and spammers that we brought with us,” the tech veteran said in his Internet Hall of Fame acceptance speech in 2014.

He tries to make communications safer with Farsight Security, a company he co-founded. Farsight passively collects internet data including domain names, IP addresses, and name servers, providing security teams both a real-time and a historical view of an organization’s online presence to help them detect cyberattacks more quickly.
Paul Mockapetris, who designed the original DNS architecture in 1983, serves on Farsight's board.

Vixie is even better known for his contribution to the Domain Name System Security Extensions (DNSSEC), which add cryptographic signatures to DNS data so that a resolver can verify that an answer really comes from the zone's operator and was not forged in transit. Although the first DNSSEC standard dates from the late 1990s, not everyone is deploying it. “A lot of people [in the industry] are resisting turning it on because it means more work for them,” Vixie tells me.

In fact, a recurring theme of his career in security has been building technologies that solve big problems but aren’t adopted by everyone. “Advice like mine is ignored by people who can't believe that things are as bad as I say,” he tells me. “The world does seem to keep turning and the lights do come on when you flip the switch on, and so it can’t possibly be as hokey as I’m describing.”

Yet, he says that the tools we’re building are neither well structured nor well understood. “Everything about technology is so half-baked, and so barely working, that really the part that is working for you right now, at any given moment, is the exception rather than the rule. A lot of it is individual acts of heroism by people that may someday be replaced by those who don't care as much.”

Vixie himself performed many acts of heroism or “midnight engineering,” as he calls it. But he also had his share of blunders and opportunities not taken. “Probably my biggest mistake was to use IP fragmentation as a way to get larger messages,” he tells me.
“That was clearly a bad idea.”

A missed opportunity for internet security

He could have made the internet more secure in the late 1990s, when his DNS implementation ran on almost every name server. Yet, he and his friends thought the internet was too big to be rebuilt from scratch. “We were wrong. At the time, there were 3 billion users. Compared to the future, that network would have been pretty easy to change… That would have been the time to make a fundamental redesign.”

Some of his mistakes were obvious even at that time, he says, but there was nobody to challenge him and refute his work, particularly after the internet grew bigger. He regrets not being nice and kind enough to build a collaborative community around him that would have benefited the whole world.

“I wish I had been a lot more polite,” he tells me. “Seriously.”

“The cultural norm within the DNS technical community right now is somewhat hostile and unforgiving. A lot of that comes from people following my earlier example. I should have been a better person.”

The high-speed train that’s taking Vixie to his classic motorcycle in West Denmark enters a long tunnel. Soon, I lose him.

Attackers becoming more capable, sophisticated

DNS security has been grabbing headlines in the past two years, as domain hijacking incidents increased.
Both government-sponsored hackers and cybercriminals have targeted the backbone of the internet in a number of ways, in spite of United Nations cyberwarfare norms that rule out attacks on critical infrastructure.

“If DNS is the phone book of the internet, then hijacking DNS is making prank calls with real-life consequences,” says Stefan Tanase, security researcher at Ixia.

I meet him in a cafe just outside his company’s office in Bucharest, Romania. He grabs a thick stack of papers from his backpack. All are on DNS security, one of the topics he has been following throughout his career. Tanase says that hackers targeting DNS are becoming more capable and more sophisticated.

“A few years ago, we mostly had opportunistic attacks, often performed by hacktivists like the Syrian Electronic Army, who claimed responsibility for taking over the New York Times’ website in 2013,” he says.

Today, the researcher sees more targeted actions. His team recently discovered a campaign in which traffic meant for PayPal, Gmail, Netflix, Uber and some Brazilian banks and hosting services was redirected to malicious websites. The attackers targeted home routers, which are often left unpatched, and used known firmware vulnerabilities to change the routers’ DNS server settings, so that every device behind an affected router resolved names through a server the attackers controlled.

“As routers get more RAM, more processing power and more storage space, they become more appealing to cybercriminals,” Tanase says. Victims often don’t know they have been hit. “They have an antivirus installed on their computer and think they are safe. Truth is, their router could be hacked, or the router of the ISP, or the DNS of the TLD.”

Tanase says hackers use plenty of techniques, some of which take advantage of the growth of the internet of things.
He mentions DNS rebinding attacks on IoT networks, in which a script on a malicious web page gets past the browser’s same-origin policy because the attacker re-points the page’s own domain name at an address on the visitor’s local network after the page has loaded, so the script can reach devices that were never exposed to the internet. There are also DNS amplification DDoS attacks, in which attackers send small queries with a forged source address to open resolvers, whose much larger responses then flood the victim’s servers.

The researcher has also seen hackers who used DNS queries to communicate with command-and-control servers. “Why? Because sysadmins often fail to log DNS requests,” he says. “Cybercriminals buy a domain, and they set up a DNS server so that it accepts requests for any subdomain of that domain. Then, they use encrypted commands as subdomains to communicate with command and control servers.”

Tanase sips his coffee and tells me that some of the most prolific DNS cybercrime gangs he has followed are based in Latin America, probably because legislation against such crimes is lagging in that region.

State-sponsored attackers targeting DNS servers

It’s not just cybercriminals who abuse DNS to carry out dubious work. Cisco Talos has recently analyzed at least two separate state-sponsored actors, Craig Williams, director of outreach, tells me in a video call. The first campaign his team monitored was DNSpionage, which stole login credentials from government organizations and companies in the United Arab Emirates and Lebanon. It hijacked the DNS records of the entities it targeted and redirected their traffic to internet addresses under its control. The campaign also used two malicious websites with fake job postings, from which victims downloaded Microsoft Office documents with embedded macros.

“That's actually incredibly common for state-sponsored actors,” Williams tells me. “A lot of people hear state-sponsored and they think they must have had a zero-day or some sort of undetectable attack. That's almost never the case.
Generally, a state-sponsored attack is something very simple, something that's very reliable.”

Williams tells me that this campaign was fascinating to study. “DNSpionage would actually have a complete C2 system that would tunnel over DNS, which is relatively unusual... [But] they used self-signed certificates from Let's Encrypt, which is very common.”

Shortly after DNSpionage, Cisco Talos found a second state-sponsored campaign, Sea Turtle, which poses an even more severe threat. The actor behind these attacks hit 40 different organizations in 13 countries, mostly in the Middle East and North Africa. Among the victims were ministries of foreign affairs, military and energy organizations and intelligence agencies, but also DNS registrars, telecom companies and internet service providers. In fact, according to Cisco Talos, the campaign was probably the first known case of a domain name registry being compromised for cyber espionage operations.

“Sea Turtle was a very brazen actor,” Williams tells me. It didn’t stop operating after it was detected, which is unusual for government-sponsored attackers. “Even after our write-up was published, they still kept doing it, and they're probably still doing it right now,” Williams says.

He fears that the success of such operations might prompt government-sponsored actors to target DNS more broadly, which would have devastating effects for everyone. “If they ever decide to attack corporations or commercial [entities], it would undermine the fundamental trust that people have in DNS,” he says. “That trust keeps e-commerce going and keeps the internet working.”

Williams believes there should be a global agreement on what’s illegal and immoral when it comes to governments hacking each other.
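The DNS-tunnelled command-and-control that Tanase describes above, and that Williams saw DNSpionage use, leaves a recognisable trace in resolver query logs once those logs exist. The following is an example added to this article, not code from Ixia, Cisco Talos or Farsight: it parses constructed BIND-style query-log lines (the sample traffic, hostnames and addresses are made up) and scores each registered domain on the traits a tunnel shows, namely many distinct subdomains, long high-entropy labels carrying encoded commands, and record types whose answers can carry data back.

```python
"""Spot DNS-tunnelling command-and-control in resolver query logs.

Example code added for this article; it is not from Ixia, Cisco Talos or
Farsight. It scans constructed BIND-style query-log lines (not real
traffic) and scores each registered domain on the traits a tunnel shows:
many distinct subdomains, long high-entropy labels carrying encoded
commands, and record types (TXT, NULL, CNAME) whose answers can carry
data back. Every hostname and address below is made up.
"""
import math
import re
from collections import defaultdict

# Constructed sample: ordinary lookups for example.com, plus one client
# beaconing to a domain whose subdomains are 32-hex-character blobs.
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.53)
client 10.0.0.5#53212: query: mail.example.com IN MX + (10.0.0.53)
client 10.0.0.9#60000: query: _acme-challenge.example.com IN TXT + (10.0.0.53)
client 10.0.0.6#40100: query: cdn.example.com IN A + (10.0.0.53)
client 10.0.0.7#41001: query: 5d41402abc4b2a76b9719d911017c592.t.badexample.net IN TXT + (10.0.0.53)
client 10.0.0.7#41002: query: 098f6bcd4621d373cade4e832627b4f6.t.badexample.net IN TXT + (10.0.0.53)
client 10.0.0.7#41003: query: d41d8cd98f00b204e9800998ecf8427e.t.badexample.net IN TXT + (10.0.0.53)
client 10.0.0.7#41004: query: 21232f297a57a5a743894a0e4a801fc3.t.badexample.net IN TXT + (10.0.0.53)
client 10.0.0.7#41005: query: e10adc3949ba59abbe56e057f20f883e.t.badexample.net IN TXT + (10.0.0.53)
client 10.0.0.7#41006: query: 5f4dcc3b5aa765d61d8327deb882cf99.t.badexample.net IN TXT + (10.0.0.53)
client 10.0.0.7#41007: query: 202cb962ac59075b964b07152d234b70.t.badexample.net IN CNAME + (10.0.0.53)
client 10.0.0.7#41008: query: 81dc9bdb52d04dc20036dbd8313ed055.t.badexample.net IN TXT + (10.0.0.53)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
DATA_TYPES = {"TXT", "NULL", "CNAME"}  # answers of these types can carry arbitrary data downstream


def shannon_entropy(s):
    """Bits per character; ~0 for 'www', close to 4 for hex blobs."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname):
    """Return (registered domain, subdomain part). Two-label approximation:
    production code should consult the Public Suffix List (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname"), m.group("qtype").upper()


def domain_stats(text):
    per = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "total": 0, "data": 0})
    for _client, qname, qtype in parse_log(text):
        dom, sub = split_domain(qname)
        d = per[dom]
        d["total"] += 1
        d["subs"].add(sub)
        d["lens"].append(len(sub))
        d["ents"].append(shannon_entropy(sub.replace(".", "")))
        if qtype in DATA_TYPES:
            d["data"] += 1
    return {dom: {"queries": d["total"],
                  "unique_subdomains": len(d["subs"]),
                  "avg_sub_len": sum(d["lens"]) / d["total"],
                  "avg_entropy": sum(d["ents"]) / d["total"],
                  "data_type_ratio": d["data"] / d["total"]}
            for dom, d in per.items()}


def flag_tunnels(stats, min_unique=5, min_len=20, min_entropy=3.0, min_ratio=0.5):
    """Domains that look like a tunnel on all four traits at once; thresholds are starting points."""
    return sorted(dom for dom, s in stats.items()
                  if s["unique_subdomains"] >= min_unique and s["avg_sub_len"] >= min_len
                  and s["avg_entropy"] >= min_entropy and s["data_type_ratio"] >= min_ratio)


if __name__ == "__main__":
    stats = domain_stats(SAMPLE_LOG)
    for dom, s in sorted(stats.items()):
        print(dom, {k: round(v, 2) for k, v in s.items()})
    print("suspected tunnels:", flag_tunnels(stats))
```

The thresholds are deliberately conjunctive: CDNs, anti-spam lookups and ACME challenges also produce odd-looking subdomains, so no single trait should fire on its own, and known services should be allow-listed before alerting. The two-label split for the registered domain is a simplification; a Public Suffix List lookup belongs there in real use.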
Williams fears that the lack of such a treaty will intensify attacks against the DNS. “We’re living in a Wild West model of the internet, where everybody seems to attack anything with no regard to what happens,” he says. “We need to come together as users of the internet and agree that there should be some things that are off-limits. Without some sort of agreement, we're going to continue to have these types of attacks escalate, and I don't know at what point it stops.”

“If government A wants to attack government B, that's great. Let's hack each other, but don't break DNS while you're doing it!” Williams says.

Giving the good guys an edge

Meanwhile in Denmark, Paul Vixie’s train exits the tunnel, and I’m able to talk to him a little bit longer. I remember one of the things he said at a conference, when he asked his peers in the security community to reflect more on the kind of world they help build. “A number of us have really been focused on 1s and 0s without understanding the social implications of what we create,” he told the audience at Hack.lu in Luxembourg last year.

Back then, he introduced SIE Europe, an initiative that allows organizations to share passive DNS data to help investigations, but also to reduce risk from phishing, ransomware and other attacks. He built SIE together with Christoph Fischer, the CEO of BFK, and Peter Kruse, co-founder of CSIS Group.

Vixie believes that information sharing as well as regulation could address some of the security issues the world is facing right now. “I love GDPR [the European Union’s General Data Protection Regulation],” he tells me.
“And some of my friends are petitioning Washington, DC right now to create an accountability framework.”

As for DNS hijacking, the tech veteran says he doesn’t worry too much about high-value domains such as Google.com or Amazon.com, because they are well protected against this type of attack, at least through the registrar system. Yet smaller websites, which invest less in security, will continue to be hit, he says.

In his opinion, hijacking is just the tip of the iceberg. “As a technologist with some decades of experience with DNS, when I look at security problems, my biggest worry is not hijacking, but protocol misuse, when you are able to spoof someone else’s content,” Vixie says. The answer to that is the extension he helped create, DNSSEC, which should be used by everyone but isn’t: a resolver that validates signatures rejects a forged answer no matter which path it arrived by.

It’s our unwillingness to do complicated things and to see the big picture that keeps us at risk, he says. “Do you want to know why the world doesn't get better, why we continue to live with corruption in our governments or malfeasance in our financial institutions?” he asks. “It's because there are too many problems for people to be bothered by and [they] really just want to live their lives.”

Regardless of what comes next, Vixie plans to keep working to make the internet safer. “I've only got... some number of days of my life remaining to me, and I'm not gonna spend any of them in a way that does not also move the needle on human history,” he said during one of his talks.

The fight to protect the internet often seems futile and exhausting. That’s why it helps to take a break from work every now and then. The train rolling through West Denmark is slowing down. In a short while, Vixie will arrive at his destination to pick up his motorcycle.
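Vixie’s distinction above between hijacking and spoofed content is one a resolver operator can check on the wire: a signed zone’s answers carry RRSIG records, and a validating resolver marks an answer it has verified by setting the AD (Authenticated Data) flag in the response header. The following is an example added to this article, not code from the author, ISC or Farsight. It builds constructed DNS responses in wire format (RFC 1035 message layout, RFC 4034 RRSIG layout), parses them back including name-compression pointers, and reports which kind each response is. The names, addresses, key tag and signature bytes are invented, and no signature is verified cryptographically.

```python
"""Classify a DNS response by the DNSSEC evidence it carries.

Example code added for this article, not from the author, ISC or Farsight.
Builds constructed responses in DNS wire format, parses them, and reports
whether the A record is covered by an RRSIG and whether the resolver set
the AD flag. Names, addresses, key tag and signature bytes are made up;
nothing here checks a signature cryptographically.
"""
import struct

TYPE_A, TYPE_RRSIG, CLASS_IN = 1, 46, 1
FLAG_AD = 0x0020                 # Authenticated Data bit in the header flags
POINTER_TO_QNAME = b"\xc0\x0c"   # compression pointer to offset 12 (the question name)


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, ip, ad, signed, txid=0x1234):
    """Constructed NOERROR response with one A record, optionally an RRSIG over it."""
    flags = 0x8180 | (FLAG_AD if ad else 0)          # QR=1, RD=1, RA=1
    answers = [(TYPE_A, bytes(int(o) for o in ip.split(".")))]
    if signed:
        # RFC 4034 s.3.1 RRSIG rdata: type covered, algorithm (13 = ECDSAP256SHA256),
        # label count, original TTL, expiration, inception, key tag, signer, signature.
        labels = qname.rstrip(".").count(".") + 1
        rrsig = struct.pack("!HBBIIIH", TYPE_A, 13, labels, 300, 0x60000000, 0x5F000000, 4242)
        rrsig += encode_name("example.com.") + b"\xab" * 64   # invented signature bytes
        answers.append((TYPE_RRSIG, rrsig))
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for rtype, rdata in answers:
        msg += POINTER_TO_QNAME + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # RFC 1035 s.4.1.4 pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "ad": bool(flags & FLAG_AD), "questions": questions, "records": records}


def dnssec_status(msg):
    """'validated': resolver set AD, i.e. it checked the chain of trust itself
    (a stub that did not send the DO bit gets AD without the RRSIGs);
    'signed': RRSIG present but AD clear, so nobody on this path validated it;
    'unsigned': no evidence at all; a forged answer would look identical."""
    p = parse_response(msg)
    covered = {struct.unpack("!H", rd[:2])[0] for _, t, rd in p["records"] if t == TYPE_RRSIG}
    has_a = any(t == TYPE_A for _, t, _ in p["records"])
    if p["ad"]:
        return "validated"
    if has_a and TYPE_A in covered:
        return "signed"
    return "unsigned"


if __name__ == "__main__":
    for ad, signed in ((True, True), (False, True), (False, False)):
        print(ad, signed, dnssec_status(build_response("www.example.com", "192.0.2.10", ad, signed)))
```

The AD flag is a claim made by the resolver, not proof: anyone who can spoof the resolver’s replies to a stub can set the bit too, so it is only meaningful when the resolver is trusted and the path to it cannot be tampered with, which is why running a validating resolver close to the clients matters. The same two signals are visible in `dig +dnssec` output, as the `ad` flag in the header and the RRSIG lines in the answer section.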