DNSSEC, Secure DNS for the Internet on the Way

DNSSEC (DNS Security Extensions), a set of extensions that adds cryptographic authentication to the DNS protocol, is to be switched on at the root servers on May 5th. With DNS cache poisoning and man-in-the-middle attacks on the rise, the Domain Name System is getting a signed, verifiable version of DNS next month.

The changes add digital signatures to DNS records, so a validating resolver can check that an answer really came from the zone's operator and was not altered on the way (DNSSEC authenticates answers; it does not encrypt them). This reduces the risk that users are redirected to rogue sites masquerading as the real deal. But these changes are being implemented with caution. Classic DNS over UDP limits a response to 512 bytes; anything bigger needs EDNS0, where the resolver advertises a larger buffer in its query. According to The Register, the new signed DNS packets will be much larger than 512 bytes and some existing firewalls could reject them:

Because of this, some pieces of network gear are configured out of the box to reject any UDP packet over 512 bytes on the basis that it's probably broken or malicious. Signed DNSSEC packets are quite a lot bigger than 512 bytes, and from 5 May all the DNS root servers will respond with signed DNSSEC answers.

The change happens at the root servers, so it lands first on the recursive resolvers that query them, typically run at the ISP or enterprise level. Home user and small business routers, which normally just forward queries to the ISP's resolver, should not be at risk. "Should not" being the key words there: a firewall or router that drops UDP packets over 512 bytes causes trouble wherever it sits in the path, and a small office that runs its own recursive resolver talks to the root servers directly. For more information on DNSSEC, see Wikipedia.


