
DNS and the Internet of Things: Opportunities, Risks, and Challenges

The ICANN Security and Stability Advisory Committee (SSAC) has recently published SAC105, a report on the interplay between the Domain Name System (DNS) and the Internet of Things (IoT). Unlike typical SSAC publications, SAC105 does not provide particular recommendations to the ICANN Board, but instead is informative in nature and intends to trigger and facilitate dialogue in the broader ICANN community.

This is the first paper (that the SSAC is aware of) aimed at distilling the unique interactions between the DNS and the IoT and, as such, should be important to most members of the ICANN community. The paper frames the risks that the IoT presents to the DNS ecosystem, and strives to remove much of the confusion and angst around the IoT.

The paper asks some provocative questions, and the SSAC is looking for input from the community on what further work we should do in this space. Please read the document and send us your thoughts and feedback to!

The IoT is an emerging Internet application that is widely expected to enhance our daily lives by seamlessly interacting with our physical environment through tens of billions of connected sensors and devices. These interactions make the IoT vastly different from traditional Internet applications, such as email and web browsing, because data exchange often takes place passively and without human involvement or awareness. IoT devices interact continuously with the DNS, relying on it for their operations and updates, as well as impacting the DNS in many different ways. It is vitally important that the DNS community understand the effects of IoT on the DNS, and that IoT manufacturers understand how the DNS is vital to a healthy IoT ecosystem.

SAC105 Key Findings: Opportunities, Risks, Challenges

The IoT represents an opportunity for the DNS, as IoT devices sense and act upon physical environments and will require new security, stability, and transparency requirements that the DNS can help fulfill. For example, DNSSEC can help ensure a connected door lock only communicates with its intended service and not a malicious one.

At the same time, the IoT is a risk because it can cause stress on the DNS. Recent measurement studies show that IoT botnets can grow to hundreds of thousands of infected devices, such as light bulbs, cameras, and doorbells, and then launch large Distributed Denial of Service (DDoS) attacks against Internet infrastructure. IoT botnets are difficult to eradicate because devices may require device-specific cleanup procedures and often operate unattended.

SAC105 also examines various challenges in taking advantage of the opportunities and addressing the risks. One challenge is to develop a library that makes DNSSEC validation and other DNS security facilities available for IoT software engineers. Another challenge is developing a shared system that enables different DNS operators to automatically and continuously share information on IoT botnets, allowing them to more quickly respond to those botnets and the DDoS attacks they generate.

We encourage you to learn more about the DNS and the IoT by watching the recent video interview with SSAC member Cristian Hesselman, the Chair of the SSAC IoT Work Party that produced the report. We also encourage you to view the presentation on SAC105 given by SSAC member Jacques Latour at the ICANN65 Tech Day, and of course to read the full report.

SAC105 is an easy and approachable read for non-technical audiences, yet still covers many complex issues not covered in other reports on the IoT.

We look forward to your feedback!


    Denisha Coonce  07:20 UTC on 13 October 2019

    Thank u
