WE DO ASCII

Detox: sys4 and BSI make DNS more secure

The vulnerability of the Domain Name System may seem astonishing. Of course, this vulnerability was never the intention of the DNS’s inventors; it is an expression of the innocence of a bygone era.

There are many ways to manipulate the DNS. One notorious method is what is known as DNS cache poisoning. This involves manipulating entries in the DNS in order to misdirect address queries.

The attack vector has been known since 2013. Appropriate name server patches temporarily gave cause for hope that the problem had been eliminated. However, it quickly became clear that DNS cache poisoning is still taking place. On behalf of the German Federal Office for Information Security (BSI), sys4 investigated the extent of the problem and what can act as an antidote. In the process, sys4 identified an effective measure to immunize the DNS against cache poisoning: Limiting DNS responses via the User Datagram Protocol (UDP) to a maximum size of 1232 bytes.
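The 1232-byte limit mentioned above is carried in the EDNS0 OPT pseudo-record (RFC 6891), where the CLASS field holds the UDP payload size a sender is willing to handle. The following is an added example, not code from sys4 or the BSI study: it builds a minimal DNS query advertising a 1232-byte UDP payload and parses the advertised size back out of a message, using only the standard library and a constructed query.

```python
import struct
from typing import Optional

OPT_TYPE = 41                   # EDNS0 OPT pseudo-RR type (RFC 6891)
RECOMMENDED_UDP_PAYLOAD = 1232  # limit recommended in the article above

def build_opt_rr(udp_payload_size: int = RECOMMENDED_UDP_PAYLOAD, do_bit: bool = True) -> bytes:
    """Encode an OPT RR: NAME=root (0x00), TYPE=41, CLASS=UDP payload size,
    TTL=ext-rcode(8)|version(8)|flags(16), RDLENGTH=0 (no options)."""
    ttl = (1 << 15) if do_bit else 0  # DO bit asks for DNSSEC records
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)

def build_query(qname: str, qtype: int = 1,
                udp_payload_size: int = RECOMMENDED_UDP_PAYLOAD, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header, one question, one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname_wire + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return header + question + build_opt_rr(udp_payload_size)

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past an uncompressed name or a 2-byte compression pointer."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def advertised_udp_size(msg: bytes) -> Optional[int]:
    """Return the UDP payload size from the message's OPT RR, or None if it has none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass                        # CLASS doubles as payload size
    return None

if __name__ == "__main__":
    q = build_query("example.com")              # constructed sample query
    print(len(q), "bytes, advertises", advertised_udp_size(q))
```

A resolver or authoritative server that keeps its advertised and enforced UDP size at 1232 bytes forces larger answers onto TCP instead of relying on IP fragmentation, which is the behaviour the measure above relies on.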

Getting the dose right: Gradually dispensing email authentication

Email authentication with SPF, DKIM and DMARC is a powerful tool in the fight against phishing and spammers. Those who opt for this trinity strengthen their reputation and their ability to act on the Internet – as long as its introduction in production is done with the necessary caution.

Those who act too rashly run the risk of inadvertently strangling their company's email communications. Precisely orchestrated staging of SPF, DKIM and DMARC is a necessary condition for success: the policy must be tightened step by step.

This often reveals things that were previously in the shadows – at least from the IT perspective. A classic example is the server on which half-forgotten email forms are still running. Or external mailing lists, used by colleagues in the company, that forward contributions under the original sender addresses. Or the external email marketing platform used by the marketing department without the knowledge of the IT department.

Modern Internet

Peter Eckel
May 6, 2026

NTAS as a tool for mitigating DNSSEC issues

At the DDI roundtable last April, the conversation turned to "Negative Trust Anchors" (NTAs), as described in RFC7646. As the topic took me completely by surprise, I wasn’t able to contribute much at the time, but I resolved to look into it in more detail. Put simply, NTAs are instructions to resolvers to ignore failed DNSSEC validations for queries regarding records from specific DNS zones designated in the NTA, and to respond as if the zone were unsigned rather than returning an …
Patrick Ben Koetter
Apr 22, 2026

Combating Abuse on the Internet in Germany – A Status Report

Abuse encompasses many dimensions, and because abuse always involves the use of violence against a victimized person or organization, it is difficult to speak objectively and calmly about abuse or how to address it — it is simply associated with far too much harm, and the resulting pain evokes feelings of powerlessness, anger, and hatred. In this article, I would like to discuss my work as head of the “Anti-Abuse” expert group at the eco Association. I want to write about what I have learned in …
Michael Schwartzkopff
Feb 6, 2026

StrongSwan VPN with Windows Native Client

If you have a strongSwan VPN server, it is quite easy to connect from hosts that have the strongSwan client installed. This client exists for a wide variety of operating systems and especially for mobile platforms like Android. But sometimes you want to use the native VPN client of the OS. In this blog article I want to describe the setup of the Windows 11 native client when using certificates. The setup is not quite straightforward since authentication methods, certificate attributes and …