Most people, even seasoned IT professionals, don't give DNS (the Domain Name System) the attention it deserves. As TCP/IP has become the dominant networking protocol, so has the use of DNS. Most organizations use DNS to not only direct customers to their website, but to conduct almost every aspect of their day-to-day business operations. DNS is the hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It converts the hard to remember numerical IPv4 & IPv6 device addresses into easy to understand names (e.g. mail.domain.com). On private networks it can be used to address even the most mundane things like printers and servers. On the Internet, we use it to address websites (A records), VoIP phone calls (SRV records), email servers (MX records), and a myriad of other critical services. Advanced organizations even use DNS to load balance, failover, and geographically redirect connections. DNS has become so pervasive it is hard to identify a modern TCP/IP connection that does not use DNS in some way.
Due to the reliability built into the fundamental RFC-based design of DNS, most IT professionals don't spend much time worrying about it. This can be a huge mistake! If your DNS is maliciously attacked — altering the addresses it gives out or taken offline, your business is not only stopped in its tracks, but your brand can be damaged for years to come. End users seldom take the time to understand the security issues — they simply go to your competitor. Whether conducted for political motives, financial gain, or just the notoriety of the attacker, the damage from a DNS attack can be devastating for the target business.
The Most Common Security Issues For DNS:
Unauthorized Authoritative DNS Record Changes – Changes to authoritative DNS records which point end users to computer systems outside of your control can have the most damage to your business's brand. This type of attack is typically done to either send users to a site which provides a negative marketing message, or to a location mirroring your site where account credentials can be harvested. This attack is particularly devastating because users are typically unaware anything untoward has happened.
Denial of Service Attacks – Denial of Service (DoS) or Distributed Denial of Service Attacks (DDoS) are done to make your DNS service unavailable and thus create the impression your business is offline or closed down (website, portals, VPNs, FTP, VoIP, email, etc.). This type of attack is one of the easiest to perform and can be one of the hardest to defend against. One of the least recognized impacts to a business that suffers a DNS outage from a DDoS attack is the negative effect it has on your search engine rankings.
Recursive DNS Spoofing/Cache Poisoning – Outside of a business's control, the Recursive DNS server an end user utilizes is typically set by the user's network administrator. Recursive DNS servers communicate the Authoritative DNS records a business sets to an end user's device. Unfortunately, many Recursive DNS servers are not well maintained or protected and can be easily compromised to give out false responses. This has the same down stream effect of an Unauthorized Authoritative DNS record change.
Security Best Practices for DNS:
Registrar Lock Your Domain Names – One of the simplest protections you can do is lock all of your domain names at your registrar.
Outsource Your DNS Services – In today's world it is typically unrealistic to maintain your own DNS name servers in a way that both protects them from attacks and maintains global performance, and it is naive to use the free DNS services of a domain registrar. Cloud based managed service providers are your best bet for both Authoritative & Recursive DNS. Neustar (UltraDNS), DynDNS, Verisign, Amazon (Route 53), and Community DNS (European focused) are some of the top IP Anycasted Authoritative DNS providers to consider. OpenDNS, Neustar (UltraDNS), DynDNS & Google are the top Recursive DNS providers to consider. The investment in a cloud based DNS provider will protect your business from many of the common attacks, and free you from having to manage the devices yourself.
Utilize Strong Access Controls – As with any critical IT infrastructure, only allow users access to DNS administration for what they need to manage, lock down access to these critical accounts to known IP ranges, utilize strong password controls, and whenever possible use two factor authentication.
Activate DNSSEC On Your Domain Names – DNSSEC counters cache poisoning attacks by verifying the authenticity of responses received from name servers. It effectively prevents responses from being tampered with, because in practice, signatures are almost impossible to forge without access to the private keys. If your DNS provider is not DNSSEC capable… make a switch.
Continuously Monitor Your Critical Services & DNS Records – Utilize an advanced SIEM like the one available from Savanture to monitor all of your critical services and monitor your DNS records for changes from outside your network. UltraTools.com provides a free DNS monitoring service that many top organizations use. Additionally, monitoring the activity level on your services can show when traffic suddenly gets directed away.
Promote The Use of Protected Recursive DNS Servers – If you are not already using one of the top Recursive DNS providers listed above for your business's network, make the switch now. Many times there is no cost to this, only a configuration change. After you select a provider, promote it to your end users, inside & outside of your business.
Protect Your DNS Service Against DDoS Attacks – If you aren't using one of the top Authoritative DNS providers listed above that also provides DDoS protection for your DNS service, add it. For your other public facing services that require DDoS protection, lower your DNS Time to Live (TTLs) settings to 300 (5min) so you can redirect traffic quickly if you come under attack and need protection.
By Rick Rumbarger, Technology Executive
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Afilias - Mobile & Web Services
.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»