6 Ways to Strengthen DNS Security

By Vincent DAngelo
Vincent DAngelo

The domain name system (DNS) grew to prominence during the initial, innocent days of the internet. During that time, early internet users tended to work for government or education organizations where trust was assumed, and security was not even a consideration. Since the online community was small and the internet was sparsely used, the importance of DNS was not widely understood, and as a consequence, left undefended.

Fast-forward to today, and you can see the resulting problems. Recent cyberattacks highlight specific techniques bad actors use to intercept and manipulate a company's legitimate web traffic, harvest information like credentials or email addresses, and perform other malicious activities, such as phishing. In some cases, free digital certificates — that require low validation — were used to increase the credibility of the scams, compounding the issue for brands and customers. Consumers are weary of their personal information being accessible to and stolen by criminals; thus, breaches hurt the reputation and bottom line of companies around the globe. There's also the exploding problem of distributed denial of service (DDoS) attacks, often aimed at DNS to cripple online businesses.

For businesses, the stakes are simple: no functioning DNS means no website or internet presence. If DNS fails, customers attempting to visit a website will simply not reach their destination. Nor will employees be able to send or receive company email. If a company relies on VoIP to make and receive phone calls, access is cut off. If DNS goes down, companies will have to resort to using landlines and mobile devices to reach customers. Below are six ways to help strengthen your DNS security.

1. Mitigate DDoS attacks with multilayered protection

Volumetric DDoS attacks have exploded in size with present-day attacks exceeding 1 Terra bit per second (Tbps). Some of the largest attacks on record were aimed at DNS.

There are numerous types of DDoS attacks that target DNS

DNS amplification is one of many attack methods. In this assault, attackers exploit the vast number of open DNS servers on the internet, which can be used to respond to any and all small look-up queries with a spoofed IP of the target. The target then receives much larger DNS responses that quickly overwhelm its capacity. The goal: block legitimate DNS queries by exhausting network capacity. Another common type of attack is DNS floods, which are directed at the DNS servers hosting specific website(s). These try to drain server-side assets, for instance, memory or central processing unit (CPU), with a barrage of user datagram protocol (UDP) requests, generated by running scripts on compromised botnet machines.

Multiple layers of DDoS protection

To defend against all types of DNS-based attacks, use a solution that comes with multiple layers of DDoS protection. DNS nodes should be equipped with DDoS mitigation equipment to constantly monitor for malformed traffic as well as traffic from suspicious locations in higher than normal volumes. In many cases, mitigation happens locally. If an attack is supersized, malicious traffic should automatically re-route to a mitigation network, a completely separate, purpose-built infrastructure. This limits any potential damage to the target nameserver's IPs. With the impact isolated, a 24/7 security operations team is free to be more aggressive in their countermeasures.

2. Isolate nameservers through segmentation

Throughout the industry, highly scalable DNS has become a cloud-based service with hundreds or thousands of customers — each with numerous domains — clustered on single networks and sharing a nameserver.

This increases the chances you'll feel someone else's pain. If you use a third-party DNS provider, most attacks on their network won't be aimed at you, but at a domain sharing your provider assigned nameserver.

It's smart to isolate the impact of a DDoS attack

Choose a DNS provider that organizes the DNS network into segments, each with a nameserver announcement shared by only a small group of customers. With fewer customers sharing hostnames and IP addresses, you face drastically lower odds of feeling a ripple effect.

Here's an analogy.

Imagine being in a large hall with 10,000 people and one person jumps up, screaming so loudly that nobody can hear the speaker. Now imagine that same scenario, but with just 20 other folks. The impact of the screamer is limited to just the 20. Assuming the screamer is a DDoS attack, when the screamer (attack) starts, the nameserver segmentation, and DDoS mitigation strategy instantly moves the entire room to a soundproof area, removes the well-behaved audience members, and works to muffle the screamer before bringing everyone else back in. You can see how with only 20 people, the screaming affected fewer people who were easier to navigate through that attack.

Be protected whether you or someone else is hit

This approach enables individual nameserver announcements to move from the DNS network to the DDoS mitigation network without significantly delaying query resolutions. Your DNS provider should be able to provide effective, immediate mitigation to those under attack, AND prevent any collateral impact for customers still on the DNS network.

When using cloud-provided DNS services, being on a segmented nameserver announcement is an effective way to protect your DNS traffic.

3. Use a non-open source resolver

DNS resolvers — the servers that respond to domain name requests — ensure that users are routed to the correct sites. The most common software application used to manage DNS is Berkeley Internet Name Domain (BIND). Developed at the University of California at Berkeley in 1983, BIND still accounts for the vast majority of global nameserver implementations. Now fully in the public domain, the source code to BIND is open source, and therefore readily available to be explored and exploited by malicious hackers.

Avoid resolver threats

CSC chose to partner with Neustar because they solved that problem years ago. They developed a proprietary code and asked third-party security auditors to look for vulnerabilities. They found none that attackers could exploit remotely, either to steal restricted privileges or hamper directory resolution.

Besides supporting standard DNS specifications and request for comments (RFCs), they have enhanced their resolvers to extend the DNS capabilities while providing extra redundancy and security. Most legacy DNS server implementations never come close.

4. Deploy DNS security extensions (DNSSEC)

As they help internet users find the sites they need, DNS servers query one another. To speed things up, servers cache results for a specified length of time. If there's a query for the same name before the resource record times out, a server will give the cached answer instead of querying another machine.

DNS cache poisoning enables pharming attacks

While this improves efficiency, it also invites cache poisoning. This occurs when a DNS server, usually compromised by criminals, supplies a false answer to a DNS request. Users wind up on phony sites that ask for personal information or simply activate malware. How can it happen? In many cases, DNS servers don't verify that the responses they receive from other servers relate to the original query. A server will cache bad information and pass it along to others that are DNS clients of the compromised machine.

The key to protection is DNSSEC

DNSSEC is a set of security extensions that authenticate DNS responses. The secret is a series of public and private key combinations to sign information resources. It works by providing a public key that allows the user's resolver to confirm that a DNS answer matches the cryptographic version. All transactions are signed — attackers can't simply spoof the packets.

In more basic terms, DNSSEC secures the DNS process by protecting against cache poisoning, pharming attacks, and other serious threats. Ensure you have this turned on. CSC's Cyber Security Reports show that over the past few years, there is an alarmingly low DNSSEC adoption rate that varies between 0% to 5% among large global companies across different industries.

5. Increase resilience with a private DNS network

As the old security adage goes, you're only as strong as your weakest link. But what if you could improve your strength posture by eliminating the weak links? By reducing the dependency on public internet connections, the private network has essentially cut out the middle — and most dangerous — part of the DNS transaction where the vast majorities of DDoS attacks and DNS cache poisoning attempts take place. Ask if your provider offers this as an additional service.

A private network offers three key benefits:

Lower latency – In some cases, even if the DNS is working flawlessly, other internet connection issues could cause degradation in DNS performance, thus leading to poor user experience. The private network provides an online experience that is both fast and efficient because the DNS traffic avoids general internet networking.

Enhanced security – The current Internet of Things-enhanced DDoS attacks that make the internet inaccessible will soon become a thing of the past. A private network for DNS resolution within provider networks minimizes exterior threats like DDoS attacks and cache poisoning attempts.

Better reliability – In the event of a DDoS attack or significant outage, queries will continue to resolve within the private networks where DNS is deployed. This resiliency ensures a superior internet experience for users looking for websites and other vital online assets.

6. Leverage an intelligent dashboard to identify security blind spots for your vital digital assets

Companies need to be able to identify their business-critical domains and monitor them continually to ensure they're secured with the right protections. Also, since new digital regulations have rolled out, like the General Data Protection Regulation (GDPR), it is imperative to identify threats around vital domains and within the DNS infrastructure on which they sit. This will help:

Download the Best Practices Guide.

Source: "Five Ways Neustar Strengthens DNS Security" by Neustar.

By Vincent DAngelo, Global Director at CSC Digital Brand Services

Related topics: Cybersecurity, DDoS Attack, DNS, DNS Security

Comments

Good Overview Christopher Parente  –  Jan 07, 2020 1:13 PM PST

Liked the overview of protection steps. Nice analogy of heckler in a hall. Don't think you're being totally fair to the latest version of BIND though. Doesn't it incorporate DNSSEC? Outsourcing recursive DNS is one thing, having a proprietary software corner the DNS market seems quite another. Maybe topic for another post.