May 7, 2026

DNS Africa Resource Center

..sharing knowledge.

Ways to solve DNS security issues in your organization – TechTarget

There are many ways organizations can reduce DNS security issues and improve the safety of this vital service. DNSSEC is a great way to help ensure that tampering with DNS responses is detected before clients are sent to the wrong destinations.
Additional security practices are needed to adequately secure DNS, and these are outlined and explained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-81-2, “Secure Domain Name System (DNS) Deployment Guide.” SP 800-81-2 identifies three groups of security concerns: the DNS hosting environment, the DNS transactions themselves and the security administration of the DNS and DNS Security Extensions (DNSSEC) implementations. Let’s take a closer look at each of these groups and what you can do to address the concerns.
The DNS hosting environment encompasses all the components of the servers, from their operating systems and applications to the DNS data they store, access and manipulate. Securing hosting environments is generally straightforward. It includes hardening the operating systems and applications, configuring access controls so only the necessary activities are permitted for authorized users and properly maintaining the environment through patching, reconfiguring, monitoring, auditing and more.
DNS data is stored on DNS servers in a zone file. Protecting the integrity of the zone file is incredibly important. NIST SP 800-81-2 recommends using a tool called a zone-file integrity checker. This tool should be run frequently on the zone file to make sure it doesn’t contain any records with unusual values. The tool must be configured with what the acceptable and unacceptable values are for various record fields, which may vary from one organization to another.
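A minimal sketch of such a checker, added here as an illustration and not taken from NIST SP 800-81-2 or any particular tool. The zone records and the policy values (permitted record types, TTL range, address range, target suffix) are constructed assumptions that each organization would replace with its own.

```python
import ipaddress

# Constructed sample records (name, TTL, class, type, rdata); not a real zone.
SAMPLE_ZONE = """\
www.example.com.   3600  IN A     192.0.2.10
mail.example.com.  3600  IN A     203.0.113.77
example.com.       3600  IN MX    10 mail.example.com.
old.example.com.   30    IN A     192.0.2.20
info.example.com.  3600  IN HINFO "x86" "Linux"
ftp.example.com.   3600  IN CNAME files.example.net.
"""

# Hypothetical site policy: acceptable values differ between organizations.
POLICY = {
    "allowed_types": {"A", "AAAA", "MX", "NS", "SOA", "CNAME", "TXT"},
    "ttl_range": (300, 86400),                       # seconds
    "allowed_nets": [ipaddress.ip_network("192.0.2.0/24")],
    "allowed_target_suffixes": (".example.com.",),   # for CNAME/MX/NS targets
}

def check_zone(text, policy):
    """Return (line number, owner name, problem) for each policy violation.

    Simplification: expects one fully written record per line, no $ORIGIN,
    $TTL or multi-line records, and no ';' inside quoted strings.
    """
    findings = []
    lo, hi = policy["ttl_range"]
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split(";", 1)[0].strip()         # drop trailing comments
        if not line:
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        if rtype not in policy["allowed_types"]:
            findings.append((lineno, name, f"record type {rtype} not permitted"))
            continue
        if not lo <= int(ttl) <= hi:
            findings.append((lineno, name, f"TTL {ttl} outside {lo}-{hi}"))
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if not any(addr in net for net in policy["allowed_nets"]):
                findings.append((lineno, name, f"address {addr} outside allowed ranges"))
        elif rtype in ("CNAME", "MX", "NS"):
            target = rdata.split()[-1].lower()       # MX rdata is "pref target"
            if not target.endswith(policy["allowed_target_suffixes"]):
                findings.append((lineno, name, f"target {target} outside the organization"))
    return findings

if __name__ == "__main__":
    for finding in check_zone(SAMPLE_ZONE, POLICY):
        print(*finding, sep=": ")
```

Run on a schedule and after every zone change, a non-empty result is the signal to investigate before the zone is served.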
DNS transactions include DNS queries and responses as well as several types of record management actions. DNSSEC is the primary mechanism for protecting DNS query and response integrity. However, DNSSEC does not protect other types of DNS transactions.
One of the transaction types needing protection is zone transfers. A zone transfer is when the contents of a DNS zone file are duplicated on another server. Zone transfers should be restricted so that only authorized parties can initiate them. NIST SP 800-81-2 details several methods for doing this, including using transaction signatures, public key cryptography and network layer security (e.g., a VPN).
Another transaction type of concern is dynamic updates. In a dynamic update, a DNS client informs a DNS server of changes it should make to its zone file. As with zone transfers, dynamic updates should only be allowed from authorized parties, and risk can be mitigated through transaction signatures, public key cryptography and VPNs.
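The shared-secret idea behind transaction signatures, applied to both zone transfers and dynamic updates, as an added illustration that is not from the original article. It is a simplified model and not the actual DNS wire format; the key names, secrets, grant table and 300-second window are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo keys, indexed by key name (real keys are random and stored securely).
KEYS = {"xfer-secondary1": b"constructed-demo-secret-1",
        "ddns-dhcp1": b"constructed-demo-secret-2"}
# Hypothetical policy: which key may perform which operation on which zone.
GRANTS = {("xfer-secondary1", "AXFR", "example.com."),
          ("ddns-dhcp1", "UPDATE", "example.com.")}
FUDGE = 300  # seconds of clock skew tolerated, which limits replay of old requests

def sign(key_name, op, zone, signed_at, keys=KEYS):
    """Compute the HMAC-SHA256 a requester attaches to its request."""
    msg = f"{key_name}|{op}|{zone}|{signed_at}".encode()
    return hmac.new(keys[key_name], msg, hashlib.sha256).hexdigest()

def authorize(req, now, keys=KEYS, grants=GRANTS):
    """Server-side decision for a zone transfer (AXFR) or dynamic update."""
    key_name = req.get("key_name")
    if key_name not in keys or "mac" not in req:
        return "REFUSED: unsigned request or unknown key"
    expected = sign(key_name, req["op"], req["zone"], req["signed_at"], keys)
    if not hmac.compare_digest(expected, req["mac"]):   # constant-time compare
        return "REFUSED: bad signature"
    if abs(now - req["signed_at"]) > FUDGE:
        return "REFUSED: timestamp outside window"
    # Authentication succeeded; authorization is a separate, per-operation check.
    if (key_name, req["op"], req["zone"]) not in grants:
        return "REFUSED: key not granted this operation"
    return "OK"

def make_request(key_name, op, zone, signed_at):
    """Build a signed request as an authorized party would."""
    return {"key_name": key_name, "op": op, "zone": zone,
            "signed_at": signed_at, "mac": sign(key_name, op, zone, signed_at)}

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    print(authorize(make_request("xfer-secondary1", "AXFR", "example.com.", now), now))
    print(authorize({"op": "AXFR", "zone": "example.com."}, now))
    print(authorize(make_request("xfer-secondary1", "UPDATE", "example.com.", now), now))
```

The last call shows why a valid signature alone is not enough: the transfer key authenticates correctly but is still refused for a dynamic update it was never granted.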
Security administration is the third area where DNS security issues can be reduced. It covers which cryptographic algorithms are used and how the cryptographic keys used for DNS are managed throughout their lifecycles. The vast majority of the security administration recommendations found in NIST SP 800-81-2 involve key management for DNSSEC. Organizations should have robust key management policies and processes in place before deploying DNSSEC so that they are prepared for any key management needs.
For example, if an incident involving DNS security issues related to a server occurs, an organization may need to perform key rollovers immediately. If these rollovers are not performed correctly and quickly, attackers might be able to take advantage of the situation, or DNS operations might be disrupted, causing organizational IT resources to be temporarily unavailable. Organizations should plan for the worst possible DNS security issues so that they’re ready to respond if a problem occurs.
All Rights Reserved, Copyright 2000 – 2023, TechTarget