DNS is the backbone of the internet, but it’s under constant threat. Learn how to protect it.
Michael Smith of Vercara delves into DNS’s critical role as foundational internet infrastructure and outlines essential steps to secure it against escalating cyber threats.
DNS is often referred to as the “address book of the Internet.” While this comparison is incredibly common, it underestimates the complex nature of DNS. At its most basic level, DNS is as easy as adding resource records to a zone—be it a top-level domain, second-level domain, or subdomain—and publishing them on authoritative servers that guide users to websites or other services. Those with limited experience writing websites can build a basic zone from their bedroom.
However, there is a stark difference between running a personal DNS zone and running a zone for millions of concurrent users. DNS’s functionality and uses have significantly evolved from its initial design in Request for Comments (RFCs) 1034 and 1035, primarily to map human-readable domains to Internet Protocol (IP) addresses.
DNS has expanded to incorporate many functions, each with an increase in complexity of DNS zones and dependency on DNS availability:
This complexity and dependency cause many issues. Every time we add a use for DNS, it underscores a cold, hard fact: DNS is critical infrastructure that makes the Internet work. Critical infrastructure is a dependency chain. For instance, the government depends on the banking system for sending and receiving payments, which depends on telecommunications to signal the payments and on DNS to route the money transfers to the right server. Cybercriminals know this – which is why they attack DNS.
Last year, the Forum of Incident Response and Security Teams (FIRST) DNS Special Interest Group (SIG) published a DNS Abuse Techniques Matrix. Inside it, they list 21 different attacks or abuses of DNS ranging from cache poisoning to Domain Generation Algorithms and registration of subdomains on public DNS domains like DuckDNS.
The problem is also not limited to point vulnerabilities. We have been dealing with issues around queries for non-existent names against our authoritative servers, which in the DNS world produce what we call NXDOMAIN responses. At best, it is Internet blight and mildly annoying. At worst, it causes performance and availability issues like a small-scale Denial of Service attack.
To safeguard DNS like we would traditional critical infrastructure, consider the following best practices and steps:
While “one is none and two is one” is an often-quoted saying about server redundancy, when it comes to DNS, the saying should be “five is none, and six is one.” Most zones, especially top-level domains, need redundancy across servers, data centers, networks, service providers, regions, and the planet.
Mitigation platforms and a Security Operations Center can counter DDoS attacks targeting authoritative DNS servers. Additionally, custom filters can block large volumes of standards-compliant queries caused by DNS water-torture attacks.
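The NXDOMAIN blight and the water-torture attacks mentioned above share a signature: one client produces a high share of NXDOMAIN answers, each for a different, never-repeated left-most label under the zone. The following detection example is added here and is not code from the article or from Vercara; the log format, the sample lines, and the thresholds are assumptions, and a typo client and a misconfigured client are deliberately kept out of the result.

```python
from collections import defaultdict

# Constructed sample of authoritative-server query log lines (not real traffic).
# Assumed format: "<timestamp> <client_ip> <qname> <qtype> <rcode>".
SAMPLE_LOG = """\
2024-06-21T10:00:00Z 198.51.100.7 www.example.com. A NOERROR
2024-06-21T10:00:00Z 198.51.100.7 mail.example.com. MX NOERROR
2024-06-21T10:00:01Z 203.0.113.5 x7q2pz9k.example.com. A NXDOMAIN
2024-06-21T10:00:01Z 203.0.113.5 b3n8vw1t.example.com. A NXDOMAIN
2024-06-21T10:00:01Z 203.0.113.5 q9ks02mc.example.com. A NXDOMAIN
2024-06-21T10:00:02Z 203.0.113.5 z1a4rr8p.example.com. A NXDOMAIN
2024-06-21T10:00:02Z 203.0.113.5 lm73dxo0.example.com. A NXDOMAIN
2024-06-21T10:00:02Z 203.0.113.5 www.example.com. A NOERROR
2024-06-21T10:00:03Z 192.0.2.44 typo.example.com. A NXDOMAIN
2024-06-21T10:00:03Z 192.0.2.44 www.example.com. A NOERROR
"""


def parse_log(log_text):
    """Yield (client_ip, qname, rcode) for each well-formed line; skip anything else."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _, client, qname, _, rcode = fields
        yield client, qname.lower().rstrip("."), rcode.upper()


def client_stats(log_text):
    """Per-client counters: total queries, NXDOMAIN answers, distinct NXDOMAIN left-most labels."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "nx_labels": set()})
    for client, qname, rcode in parse_log(log_text):
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["nx_labels"].add(qname.split(".")[0])
    return stats


def water_torture_suspects(log_text, min_nxdomain=5, min_nx_ratio=0.8, min_unique_ratio=0.9):
    """Return sorted client IPs whose NXDOMAIN volume, ratio and label churn all exceed the thresholds.

    A client with a single typo (192.0.2.44 in the sample) fails the volume test; a client that
    keeps asking for the same missing name fails the uniqueness test (a misconfiguration, not an
    attack). Thresholds are assumptions to be tuned against the zone's normal traffic.
    """
    suspects = []
    for client, s in client_stats(log_text).items():
        if s["nxdomain"] < min_nxdomain:
            continue
        nx_ratio = s["nxdomain"] / s["total"]
        unique_ratio = len(s["nx_labels"]) / s["nxdomain"]
        if nx_ratio >= min_nx_ratio and unique_ratio >= min_unique_ratio:
            suspects.append(client)
    return sorted(suspects)


if __name__ == "__main__":
    for ip in water_torture_suspects(SAMPLE_LOG):
        print(f"rate-limit or filter candidate: {ip}")
```

The output is a candidate list for the custom filters or rate limits the text describes, not an automatic block: in real traffic the same pattern is also produced by large recursive resolvers forwarding other people's garbage, so the source should be weighed against known-resolver lists before filtering.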
Many of the abuses in the FIRST Abuse Matrix, such as amplification attacks and subdomains vulnerable to hijacking, can be detected in an automated fashion. Vulnerability scanning services and some of the free scanning data provided by Shadowserver can help you identify these vulnerabilities and misconfigurations in your internet-accessible DNS servers.
One way to address the potential vulnerabilities in DNS is by implementing DNSSEC on both the authoritative and recursive servers. This protocol adds an extra layer of security to the DNS by digitally signing records so that resolvers can verify their authenticity. By using DNSSEC, users can be assured that their responses from the DNS are legitimate and have not been tampered with.
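The chain of trust that makes those signatures verifiable runs through the DS record: the parent zone publishes a digest of the child's key-signing key, and a stale DS after a key rollover turns the whole zone into SERVFAIL for validating resolvers. The example below is added here (not code from the article or from Vercara) and computes the key tag and DS digest from a DNSKEY as specified in RFC 4034, then checks a published DS against the child's key. The DNSKEY values are a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 §6.2): lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA (RFC 4034 §2.1): 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B) for every algorithm except the obsolete RSA/MD5 (algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types SHA-256 and SHA-384


def ds_from_dnskey(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Compute the DS record (key tag, algorithm, digest type, hex digest) the parent zone should publish.

    The digest covers the canonical owner name followed by the DNSKEY RDATA (RFC 4034 §5.1.4).
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(public_key_b64))
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(published_ds, owner, flags, protocol, algorithm, public_key_b64):
    """Operational check: does the DS at the parent still point at this KSK?

    A mismatch after a key rollover or a registrar change means validating resolvers
    will answer SERVFAIL for every name in the zone until the parent DS is corrected.
    """
    tag, alg, digest_type, digest = published_ds
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, public_key_b64, digest_type)
    return (tag, alg, digest_type, digest.upper()) == expected


# Constructed placeholder KSK for example.com.: flags 257 (KSK/SEP bit set), protocol 3,
# algorithm 13 (ECDSA P-256). The 4-byte key "AQIDBA==" is NOT a valid P-256 key (real ones
# are 64 bytes); it only keeps the key-tag arithmetic easy to follow by hand.
EXAMPLE_KSK = ("example.com.", 257, 3, 13, "AQIDBA==")

if __name__ == "__main__":
    ds = ds_from_dnskey(*EXAMPLE_KSK)
    print("example.com. IN DS %d %d %d %s" % ds)
    print("parent DS matches child KSK:", ds_matches_dnskey(ds, *EXAMPLE_KSK))
```

Running the same computation against the DNSKEY actually served by the authoritative servers and the DS actually served by the parent, on a schedule, is the cheapest monitor for a broken chain of trust; it catches the rollover and registrar mistakes before resolvers do.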
Protective DNS, which operates as a cloud-delivered filtering resolver, can block a large category of DNS abuses that rely on DNS queries to function, such as phishing and malware. It incorporates threat intelligence feeds and big data techniques to correlate suspicious domains with previously detected malicious domains, protecting endpoints such as laptops, desktops, mobile devices, and internet-connected devices.
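The policy step inside such a filtering resolver is simple to state but easy to get wrong: a blocked domain must also cover every name beneath it, a name that merely ends in the same characters must not match, and a vetted exception under a blocked parent must win. The example below is added here (not code from the article or from Vercara) and shows that label-boundary matching with most-specific-rule precedence; the blocklist and allowlist contents are constructed.

```python
# Constructed threat-intelligence feed and exception list (not a real feed).
BLOCKLIST = {"malware.example", "phish.example.net", "tracker.ads.example"}
ALLOWLIST = {"cdn.malware.example"}  # a vetted exception beneath a blocked parent


def normalize(qname):
    """Lowercase, strip the trailing dot, and drop any empty labels."""
    return ".".join(label for label in qname.lower().split(".") if label)


def parent_names(qname):
    """Yield the name and each of its parents, longest first: a.b.example -> a.b.example, b.example, example."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def policy_decision(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Decide what the filtering resolver does with a query: (action, matched_rule).

    Matching walks label boundaries, so 'notmalware.example' does not match 'malware.example'
    (a plain substring check would wrongly block it) while 'x.malware.example' does. The most
    specific rule wins, so an allowlisted child of a blocked parent passes through.
    """
    for candidate in parent_names(qname):
        if candidate in allowlist:
            return ("PASSTHRU", candidate)
        if candidate in blocklist:
            return ("NXDOMAIN", candidate)
    return ("PASSTHRU", None)


def filter_queries(qnames, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Apply the policy to a batch of queried names; returns [(qname, action, matched_rule), ...]."""
    return [(q,) + policy_decision(q, blocklist, allowlist) for q in qnames]


if __name__ == "__main__":
    sample = ["www.example.com.", "login.phish.example.net.", "notmalware.example",
              "cdn.malware.example", "MALWARE.EXAMPLE."]
    for qname, action, rule in filter_queries(sample):
        print(f"{qname:28} {action:9} rule={rule}")
```

Returning NXDOMAIN is one of several possible block actions; many deployments instead answer with a sinkhole address so that the blocked connection attempt itself can be logged and investigated.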
Many organizations use the same domain for public-facing and internal resources, such as Microsoft Active Directory. To separate internal use from public resources and limit the impact of an incident spreading across trust zones, use a separate domain or subdomain.
The more complex a DNS zone becomes and the higher the volume of changes to that zone, the more you need to depend on change controls, the ability to monitor and predict changes, and the ability to fix errors introduced with a change.
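Change control for a zone can be partly automated as a pre-flight check that runs before a change is pushed to the authoritative servers. The example below is added here (not code from the article or from Vercara) and ties the redundancy rule above to the change-control point just made: it compares the old and new zone listings, insists that the SOA serial advances (in RFC 1982 serial arithmetic, so secondaries actually pick the change up), that the apex keeps at least a policy-defined number of NS records spread over a minimum number of networks, and reports every record the change removes. The zone text, the name-server addresses, and the thresholds are constructed assumptions.

```python
import ipaddress

# Constructed zone listings before and after a change (documentation names and addresses only).
OLD_ZONE = """\
example.com. 3600 IN SOA ns1.example.net. hostmaster.example.com. 2024062101 7200 3600 1209600 300
example.com. 3600 IN NS ns1.example.net.
example.com. 3600 IN NS ns2.example.net.
example.com. 3600 IN NS ns3.example.net.
example.com. 3600 IN NS ns4.example.net.
example.com. 3600 IN NS ns5.example.net.
example.com. 3600 IN NS ns6.example.net.
www.example.com. 300 IN A 192.0.2.80
mail.example.com. 300 IN MX 10 mx.example.com.
"""
# A bad change: serial not bumped, one name server dropped, www re-pointed.
BAD_NEW_ZONE = (OLD_ZONE.replace("example.com. 3600 IN NS ns6.example.net.\n", "")
                        .replace("192.0.2.80", "192.0.2.81"))
# A good change: identical records, serial advanced.
GOOD_NEW_ZONE = OLD_ZONE.replace("2024062101", "2024062102")

# Constructed name-server addresses; in practice these are resolved out of band.
NS_ADDRESSES = {
    "ns1.example.net.": "192.0.2.1", "ns2.example.net.": "192.0.2.2",
    "ns3.example.net.": "198.51.100.1", "ns4.example.net.": "203.0.113.1",
    "ns5.example.net.": "2001:db8:1::1", "ns6.example.net.": "2001:db8:2::1",
}


def parse_zone(text):
    """Parse a minimal, already-expanded listing: '<owner> <ttl> IN <type> <rdata>' per line.

    Comments (';') and blank lines are skipped; $ORIGIN, $TTL and parentheses are not supported.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        records.append((owner.lower(), int(ttl), rtype.upper(), " ".join(rdata).lower()))
    return records


def soa(records):
    """Return (apex owner, serial) from the zone's SOA record."""
    for owner, _, rtype, rdata in records:
        if rtype == "SOA":
            return owner, int(rdata.split()[2])
    raise ValueError("zone has no SOA record")


def serial_increased(old, new):
    """RFC 1982 serial arithmetic: 'new' is newer if it lies within the next 2^31 values, wrapping at 2^32."""
    return 0 < (new - old) % 2**32 < 2**31


def network_of(ip):
    """Aggregate an address to a routing-sized block: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_interface(f"{ip}/{prefix}").network


def review_change(old_text, new_text, ns_addresses, min_ns=6, min_networks=3):
    """Pre-flight a zone change: {'errors': [...], 'removed': [...]}; empty 'errors' means it may proceed.

    min_ns=6 echoes the 'six is one' rule; both thresholds are policy choices, not protocol limits.
    """
    old, new = parse_zone(old_text), parse_zone(new_text)
    errors = []
    (apex, old_serial), (_, new_serial) = soa(old), soa(new)
    if not serial_increased(old_serial, new_serial):
        errors.append(f"SOA serial {new_serial} does not advance past {old_serial}; secondaries will ignore the change")
    nameservers = sorted(rdata for owner, _, rtype, rdata in new if owner == apex and rtype == "NS")
    if len(nameservers) < min_ns:
        errors.append(f"only {len(nameservers)} NS records at {apex}; policy requires {min_ns}")
    networks = {network_of(ns_addresses[ns]) for ns in nameservers if ns in ns_addresses}
    if len(networks) < min_networks:
        errors.append(f"name servers span only {len(networks)} networks; policy requires {min_networks}")
    removed = sorted(r for r in set(old) - set(new) if r[2] != "SOA")
    return {"errors": errors, "removed": [f"{o} {t} {d}" for o, _, t, d in removed]}


if __name__ == "__main__":
    for label, candidate in (("bad", BAD_NEW_ZONE), ("good", GOOD_NEW_ZONE)):
        print(label, review_change(OLD_ZONE, candidate, NS_ADDRESSES))
```

The removed-record list is deliberately informational rather than an error: deletions are often the intended change, but a reviewer should see every one of them before approving, since a dropped record is the error that is hardest to notice from monitoring alone.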
Given its pivotal role in the foundational infrastructure of the internet, ensuring the resilience and security of the DNS is paramount for maintaining a trustworthy online presence. Treating DNS with the seriousness it deserves as critical infrastructure and adhering to a basic set of preventative controls shields your infrastructure and other services and safeguards your devices and users from potential harm.
Michael Smith, Field CTO, Vercara
© Copyright 2006 – 2024 Spiceworks Inc.