Ali Sleiman, Technical Director Middle East and Africa at Infoblox, suggests 10 ways to improve DNS security.
The amount of data that the Internet contains is growing at an astronomical pace. A single computer doesn’t hold it all, of course; this much data must be distributed across countless computers all over the world. Even so, with an Internet connection, you can navigate to any file on the Internet as easily as you find a file on your own hard drive. This amazing capability comes from the Domain Name System or DNS. DNS is the tool that your browser uses to quickly find a file that might be stored in a computer anywhere on earth.
DNS is becoming a more common target of network attacks. As one of the oldest and most relied-on protocols of the modern Internet, DNS is the cornerstone of almost all other services and protocols. This makes DNS an appealing target for attackers. And because so much depends on it, stopping attacks can’t be as simple as adding a firewall rule.
10 keys to improving DNS security
- Use dedicated DNS appliances – If you host your own DNS servers, make sure you use the right hardware. You should employ a dedicated DNS hardware appliance or non-open-source DNS software.
- Keep DNS server software up-to-date – As with any other computer application, service, or protocol, new DNS vulnerabilities continuously crop up. Attackers dedicate a lot of time to discovering these weaknesses and figuring out how to exploit them. That’s why keeping your DNS server software updated with the current software versions and security updates is a job that you can never permanently cross off your to-do list. Whether you find a dedicated appliance that applies updates for you or have to apply updates manually, you simply must stay on top of it.
- Have an onsite DNS backup – Even if you outsource your DNS to a managed DNS service provider, you should host your own dedicated backup DNS server. Neither Internet service providers nor managed DNS service providers are impervious to attack. In 2016, DNS service provider Dyn and Internet service provider Deutsche Telekom were both victims of massive DDoS attacks that caused widespread outages. A co-ordinated attack on your vendor isn’t the only reason to have a backup. More commonly, hardware or network failures can cause slow DNS performance or an outage.
- Avoid single points of failure – A single point of failure is a part of your network that, if it stops working, shuts down the entire process. Eliminating single points of failure throughout any system or network is a basic principle of secure, resilient design. One important way to avoid single points of failure is to have multiple Internet links from different ISPs pointing to your websites. By introducing different ISPs, you increase the number of authoritative DNS servers that cache your links and reduce the risk of cache poisoning diverting your visitors.
- Run authoritative DNS servers inside DMZs – If attackers manage to compromise an authoritative DNS server, they can change the DNS data of any domain for which that server is authoritative. The effect can be devastating. These changes quickly replicate across the Internet and, in some cases, take days to fix. Stop these problems before they start by setting up your authoritative DNS servers inside a secure network demilitarised zone (DMZ). The DMZ allows the importing of DNS records only from a secure primary server that is also located inside your DMZ.
- Turn off recursion – As much as possible, you want to control who can ask your authoritative DNS server for information. You can restrict zone transfers to the specific IP addresses of your secondary DNS servers, for example, to prevent attackers from getting hostnames and IP addresses for your network. You can also digitally sign your zone transfer records to prove their authenticity.
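As an added example (not from the article or any Infoblox product), the following Python script audits a BIND-style named.conf for the settings this item describes: recursion left enabled on an authoritative server, zone transfers open to any host, and transfers that are not restricted to a TSIG key. The two configuration fragments, the zone name `example.test` and the key name `xfer-key` are constructed for illustration; the hardened fragment shows the corrected settings beside the weak ones.

```python
import re

# Constructed named.conf fragments for this example (not from the article or any real deployment).
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-transfer { any; };
};
zone "example.test" {
    type master;
    file "db.example.test";
};
"""

HARDENED_CONF = """
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET";
};
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    allow-transfer { none; };
};
zone "example.test" {
    type master;
    file "db.example.test";
    allow-transfer { key xfer-key; };
};
"""


def _blocks(conf, header_re):
    """Yield (header match, body text) for every block whose header matches header_re.
    The pattern must end at the opening brace; nested braces are counted so that
    sub-statements such as allow-transfer { ... } stay inside the body."""
    for m in re.finditer(header_re, conf):
        depth = 0
        for i in range(m.end() - 1, len(conf)):
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
                if depth == 0:
                    yield m, conf[m.end():i]
                    break


def _statement(body, name):
    """Return the value of `name <value>;` in body, e.g. 'yes' or '{ any; }', or None."""
    m = re.search(r"\b" + re.escape(name) + r"\s*(\{[^}]*\}|[^;{]+)\s*;", body)
    return m.group(1).strip() if m else None


def _acl_elements(value):
    """Split an address-match list such as '{ any; key xfer-key; }' into its elements."""
    if value is None:
        return []
    return [e.strip() for e in value.strip("{} \n").split(";") if e.strip()]


def audit_named_conf(conf):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    options = next((body for _, body in _blocks(conf, r"\boptions\s*\{")), "")
    if _statement(options, "recursion") != "no":
        findings.append("options: recursion is not disabled (authoritative servers should set 'recursion no')")

    # TSIG keys still using HMAC-MD5 are flagged when a zone relies on them.
    weak_keys = set()
    for m, body in _blocks(conf, r'\bkey\s+"?([^"\s{]+)"?\s*\{'):
        if (_statement(body, "algorithm") or "").lower() in ("hmac-md5", "hmac-md5.sig-alg.reg.int"):
            weak_keys.add(m.group(1))

    default_xfer = _statement(options, "allow-transfer")
    for m, body in _blocks(conf, r'\bzone\s+"([^"]+)"[^{]*\{'):
        if (_statement(body, "type") or "") not in ("master", "primary"):
            continue  # only zones this server is primary for hand out transfers
        zone = m.group(1)
        xfer = _statement(body, "allow-transfer") or default_xfer  # zone setting overrides options
        elems = _acl_elements(xfer)
        if xfer is None or "any" in elems:
            findings.append(f'zone "{zone}": zone transfers are open to any host')
        if not any(e.startswith("key ") for e in elems):
            findings.append(f'zone "{zone}": zone transfers are not restricted to a TSIG key')
        for e in elems:
            if e.startswith("key ") and e.split()[1].strip('"') in weak_keys:
                findings.append(f'zone "{zone}": TSIG key {e.split()[1]} uses HMAC-MD5')
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_named_conf(conf) or ['no findings']}")
```

The parser is deliberately minimal (no include files, views or comments), so treat it as a quick check rather than a replacement for `named-checkconf`; the point is that each finding maps to one concrete setting you can correct.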
- Use threat intelligence – Threat intelligence is information about your network’s weakest points and the attacks you are most likely to face. You can use this information to make decisions and set priorities about how to protect your company.
- Use response policy zones – A Response Policy Zone (RPZ) allows you to set policies for specific domains.
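The two items above fit together: a threat-intelligence feed supplies the domains, and a Response Policy Zone turns them into resolver policy. As an added example (not from the article or any Infoblox product), the Python below converts a constructed domain feed and a constructed allow-list into RPZ QNAME-trigger rules, renders them as a zone file, and then evaluates queries the way an RPZ-aware resolver would (exact match first, then the closest enclosing wildcard). The feed contents, the zone name `rpz.local` and the allow-listed domain are illustrative only, not real indicators.

```python
# RPZ CNAME targets and the policy action each one encodes.
ACTION_NXDOMAIN = "."             # answer NXDOMAIN
ACTION_NODATA = "*."              # answer NODATA
ACTION_PASSTHRU = "rpz-passthru."  # explicitly exempt from policy
ACTION_DROP = "rpz-drop."          # silently drop the query

# Constructed threat-intelligence feed for this example (not a real IoC list): domain,category
THREAT_FEED = """\
# domain,category
malware-c2.example,c2
phish-login.example,phishing
exfil-tunnel.example,dns-tunnel
"""
# Constructed allow-list: internal names that must never be blocked by a feed mistake.
ALLOW_LIST = ["intranet.corp.example"]


def build_rpz_rules(feed_text, allow_list):
    """Turn a domain feed into RPZ QNAME rules, {owner name: CNAME target}.
    Allow-list entries are added first so a feed entry cannot override them."""
    rules = {}
    for name in allow_list:
        name = name.lower().rstrip(".")
        rules[name] = ACTION_PASSTHRU
        rules["*." + name] = ACTION_PASSTHRU
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, category = line.split(",", 1)
        domain = domain.lower().rstrip(".")
        # Tunnelling domains are dropped outright; everything else gets NXDOMAIN.
        target = ACTION_DROP if category.strip() == "dns-tunnel" else ACTION_NXDOMAIN
        rules.setdefault(domain, target)
        rules.setdefault("*." + domain, target)   # cover subdomains too
    return rules


def render_rpz_zone(rules, origin="rpz.local", serial=1):
    """Render the rules as a zone file a resolver could load as a response-policy zone."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ SOA ns1.{origin}. hostmaster.{origin}. {serial} 3600 900 604800 300",
        f"@ NS ns1.{origin}.",
    ]
    for owner in sorted(rules):
        lines.append(f"{owner} CNAME {rules[owner]}")
    return "\n".join(lines) + "\n"


def rpz_lookup(rules, qname):
    """Policy action for a query name: 'nxdomain', 'nodata', 'passthru', 'drop',
    'local-data' for any other target, or None when no rule matches."""
    name = qname.lower().rstrip(".")
    target = rules.get(name)                      # exact QNAME rule wins
    if target is None:
        labels = name.split(".")
        for i in range(1, len(labels)):           # then the closest enclosing wildcard
            target = rules.get("*." + ".".join(labels[i:]))
            if target is not None:
                break
    if target is None:
        return None
    return {
        ACTION_NXDOMAIN: "nxdomain",
        ACTION_NODATA: "nodata",
        ACTION_PASSTHRU: "passthru",
        ACTION_DROP: "drop",
    }.get(target, "local-data")


if __name__ == "__main__":
    rules = build_rpz_rules(THREAT_FEED, ALLOW_LIST)
    print(render_rpz_zone(rules))
    for q in ("cdn.malware-c2.example", "beacon.exfil-tunnel.example",
              "www.intranet.corp.example", "www.example.org"):
        print(f"{q:32} -> {rpz_lookup(rules, q)}")
```

Rebuilding the zone from the feed on a schedule and bumping the SOA serial is what keeps the policy current; the allow-list-first ordering is the safeguard against a bad feed entry taking an internal name offline.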
- Use IPAM – As your network grows, even keeping visibility into everything becomes a challenge. With an enterprise-grade IP Address Management (IPAM) solution, you can consolidate information about your core network infrastructure into one comprehensive and authoritative database. This solution lets you see your entire network topology.
- Automate security tasks whenever possible – Tasks that you can automate with DNS security software include many common scenarios:
  - When your DNS security solution detects DNS-based data exfiltration or malware from an infected host, it should notify an endpoint security solution to clean the infected endpoint.
  - When a new device joins the network, your DNS security solution should trigger a vulnerability scan.
  - Until the vulnerability scan completes and any problems are remediated, your DNS security solution should trigger a network access control (NAC) solution to keep the endpoint off the network until it is compliant.
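The three scenarios above are one workflow with state: a device stays quarantined until a scan comes back clean, remediation triggers a rescan rather than an immediate release, and an exfiltration alert sends an already-admitted device back to quarantine. As an added example (not from the article or any Infoblox product), the Python below models that orchestration over a constructed stream of JSON-lines events. The event names, field names, MAC addresses and the NAC policy names `quarantine` and `production` are assumptions for illustration; the outbound calls to the NAC, scanner and endpoint tools are recorded in a list rather than sent anywhere.

```python
import json

QUARANTINE_VLAN = "quarantine"   # constructed NAC policy names
PRODUCTION_VLAN = "production"

# Constructed event stream in the shape a DNS security solution might emit (not real product output).
EVENTS = """\
{"type": "device_joined", "mac": "00:11:22:33:44:55", "ip": "192.0.2.10"}
{"type": "scan_result", "mac": "00:11:22:33:44:55", "findings": 0}
{"type": "device_joined", "mac": "66:77:88:99:aa:bb", "ip": "192.0.2.11"}
{"type": "scan_result", "mac": "66:77:88:99:aa:bb", "findings": 2}
{"type": "remediated", "mac": "66:77:88:99:aa:bb"}
{"type": "dns_exfiltration", "mac": "00:11:22:33:44:55", "qname": "a2b4c6d8e0f1g3h5.exfil-tunnel.example", "bytes": 40960}
"""


class Orchestrator:
    """Turns DNS security events into NAC, scanner and endpoint actions."""

    def __init__(self):
        self.device_state = {}   # mac -> scanning | compliant | noncompliant | infected
        self.actions = []        # (system, action, mac) that would be sent to each tool

    def _send(self, system, action, mac):
        # Stand-in for the real integration call (REST hook, syslog, ticket, ...).
        self.actions.append((system, action, mac))

    def handle(self, event):
        mac, kind = event["mac"], event["type"]
        if kind == "device_joined":
            # New device: hold it in quarantine and start a vulnerability scan.
            self.device_state[mac] = "scanning"
            self._send("nac", f"assign:{QUARANTINE_VLAN}", mac)
            self._send("scanner", "scan", mac)
        elif kind == "scan_result":
            if event["findings"] == 0:
                self.device_state[mac] = "compliant"
                self._send("nac", f"assign:{PRODUCTION_VLAN}", mac)
            else:
                # Stay quarantined and hand the findings to whoever remediates.
                self.device_state[mac] = "noncompliant"
                self._send("ticketing", "remediate", mac)
        elif kind == "remediated":
            # Remediation is not proof of compliance: rescan before releasing.
            self.device_state[mac] = "scanning"
            self._send("scanner", "scan", mac)
        elif kind in ("dns_exfiltration", "malware_dns"):
            # Infected host: isolate it and ask the endpoint tool to clean it.
            self.device_state[mac] = "infected"
            self._send("nac", f"assign:{QUARANTINE_VLAN}", mac)
            self._send("edr", "clean", mac)
        else:
            self._send("soc", f"unhandled:{kind}", mac)

    def admitted(self, mac):
        """True only when the most recent NAC decision for mac was the production VLAN."""
        last = [a for s, a, m in self.actions if s == "nac" and m == mac]
        return bool(last) and last[-1] == f"assign:{PRODUCTION_VLAN}"


def run(events_text):
    """Replay a JSON-lines event stream through a fresh Orchestrator and return it."""
    orch = Orchestrator()
    for line in events_text.splitlines():
        if line.strip():
            orch.handle(json.loads(line))
    return orch


if __name__ == "__main__":
    orch = run(EVENTS)
    for system, action, mac in orch.actions:
        print(f"{system:9} {action:20} {mac}")
    print(orch.device_state)
```

The `admitted` check is the property worth testing in any real integration: no sequence of events should leave a device on the production network while its state is anything other than compliant.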