DNS, the Domain Name System, is the protocol that converts fully qualified domain names (FQDNs) such as www.google.com into the IP addresses computers use to communicate with each other. Without working DNS, it would be almost impossible for internet-connected devices to find and talk to each other, and organizations would have no cyber-presence. In short, the internet as we know it would not exist without a robust DNS infrastructure.
Given that DNS servers are mission-critical infrastructure, it is crucial that they continue to respond to queries even when they are under attack. When designing a DNS infrastructure, it is important to build an environment that is not only sufficient for current needs, but also provides room for future growth. In addition, while architecting the DNS, it is also important to understand the security threats the DNS might be vulnerable to.
Securing the DNS platform against hacking
Hacking of DNS servers is becoming more prevalent every day. Conventional DNS servers have multiple attack surfaces, including extraneous open ports such as port 80 (HTTP) and port 25 (SMTP) that a DNS server does not need. Attackers can use these services to reach the operating system (OS) and compromise the servers. If an enterprise's DNS servers don't support tiered security privileges, any user could potentially gain OS-level account privileges and make configuration changes that leave the servers vulnerable to hacks.
In order to protect DNS services from various hacks, DNS servers should be secured in the following ways:
Defending against DNS attacks
Another consideration is the protection of the DNS infrastructure from external attacks. Authoritative DNS servers are reachable from the internet. Even though the server sits behind a firewall, most of these attacks cannot be mitigated by typical firewalls, which are ill-prepared to protect DNS against application-layer attacks. The ones that do, the so-called NextGen firewalls, tend to have very little coverage for DNS protocols: these solutions spread their security policies across a large number of protocols and sacrifice depth for breadth of coverage.
There is a whole spectrum of attacks that can target DNS:
Protection from these attacks should be done at the DNS level. The DNS appliance should have:
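The article says protection belongs at the DNS level but lists no specific control. One control found in DNS-tier defences is query rate limiting per source prefix, with the "slip" idea from BIND's Response Rate Limiting (periodically answering with TC=1 so real clients retry over TCP while a spoofed flood cannot). The following is an added example, not code from the article or any vendor appliance; the window, threshold, slip value and log lines are constructed and far lower than production settings.

```python
"""
Sliding-window query rate limiting per client /24 (IPv4) or /56 (IPv6).

Added example, not from the article. WINDOW_SECONDS, QUERIES_PER_WINDOW,
SLIP and the log lines are constructed sample values.
"""
import ipaddress
import re
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 1.0
QUERIES_PER_WINDOW = 5   # constructed: allow 5 queries per second per prefix
SLIP = 2                 # every SLIP-th over-limit query gets a truncated reply

# Constructed log format: "<unix ts> client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) client (?P<ip>\S+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


class RateLimiter:
    def __init__(self, window=WINDOW_SECONDS, limit=QUERIES_PER_WINDOW, slip=SLIP):
        self.window, self.limit, self.slip = window, limit, slip
        self.events = defaultdict(deque)  # prefix -> timestamps inside the window
        self.over = defaultdict(int)      # prefix -> count of over-limit queries

    @staticmethod
    def bucket(ip):
        """Aggregate by /24 or /56 so a flood that rotates the last octet of a
        spoofed source is still counted as one client."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 56
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def decide(self, ts, ip):
        """Return ANSWER, TRUNCATE (send TC=1, forcing a TCP retry) or DROP."""
        b = self.bucket(ip)
        q = self.events[b]
        while q and ts - q[0] >= self.window:   # expire old timestamps
            q.popleft()
        q.append(ts)
        if len(q) <= self.limit:
            return "ANSWER"
        self.over[b] += 1
        # Slip: a spoofed sender never completes the TCP retry, a real one does.
        return "TRUNCATE" if self.over[b] % self.slip == 0 else "DROP"


def constructed_stream():
    """Constructed log lines: one legitimate client and one spoofed /24 flood."""
    lines = [f"{0.3 * i:.1f} client 198.51.100.5#40000: query: www.example.com IN A"
             for i in range(3)]
    lines += [f"{0.1 * (i + 1):.1f} client 203.0.113.{i + 1}#{1024 + i}: "
              f"query: example.com IN ANY" for i in range(10)]
    # A later query from the same prefix after the window has expired.
    lines.append("2.5 client 203.0.113.9#2000: query: example.com IN ANY")
    return lines


def run(lines):
    """Replay the lines in timestamp order; return [(ip, decision)] and counts."""
    parsed = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            parsed.append((float(m.group("ts")), m.group("ip")))
    limiter = RateLimiter()
    decisions = [(ip, limiter.decide(ts, ip)) for ts, ip in sorted(parsed, key=lambda e: e[0])]
    return decisions, Counter(d for _, d in decisions)


if __name__ == "__main__":
    for ip, decision in run(constructed_stream())[0]:
        print(f"{ip:16} {decision}")
```

In the constructed stream the legitimate client is always answered, the spoofed /24 gets five answers and then alternating drops and truncated replies, and the prefix is answered again once its window has expired.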
Preventing Malware and APTs from Using DNS
Data breaches are growing at a staggering pace. Investing in next-generation firewalls or Intrusion Prevention Systems (IPSs) can stop some malware from entering the network, but not all. Trends like Bring Your Own Device (BYOD) complicate the situation further and provide new avenues for malware to enter and go undetected for longer periods of time.
Malware and APTs evade traditional defences by using DNS to find and communicate with botnets and command-and-control servers. Botnets and command-and-control servers hide behind constantly changing combinations of domains and IP addresses. Once internal machines connect to these servers, additional malicious software is downloaded or sensitive company data is exfiltrated.
Sometimes malware and APT attacks are hidden or disguised by external attacks on networks. During an external attack, IT staff are distracted by protecting the network and might miss alerts or warning logs about malware and APT activity within the network.
In order for DNS to detect and block queries for malicious domains and networks, a Response Policy Zone (RPZ) must be configured and implemented. At a minimum the RPZ must have the following capabilities:
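The article's list of RPZ capabilities is not present on the page, so the following added example (not code from the article or any DNS product) shows the core RPZ behaviour in working form: a policy zone of triggers and actions evaluated against constructed resolver query logs. It covers the malware and C2 domains described above as well as the RPZ section: exact-name and wildcard triggers, the standard NXDOMAIN, NODATA, PASSTHRU and DROP actions, and a local CNAME that redirects a client to a walled garden so the infected host can be identified. The policy entries, domain names and log lines are all constructed.

```python
"""
RPZ-style policy evaluation over constructed DNS query log lines.

Added example, not from the article or any vendor. Trigger forms and action
names follow the well-known RPZ conventions; the policy zone, domains and log
lines are constructed sample data.
"""
import re
from collections import Counter

# Constructed policy zone: trigger -> action.
# "*.name" matches every subdomain of name but not name itself, as in RPZ.
POLICY = {
    "bad-c2.example":        "NXDOMAIN",
    "*.bad-c2.example":      "NXDOMAIN",
    "tracker.example":       "NODATA",
    "*.cdn-allowed.example": "PASSTHRU",          # allow-list overriding feeds
    "*.drop-me.example":     "DROP",              # no response at all
    "*.phish.example":       "CNAME walled-garden.internal.",  # local data
}

# Constructed log format: "client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(r"client (?P<ip>\S+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

SAMPLE_LOG = [  # constructed
    "client 10.0.0.5#51234: query: www.google.com IN A",
    "client 10.0.0.5#51235: query: beacon.bad-c2.example IN A",
    "client 10.0.0.7#41001: query: bad-c2.example IN TXT",
    "client 10.0.0.9#40002: query: tracker.example IN A",
    "client 10.0.0.9#40003: query: img.cdn-allowed.example IN A",
    "client 10.0.0.11#40004: query: x.y.drop-me.example IN A",
    "client 10.0.0.11#40005: query: login.phish.example IN A",
    "client 10.0.0.12#40006: query: notbad-c2.example IN A",  # must NOT match
]


def normalize(name):
    return name.rstrip(".").lower()


def lookup(qname, policy=POLICY):
    """Return (trigger, action) for the most specific matching trigger, else None.
    Exact name wins; otherwise the closest ancestor wildcard. Matching is by
    label, so 'notbad-c2.example' is not caught by 'bad-c2.example'."""
    name = normalize(qname)
    if name in policy:
        return name, policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        cand = "*." + ".".join(labels[i:])
        if cand in policy:
            return cand, policy[cand]
    return None


def apply_policy(qname, policy=POLICY):
    """Turn a policy hit into the response the resolver would synthesize."""
    name = normalize(qname)
    hit = lookup(qname, policy)
    if hit is None:
        return {"qname": name, "trigger": None, "action": "RESOLVE", "answer": None}
    trigger, action = hit
    if action.startswith("CNAME "):
        # Local data: answer with a CNAME to an internal walled-garden host.
        target = normalize(action.split(None, 1)[1])
        return {"qname": name, "trigger": trigger, "action": "REDIRECT", "answer": target}
    return {"qname": name, "trigger": trigger, "action": action, "answer": None}


def process_log(lines):
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        r = apply_policy(m.group("qname"))
        r["client"], r["qtype"] = m.group("ip"), m.group("qtype")
        results.append(r)
    return results


def summarize(results):
    return Counter(r["action"] for r in results)


def policy_hits(results):
    """What a SOC wants from the RPZ log: every matched query with its client."""
    return [(r["client"], r["qname"], r["trigger"], r["action"])
            for r in results if r["trigger"]]


if __name__ == "__main__":
    res = process_log(SAMPLE_LOG)
    for row in policy_hits(res):
        print(row)
    print(dict(summarize(res)))
```

The PASSTHRU hit is still logged even though the query is answered normally, which is what lets an operator see when an allow-list entry is masking a feed entry. Label-based matching, rather than string suffix matching, is the detail that most often goes wrong in home-grown blocklists.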
Security built in is better than security bolted on
Many IT organizations today are using load balancers, IPS and firewall devices, generic DDoS protection solutions and cloud-based solutions to try to counter DNS-based attacks. All of these solutions are limited in what they can protect. Most of them are external solutions that are "bolted on" rather than built from the ground up to secure enterprises' DNS against attacks. None of them can compare to the effectiveness of a purpose-built, DNS-specific defence solution.