The Domain Name System (DNS), which supports your company's Internet presence, is a centralized network run by different organizations worldwide. Because its creator did not build it with security in mind, companies need to enforce professional DNS security measures in order to keep their environment safe.
The Domain Name System comprises the operators of root and top-level domain servers, recursive name services, authoritative name services offered by managed DNS operators, and domain registrars that handle domain names.
Simply put, the DNS is a complex infrastructure without which the Internet as we know it today would not exist. And in the present digital world, with users demanding smooth and stable online interactions, DNS security has become more challenging to handle than ever. Here’s what you need to know about the topic and its importance in securing your organization.
Definition of DNS Security
The term DNS security refers to the protection measures that involve the DNS protocol. As we stated before, the DNS (Domain Name System) has not been created using a security-by-design approach. This is why security specialists created various DNS protection tools that help prevent or mitigate DNS attacks.
Back in 1983, when Paul Mockapetris invented this infrastructure, security threats were not as prevalent as they are now. At that time, the Internet was a much smaller and much more trusted environment. Over time, the more its size and availability increased, the more attractive it became in the eyes of malicious actors.
Moreover, over the years specialists made multiple additions to the infrastructure of the DNS, sometimes without much circumspection. Both factors have contributed to the lack of security in the DNS. Thus, it should come as no surprise that a myriad of DNS threats now endangers companies large and small and regular consumers alike.
According to IDC’s 2022 Global DNS Threat Report:
- 88% of organizations were victims of DNS-based attacks.
- 24% experienced data stealing as a result of a DNS attack.
- On average, each organization was affected by 7 DNS attacks during the year.
- The average cost per attack was $942,000.
- DNS attacks determined application downtime for 70% of organizations.
- 43% of organizations are not using a dedicated DNS security solution.
As you might have gathered from the data above, there’s no way for infrastructure as complex and widespread as the DNS to be impervious to cyber aggression. Perhaps you have heard tales or ‘hearsay’ about Man-in-the-Middle Attacks, DNS poisoning, DNS hijacking, and so on. These types of attacks are the very reason why developers have rolled out what’s called DNSSEC, the first and oldest DNS security layer.
What Is DNSSEC?
In 1997, the IETF released the first RFC (Request for Comments) about DNSSEC (Domain Name System Security Extensions) – these are specifications that help protect the DNS. It’s called an extension because, by default, DNS queries are not secured. This could leave each one of the ‘actors’ involved in DNS resolution susceptible to one or more types of attacks.
DNSSEC ensures the security and confidentiality of data (an aspect that is not normally handled through DNS), serving as a cornerstone for digital trust and preventing DNS threats like cache poisoning. DNSSEC servers digitally sign all server answers. Through signature checking, a DNSSEC resolver can verify if the data that came from a valid server is identical to the data on the authoritative DNS server.
If this is not the case, the request will be denied. Also, DNSSEC can detect Man-In-The-Middle attacks thanks to the data origin authentication – however, keep in mind that it does not prevent these attacks. Therefore, DNSSEC is a subset of DNS security, not a synonym for it.
What about Secure DNS? DNSSEC and Secure DNS are related, but not joined at the hip. The first refers to the methodology used to protect DNS servers, data, and clients from unlawful eavesdropping and data exfiltration.
Secure DNS is the way that DNSSEC methodology is applied in practice. One can consider Secure DNS the latest trend in anti-malware protection and an indispensable tool in threat intelligence. Keep in mind that security teams should implement Secure DNS alongside other DNS security measures, not instead of them.
Types of DNS Security Extensions
Some of the most common DNS Security extensions are:
- Cryptographic authentication of DNS data, usually with a symmetric key, since it consumes fewer network resources than asymmetric cryptography.
- Authenticated DoE (Denial of Existence), which allows the DNS resolver to prove whether or not a domain exists: it can confirm both that a name does not exist and that a yet-to-be-resolved name does, indeed, exist.
- Data integrity and authentication, ensured by binding cryptographically generated digital signatures to the corresponding DNS resource record sets (RRsets). Quick clarification: as Microsoft's DNS documentation puts it, resource records (RRs) are the "building blocks of host-name and IP information and are used to resolve all DNS queries". Furthermore, DNSSEC also covers data origin authentication, which provides an extra security boost.
- Response Policy Zones (RPZ), which consist of laying down a set of rules about which names your DNS queries can and cannot resolve when interrogating a recursive DNS server. RPZ is very useful in decreasing the chances of resolving domain names that threat actors could link to malicious servers.
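The following Python script is an added illustration of how a resolver applies RPZ-style QNAME rules; it is not code from this article, from Heimdal, or from any DNS server. The rule table, the query names, and the simplified precedence (an exact-name trigger beats a wildcard, and a wildcard covers only proper subdomains) are constructed for the example; a real deployment loads the rules as zone data into a resolver such as BIND.

```python
"""Simplified model of Response Policy Zone (RPZ) QNAME triggers.

Added illustration, not code from the original article or any DNS vendor.
The rule table below is constructed; the action strings mirror the CNAME
targets that a real RPZ zone would carry for each trigger name.
"""
from typing import Optional, Tuple

# Constructed RPZ-style QNAME rules: trigger name -> action.
RPZ_RULES = {
    "malware-c2.example": "CNAME .",                # NXDOMAIN: pretend the name does not exist
    "*.phish.example": "CNAME *.",                  # NODATA: name exists, no answer records
    "login.phish.example": "CNAME rpz-passthru.",   # exception: this one resolves normally
    "tracker.example": "CNAME rpz-drop.",           # silently drop the query
    "old-portal.example": "A 192.0.2.10",           # local data: answer from our own records
}


def _candidate_triggers(qname: str):
    """Yield the triggers that could match qname, most specific first."""
    labels = qname.rstrip(".").lower().split(".")
    yield ".".join(labels)                           # exact name first
    # Wildcard triggers cover proper subdomains only; walk up the tree.
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])


def rpz_lookup(qname: str, rules=RPZ_RULES) -> Optional[str]:
    """Return the action string for qname, or None when no policy applies."""
    for trigger in _candidate_triggers(qname):
        if trigger in rules:
            return rules[trigger]
    return None


def apply_policy(qname: str, rules=RPZ_RULES) -> Tuple[str, Optional[Tuple[str, str]]]:
    """Translate the matched action into what the resolver would do.

    Returns (verdict, local_data); local_data is (rtype, rdata) only for
    local-data rewrites, otherwise None.
    """
    action = rpz_lookup(qname, rules)
    if action is None or action == "CNAME rpz-passthru.":
        return ("PASSTHRU", None)      # no policy or explicit exception: recurse normally
    if action == "CNAME .":
        return ("NXDOMAIN", None)
    if action == "CNAME *.":
        return ("NODATA", None)
    if action == "CNAME rpz-drop.":
        return ("DROP", None)
    rtype, rdata = action.split(" ", 1)
    return ("LOCAL-DATA", (rtype, rdata))


if __name__ == "__main__":
    for name in ["malware-c2.example", "www.phish.example", "login.phish.example",
                 "phish.example", "tracker.example", "old-portal.example", "www.example.com"]:
        print(f"{name:24} -> {apply_policy(name)}")
```

Note that "phish.example" itself is not caught by the "*.phish.example" wildcard; if the apex should be blocked too, it needs its own trigger, exactly as in a real RPZ zone.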
Choosing a DNS Security Solution for Your Company
There are plenty of managed DNS operators and secure DNS solutions on the market; some are open-source and others are subscription-based. The question at hand is "does my company need secure DNS?". It is not a legal requirement in the way GDPR is, but it is slowly getting there. DNS-driven attacks are not as common as ransomware or botnets.
Let me rephrase that: not yet. The status quo can change very fast and it’s of the utmost importance to take the necessary steps to prevent what can very well be a financial disaster for your company. Here are some pointers on choosing a DNS security solution for your company that will close all your gaps in security and protect crucial data assets from malicious actors.
#1 DNS Protocol Enhancement
DNSSEC shouldn't be your only line of defense against DNS-based attacks. While its protective capabilities cannot be denied, there are also more advanced protocols out there, such as DNS over HTTPS (DoH) and DNS over TLS (DoT).
The DoH protocol encrypts all DNS requests sent from a browser to a server, so that an on-path attacker cannot read or tamper with them. DNS security specialists have proposed extending DNSSEC to work together with DNS over HTTPS (DoH). The proposal is still in its early stages, but the idea behind it is that DNS over HTTPS would carry the queries confidentially, while the answers could then be validated through DNSSEC.
DNS over TLS (DoT) is another protocol that encrypts the exchange between the two parties, in this case by wrapping DNS messages in a TLS session. These types of security layers add data privacy on top of traditional DNS communications. This means that the queries made from your company endpoints have lower chances of being intercepted.
#2 DNS Filtering
The first step towards a secure DNS is DNS filtering. It is neither a cybersecurity novelty nor DNSSEC proper, but it is essential nonetheless. Heimdal™ Threat Prevention employs a powerful DNS filtering engine, more than capable of intercepting malicious data packets that could harm your endpoints and network.
With Heimdal™ Threat Prevention, you will be one step closer to achieving true DNS Security. Our DNS filtering engine will decrease latency by relying on both local and cloud querying. Every time your machine makes a DNS query, our DNS traffic filtering engine will inspect data packets to see if anything’s hidden in the Internet traffic. Furthermore, if Heimdal™ Threat Prevention picks up any unusual activity during querying, it will automatically block the connection.
#3 DNS Activity Monitoring
By monitoring your DNS activity and logs, you can notice suspicious traffic patterns that reveal key indicators of compromise. For example, unforeseen changes in the volume of traffic may suggest malicious DNS activity. Heimdal™ Threat Prevention uses machine learning to establish compromise patterns and offers IOAs and IOCs, enabling a unique add-on that will enhance your endpoint security.
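As an added example of the kind of log review described above (not code from this article or from Heimdal), the Python script below walks a set of constructed resolver log lines and flags three patterns a defender typically watches for: a client's query volume jumping above its baseline, a client receiving mostly NXDOMAIN answers (typical of malware cycling through generated domains), and very long or high-entropy labels (typical of data tunnelled through DNS). The log format, the sample lines, the baseline figures and the thresholds are all assumptions made for the example; adapt parse_line() to your own resolver's query log.

```python
"""Offline DNS query-log review that flags clients deviating from the norm.

Added example, not code from the article or from Heimdal. The log format,
the sample lines, the baseline and the thresholds are constructed for
illustration; real logs (BIND, Unbound, Windows DNS, ...) need their own parser.
"""
import math
import re
from collections import Counter, defaultdict

# Assumed log format: "<timestamp> client=<ip> qname=<name> qtype=<type> rcode=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\w+) rcode=(?P<rcode>\w+)$"
)

# Constructed sample log: a quiet client (10.0.0.5), a noisy client getting
# NXDOMAIN for random-looking names (10.0.0.7), and a client sending long
# high-entropy labels under one subdomain (10.0.0.9).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 qname=www.example.com qtype=A rcode=NOERROR
2024-05-01T10:00:02Z client=10.0.0.5 qname=mail.example.com qtype=MX rcode=NOERROR
2024-05-01T10:00:03Z client=10.0.0.5 qname=intranet.example.com qtype=A rcode=NOERROR
2024-05-01T10:00:04Z client=10.0.0.7 qname=kq3z9xv2.example.net qtype=A rcode=NXDOMAIN
2024-05-01T10:00:04Z client=10.0.0.7 qname=p0w7e1rt.example.net qtype=A rcode=NXDOMAIN
2024-05-01T10:00:05Z client=10.0.0.7 qname=ab9c3d2f.example.net qtype=A rcode=NXDOMAIN
2024-05-01T10:00:05Z client=10.0.0.7 qname=m8n1t4y6.example.net qtype=A rcode=NXDOMAIN
2024-05-01T10:00:06Z client=10.0.0.7 qname=x2c5v7b9.example.net qtype=A rcode=NXDOMAIN
2024-05-01T10:00:06Z client=10.0.0.7 qname=www.example.com qtype=A rcode=NOERROR
2024-05-01T10:00:07Z client=10.0.0.9 qname=abcdefghijklmnopqrstuvwxyz0123.tun.example.org qtype=TXT rcode=NOERROR
2024-05-01T10:00:08Z client=10.0.0.9 qname=zyxwvutsrqponmlkjihgfedcba9876.tun.example.org qtype=TXT rcode=NOERROR
2024-05-01T10:00:09Z client=10.0.0.9 qname=0123456789abcdefghijklmnopqrst.tun.example.org qtype=TXT rcode=NOERROR
"""

# Constructed baseline: expected queries per client in a window of this size.
BASELINE = {"10.0.0.5": 4, "10.0.0.7": 2, "10.0.0.9": 2}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Per-client counters: total queries, NXDOMAIN answers, longest label, max entropy."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "max_label_len": 0, "max_entropy": 0.0})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["total"] += 1
        if rec["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
        # Look at the leftmost labels only: that is where tunnelling tools encode data.
        for label in rec["qname"].rstrip(".").split(".")[:-2]:
            s["max_label_len"] = max(s["max_label_len"], len(label))
            s["max_entropy"] = max(s["max_entropy"], shannon_entropy(label))
    return stats


def find_anomalies(lines, baseline=None, spike_factor=3, min_queries=5,
                   nx_ratio=0.5, label_len=30, entropy=4.0):
    """Return (client, reason) pairs for every client that trips a threshold."""
    baseline = baseline or {}
    alerts = []
    for client, s in sorted(summarize(lines).items()):
        if client in baseline and s["total"] >= spike_factor * baseline[client]:
            alerts.append((client, "query volume spike"))
        if s["total"] >= min_queries and s["nxdomain"] / s["total"] > nx_ratio:
            alerts.append((client, "high NXDOMAIN ratio"))
        if s["max_label_len"] >= label_len or s["max_entropy"] >= entropy:
            alerts.append((client, "long or high-entropy label"))
    return alerts


if __name__ == "__main__":
    for client, reason in find_anomalies(SAMPLE_LOG.splitlines(), baseline=BASELINE):
        print(f"ALERT {client}: {reason}")
```

The thresholds are deliberately exposed as parameters: a sensible NXDOMAIN ratio or label length for a corporate network is not the same as for a guest Wi-Fi segment, and the baseline should be learned from a quiet period of your own logs rather than copied from an example.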
#4 Protective DNS Service (for Public Sector organizations only)
To inhibit the use of DNS for malware delivery, the National Cyber Security Centre (NCSC) created the Protective Domain Name Service (PDNS), which Nominet UK implements and operates. PDNS is a free, Internet-accessible DNS service. Protective DNS is a recursive resolver, meaning it finds the answers to DNS queries on your behalf. Control of your own domains (authoritative DNS) is handled independently, and adopting the Protective DNS service has no influence on it.
Conclusion
DNS is a vital digital structure and one of the Internet's foundations, on which everything in the IT infrastructure depends. Basically, it handles the name resolution behind all the information that circulates between servers and users. So, it is no wonder that it has turned into an attractive target for attackers. All in all, it is imperative to take decisive steps to enforce and sustain DNS protection measures and keep your organization away from cybercrime.