DNS Security 101: The Essentials You Need to Know to Keep Your Organization Safe
All you need to find out about DNS security
DNS security refers to the protective measures that cover the DNS protocol. As you may already know, the DNS (Domain Name System) was not created with a security-by-design approach. And in today’s digital world, with Internet users demanding smooth and stable online interactions, DNS has become more challenging to handle than ever.
What is DNS?
DNS was built in the early 1980s to solve the problems of the early Internet (the ARPAnet), which kept its name-to-address translations in a single table on a single host (HOSTS.TXT). In 1983, Paul Mockapetris proposed a new framework based on a dynamic, distributed system – the DNS.
Following the official creation of the Internet Engineering Task Force (IETF) in 1986, DNS became one of the first Internet Standards. Instead of a mere hostname lookup, DNS now mapped easily recognizable names to IP addresses, which made the Web far more convenient for everyday use.
Without it, the Internet as we know it today wouldn’t exist.
To provide more context on the DNS resolution process: every time a domain is purchased from one of the domain registrars, a unique IP address is assigned to it, which allows the site to be located. Whenever someone wants to visit a website, a DNS query is run. Simply put, the DNS server looks up the IP address and, once it has been found, your browser connects to the server that hosts the website. This process involves multiple steps (performed in a split second), which I’ve described in this article.
Essentially, the DNS, which supports the Internet presence of your company, is a centralized network run by different organizations worldwide. In short, it comprises the operators of root and top-level domain servers, recursive name services, authoritative name services offered by managed DNS operators, and domain registrars that handle domain names.
Is DNS secure?
In the best-case scenario, whenever you type in a domain name (which is translated into an IP address), you end up on the website you wanted. This is commonly the case; however, a simple DNS query does not always turn out as planned, which means that a secure DNS service can’t always be guaranteed. In fact, it is no longer news that many DNS threats, both simple and sophisticated, are encountered in the wild. DNS spoofing/poisoning, man-in-the-middle attacks and DDoS attacks, to name a few, are DNS threats lurking out there.
Why is DNS insecure?
The answer is simple. First of all, back when the DNS was invented, security threats were not as prevalent as they are now. At the time, the environment was much smaller and much more secure, but the more its size and reach grew, the more attractive it became to malicious actors.
Secondly, over time, multiple additions were made to the DNS infrastructure, sometimes perhaps without much circumspection. Both aspects have contributed to the lack of security in the DNS. Thus, it should come as no surprise that a myriad of DNS threats now endanger companies large and small and regular consumers alike. Ensuring DNS security is therefore important for the digital identity of any business, as well as for maintaining the security and integrity of its internal applications.
According to IDC’s 2020 Global DNS Threat Report:
- 79% of organizations were victims of DNS-based attacks.
- On average, each organization was affected by 9.5 DNS attacks.
- The average cost per attack was $924k.
- DNS attacks determined application downtime for 82% of organizations.
- 75% of attacks were not mitigated automatically.
As you can see, DNS threats are to be taken seriously and addressed properly as they are getting more common, complex, and costly.
Therefore, it is crucial to safeguard the DNS layer and protect your organization’s money, customers, and reputation.
How to achieve DNS security
Malicious hackers can leverage the DNS in different ways, either by altering the way it works or by abusing the DNS servers’ vulnerabilities.
In any case, the aftermath of a DNS attack will most probably have a huge impact on your organization. Without DNS security measures in place, your business is left exposed. Therefore, in addition to the other threat prevention and mitigation methods your company ought to have in place (such as patch management, email security and email fraud protection, Privileged Access Management, and endpoint antivirus), it is essential to keep DNS security as a fundamental part of your cybersecurity foundation.
Below I’ve listed some essential DNS security measures that you can deploy to establish and maintain security in DNS:
1. DNSSEC (DNS Security Extensions)
In 1997, the IETF released the first RFC (Request for Comments) about DNSSEC (Domain Name System Security Extensions) – these are specifications that help protect the DNS.
DNSSEC ensures the security and confidentiality of data (an aspect that plain DNS does not handle), serving as a cornerstone of digital trust and preventing DNS threats such as cache poisoning. DNSSEC-enabled servers digitally sign all their answers. By checking the signature, a validating resolver can verify that the data it received from a server is identical to the data held on the authoritative DNS server; if it is not, the answer is rejected. DNSSEC can also detect man-in-the-middle attacks thanks to data origin authentication; keep in mind, however, that it does not prevent them.
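Here is an added example, written for this article and not taken from it or from any DNSSEC implementation, that shows the signing and checking just described in Go. It uses Ed25519 (DNSSEC algorithm 15 in the IANA registry) and simplifies the wire format: RDATA is plain text, the key tag and label count are left out, and the zone data (`www.example.test`, documentation addresses) is constructed. A validating resolver rejects the answer when the records differ from what the zone signed, when the signature is used outside its validity window, or when it was made with another key. One caveat a practitioner should keep in mind: the signature authenticates the records, it does not encrypt them, so the answer itself is still readable on the wire.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
	"time"
)

// RR is a minimal resource record; RDATA is kept as text for readability.
type RR struct {
	Name  string
	Type  uint16 // 1 = A
	TTL   uint32
	RData string
}

// RRSIG carries the RFC 4034 fields this example needs; everything but Signature is itself signed.
type RRSIG struct {
	TypeCovered uint16
	Algorithm   uint8 // 15 = Ed25519 in the IANA DNSSEC algorithm registry
	OrigTTL     uint32
	Expiration  uint32 // Unix time
	Inception   uint32 // Unix time
	SignerName  string
	Signature   []byte
}

// canonicalRRset mirrors RFC 4034 section 6: lowercased owner names, sorted records, and
// the RRSIG's original TTL instead of the cached (possibly decremented) TTL.
func canonicalRRset(rrs []RR, origTTL uint32) []byte {
	sorted := append([]RR(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].RData < sorted[j].RData })
	var buf bytes.Buffer
	for _, rr := range sorted {
		buf.WriteString(strings.ToLower(rr.Name))
		binary.Write(&buf, binary.BigEndian, rr.Type)
		binary.Write(&buf, binary.BigEndian, origTTL)
		buf.WriteString(rr.RData)
		buf.WriteByte(0) // record separator for this text encoding
	}
	return buf.Bytes()
}

// signedData is what the signature covers: the RRSIG RDATA minus the signature, then the canonical RRset.
func signedData(sig RRSIG, rrs []RR) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, sig.TypeCovered)
	buf.WriteByte(sig.Algorithm)
	binary.Write(&buf, binary.BigEndian, sig.OrigTTL)
	binary.Write(&buf, binary.BigEndian, sig.Expiration)
	binary.Write(&buf, binary.BigEndian, sig.Inception)
	buf.WriteString(strings.ToLower(sig.SignerName))
	buf.Write(canonicalRRset(rrs, sig.OrigTTL))
	return buf.Bytes()
}

// SignRRset is the zone-side step: sign one RRset with the zone's private key.
func SignRRset(priv ed25519.PrivateKey, rrs []RR, signer string, now time.Time, validFor time.Duration) RRSIG {
	sig := RRSIG{
		TypeCovered: rrs[0].Type,
		Algorithm:   15,
		OrigTTL:     rrs[0].TTL,
		Expiration:  uint32(now.Add(validFor).Unix()),
		Inception:   uint32(now.Unix()),
		SignerName:  signer,
	}
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrs))
	return sig
}

// ValidateRRset is the resolver-side step: nil only if the time is inside the validity
// window and the signature verifies under the zone's public key; otherwise the answer is discarded.
func ValidateRRset(pub ed25519.PublicKey, rrs []RR, sig RRSIG, now time.Time) error {
	t := uint32(now.Unix())
	if t < sig.Inception || t > sig.Expiration {
		return fmt.Errorf("RRSIG outside its validity window")
	}
	if !ed25519.Verify(pub, signedData(sig, rrs), sig.Signature) {
		return fmt.Errorf("RRSIG does not verify: records altered or signed by another key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	rrs := []RR{{Name: "www.example.test.", Type: 1, TTL: 300, RData: "192.0.2.10"}} // constructed zone data
	sig := SignRRset(priv, rrs, "example.test.", now, 24*time.Hour)
	fmt.Println("genuine answer:", ValidateRRset(pub, rrs, sig, now))
	forged := []RR{{Name: "www.example.test.", Type: 1, TTL: 300, RData: "198.51.100.66"}} // poisoned copy
	fmt.Println("forged answer:", ValidateRRset(pub, forged, sig, now))
	fmt.Println("expired answer:", ValidateRRset(pub, rrs, sig, now.Add(48*time.Hour)))
}
```

A real validating resolver does not receive the zone's public key directly as this example does; it fetches the zone's DNSKEY record and verifies it through the chain of DS records up to the root trust anchor. The canonical form is what lets a cached copy, with a lower TTL and different letter case, still validate against the same signature.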
2. DNS Filtering
DNS filtering is a great solution for preventing access to malicious domains and web pages. As I’ve already explained in this article, in very simple terms, the DNS server looks up the IP address of the domain you want to access, which then allows your browser to load the website. DNS filtering adds one more step to that resolution process: before resolution completes, every new request is checked. If the web page or domain is known to be malicious, the DNS filter blocks the request and the browser is directed to a page stating that the site can’t be accessed. For instance, Heimdal Security’s DNS filtering technology scans your traffic and blocks access to malicious websites that could infect your system with malware.
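As an added illustration of that extra step (example code written for this article, not Heimdal’s filter or any product’s code), the following Go program checks each query against a blocklist before handing it to normal resolution. A blocked name is answered with the address of a block page, an entry covers every name beneath it, and names are normalised so that a query differing only in letter case or a trailing dot still hits the same entry. The blocklist entries, the block-page address `192.0.2.1` and the upstream lookup table are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Verdict is the filter's decision for one query.
type Verdict struct {
	Name    string
	Blocked bool
	Reason  string // "<category>:<blocklist entry>" when blocked, empty otherwise
	Answer  string // block-page address when blocked, upstream answer otherwise, "" for NXDOMAIN
}

// Filter sits in front of normal resolution. Blocklist keys are stored lowercased
// without a trailing dot, and an entry covers every name beneath it.
type Filter struct {
	blocklist map[string]string           // domain -> category such as "malware"
	blockPage string                      // address of the "this site can't be accessed" page
	upstream  func(string) (string, bool) // normal resolution, reached only for allowed names
}

func NewFilter(blockPage string, upstream func(string) (string, bool)) *Filter {
	return &Filter{blocklist: map[string]string{}, blockPage: blockPage, upstream: upstream}
}

// StaticUpstream stands in for a real recursive resolver so the example runs offline.
func StaticUpstream(table map[string]string) func(string) (string, bool) {
	return func(name string) (string, bool) {
		addr, ok := table[name]
		return addr, ok
	}
}

// Block adds a domain, with its category, to the blocklist.
func (f *Filter) Block(domain, category string) {
	f.blocklist[normalize(domain)] = category
}

// normalize makes "Bad.Test." and "bad.test" compare equal, so a query that varies
// the case or keeps the trailing dot still hits the same entry.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// match checks the name itself and then each parent domain, so an entry for
// "bad.test" also covers "cdn.bad.test" and "a.b.bad.test".
func (f *Filter) match(name string) (entry, category string, hit bool) {
	labels := strings.Split(name, ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".")
		if cat, ok := f.blocklist[candidate]; ok {
			return candidate, cat, true
		}
	}
	return "", "", false
}

// Resolve is the extra step performed before resolution completes.
func (f *Filter) Resolve(qname string) Verdict {
	name := normalize(qname)
	if entry, category, hit := f.match(name); hit {
		return Verdict{Name: name, Blocked: true, Reason: category + ":" + entry, Answer: f.blockPage}
	}
	if addr, ok := f.upstream(name); ok {
		return Verdict{Name: name, Answer: addr}
	}
	return Verdict{Name: name} // NXDOMAIN: nothing to block and nothing to answer
}

func main() {
	// Constructed data: documentation addresses (192.0.2.0/24) and .test names only.
	f := NewFilter("192.0.2.1", StaticUpstream(map[string]string{"www.example.test": "192.0.2.10"}))
	f.Block("malware.test", "malware")
	f.Block("login.phish.test", "phishing")
	for _, q := range []string{"www.example.test.", "cdn.malware.test", "LOGIN.Phish.Test.", "phish.test", "nowhere.test"} {
		v := f.Resolve(q)
		fmt.Printf("%-18s blocked=%-5t reason=%-26q answer=%q\n", q, v.Blocked, v.Reason, v.Answer)
	}
}
```

Note that a parent of a blocked name (`phish.test` when only `login.phish.test` is listed) is not blocked, while every child of a blocked name is; the category string stored with each entry is also the natural hook for category-based blocking of the kind described further down.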
Heimdal™ Threat Prevention - Endpoint
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
In a nutshell, we maintain a blacklist of malicious IP addresses and web pages and ensure that access to them is restricted. Not only that, but by using the DarkLayer GUARD™ engine, a highly advanced endpoint traffic-based DNS security solution and the best DNS filter on the market, our customers can Hunt, Prevent, Detect, and Block DNS threats. Through its unique Threat-to-Process Correlation (TTPC) technology, we also offer the ability to identify users and processes at risk and to proactively hunt for network-based threats. Furthermore, DarkLayer GUARD™ offers a full category-based (Social, Advertising, etc.) blocking system for system administrators to choose from.
DarkLayer GUARD™ is deployed in tandem with VectorN Detection™ and they provide our users with HIPS/HIDS and IOA/IOC capabilities by using Neural Network Transformed AI for device-to-infrastructure communication to stop attacks that traditional Antivirus and Firewalls are unable to detect. Thanks to the Bloom filter that we are using, this becomes an extremely low-latency solution, which guarantees no delay when accessing safe websites. We deploy these DNS security technologies both at the endpoint level and at the perimeter level (with Heimdal Threat Prevention).
Heimdal™ Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPS protection, HIPS and HIDS;
3. Monitoring DNS activity
By monitoring your DNS activity and logs, you can spot suspicious traffic patterns that reveal key indicators of compromise; unexpected changes in traffic volume, for instance, may point to malicious DNS activity. Our VectorN Detection™, for example, uses machine learning to establish compromise patterns and provides IOAs and IOCs, making it a unique add-on that enhances your endpoint security.
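To make this concrete, here is an added example (written for this article, not VectorN Detection™ or any product code) that runs two simple indicators over constructed DNS log lines in Go: a high share of NXDOMAIN answers from one client, which is what a host cycling through algorithmically generated domain names looks like in the logs, and a run of long, high-entropy first labels under one domain, which is what data carried inside DNS queries looks like. The log format, the thresholds and the sample clients (private addresses, `.test` names) are all assumptions made for the example.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"fmt"
	"math"
	"strings"
)

type Query struct{ Client, Name, RCode string }

// ParseLog reads "<timestamp> <client> <qname> <qtype> <rcode>" lines and skips malformed ones.
func ParseLog(text string) []Query {
	var qs []Query
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 5 {
			qs = append(qs, Query{f[1], strings.TrimSuffix(strings.ToLower(f[2]), "."), f[4]})
		}
	}
	return qs
}

// Entropy is the Shannon entropy of s in bits per character: encoded data scores high, "www" low.
func Entropy(s string) float64 {
	counts := map[rune]float64{}
	for _, r := range s {
		counts[r]++
	}
	h, n := 0.0, float64(len([]rune(s)))
	for _, c := range counts {
		h -= c / n * math.Log2(c/n)
	}
	return h
}

// Thresholds are deliberately simple; calibrate them against your own baseline.
const (
	minQueries    = 20  // clients with less traffic are not judged
	nxdomainRatio = 0.5 // share of NXDOMAIN answers that is suspicious
	tunnelQueries = 15  // queries whose first label looks like encoded data,
	tunnelLabel   = 30  // meaning at least this many characters long
	tunnelEntropy = 3.0 // with at least this much entropy per character
)

type Alert struct{ Client, Indicator, Detail string }

// Analyze groups queries per client and reports two indicators of compromise: a high NXDOMAIN
// ratio and a run of long, high-entropy first labels. The result is keyed by client address.
func Analyze(qs []Query) map[string][]Alert {
	type stats struct{ total, nx, encoded int }
	byClient := map[string]stats{}
	for _, q := range qs {
		s := byClient[q.Client]
		s.total++
		if q.RCode == "NXDOMAIN" {
			s.nx++
		}
		if label := strings.SplitN(q.Name, ".", 2)[0]; len(label) >= tunnelLabel && Entropy(label) >= tunnelEntropy {
			s.encoded++
		}
		byClient[q.Client] = s
	}
	alerts := map[string][]Alert{}
	for client, s := range byClient {
		if s.total >= minQueries && float64(s.nx)/float64(s.total) >= nxdomainRatio {
			alerts[client] = append(alerts[client], Alert{client, "nxdomain-ratio", fmt.Sprintf("%d of %d answers were NXDOMAIN", s.nx, s.total)})
		}
		if s.encoded >= tunnelQueries {
			alerts[client] = append(alerts[client], Alert{client, "dns-tunnel-pattern", fmt.Sprintf("%d queries carried long high-entropy labels", s.encoded)})
		}
	}
	return alerts
}

// SampleLog builds constructed log lines (private addresses, .test names): a normal
// client, a client with DGA-like NXDOMAIN churn, and a client sending tunnel-like queries.
func SampleLog() string {
	var b strings.Builder
	for i := 0; i < 6; i++ {
		fmt.Fprintf(&b, "2024-01-15T10:00:00Z 10.0.0.5 %s.example.test A NOERROR\n", []string{"www", "mail", "cdn"}[i%3])
	}
	rcodes := []string{"NOERROR", "NXDOMAIN", "NXDOMAIN", "NXDOMAIN", "NXDOMAIN"} // 80% NXDOMAIN
	for i := 0; i < 25; i++ { // 12-character random-looking labels, as a DGA would produce
		h := sha256.Sum256([]byte{byte(i)})
		fmt.Fprintf(&b, "2024-01-15T10:00:01Z 10.0.0.7 %x.test A %s\n", h[:6], rcodes[i%5])
	}
	for i := 0; i < 20; i++ { // 64-character hex labels, as encoded payload chunks would look
		fmt.Fprintf(&b, "2024-01-15T10:00:02Z 10.0.0.9 %x.exfil.test TXT NOERROR\n", sha256.Sum256([]byte{byte(100 + i)}))
	}
	return b.String()
}

func main() {
	for _, as := range Analyze(ParseLog(SampleLog())) {
		fmt.Println(as)
	}
}
```

The volume-change indicator mentioned above would be a third rule of the same shape: a per-client query count compared against a moving baseline rather than against a fixed threshold. The fixed numbers here exist only so the example runs offline; in practice they are set from your own traffic.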
4. Protective DNS Service (for Public Sector organizations only)
To inhibit the use of DNS for malware delivery, the Protective Domain Name Service (PDNS) was created. This is a free, Internet-accessible DNS service created by the National Cyber Security Centre (NCSC) and implemented by Nominet UK. Protective DNS is a recursive resolver (it finds the answers to DNS queries). Control of your own domains (authoritative DNS) is handled by the NCSC independently and is not affected by adopting the Protective DNS service.
DNS is a vital digital structure and one of the Internet’s foundations, which integrates everything related to the IT infrastructure – basically, all the information that circulates between servers and users. So, it is no wonder that it has turned into an attractive target for attackers. All in all, it’s imperative to take decisive steps to enforce and sustain DNS protection measures and keep your organization away from cybercrime.
How do you ensure DNS security in your organization? Leave us a comment in the section below!