DNS Security 101: The Essentials You Need to Know to Keep Your Organization Safe
All you need to find out about DNS security. Ways to secure your company-owned DNS server.
The Domain Name System (DNS), which supports the Internet presence of your company, is a centralized network run by different organizations worldwide. It comprises the operators of root and top-level domain servers, recursive name services, authoritative name services offered by managed DNS operators, and domain registrars that handle domain names.
Simply put, the DNS is a complex infrastructure without which the Internet as we know it today would not exist. And in the present digital world, with users demanding smooth and stable online interactions, DNS security has become more challenging to handle than ever. Here’s what you need to know about the topic and its importance in securing your organization.
Definition of DNS Security
The term DNS security refers to the protection measures that involve the DNS protocol. As you may already know, the DNS (Domain Name System) has not been created using a security-by-design approach.
Back when this infrastructure was invented, security threats were not prevailing, as is now the case. During those times, we were dealing with a much smaller and much more secure environment, but as its magnitude and availability increased, the more promising it started to look in the eyes of malicious actors.
Secondly, throughout time, multiple additions were made to the infrastructure of the DNS – and sometimes, perhaps without much circumspection. These aspects have contributed to the lack of security of the DNS. Thus, it should come as no surprise that a myriad of DNS threats is now endangering companies large and small and regular consumers alike.
According to IDC’s 2021 Global DNS Threat Report:
- 87% of organizations were victims of DNS-based attacks.
- On average, each organization was affected by 7.6 DNS attacks.
- The average cost per attack was $950,000.
- DNS attacks determined application downtime for 76% of organizations.
- 42% of organizations are not using a dedicated DNS security solution.
As you might have gathered from the data above, there’s no way for infrastructure as complex and widespread as the DNS to be impervious to cyber aggression. Perhaps you have heard tales or ‘hearsay’ about Man-in-the-Middle Attacks, DNS poisoning, DNS hijacking, and so on. These types of attacks are the very reason why developers have rolled out what’s called DNSSEC, the first and oldest layer of security of the Domain Name System.
What is DNSSEC?
In 1997, the IETF released the first RFC (Request for Comments) about DNSSEC (Domain Name System Security Extensions) – these are specifications that help protect the DNS. It’s called an extension because, by default, DNS queries are not secured. This could leave each one of the ‘actors’ involved in DNS resolution susceptible to one or more types of attacks.
DNSSEC ensures the security and confidentiality of data (an aspect that is not normally handled through DNS), serving as a cornerstone for digital trust and preventing DNS threats like cache poisoning. DNSSEC servers digitally sign all server answers. Through signature checking, a DNSSEC resolver can verify if the data that came from a valid server is identical to the data on the authoritative DNS server.
If this is not the case, the request will be denied. Also, DNSSEC can detect Man-In-The-Middle attacks thanks to the data origin authentication – however, keep in mind that it does not prevent these attacks. Therefore, DNSSEC is a subset of DNS security, not a synonym for it.
What about Secure DNS? DNSSEC and Secure DNS are somewhat interconnected, but not fused at the hip. The first refers to the methodology used to protect DNS servers, data, and clients from unlawful eavesdropping and data exfiltration.
Secure DNS is the way to apply the said DNSSEC methodology. One can consider Secure DNS the latest fad in anti-malware protection and an indispensable tool in threat intelligence. The reader should keep in mind the fact that Secure DNS should be implemented alongside other DNS security measures.
Types of DNS Security Extensions
Some of the most common DNS Security extensions are:
- Cryptographic authentication of DNS data, usually with a symmetric key, since it consumes fewer network resources as compared to using asymmetric cartography.
- Authenticated DoE (Denial of Existence), which allows the DNS resolver to tell whether or not a domain exists. At the same time, it can confirm that the yet-to-be-resolved domain does, indeed, exists.
- Data integrity and authentication, ensured by binding crypto-generated digital signatures to the corresponding Domain Name Systems RR sets. Quick clarification – as Microsoft’s DNS documentation eloquently puts it, RR (resource records) are the “building blocks of host-name and IP information and are used to resolve all DNS queries”. Furthermore, DNNSEC also covers origin authentication – provides an extra security boost.
- Response Policy Zones, which consist of laying down a set of rules regarding what your DNS queries can look and cannot look when interrogating a recursive DNS server. It is very useful in decreasing the chances of querying domain names that could be linked to malicious servers.
Heimdal® Threat Prevention
Choosing a DNS Security Solution for your Company
There are plenty of secure DNS solutions on the market – some are open-source and others are subscription-based. The question at hand is “does my company need secure DNS?”. It’s not exactly mandatory such as GDPR, but it’s slowly making its way up. DNS-driven attacks are not as common as ransomware or botnets.
Let me rephrase that: not yet. The status quo can change very fast and it’s of the utmost importance to take the necessary steps to prevent what can very well be a financial disaster for your company. Here are some pointers on choosing a DNS security solution for your company that will close all your gaps in security and protects crucial data assets from malicious actors.
#1 DNS Protocol Enhancement
DNSSEC shouldn’t be your only line of defense against DNS-based attacks. While its protective capabilities cannot be denied, there are also more advanced protocols out there, such as DNS over HTTPS (DoH) and DNS over TPC.
The DoH protocol encrypts all DNS requests sent from a browser to a server, preventing manmade attacks from circumventing encryption protections. A proposal has been made to extend DNSSEC to include DNS over HTTPS (DoH). The proposal is still in the early stages, but the idea behind this idea is that DNS over HTTPS would allow for authenticated requests that could then be validated through DNSSEC.
DNS over TPC is another protocol that is made to allow encrypted communications between two parties without launching a connection first because it will establish a dead drop for messages. These types of security layers add data privacy on top of traditional DNS communications, which means that the queries that are made on your company endpoints have lower chances of being intercepted.
#2 DNS Filtering
The first step towards a secure DNS is DNS filtering. Not exactly a cybersecurity novelty or true DNSSEC, nonetheless essential. Heimdal™ Threat Prevention employs a powerful DNS filtering engine, more than capable of intercepting malicious data packets that could harm your endpoints and network.
With Heimdal™ Threat Prevention, you will be one step closer to achieving true DNS Security. Our DNS filtering engine will decrease latency by relying on both local and cloud querying. Every time your machine makes a DNS query, our DNS traffic filtering engine will inspect data packets to see if anything’s hidden in the Internet traffic. Furthermore, if Heimdal™ Threat Prevention picks up any unusual activity during querying, it will automatically block the connection.
#3 DNS Activity Monitoring
By monitoring your DNS activity and logs, you can notice suspicious traffic patterns that can reveal key indicators of compromise. For example, unforeseen changes in the volume of traffic may suggest malicious DNS activity. For example, Heimdal™ Threat Prevention uses machine learning to establish compromise patterns and offers IOAs and IOCs, enabling a unique add-on that will enhance your endpoint security.
#4 Protective DNS Service (for Public Sector organizations only)
To inhibit the use of DNS for malware delivery, the Protective Domain Name Service (PDNS) was created. This is a free internet-accessible DNS service created by The National Cyber Security Centre (NCSC) and implemented by Nominet UK. Protective DNS is a recursive resolver (it finds answers to DNS queries). The control of your domains (authoritative DNS) is handled by the NCSC independently and will not be influenced by the Protective DNS service adoption.
DNS is a vital digital structure and one of the Internet’s foundations, which integrates everything related to the IT infrastructure – basically, all the information that circulates between servers and users. So, it is no wonder that it has turned into an attractive target for attackers. All in all, it’s imperative to take decisive steps to enforce and sustain DNS protection measures and keep your organization away from cybercrime.