3 ways to achieve DNS security

three tips for DNS security

DNS security is proving increasingly challenging as servers are targeted on a grand scale.

The domain name system (DNS) is an essential part of the worldwide networking infrastructure. DNS is basically a phone book for the Internet, where computers and servers can look up domain names to find the numeric IP address associated with the destination server or Website. But DNS security is constantly challenged, and attackers are increasingly targeting DNS servers, rendering the very foundation of the Internet quite shaky.

While denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks garner the most headlines when they bring down servers, there are other dangers, such as DNS spoofing and rogue DNS servers interfering with domain name queries. Adversaries can modify a server’s DNS data as part of a cache poisoning attack—or DNS spoofing—so that users are re-directed to fake Web sites, despite having typed the correct URL into their Web browser. Rogue DNS servers can also broadcast incorrect IP address information to DNS queries, and affected servers wind up sending users to the wrong sites.

So how do you ensure DNS security?

Network security is all about layered defense, in which different security approaches are combined for comprehensive protection. DNS security is no different. Administrators can configure DNS correctly, deploy DNS Security Extensions (DNSSEC), and monitor traffic to and from the enterprise DNS infrastructure. Here are three tips:

1. Setting proper configurations

According to the Open DNS Resolver Project, there are more than 27 million open DNS servers vulnerable to spoofs or other DDoS attacks. More than 25 million of these “pose a significant threat,” according to the project.

To aid DNS security, different DNS functions should be separated so that each system can be secured independently. Caching and authoritative DNS servers are vulnerable to different kinds of attacks and the steps to protect them are different, so it makes sense to not have them on one box. Access to caching servers can be restricted exclusively to authorized users, which is something administrators can’t really do for authoritative servers as they need to be open to queries from the Internet.

By specifying the IP address ranges of clients that are allowed to query the DNS server, queries from clients that shouldn’t be hitting the caching server gets filtered out. This is a first level of defense against DoS attacks.

Some DNS cache corruption can be the result of unintentional mismatches between requests and responses, as might happen with a misconfigured name server. DNS resolvers should put in basic validity checking of response packets and of name server credibility to verify the credibility and relevance of name server responses.

2. DNS security: Understanding DNSSEC

Domain Name System Security Extensions (DNSSEC) is a separate DNS security standard that authenticates DNS traffic. DNSSEC modifies DNS to add support for cryptographically signed responses, so that IP address data cannot be tampered with. DNSSEC allows name servers to validate answers cryptographically, thus protecting against DNS spoofing and other man-in-the-middle attacks.

Many top-level zones, including .ARPA, .GOV, .com, .net, .edu, and .ORG, as well as root, have already been signed using DNSSEC

3. DNS Security: Monitoring in/out DNS traffic

Administrators need to monitor the network to figure out which IP addresses are using the most bandwidth and experiencing high network volume. Monitoring systems can automatically alert security teams if there is a sudden spike in DNS queries hitting the server, or recursion contexts above normal values.

When a DNS query can’t be answered from the DNS cache, the next step is to perform a recursive lookup to get an answer from the proper authoritative server elsewhere on the Internet.  DoS attacks frequently send queries for random domains to force the DNS server to make those recursive lookups, and eventually consume all the available processing power and bring the server to standstill. Increasing the number of recursion contexts in the DNS can temporarily “absorb” these kinds of attacks.

DNS hacking is not anything new, but the techniques to break the system keep getting better. Administrators have to deploy DNSSEC and stop assuming their DNS servers are configured correctly. Making sure the correct servers are in place, and regularly monitoring traffic to detect problems as early as possible, will keep administrators from falling behind the rising threats.

About the Author

Fahmida Y. Rashid is a contributor to EnterpriseEfficiency.com, a UBM Tech community.

Fahmida Y. Rashid
Fahmida Y. Rashid is an analyst for networking and security at PCMag.com. She focuses on ways businesses can keep their data and networks secure without going bankrupt chasing after the wrong kinds of protection. Prior to landing at PCMag, she was a senior writer covering security, core Internet infrastructure, and open source at eWEEK. She was also a senior technical editor at CRN Test Center reviewing open source, storage, and networking products from 2007 to 2008. Before setting out her journalism shingle, she was a technology consultant, first at PricewaterhouseCoopers, and later with the Business Consulting Services group in IBM Global Services. She has worked in the trenches as help-desk, QA tester, software and Web developer, and network administrator.
Fahmida Y. Rashid
Fahmida Y. Rashid
Fahmida Y. Rashid
Tags: IT Security,Technology