Domain name system or DNS is one of the foundational components of the internet, yet at the same time, it’s one of the least secure protocols being used. When it comes to DNS security, you have to cover the basics before you can get into the complexities of decisions like ISPs and DNS over HTTPS.
The following gives a strong, general overview of DNS security and what you should know.
What Is DNS?
Domain name system or DNS is like a phonebook of internet addresses. DNS is how a computer knows what other computer or device to communicate with. An IP address is something that every computer and device has, and that string of numbers can be compared to an address.
For us as humans to be able to remember the address of sites we want to visit, it’s translated into words, which is the website name and URL.
Without DNS you would need to remember the IP address of any server you wanted to connect to, which would be nearly impossible.
There are a lot of DNS servers storing records throughout the internet—they’re not all stored on one server because that wouldn’t be possible.
When you want to visit a webpage, there are four DNS servers responsible for loading it. These are the DNS recursor, the root name server, the top-level domain server, and the authoritative name server.
Not all DNS records are public, which is something you may not realize. Some organizations use DNS so employees can access their private internal servers.
The Cyber Threat
Cybercriminals are always on the lookout for ways they can attack websites, companies, and even individuals.
Domain name system records are increasingly being selected as the target because so many businesses don’t take any steps to secure them.
Domain registries and domain name registrants are considered soft targets for attackers.
One of the biggest issues with DNS security is the fact that clients trust the components that make it up.
DNS traffic isn’t authenticated or encrypted, so if a client is connecting to an unsecured network, it’s easy to be duped into using a rogue DNS server.
Hackers can take advantage of DNS vulnerabilities and transfer DNS zones, modify resolvers to scam people by reporting different IP addresses, and they can also be used to redirect traffic.
A visitor to a website has no way of knowing their traffic is being redirected or that their email didn’t go to the server they meant for it to.
It’s worth mentioning DNSSEC as well. This is a way to authenticate a DNS response and ensure the integrity of the message. It’s part of DNS security, but it’s not the only component for true DNS security. DNSSEC can prevent things like cache poisoning, however.
Preventing DNS Attacks
Some of the general tips to keep in mind as far as preventing DNS attacks can include:
- Don’t use the same DNS server internally and externally. Your internal DNS should be behind the firewall and handled by its own server. You don’t want to have things that only employees should have access to be available to anyone.
- Audit your zones. Zones include subdomains and test domain names. Zone transfers happen between a primary and secondary server, but anyone can trigger a zone transfer.
- Use a DNS resolver. The DNS resolver serves as a cache for the DNS protocol so it has strong visibility over the network, and it can be used as a way to detect possible suspicious behavior. The DNS resolver can also help strengthen the security of components like DNSSEC.
- DNS traffic encryption is a growing way to secure DNS.
- Regularly check your domains for unauthorized updates.
- Your DNS servers need to produce logs so that you can make sure you’re getting alerts whenever there’s an actionable item. You need to be able to see any possible security issues quickly and efficiently.
It’s so important for businesses to stop letting their DNS be a point of weakness and vulnerability in terms of cybersecurity. DNS should always be checked and there should be security solutions in place to monitor domains. Your customers, as well as your vendors and anyone interacting with your business, rely on your domain name to find you and connect with you.
Your domain name is integral to your brand and all forms of online communication, and yet companies don’t understand how to protect it.
Not protecting it can have disastrous effects.
