Tips for Domain Name System (DNS) Security

By Ernest Hamilton, Updated Jul 25, 2019 10:40 AM EDT

Companies need to have domain name system security measures in place. DNS security solutions are important because an estimated 77% of companies have faced a DNS attack in the past few years, and many of those companies describe the result as "irreparable damage."

The damage businesses report from DNS security threats includes loss of business, intellectual property theft, and downtime of applications.

Why Are DNS Servers Such a Point of Weakness?

DNS servers, DNS zones, domains, and IP addresses are all points of potential vulnerability for businesses, yet businesses often overlook them when developing their IT and cybersecurity strategies.

DNS is what your work computers use to connect to websites, and DNS servers are one of hackers' favorite targets. Instead of focusing on DNS security, administrators often spend their time securing things like database systems and web servers, leaving DNS services entirely vulnerable.

When a hacker targets a DNS server configuration that doesn't have proper security in place, they can do serious harm, such as redirecting web and email traffic. A visitor to your business website would have no idea they were being redirected to another server.

Do An Audit of All of Your DNS Zones

As you're preparing a strategy to secure your DNS services, your first step should be conducting an audit of all of your zones.

This includes your subdomains as well as test domain names. These can have outdated software that leaves you vulnerable. 

If you go with a complete DNS security solution, then it's much easier to do an audit and continually monitor all of your domains and subdomains.

Know How the Most Common Attacks Work

It's difficult to protect against a threat if you don't understand what it is. 

There are a few common DNS threats. 

First, there is DNS poisoning, which was briefly mentioned above. With DNS poisoning, attackers redirect your web traffic. It's very difficult for people visiting your site to notice that they're being redirected, because they typed in the correct web address.

Once web traffic is redirected, phishing can be used to steal victims' login and personal information.

Another common threat is cache poisoning, which occurs when a resolver's cache has been compromised.

If you have a compromised cache, then again the people using it can be redirected to fraudulent websites.

Technically, cache poisoning occurs when corrupt data is inserted into the cache of your DNS name server.

The cybercriminals send forged responses from a fake DNS server; once the name server caches a forged answer, traffic for that name is rerouted to the attacker's IP address.
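The defense against forged responses is that a caching resolver must only accept an answer that matches the query it actually sent. The following is an added example, not code from the article: a simplified model of those checks (transaction ID, source port, question section, server address) plus a bailiwick check that keeps out-of-zone extra records from ever entering the cache. The message fields and the `zone` argument are simplifications assumed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    """An outstanding query as the resolver remembers it (simplified)."""
    txid: int          # 16-bit transaction ID, chosen randomly per query
    src_port: int      # randomised UDP source port the query left from
    qname: str
    qtype: str
    server_ip: str     # server the query was sent to

@dataclass
class Response:
    """An incoming UDP response (simplified; records are (name, type, value))."""
    txid: int
    dst_port: int
    qname: str
    qtype: str
    from_ip: str
    answers: list
    additional: list   # extra records, which must be bailiwick-checked

def in_bailiwick(zone: str, name: str) -> bool:
    """True if name is zone itself or a subdomain of it (case-insensitive)."""
    zone, name = zone.lower().rstrip("."), name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def validate_response(q: Query, r: Response, zone: str):
    """Return (records_to_cache, reason).

    Any mismatch with the outstanding query rejects the whole response;
    records outside the queried server's zone are silently dropped rather
    than cached, so a forged extra record cannot hijack another domain.
    """
    if r.from_ip != q.server_ip:
        return [], "source address does not match queried server"
    if r.dst_port != q.src_port:
        return [], "destination port does not match query source port"
    if r.txid != q.txid:
        return [], "transaction id mismatch"
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        return [], "question section does not match"
    accepted = [rec for rec in r.answers + r.additional
                if in_bailiwick(zone, rec[0])]
    return accepted, "ok"
```

A response that guesses the transaction ID but not the randomised source port is rejected before its contents are even looked at, which is why port randomisation matters as much as the ID.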

Cache poisoning is also a way that things like malware and computer worms are transmitted.

Advanced cache poisoning attacks can include what are called man-in-the-middle attacks.

Man-in-the-middle attacks are a way for a malicious party to insert themselves into a conversation and impersonate each party while gaining access to the information the two were sending to one another. Neither party has any idea until the damage is done.

These attacks occur in real-time transactions and conversations.

A third fairly common threat is the DNS amplification attack. This uses weaknesses and vulnerabilities in your DNS services to carry out a DDoS attack.

DNS Security Solutions

There are holistic DNS security solutions available, and these can be the best option for a lot of businesses for a few different reasons.

First, these are a high-level, comprehensive way to protect against the gaps you might face with traditional security strategies that leave your DNS servers vulnerable. 

A DNS security solution is a cost-effective and simple way to protect your DNS servers, and these platforms include unique innovations that you might not get if you try a patchwork approach to DNS server security.

At a minimum, when it comes to DNS server protection, you will want to use firewalls that control access. Put firewalls in place that allow queries only from servers using caching-only forwarders, and block internal users from connecting to external DNS servers directly.

Running your own name servers can be a good way to protect your organization, but if you do this it's up to you, and it's imperative that you keep them updated. Along with keeping your name servers up to date, you also have to keep their operating system up to date.

Using a patch management system is an option if you're not using a holistic DNS security solution.

© 2020 Game & Guide All rights reserved. Do not reproduce without permission.
