Most people, even seasoned IT professionals, don’t give DNS (the Domain Name System) the attention it deserves. As TCP/IP has become the dominant networking protocol, so has the use of DNS. Most organizations use DNS not only to direct customers to their website, but to conduct almost every aspect of their day-to-day business operations. DNS is the hierarchical, distributed naming system for computers, services, or any resource connected to the Internet or a private network. It converts hard-to-remember numerical IPv4 and IPv6 device addresses into easy-to-understand names (e.g. mail.domain.com). On private networks it can be used to address even the most mundane things like printers and servers. On the Internet, we use it to address websites (A records), VoIP phone calls (SRV records), email servers (MX records), and a myriad of other critical services. Advanced organizations even use DNS to load balance, fail over, and geographically redirect connections. DNS has become so pervasive that it is hard to identify a modern TCP/IP connection that does not use DNS in some way.
Because of the reliability built into the fundamental RFC-based design of DNS, most IT professionals don’t spend much time worrying about it. This can be a huge mistake! If your DNS is maliciously attacked, whether by altering the addresses it hands out or by taking it offline, your business is not only stopped in its tracks, but your brand can be damaged for years to come. End users seldom take the time to understand the security issues; they simply go to your competitor. Whether conducted for political motives, financial gain, or just the notoriety of the attacker, the damage from a DNS attack can be devastating for the target business.
The Most Common Security Issues For DNS:
Unauthorized Authoritative DNS Record Changes – Changes to authoritative DNS records that point end users to computer systems outside of your control can do the most damage to your business’s brand. This type of attack is typically done either to send users to a site which delivers a negative marketing message, or to a location mirroring your site where account credentials can be harvested. This attack is particularly devastating because users are typically unaware that anything untoward has happened.
Denial of Service Attacks – Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks are done to make your DNS service unavailable and thus create the impression that your business is offline or closed down (website, portals, VPNs, FTP, VoIP, email, etc.). This type of attack is one of the easiest to perform and can be one of the hardest to defend against. One of the least recognized impacts on a business that suffers a DNS outage from a DDoS attack is the negative effect it has on your search engine rankings.
Recursive DNS Spoofing/Cache Poisoning – Outside of a business’s control, the Recursive DNS server an end user utilizes is typically set by the user’s network administrator. Recursive DNS servers relay the Authoritative DNS records a business sets to an end user’s device. Unfortunately, many Recursive DNS servers are not well maintained or protected and can be easily compromised to give out false responses. This has the same downstream effect as an Unauthorized Authoritative DNS record change.
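A poorly maintained recursive resolver is easy to poison largely because it skips the sanity checks a well-maintained one applies before caching a reply: the transaction ID and question section must match the outstanding query, and records outside the bailiwick of the zone being asked about must be discarded. The following Python is an added illustration of those checks, not code from the article or from any resolver; it builds the query and both replies from constructed, documentation-range data and contains no network code.

```python
"""Checks a well-maintained recursive resolver applies to a DNS reply before caching it.
Added example: the packets are constructed inline (no network I/O), the
addresses are documentation ranges, and the validation is a simplified model."""
from __future__ import annotations
import struct
from dataclasses import dataclass


@dataclass
class RR:
    owner: str
    rtype: int
    ttl: int
    rdata: bytes


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels).lower() + ".", end


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Standard query header (RD set) plus one question, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, answers: list, additional: list) -> bytes:
    """Reply (QR|RD|RA set); answers/additional are (owner, type, ttl, rdata) tuples."""
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, ttl, rdata in answers + additional:
        pkt += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return pkt


def parse_response(pkt: bytes):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = decode_name(pkt, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            rrs.append(RR(name, rtype, ttl, pkt[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return txid, flags, questions, sections


def in_bailiwick(owner: str, zone: str) -> bool:
    return owner == zone or owner.endswith("." + zone)


def accept_reply(sent_txid: int, sent_qname: str, zone: str, pkt: bytes):
    """Return (records safe to cache, list of reasons for anything rejected)."""
    txid, flags, questions, (answers, authority, additional) = parse_response(pkt)
    reasons = []
    if txid != sent_txid:
        reasons.append("transaction id mismatch")
    if not flags & 0x8000:
        reasons.append("QR bit not set")
    if questions != [(sent_qname.lower().rstrip(".") + ".", 1, 1)]:
        reasons.append("question section does not match the query sent")
    if reasons:                                         # reply is not for our query: cache nothing
        return [], reasons
    accepted = []
    for rr in answers + authority + additional:
        if in_bailiwick(rr.owner, zone):
            accepted.append(rr)
        else:                                           # a server for example.com may not speak for other zones
            reasons.append(f"dropped out-of-bailiwick record for {rr.owner}")
    return accepted, reasons


# Constructed sample: we asked example.com's server for www.example.com A with txid 0x1234.
QUERY = build_query(0x1234, "www.example.com")
LEGIT = build_response(0x1234, "www.example.com",
                       [("www.example.com", 1, 300, bytes([203, 0, 113, 10]))],
                       [("www.bank.example", 1, 60, bytes([198, 51, 100, 5]))])  # unrelated glue
SPOOFED = build_response(0x5678, "www.example.com",
                         [("www.example.com", 1, 86400, bytes([198, 51, 100, 99]))], [])

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT), ("spoofed", SPOOFED)):
        ok, why = accept_reply(0x1234, "www.example.com", "example.com.", pkt)
        print(label, [(r.owner, r.rdata.hex()) for r in ok], why)
```

The first reply is cached only for the record inside example.com; the out-of-bailiwick glue for www.bank.example is dropped even though the rest of the reply is valid. The second reply is discarded outright because its transaction ID does not match, which is exactly the check that a resolver missing it would fail, leaving it open to blind spoofing.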
Security Best Practices for DNS:
Registrar Lock Your Domain Names – One of the simplest protections you can do is lock all of your domain names at your registrar.
Outsource Your DNS Services – In today’s world it is typically unrealistic to maintain your own DNS name servers in a way that both protects them from attacks and maintains global performance, and it is naive to use the free DNS services of a domain registrar. Cloud-based managed service providers are your best bet for both Authoritative and Recursive DNS. Neustar (UltraDNS), DynDNS, Verisign, Amazon (Route 53), and Community DNS (European focused) are some of the top IP Anycasted Authoritative DNS providers to consider. OpenDNS, Neustar (UltraDNS), DynDNS and Google are the top Recursive DNS providers to consider. The investment in a cloud-based DNS provider will protect your business from many of the common attacks, and free you from having to manage the devices yourself.
Utilize Strong Access Controls – As with any critical IT infrastructure, only allow users access to the DNS administration they actually need to manage, lock down access to these critical accounts to known IP ranges, utilize strong password controls, and whenever possible use two-factor authentication.
Activate DNSSEC On Your Domain Names – DNSSEC counters cache poisoning attacks by verifying the authenticity of responses received from name servers. It effectively prevents responses from being tampered with, because in practice signatures are almost impossible to forge without access to the private keys. If your DNS provider is not DNSSEC-capable… make a switch.
Continuously Monitor Your Critical Services & DNS Records – Utilize an advanced SIEM like the one available from Savanture to monitor all of your critical services and monitor your DNS records for changes from outside your network. UltraTools.com provides a free DNS monitoring service that many top organizations use. Additionally, monitoring the activity level on your services can show when traffic suddenly gets directed away.
Promote The Use of Protected Recursive DNS Servers – If you are not already using one of the top Recursive DNS providers listed above for your business’s network, make the switch now. Many times there is no cost to this, only a configuration change. After you select a provider, promote it to your end users, inside & outside of your business.
Protect Your DNS Service Against DDoS Attacks – If you aren’t using one of the top Authoritative DNS providers listed above that also provides DDoS protection for your DNS service, add it. For your other public-facing services that require DDoS protection, lower your DNS Time to Live (TTL) settings to 300 seconds (5 minutes) so you can redirect traffic quickly if you come under attack and need protection.
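Two of the practices above, monitoring your records for changes made from outside your network and keeping TTLs at 300 seconds on services you may need to redirect, can be checked with one small script. The Python below is an added example rather than anything from the article or from the monitoring services it names: it diffs a baseline of expected records against what an outside resolver observes and flags any TTL above the 300-second ceiling. The baseline and the observed answers are constructed sample data; in practice the observed side would be populated by querying a public resolver.

```python
"""Baseline-versus-observed DNS record monitor with a TTL ceiling check.
Added example with constructed data: BASELINE is what the zone owner intends,
OBSERVED is what an outside resolver answered (here, hand-built)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observed:
    values: frozenset   # rdata strings returned for this (name, type)
    ttl: int            # TTL on the answer as seen from outside


# Constructed baseline: the records the organization intends to publish.
BASELINE = {
    ("www.example.com.", "A"):  {"203.0.113.10"},
    ("example.com.", "MX"):     {"10 mail.example.com."},
    ("example.com.", "NS"):     {"ns1.example-dns.net.", "ns2.example-dns.net."},
}

# Constructed observation: www now points somewhere else with a day-long TTL,
# and a record nobody planned has appeared.
OBSERVED = {
    ("www.example.com.", "A"):   Observed(frozenset({"198.51.100.7"}), 86400),
    ("example.com.", "MX"):      Observed(frozenset({"10 mail.example.com."}), 300),
    ("example.com.", "NS"):      Observed(frozenset({"ns1.example-dns.net.", "ns2.example-dns.net."}), 300),
    ("admin.example.com.", "A"): Observed(frozenset({"198.51.100.8"}), 60),
}


def diff_records(baseline: dict, observed: dict) -> list:
    """One alert line per record set that is missing, unexpected, or changed."""
    alerts = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        if key not in observed:
            alerts.append(f"MISSING {rtype} {name}: expected {sorted(baseline[key])}")
        elif key not in baseline:
            alerts.append(f"UNEXPECTED {rtype} {name}: observed {sorted(observed[key].values)}")
        elif observed[key].values != frozenset(baseline[key]):
            alerts.append(f"CHANGED {rtype} {name}: expected {sorted(baseline[key])}, "
                          f"observed {sorted(observed[key].values)}")
    return alerts


def check_ttls(observed: dict, max_ttl: int = 300) -> list:
    """Records whose TTL exceeds the ceiling and so could not be redirected quickly."""
    return [f"TTL {obs.ttl}s exceeds {max_ttl}s on {rtype} {name}"
            for (name, rtype), obs in sorted(observed.items()) if obs.ttl > max_ttl]


def run_checks(baseline: dict = BASELINE, observed: dict = OBSERVED) -> list:
    """Combined report; an empty list means nothing drifted and all TTLs are within limit."""
    return diff_records(baseline, observed) + check_ttls(observed)


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

Run on the constructed data it reports the changed www address, the unexpected admin record, and the 86400-second TTL on www; the MX and NS sets match the baseline and produce nothing. Feeding the observed side from a resolver you do not control is the point of the check: a change that is invisible from inside your own network still shows up here.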
Rick,
Good article! I definitely agree that DNS security doesn’t get the attention it deserves. I agree with most of your points, particularly about deploying DNSSEC, but I am not entirely comfortable encouraging people to outsource their recursive resolver to an external party. Using an external provider for an authoritative server makes sense to me, but if you use an external recursive resolver there is the potential for an attacker to get in between the external resolver and the end user and provide bogus DNS data back to the end user.
I’m much more of a fan of running the recursive DNS resolver as close to the end user as possible, particularly if it is performing DNSSEC validation. In many typical configurations this would mean ideally running the recursive resolver at the network edge of the local network, whether that is a home network or business or office network. If that’s not possible my next choice would be using the resolvers at the ISP for the end user. (In a truly ideal world the DNSSEC validation might occur on the end user’s machine itself or in the end user’s application to truly minimize the attack surface.)
Anyway, outside of that I agree with your points and do hope more people will pay attention to DNS security in 2014!
Thanks for writing this,
Dan
To perfectly illustrate your point of why you need to lock your names at your registrar, this article shows how incredibly easy it was for someone to change a domain name to point to a different website:
http://blog.rootshell.be/2014/01/15/dns-hijacking-with-just-one-mail/
In his case, it was a legitimate request, but it could have easily been from an attacker instead!
Well, to be more precise, the article I just linked to demonstrates the need to have strong access control because the change was actually to the DNS zone records that were published by the DNS hosting provider part of the registrar in question.