Michael Smith of Vercara delves into DNS’s critical role as foundational internet infrastructure and outlines essential steps to secure it against escalating cyber threats.
DNS is often referred to as the “address book of the Internet.” While this comparison is very common, it understates how complex DNS really is. At its most basic, DNS is as easy as adding resource records to a zone—be it a top-level domain, second-level domain, or subdomain—and publishing them on authoritative servers to guide users to websites or other services. Someone with only limited experience building websites can set up a basic zone from their bedroom.
However, there is a stark difference between running a personal DNS zone and running a zone for millions of concurrent users. DNS’s functionality and uses have evolved significantly from its initial design in Request for Comments (RFCs) 1034 and 1035, which was primarily to map human-readable domain names to Internet Protocol (IP) addresses.
DNS has expanded to incorporate many functions, each of which increases the complexity of DNS zones and the dependency on DNS availability:
- We use DNS for load-balancing across servers and data centers.
- Service providers use CNAME chaining to onboard customers.
- Content targeting uses regional DNS resolution.
- Let’s Encrypt and other certificate authorities use DNS TXT records to validate domain control when issuing X.509 certificates for Transport Layer Security (TLS).
- DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records, published as TXT records, are used to authorize services to send email on a domain’s behalf.
- We even validate answers inside DNS via Domain Name System Security Extensions (DNSSEC) and signed zones.
This complexity and dependency cause a lot of issues. Every time we add a use for DNS, it underscores a cold, hard fact: DNS is critical infrastructure that makes the Internet work. Critical infrastructure is a dependency chain. For instance, the government depends on the banking system for sending and receiving payments, which depends on telecommunications to signal the payments and on DNS to route the money transfers to the right server. Cybercriminals know this, which is why they attack DNS.
Last year, the Forum of Incident Response and Security Teams (FIRST) DNS Special Interest Group (SIG) published a DNS Abuse Techniques Matrix. Inside it, they list 21 different attacks or abuses of DNS ranging from cache poisoning to Domain Generation Algorithms and registration of subdomains on public DNS domains like DuckDNS.
It is also not just point vulnerabilities. We have been dealing with floods of queries for non-existent names against our authoritative servers, which produce what the DNS world calls NXDOMAIN responses. At best, this is Internet blight and mildly annoying. At worst, it causes performance and availability issues comparable to a small-scale Denial of Service attack.
To safeguard DNS like we would traditional critical infrastructure, consider the following best practices and steps:
1. Ensure DNS redundancy
While “one is none and two is one” is an often quoted saying about server redundancy, when it comes to DNS, the saying should be “five is none, and six is one.” Most zones, especially top-level domains, need redundancy across servers, data centers, networks, service providers, regions, and the planet.
2. Protect DNS servers from DDoS
Mitigation platforms and a Security Operations Center can counter DDoS attacks targeting authoritative DNS servers. Additionally, custom filters can block the large volumes of standards-compliant queries generated by DNS water-torture (random-subdomain) attacks.
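The NXDOMAIN floods described above are distinguishable from ordinary misconfiguration by looking at the names being asked for, not just the response code. The following is an added illustration (not code from the article or from Vercara) that runs over a constructed, simplified query log and flags a zone only when most answers are NXDOMAIN and the missing names are mostly unique, which is the random-subdomain signature; the log layout, zone list and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
# Constructed sample lines, "ts client qname qtype rcode" (not a real server's log format):
# a random-subdomain flood on example.com and one stale name repeated on example.net.
SAMPLE_LOG = """\
1700000000 198.51.100.7 www.example.com A NOERROR
1700000000 203.0.113.9 a1b2c3.example.com A NXDOMAIN
1700000001 203.0.113.9 9f8e7d.example.com A NXDOMAIN
1700000001 203.0.113.10 zz91kk.example.com A NXDOMAIN
1700000002 203.0.113.11 q0w9e8.example.com A NXDOMAIN
1700000003 198.51.100.8 old.example.net A NXDOMAIN
1700000004 198.51.100.8 old.example.net A NXDOMAIN
1700000004 198.51.100.8 old.example.net A NXDOMAIN
"""

@dataclass
class ZoneStats:
    total: int = 0
    nxdomain: int = 0
    nx_names: set = field(default_factory=set)  # distinct names answered NXDOMAIN

def zone_of(qname, zones):
    # Longest zone we serve that contains qname, or None.
    qname = qname.rstrip(".").lower()
    matches = [z for z in zones if qname == z or qname.endswith("." + z)]
    return max(matches, key=len) if matches else None

def zone_stats(log_text, zones):
    stats = defaultdict(ZoneStats)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the detector
        _ts, _client, qname, _qtype, rcode = parts
        zone = zone_of(qname, zones)
        if zone is None:
            continue  # not a zone we are authoritative for
        stats[zone].total += 1
        if rcode == "NXDOMAIN":
            stats[zone].nxdomain += 1
            stats[zone].nx_names.add(qname.lower())
    return stats

def flag_water_torture(stats, min_queries=3, nx_ratio=0.5, distinct_ratio=0.8):
    # Mostly NXDOMAIN *and* mostly unique names; one stale name repeated is a misconfig, not a flood.
    flagged = [z for z, s in stats.items()
               if s.total >= min_queries and s.nxdomain > 0
               and s.nxdomain / s.total >= nx_ratio
               and len(s.nx_names) / s.nxdomain >= distinct_ratio]
    return sorted(flagged)
```

In production the same counters would be kept per sliding time window and per source network, and a flagged zone would feed the custom filters mentioned above rather than a list.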
3. Scan DNS servers
Many of the abuses in the FIRST Abuse Matrix, such as amplification attacks and subdomains vulnerable to hijacking, can be detected in an automated fashion. Vulnerability scanning services and some of the free scanning data provided by Shadowserver can help you identify these vulnerabilities and misconfigurations in your internet-accessible DNS servers.
4. Use DNSSEC
One way to address potential vulnerabilities in DNS is to implement DNSSEC on both authoritative and recursive servers. DNSSEC adds an extra layer of security by digitally signing records so that resolvers can verify their authenticity. With DNSSEC, users can be assured that the DNS responses they receive are legitimate and have not been tampered with.
5. Use protective DNS services
Protective DNS, which operates as a cloud-delivered filtering resolver, can block a large category of DNS abuses that use DNS queries to work, such as phishing and malware. It incorporates threat intelligence feeds and big data techniques to correlate suspicious domains with previously detected malicious domains to protect endpoints such as laptops, desktops, mobile devices, and internet-connected devices.
6. Separate public and non-public zones
Many organizations use the same domain for public-facing and internal resources, such as Microsoft Active Directory. To separate internal use from public resources and limit the impact of an incident spreading across trust zones, use a separate domain or subdomain.
7. Change control, audit, and rollback
The more complex a DNS zone becomes, and the higher the volume of changes to it, the more you need to depend on change controls, the ability to monitor and predict changes, and the ability to roll back errors introduced by a change.
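A minimal form of the change control described above is a pre-publish gate that diffs the proposed zone against the current one and blocks removals that affect the whole zone. This is an added example, not code from the article or from Vercara; the "name type rdata" snapshot format, the set of critical record types and the minimum NS count are assumptions, and the same diff in reverse is the rollback.

```python
# Constructed "name type rdata" zone snapshots (not a full RFC 1035 zone-file parser):
# the change drops a secondary NS and moves www to a new address.
BEFORE = """\
example.com NS ns1.example.net.
example.com NS ns2.example.net.
example.com MX 10 mail.example.com.
www.example.com A 192.0.2.10
api.example.com CNAME api-prod.provider.example.
"""
AFTER = """\
example.com NS ns1.example.net.
example.com MX 10 mail.example.com.
www.example.com A 192.0.2.11
api.example.com CNAME api-prod.provider.example.
"""
# Record types whose removal affects delegation, mail or DNSSEC for the whole zone (assumed set).
CRITICAL_TYPES = {"NS", "SOA", "MX", "DNSKEY", "DS"}

def parse_zone(text):
    records = set()
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            name, rtype, rdata = parts
            records.add((name.lower().rstrip("."), rtype.upper(), rdata.strip()))
    return records

def diff_zones(before, after):
    # Returns (removed, added) as sorted lists of (name, type, rdata) tuples.
    old, new = parse_zone(before), parse_zone(after)
    return sorted(old - new), sorted(new - old)

def review_change(before, after, apex, min_ns=2):
    # Gate a change: block it when a critical record disappears or the apex
    # is left with fewer NS records than the redundancy rule in point 1 calls for.
    apex = apex.lower().rstrip(".")
    removed, added = diff_zones(before, after)
    findings = [f"removes {t} record '{r}' at {n}" for n, t, r in removed if t in CRITICAL_TYPES]
    ns_left = sum(1 for n, t, _ in parse_zone(after) if n == apex and t == "NS")
    if ns_left < min_ns:
        findings.append(f"apex {apex} left with {ns_left} NS record(s), fewer than {min_ns}")
    return {"removed": removed, "added": added, "findings": findings, "blocked": bool(findings)}
```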
Given its pivotal role in the foundational infrastructure of the internet, ensuring the resilience and security of the DNS is paramount for maintaining a trustworthy online presence. Treating DNS with the seriousness it deserves as critical infrastructure and adhering to a basic set of preventative controls shields your infrastructure and other services and safeguards your devices and users from potential harm.