Despite being a critical component of website security, most business owners don’t pay DNS security the attention it deserves. DNS (the Domain Name System) is a building block of the internet. The system acts as a virtual phone book, mapping domain names to the IP addresses at which countless websites across the Internet can be reached.
However, as the rise in distributed denial-of-service (DDoS) attacks shows, cybercriminals can also use it as a means to launch devastating cyber attacks on companies. A single such attack can temporarily wipe out access to websites for millions of users.
Even some of the world’s leading brands, such as Amazon, Reddit, the New York Times, and PayPal, have succumbed to this threat and had their applications temporarily knocked offline. This is why DNS has a foundational role in ensuring the operation and security of both external and internal network applications.
The naming system is also crucial for services such as external web access, email, voice over IP (VoIP), and file sharing. With that said, there are several steps that network administrators must take to ensure that their DNS infrastructure is safe from security pitfalls and keeps performing resiliently while under attack.
In this article, we will outline five DNS security best practices to ensure a reliable and secure DNS infrastructure for your website.
Where Do Most Network Administrators Go Wrong?
DNS data has a critical role in identifying and rapidly responding to emerging threats, as well as in surfacing latent threats in the infrastructure. As businesses shift to cloud-based services, most of the traditional on-site infrastructure is also shifted to remote sites.
Most of these sites are under the control of a third party. Because of this, after an attack, most organizations are unable to access the remote infrastructure to resolve the matter comprehensively, grinding their business to a halt.
Aside from mapping Internet domain names to IP addresses, the DNS system gives businesses critical security information that is necessary for securing the organization’s network. This includes records created to ensure that the information provided by the DNS server is reliable, as well as records created to counter spam and phishing attempts.
The bulk of computer security effort goes into measures based on log analysis, and most experts concentrate on securing endpoint or edge devices. Nevertheless, DNS queries and responses are a vital asset because they carry substantial security information about network activity, which gives security analysts an easier time identifying potential attackers.
Unfortunately, some network administrators disable query logging on name servers to improve performance. Although this marginally improves performance, doing so can rob a company of a primary means of detecting malicious activity on its DNS infrastructure.
Five DNS Security Best Practices
Network administrators should run DNS servers in a high-availability (HA) cluster or pair. If one server fails, the remaining server(s) take on its load.
A high-availability cluster lets you provide continuous availability for all DNS server resources, whether the server in question is authoritative or recursive, primary or secondary.
For a company’s publicly accessible servers, it’s also essential that the name servers listed in the domain registration are geographically diverse. This will help you cope with physically localized events.
Aside from that, doing so gives you route diversity, especially if the servers sit in different ASNs (Autonomous System Numbers). This can reduce the threat of large-scale DDoS attacks that would otherwise stop you from serving DNS data.
Restrict Availability of Data and Servers
One of the most important things for a business is to make sure that each server only hosts the information needed by the parties it serves. For instance, if a server holds domain names that are to be resolved by the public, then you should let the general public access that server and its data.
All other DNS data and servers should be restricted to internal access only. Furthermore, companies should make sure that publicly accessible servers are authoritative only, rather than also acting recursively.
This means that users external to the organization shouldn’t use or access your recursive name servers. Instead, those users should only use the name servers given to them by their respective internet service providers (ISPs).
It’s always helpful to use name servers local to the company’s users. For instance, a company with several regional or branch offices should have both authoritative and recursive name servers on-site to serve those locations, instead of relying on a limited set of name servers installed at headquarters.
An infrastructure like this lets you distribute the query load across several servers, helping you resolve names as quickly as possible. In most cases, a single web page contains several dozen linked resources, every one of which requires a DNS lookup before the page can load. Increasing the latency between the assigned name server and the end user results in unwarranted delays and adds to the help-desk load.
It’s also necessary to protect zone transfers with the help of firewall ACLs, on-server access control lists (ACLs), and transaction signatures (TSIGs). Only maintenance and administration hosts should have access to primary name servers.
This should not be enforced through monitored account management alone. It is better to also limit connections to the name servers to the specific hosts those employees use.
Similarly, secondary name servers should ideally deny zone transfer requests at all times. If your name servers are delivering authoritative data, you should also avoid letting them serve as recursive servers.
Following this precaution helps ensure the availability of your name servers, as it limits the attack surface available to any potential cyber attack. Any traffic directed towards a name server has to be restricted using firewall-based ACLs as well as the ACLs on the server itself.
Configuring ACLs in this manner limits the traffic that reaches the server, which reduces its exposure to whole classes of attack, such as DDoS attacks. Furthermore, it also helps ensure that any traffic that does reach the server has been authorized to use the service.
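As an added example (not part of the original article), here is how the advice above looks on a public-facing authoritative name server, using BIND 9 `named.conf` syntax: recursion is switched off, the server hands out no zone copies, and it fetches its zone from the primary with a TSIG-signed request. The ACL ranges, host addresses, zone name and the key secret are assumed placeholders; the commented-out `options` block shows the weak configuration the article warns against, for contrast only.

```conf
// Added example, not the article's own configuration. BIND 9 named.conf for a
// public, authoritative-only name server (a secondary of a primary kept elsewhere).
// All addresses, names and the key secret below are assumed placeholders.

acl "internal" { 10.0.0.0/8; 192.168.0.0/16; };   // assumed corporate ranges

// Weak setting the article warns against: a public server that also recurses
// for the whole Internet and hands its zone to anyone who asks. Do not use.
//
//   options { recursion yes; allow-query { any; }; allow-transfer { any; }; };

options {
    directory "/var/named";
    recursion no;                  // authoritative only, never an open resolver
    allow-recursion { none; };
    allow-query-cache { none; };   // no cache served, so nothing to leak or poison
    allow-query { any; };          // public zones may be queried by anyone
    allow-transfer { none; };      // this host gives out no zone copies at all
    version "not disclosed";       // don't volunteer the software version
};

// TSIG key shared with the hidden primary. Generate a real secret with
// `tsig-keygen secondary-xfer` and keep this file out of world-readable paths.
key "secondary-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT=";   // placeholder, not a real key
};

zone "example.com" {
    type secondary;                // "slave" on BIND releases before 9.16
    file "secondaries/example.com.zone";
    // Pull the zone only from the firewalled primary, signing each request
    // with the shared key so the primary can verify who is asking.
    primaries { 203.0.113.10 key "secondary-xfer"; };
};

// The recursive service for staff runs on separate, internal-only hosts with
// the opposite posture (and a matching firewall rule on the perimeter):
//
//   options { recursion yes; allow-recursion { internal; }; allow-query { internal; }; };
```

Note that the on-server ACLs are the second layer: the article also expects perimeter firewall rules that only let TCP/UDP 53 from the Internet reach the authoritative hosts, and only internal ranges reach the recursive ones.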
Hiding Primary Servers
Any server that hosts the master copy of a zone should remain a hidden primary. The sole purpose of such a server should be serving data to the secondary name servers across the company. You should make sure that these servers are not accessible to end users and are not listed as name servers for any zone.
Secondary name servers are responsible for answering queries. This is why you should refrain from letting primary name servers accept or respond to any DNS query from an end user. It’s best to restrict access to primary name servers to the users responsible for maintaining and storing the data on them, as this helps you ensure DNS data integrity.
If your company has externally available name servers, you should place the primary name servers behind a firewall. With the right firewall rules in place, the secondaries can still send queries and zone transfer requests to the primaries.
Although the risk of DNS-related attacks always looms over our heads, a well-organized DNS infrastructure lets us mitigate or eliminate a considerable number of existing attacks. It not only restricts access to servers to those who legitimately need it, but also helps ensure the integrity of the data by granting users access according to their designated roles.
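The hidden-primary arrangement described above, as an added example in BIND 9 `named.conf` syntax (not the article's own configuration): the primary answers only its secondaries and the maintenance network, transfers the zone only to a listed secondary that also presents the shared TSIG key, notifies those secondaries explicitly, and is left out of the zone's NS records so that no end user is ever directed to it. The addresses, ACL ranges, zone name, serial and key secret are assumed placeholders.

```conf
// Added example, not the article's own configuration. BIND 9 named.conf for a
// hidden primary plus a fragment of its zone file. All addresses, names and
// the key secret below are assumed placeholders.

acl "secondaries" { 192.0.2.53; 198.51.100.53; };   // the public authoritative servers
acl "maintenance" { 203.0.113.0/28; };              // admin jump hosts (assumed range)

// Same TSIG key the secondaries hold; generate it with `tsig-keygen secondary-xfer`.
key "secondary-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT=";       // placeholder, not a real key
};

options {
    directory "/var/named";
    recursion no;
    // Only the secondaries and the admin hosts may query this server at all;
    // end users resolve through the secondaries. Pair this with a perimeter
    // firewall rule that admits port 53 from the same sources only.
    allow-query    { secondaries; maintenance; };
    allow-transfer { none; };                        // enabled per zone below
    notify explicit;                                 // notify only hosts we list
};

zone "example.com" {
    type primary;                                    // "master" before BIND 9.16
    file "primary/example.com.zone";
    // Address AND key: the nested, negated list rejects any source that is not
    // a listed secondary; a request that survives must also be TSIG-signed.
    allow-transfer { !{ !secondaries; any; }; key "secondary-xfer"; };
    also-notify { 192.0.2.53; 198.51.100.53; };
};

// primary/example.com.zone (fragment). The SOA MNAME and the NS set name only
// the public secondaries, so the hidden primary never appears in the delegation
// and receives no end-user queries.
//
// $TTL 3600
// @   IN SOA  ns1.example.com. hostmaster.example.com. (
//             2024010101 7200 900 1209600 3600 )
//     IN NS   ns1.example.com.
//     IN NS   ns2.example.com.
// ns1 IN A    192.0.2.53
// ns2 IN A    198.51.100.53
```

A quick way to confirm the split is working is to check, from an external vantage point, that the NS set returned for the zone contains only the secondaries and that the primary's address refuses queries; from a secondary, a TSIG-signed AXFR against the primary should succeed while an unsigned one from the same host is refused.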