DNS security is usually not at the forefront of enterprise security concerns
Attacks on DNS take many forms and have a variety of objectives. Some attacks such as DDoS are designed to make DNS unavailable. Others, like cache poisoning, are designed to misdirect users to malicious websites; and still others are designed to use DNS as a vector for exfiltrating private data.
Most organizations in any given year face one or more attacks on their DNS.
Outsourcing DNS to an external provider does relieve an organization of some security responsibilities, but IT and security teams should have a basic understanding of DNS security and the best practices for defending DNS from the wide variety of attacks that can be directed at it.
Read more to learn about:
- Common DNS attacks
- DNSSEC: What it does and doesn't do
- 6 best practices for DNS security
- Setting up DNS security yourself vs. using a managed service
- NS1 - a next-generation DNS service built with security in mind
DNS Security with NS1
NS1 is a next-generation DNS designed with security in mind. We’re the only DNS provider that offers advanced traffic routing that works seamlessly with state-of-the-art DNS security. Our security features include DNSSEC, DDoS protection and an industry-first redundancy solution: two separate DNS networks with single-pane-of-glass management.
Common DNS Attacks
While some attacks are aimed at taking down authoritative name servers to deny access to a domain, others manipulate DNS to redirect traffic to malicious destinations. Yet others allow attackers to take control of DNS infrastructure, with disastrous consequences to the DNS server’s owners and unwitting third parties.
This is a form of DDoS attack that overwhelms the network capacity that connects authoritative servers to the internet. With the available bandwidth consumed with malicious traffic, the legitimate traffic carrying DNS queries cannot reach the authoritative servers.
Random Subdomain Attack
This is a denial of service attack which hits a domain’s authoritative name servers with a large number of requests for random, nonexistent subdomains (e.g. randomstring.example.com). The name servers become bogged down responding to these bogus requests and become unavailable to answer legitimate queries. Also referred to as NXDomain attacks, they can result in denial of service at the recursive resolver level.
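As an added, defender-side example (not from the original article), the following Go heuristic flags the NXDOMAIN pattern described above in constructed resolver query-log lines: many misses under one parent name whose leftmost labels look machine-generated. The log format, the entropy threshold and the minimum miss count are assumptions to tune per environment.

```go
package main

import (
	"math"
	"strings"
)

// Constructed query-log lines ("<client> <qname> <rcode>", no trailing dot), not real
// traffic: 203.0.113.9 is querying random nonexistent labels under example.com.
var sampleLog = []string{
	"198.51.100.8 typo.example.org NXDOMAIN",
	"203.0.113.9 x7k2q9vbt1.example.com NXDOMAIN",
	"203.0.113.9 a4zp8m3wqe.example.com NXDOMAIN",
	"203.0.113.9 k9d2h7fs1l.example.com NXDOMAIN",
}

// labelEntropy: Shannon entropy of a label in bits/char; random labels score high, words like "typo" low.
func labelEntropy(label string) (h float64) {
	counts := map[rune]int{}
	for _, r := range label {
		counts[r]++
	}
	for _, c := range counts {
		p := float64(c) / float64(len(label))
		h -= p * math.Log2(p)
	}
	return h
}

// suspiciousParents groups NXDOMAIN answers by the parent name above the missing leftmost
// label and flags parents with >= minNX misses averaging above minEntropy bits/char.
func suspiciousParents(lines []string, minNX int, minEntropy float64) map[string]int {
	nx, ent := map[string]int{}, map[string]float64{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 3 || f[2] != "NXDOMAIN" || strings.Count(f[1], ".") < 2 {
			continue // malformed line, successful answer, or no subdomain label to score
		}
		i := strings.Index(f[1], ".")
		nx[f[1][i+1:]]++
		ent[f[1][i+1:]] += labelEntropy(f[1][:i])
	}
	flagged := map[string]int{}
	for parent, n := range nx {
		if n >= minNX && ent[parent]/float64(n) > minEntropy {
			flagged[parent] = n
		}
	}
	return flagged
}
```

With the sample above, `suspiciousParents(sampleLog, 3, 3.0)` flags example.com with three misses and leaves the single human typo under example.org alone.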
Attacks on DNS Integrity and Protocol
An attacker forges DNS data in the cache of a user’s DNS resolver. The user receives an incorrect IP address for a domain and is taken to another website, which may be malicious.
BGP Hijacking Attack
Attackers maliciously reroute Internet traffic using the Border Gateway Protocol (BGP) by falsely announcing IP prefixes they do not own. This can be used to divert traffic away from legitimate authoritative DNS servers to malicious name servers that in turn provide bogus DNS responses. While not an attack on DNS itself, BGP hijacking is often used to direct users to fake, malicious DNS name servers.
DNS Protocol Attacks
This type of attack can take different forms, but typically involves using malformed packets that cause extra processing load on the DNS servers to the point that they cannot process legitimate queries.
Attackers tunnel other protocols, such as TCP or SSH, inside DNS requests to move malware or stolen data past firewalls undetected. While not an attack on DNS itself, this technique uses DNS as the channel for exfiltrating data.
Attacks on DNS Management
DNS Hijacking (Credential Theft)
Attackers gain unauthorized access to the management of DNS servers. With this control they can alter or destroy zone data.
Attackers change the registration of a domain name and assume ownership. This is typically achieved by gaining unauthorized access to the registrar account for the domain, through credential theft or social engineering.
Attacks Leveraging DNS
DNS Amplification Attack (DNS Flood)
Attackers can amplify DDoS attacks using DNS responses that are much larger than the initial query packet. Fake DNS lookups sent to open recursive servers can achieve a 25x to 40x amplification factor. The source IP of the fake lookups is spoofed to be the victim’s address, so the large responses are directed at the victim website.
The NS1 Approach to DNS Security
The DNS that supports your business’ internet presence is a worldwide distributed system operated by many different entities. It includes the organizations that run the root and top level domain servers, providers of recursive name services, authoritative name services provided by managed DNS providers like NS1, and the domain registrars that manage internet names.
No one provider can secure the entire system, but your authoritative DNS plays a key role in maintaining the availability and integrity of your online presence. Every aspect of the NS1 DNS service is focused on ensuring 100% availability, performance, and security.
It starts with the network. Our globally anycasted network of PoPs is connected to multiple Tier-1 providers in every region, supplemented by connectivity from over 20 regional providers and 10 peering exchanges. The result is a self-healing IP network of unparalleled reach, capacity and performance.
NS1 has designed a multi-faceted approach to DDoS defense that combines the raw power of our massively provisioned infrastructure, distributed network and autoscaling capabilities with sophisticated monitoring, detection and filtering capabilities at every level of the protocol stack. We are also obsessive about operational readiness. We constantly analyze attacks, update our DDoS defense playbooks, and conduct fire drills and simulations to ensure peak readiness to respond at all times.
Finally, NS1 makes it easy for you as a user to maintain secure control over your DNS. Our security capabilities include award winning implementation of DNSSEC, easy to use options for redundant DNS, strong authentication and support for DNS security protocols.
What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) is a suite of extensions to the DNS standard that uses digital signatures to validate the authenticity of DNS responses.
DNSSEC prevents attacks that inject false information into DNS resolvers, such as DNS spoofing, cache poisoning and man-in-the-middle attacks. When DNSSEC is enabled, resolvers look for a valid digital signature in the DNS record provided by authoritative DNS servers. Attackers are not able to forge this signature, protecting users from being misdirected to fake or malicious websites.
How DNSSEC Works
With DNSSEC, when a resolver requests information from an authoritative DNS server, the response is digitally signed. This provides validation that the response comes from a trusted source and has not been altered in transit. Validation is performed all the way to the top of the DNS tree - DNS responses are signed by DNS root servers, top level domain (TLD) servers, and authoritative name servers for specific domains. This prevents resolvers from accepting fake DNS information and serving it to end users.
DNSSEC relies on several additional DNS record types: RRSIG, DNSKEY, DS, NSEC, NSEC3 and NSEC3PARAM.
While many managed DNS services today support DNSSEC, most businesses have not enabled DNSSEC for their DNS zones. Many companies believe that the risk of attacks prevented by DNSSEC does not warrant the effort and trade-offs of enabling it. Recent events such as BGP hijacking attacks targeting DNS have shown that the risks are real. At NS1 our implementation of DNSSEC is easy to use and has none of the trade-offs that come with implementations on most other DNS platforms.
Because DNS is a mission critical service, administrative access to DNS management should be tightly controlled. There are several recommended measures for securing administrative access to DNS systems:
- Strong password enforcement
- Role based access controls (RBAC)
- Admin session timeouts and forced re-login
- IP address whitelisting - restricting admin access to trusted sources
- Single Sign On (SSO)
DNSSEC Online Signing vs. Offline Signing
Most DNS providers implement DNSSEC with offline signing. This means DNS information is signed in advance, before it is requested in a DNS lookup. This mode is incompatible with DNS traffic management features such as geo-routing and active failover. As a result, many companies opt out of using DNSSEC because they rely on those traffic routing features to improve the performance and uptime of their applications.
The reason for this issue is that with DNSSEC, the signature covers the entire resource record set (e.g. all the A records for a name in the zone), not an individual record. That signature is sent to the resolver along with the A records themselves, and the resolver validates those records against the signature. The resolver in turn sends one of the A records to the requester, typically using round robin.
In a traffic routing scenario, the authoritative server sends only one A record from the zone to the resolver. That record is dynamically selected based on, for example, the location of the DNS query. The result is a signature mismatch: the resolver received a signature computed over all the A records but only one dynamically selected A record.
The NS1 implementation of DNSSEC uses online signing. After receiving a DNS query, the optimal record from the zone is selected based on whatever traffic management criteria are in use, and that response is signed "on the fly." The result is no signature mismatch at the resolver. The response is fully validated using standards-compliant DNSSEC and there is no loss of traffic management capabilities.
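The following Go program is an added illustration (not NS1’s code) of the two DNSSEC points above: a resolver validating a signed RRset (the "How DNSSEC Works" section) and why a pre-computed RRSIG over a full RRset fails when traffic management returns a single record, while signing the selected record at query time succeeds. It models the RRSIG/DNSKEY roles with Ed25519 over a simplified canonical RRset form rather than real wire-format records; record names, addresses and the `RR` type are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"sort"
	"strings"
)

type RR struct{ Owner, Type, RData string } // minimal RR model, not the DNS wire format
// canonical approximates RFC 4034 section 6 canonical form (owner lowercased, RRset
// sorted) so signer and validator hash the same bytes whatever order records arrive in.
func canonical(rrset []RR) []byte {
	lines := make([]string, len(rrset))
	for i, rr := range rrset {
		lines[i] = strings.ToLower(rr.Owner) + " " + rr.Type + " " + rr.RData
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// signRRset plays the RRSIG role (Ed25519 is DNSSEC algorithm 15): one signature covers the whole RRset.
func signRRset(priv ed25519.PrivateKey, rrset []RR) []byte {
	return ed25519.Sign(priv, canonical(rrset))
}

// validate plays the resolver role, checking an answer against the zone's DNSKEY.
func validate(pub ed25519.PublicKey, rrset []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rrset), sig)
}

// Constructed zone data: three A records behind one name (documentation range).
var wwwRRset = []RR{
	{"www.example.com.", "A", "192.0.2.10"},
	{"www.example.com.", "A", "192.0.2.20"},
	{"www.example.com.", "A", "192.0.2.30"},
}

// runScenarios models a geo-routed answer carrying only wwwRRset[1] and reports whether a
// validating resolver accepts it with offline signing, online signing, and after on-path tampering.
func runScenarios() (offlineGeo, onlineGeo, tampered bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors only if the OS CSPRNG fails
	geo := wwwRRset[1:2]                // the single record traffic management selected
	preSig := signRRset(priv, wwwRRset) // offline: RRSIG over all three, computed in advance
	liveSig := signRRset(priv, geo)     // online: RRSIG over exactly the selected record
	spoofed := []RR{{"www.example.com.", "A", "203.0.113.66"}} // attacker-substituted rdata
	return validate(pub, geo, preSig), // false: signed records are missing from the answer
		validate(pub, geo, liveSig), // true: what was signed is what was sent
		validate(pub, spoofed, liveSig) // false: forgery without the zone's private key fails
}
```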
6 Best Practices for DNS Security
Only NS1 Implements all Six DNS Security Best Practices
NS1 gives you state-of-the-art DNS security without trade-offs in DNS functionality and manageability. The best security does not interfere with or get in the way of functionality and usability. These are the design principles guiding our approach. The result is DNS security that is effective and easy to implement.
Setting up DNS Security Yourself vs. Using a Secure Managed Service
Every business with a presence on the internet needs a DNS to connect users to its web or application services. DNS can be outsourced to managed DNS providers, or it can be self-hosted. The security considerations for each of these options are summarized below:
When considering outsourcing to a managed DNS provider, enterprises should conduct “due diligence” to determine that the provider employs best practices in addressing these security requirements, and that their service supports as many as possible of the best practices listed above - DNSSEC, TSIG, etc.
Self Hosted DNS for Internal Networks
Most enterprises require a self-hosted DNS solution for their private internal networks. The DNS can be based on open source platforms such as BIND or PowerDNS, proprietary DNS server software, or appliances.
Self-hosting an open source DNS server comes with additional security considerations:
- Need to “lock down” host systems
- Need to stay informed about and install security updates to DNS software
- Security setup is often more complex because some security features are not built into the open source server
Secure Managed DNS or Secure Private DNS
NS1 is not only a highly secure, next-generation managed DNS service. It also provides its high performance DNS server as a software product you can deploy on local networks. By using NS1’s Private DNS instead of open source solutions, you shift the burden of security from local teams to NS1’s DNS experts. Deploying NS1 Private DNS behind your firewall gives you state-of-the-art DNS security out of the box, combined with advanced features like fast service discovery, containerization support, traffic management and robust DNS-based load balancing.
NS1: the Next-Generation DNS Service Built with Security in Mind
NS1 is a DNS provider that offers state-of-the-art DNS protection, covering all six of the best practices above: