1. Use DNSSEC
At NS1 we took extra steps to implement DNSSEC using “online signing.” By securely signing DNS responses on the fly we retain support for all the real time DNS traffic management features of our platform for zones secured with DNSSEC. This is a big win for our customers as they can use DNS to optimize end user experience, manage multiple CDN providers and migrate to the cloud while ensuring their zones (and by extension, their end users) are protected. DNSSEC can also complicate maintaining a redundant, dual DNS architecture. Most providers cannot support DNSSEC and also function as a secondary DNS to another provider, or be primary in a dual provider set-up. At NS1 our redundant DNS solution Dedicated DNS is fully compatible with DNSSEC. This allows our customers to deploy DNSSEC in a redundant architecture while retaining full traffic management capabilities. No other provider can do this.
Although modern managed DNS services are designed for high availability, they are not immune from outages. Full or partial outages can result from denial of service attacks, failures in critical network infrastructure, or configuration errors. The result of a DNS outage is that your applications and content are no longer available to users.
3. Strong Access Controls for DNS Administration
Because DNS is a mission-critical service, administrative access to DNS management should be tightly controlled. There are several recommended measures for securing administrative access to DNS systems:
Strong password enforcement
Role based access controls (RBAC)
Admin session timeouts and forced re-login
IP address whitelisting - restricting admin access to trusted sources
Single Sign On (SSO)
5. Implement Redundant DNS
DNS redundancy is now a must-have for many enterprises, but deploying a redundant DNS infrastructure often involves trade-offs in cost, manageability, and performance. You might find yourself cobbling together management of different vendors and settling for minimally viable, common features shared between the vendors.
NS1 eliminates the need to settle for something less with our unique solution for redundancy called Dedicated DNS . With Dedicated DNS you get two independent DNS networks under single pane of glass management. You get all of NS1's advanced DNS routing and record management without any need to synchronize or transfer records across both systems. It is all automatic.
2. DDoS Protection for the DNS Layer
DDoS attacks against DNS infrastructure are common and can result in prolonged outages.
If you run your own DNS infrastructure, make sure you:
Protect against volumetric DDoS attack that deny access by overwhelming network links. DDoS protection services can help by absorbing large amounts of malicious traffic upstream from your network links.
Protect against application-level DNS attacks, such as the random subdomain attack. There are specialized appliances that provide DNS application layer protections.
Overprovision your DNS infrastructure to absorb traffic spikes.
You can avoid having to take these measures yourself by outsourcing your DNS to a managed service like NS1's suite of Managed DNS Services.
NS1 Managed DNS is designed to withstand DDoS and other risks to availability by combining the following:
Massive capacity to absorb traffic spikes.
An advanced globally anycasted network with tier 1 and tier 2 internet connectivity.
Advanced, automated filtering to identify and block malicious traffic at ingress points, in switches and DNS servers.
24x7x365 monitoring by expert teams.
4. Leveraging Anycast for High Availability
DNS infrastructure based on the anycast protocol is another way to achieve high availability and resiliency. With anycast, when a DNS recursive resolver sends a query to an authoritative name server, the anycast protocol automatically routes the query to the name server that is the fewest network hops from the resolver. This improves performance and provides a faster and more reliable response in case of name server outage.
Anycast is a highly resilient routing method. As soon as servers go down, are impacted by DDoS or become unavailable due to global connectivity issues (e.g. a cut fiber or congestion in a certain Internet segment), anycast dynamically diverts DNS requests to an available server.
NS1 Managed and Dedicated DNS services are anycasted.
6. Secure Zone Transfers with TSIG Authentication
When operating a secondary DNS zone, DNS zone information is frequently copied from primary to secondary server - this is called a zone transfer. Attackers might intercept these communications and use it to inject fake DNS records into secondary DNS servers, as part of a DNS spoofing attack.
TSIG (Transaction Signature) is a DNS networking protocol that provides enhanced security for zone transfers. TSIG uses cryptographic shared keys to digitally sign zone data, before it is sent to the secondary DNS server. This validates that the source of the zone transfer (the primary DNS server) is legitimate and can be trusted, and that the zone transfer itself was not altered in transit.