DNS Security

A secure DNS is essential for an organization's online presence as well as for its applications on the internal private network. DNS attacks are becoming more frequent and sophisticated, so securing the DNS layer is essential to protecting revenue, users and brand reputation.


DNS security is usually not at the forefront of enterprise security concerns

Attacks on DNS take many forms and have a variety of objectives. Some attacks such as DDoS are designed to make DNS unavailable. Others, like cache poisoning, are designed to misdirect users to malicious websites; and still others are designed to use DNS as a vector for exfiltrating private data.

Most organizations in any given year face one or more attacks on their DNS.

Outsourcing DNS to an external provider does relieve an organization of some security responsibilities, but IT and security teams should have a basic understanding of DNS security and the best practices for defending DNS from the wide variety of attacks that can be directed at it.

Read more to learn about:

  • Common DNS attacks
  • DNSSEC: What it does and doesn't do
  • 6 best practices for DNS security
  • Setting up DNS security yourself vs. using a managed service
  • NS1 - a next-generation DNS service built with security in mind

Common DNS Attacks

While some attacks are aimed at taking down authoritative name servers to deny access to a domain, others manipulate DNS to redirect traffic to malicious destinations. Yet others allow attackers to take control of DNS infrastructure, with disastrous consequences to the DNS server’s owners and unwitting third parties.

Flood Attack

This is a form of DDoS attack that overwhelms the network capacity that connects authoritative servers to the internet. With the available bandwidth consumed with malicious traffic, the legitimate traffic carrying DNS queries cannot reach the authoritative servers.


Random Subdomain Attack

This is a denial of service attack which hits a domain’s authoritative name servers with a large number of requests for random, nonexistent subdomains (e.g. randomstring.example.com). The name servers become bogged down responding to these bogus requests and become unavailable to answer legitimate queries. Also referred to as NXDomain attacks, they can result in denial of service at the recursive resolver level.
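The signature of a random subdomain attack is visible in authoritative query logs: one source generating many NXDOMAIN answers for names under the zone, almost all of them unique and with leftmost labels that look random. The following detector is an added example, not code from the original page or from NS1; the log line format, the sample lines, and the thresholds are constructed assumptions and the parser should be adapted to the layout your server actually writes.

```python
"""Flag sources of random-subdomain (NXDOMAIN flood) traffic in authoritative query logs.

Added example, not from the original page. The log format, the sample lines
and the thresholds are assumptions; adapt LINE_RE to your server's log layout.
"""
import re
from collections import defaultdict
from math import log2

# Constructed sample log lines: timestamp, client IP, queried name, response code.
SAMPLE_LOG = """\
12:00:01 203.0.113.10 www.example.com NOERROR
12:00:01 203.0.113.10 mail.example.com NOERROR
12:00:02 198.51.100.7 x7f9q2kd.example.com NXDOMAIN
12:00:02 198.51.100.7 p0a3mz1w.example.com NXDOMAIN
12:00:02 198.51.100.7 kq8d2lsa.example.com NXDOMAIN
12:00:03 198.51.100.7 zz91ab3c.example.com NXDOMAIN
12:00:03 198.51.100.7 m2n4b6v8.example.com NXDOMAIN
12:00:03 203.0.113.10 shop.example.com NOERROR
12:00:04 198.51.100.7 q1w2e3r4.example.com NXDOMAIN
12:00:04 192.0.2.33 ftp.example.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")


def parse_log(text):
    """Yield (client, qname, rcode) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, client, qname, rcode = m.groups()
            yield client, qname.lower().rstrip("."), rcode


def label_entropy(label):
    """Shannon entropy in bits per character; random labels score higher than dictionary words."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * log2(c / n) for c in counts.values())


def find_random_subdomain_sources(log_text, zone, min_nxdomain=5,
                                  min_unique_ratio=0.8, min_entropy=2.5):
    """Return {client: stats} for clients whose NXDOMAIN queries under `zone` are
    numerous, almost all unique, and carry high-entropy leftmost labels.
    """
    per_client = defaultdict(lambda: {"nx": 0, "names": set(), "entropy_sum": 0.0})
    suffix = "." + zone.lower().rstrip(".")
    for client, qname, rcode in parse_log(log_text):
        if rcode != "NXDOMAIN" or not qname.endswith(suffix):
            continue
        st = per_client[client]
        st["nx"] += 1
        st["names"].add(qname)
        # Leftmost label of the part below the zone apex is where the randomness lives.
        st["entropy_sum"] += label_entropy(qname[: -len(suffix)].split(".")[0])

    flagged = {}
    for client, st in per_client.items():
        unique_ratio = len(st["names"]) / st["nx"]
        avg_entropy = st["entropy_sum"] / st["nx"]
        if (st["nx"] >= min_nxdomain and unique_ratio >= min_unique_ratio
                and avg_entropy >= min_entropy):
            flagged[client] = {"nxdomain": st["nx"],
                               "unique_ratio": round(unique_ratio, 2),
                               "avg_entropy": round(avg_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for client, stats in find_random_subdomain_sources(SAMPLE_LOG, "example.com").items():
        print(client, stats)
```

On the constructed sample, only 198.51.100.7 is flagged: 192.0.2.33 produced a single NXDOMAIN for a plausible name, which is ordinary typo traffic. In production the thresholds should be set from a baseline of the zone's normal NXDOMAIN rate, and the per-client view should be combined with an aggregate view, since a distributed attack spreads the queries over many sources.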

Attacks on DNS Integrity and Protocol

Cache Poisoning

An attacker forges DNS data in the cache of a user’s DNS resolver. The user receives an incorrect IP address for a domain and is taken to another website, which may be malicious.


BGP Hijacking Attack

Attackers maliciously reroute Internet traffic using the Border Gateway Protocol (BGP) by falsely announcing IP prefixes they do not actually own. This type of attack can be used to direct traffic away from legitimate authoritative DNS servers to malicious name servers that in turn provide bogus DNS responses. While not an attack on DNS itself, this type of BGP attack is often used to direct users to fake, malicious DNS name servers.


DNS Protocol Attacks

This type of attack can take different forms, but typically involves using malformed packets that cause extra processing load on the DNS servers to the point that they cannot process legitimate queries.


DNS Tunneling

Attackers use protocols like TCP or SSH, encoded within DNS protocol requests, to pass malware or stolen data without being detected by firewalls. While not an attack on DNS, this form of attack can use DNS to exfiltrate data.


Attacks on DNS Management

DNS Hijacking (Credential Theft)

Attackers gain unauthorized access to the management of DNS servers. With this control they can alter or destroy zone data.





Domain Theft

Attackers change the registration of a domain name and assume ownership. This is typically achieved by gaining unauthorized access to the registrar account for the domain, through credential theft or social engineering.

Attacks Leveraging DNS

DNS Amplification Attack (DNS Flood)

Attackers can amplify DDoS attacks using DNS responses that are larger than the initial query packet. Fake DNS lookups to open recursive servers can achieve a 25x to 40x amplification factor. The source IP of the fake lookups is the victim website.


The NS1 Approach to DNS Security

The DNS that supports your business’ internet presence is a worldwide distributed system operated by many different entities. It includes the organizations that run the root and top level domain servers, providers of recursive name services, authoritative name services provided by managed DNS providers like NS1, and the domain registrars that manage internet names.

No one provider can secure the entire system, but your authoritative DNS plays a key role in maintaining the availability and integrity of your online presence. Every aspect of the NS1 DNS service is focused on ensuring 100% availability, performance, and security.

It starts with the network. Our globally anycasted network of PoPs is connected to multiple Tier-1 providers in every region, supplemented by connectivity from over 20 regional providers and 10 peering exchanges. The result is a self-healing IP network of unparalleled reach, capacity and performance.


NS1 has designed a multi-faceted approach to DDoS defense that combines the raw power of our massively provisioned infrastructure, distributed network and autoscaling capabilities with sophisticated monitoring, detection and filtering capabilities at every level of the protocol stack. We are also obsessive about operational readiness. We constantly analyze attacks, update our DDoS defense playbooks, and conduct fire drills and simulations to ensure peak readiness to respond at all times.

Finally, NS1 makes it easy for you as a user to maintain secure control over your DNS. Our security capabilities include an award-winning implementation of DNSSEC, easy-to-use options for redundant DNS, strong authentication, and support for DNS security protocols.

What is DNSSEC?

Domain Name System Security Extensions (DNSSEC) is a suite of extensions to the DNS standard which uses digital signatures to validate the authenticity of DNS responses.

DNSSEC prevents attacks that inject false information into DNS resolvers, such as DNS spoofing, cache poisoning and man-in-the-middle attacks. When DNSSEC is enabled, resolvers look for a valid digital signature on the DNS records provided by authoritative DNS servers. Attackers are not able to forge this signature, protecting users from being misdirected to fake or malicious websites.

How DNSSEC Works

With DNSSEC, when a resolver requests information from an authoritative DNS server, the response is digitally signed. This provides validation that the response comes from a trusted source and has not been altered in transit. Validation is performed all the way to the top of the DNS tree - DNS responses are signed by DNS root servers, top level domain (TLD) servers, and authoritative name servers for specific domains. This prevents resolvers from accepting fake DNS information and serving it to end users.

DNSSEC relies on several additional DNS record types: RRSIG, DNSKEY, DS, NSEC, NSEC3 and NSEC3PARAM.
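The link between one level of the tree and the next is the DS record: the parent publishes a hash of the child's key-signing DNSKEY, and a validator accepts the child's DNSKEY only if its key tag and digest match that DS. The script below is an added example, not code from the page or from NS1; it computes the RFC 4034 key tag and the SHA-256 DS digest over the canonical owner name plus DNSKEY RDATA, and then performs the validator's comparison. The DNSKEY public key bytes are a constructed placeholder, not a real key.

```python
"""Linking a child DNSKEY to the parent's DS record (RFC 4034 s.5.1.4 and App. B; RFC 4509 for SHA-256).

Added example, not from the original page. PLACEHOLDER_KEY is a constructed
stand-in for a public key; everything else follows the wire formats in the RFCs.
"""
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name | DNSKEY RDATA). Type 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, rdata, digest_type=2):
    """The DS RDATA fields (key tag, algorithm, digest type, digest) the parent zone publishes."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner, rdata):
    """Validator-side check: does this DS from the parent authenticate the child's DNSKEY?"""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3]
            and ds_digest(owner, rdata, dtype) == digest.upper())


# Constructed placeholder KSK: flags 257 = zone key + SEP bit, algorithm 13 = ECDSAP256SHA256.
PLACEHOLDER_KEY = bytes(range(1, 65))  # NOT a real public key
KSK_RDATA = dnskey_rdata(257, 3, 13, PLACEHOLDER_KEY)


if __name__ == "__main__":
    ds = ds_record("example.com", KSK_RDATA)
    print("DS to publish in the parent:", ds)
    print("genuine key validates:", ds_matches_dnskey(ds, "example.com", KSK_RDATA))
    tampered = dnskey_rdata(257, 3, 13, b"\x00" + PLACEHOLDER_KEY[1:])
    print("tampered key validates:", ds_matches_dnskey(ds, "example.com", tampered))
```

The same computation is what an operator runs when rolling a key-signing key: the new DS must be published at the registrar and match the new DNSKEY before the old key is retired, or validating resolvers will return SERVFAIL for the whole zone.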

While many managed DNS services today support DNSSEC, most businesses have not enabled DNSSEC for their DNS zones. Many companies believe that the risk of attacks prevented by DNSSEC does not warrant the effort and trade-offs of enabling it. Recent events such as BGP hijacking attacks targeting DNS have shown that the risks are real. At NS1 our implementation of DNSSEC is easy to use and has none of the trade-offs that come with implementations on most other DNS platforms.

DNSSEC Online Signing vs. Offline Signing

Most DNS providers implement DNSSEC with offline signing. This means DNS information is signed in advance, before it is requested in a DNS lookup. This mode is incompatible with DNS traffic management features such as geo-routing and active failover. As a result, many companies opt out of using DNSSEC because they rely on those traffic routing features to improve the performance and uptime of their applications.

The reason for this issue is that with DNSSEC, the entire resource record set (e.g. all the A records for a given name in the zone) is digitally signed. That signature is sent to the resolver, along with the A records themselves. The resolver validates those records against the signature. The resolver in turn sends one of the A records to the requester, typically using round robin.

In a traffic routing scenario, the authoritative server sends only one A record from the set to the resolver. That record is dynamically selected based on, for example, the location of the DNS query. The result is a signature mismatch - the resolver received a signature computed over all the A records but only received one dynamically selected A record.

The NS1 implementation of DNSSEC uses online signing. After receiving a DNS query, the optimal record from the zone is selected based on whatever traffic management criteria are used, and that response is signed "on the fly." The result is no signature mismatch at the resolver. The response is fully validated using standards-compliant DNSSEC and there is no loss of traffic management capabilities.
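The mismatch is easiest to see from the bytes an RRSIG actually covers. The script below is an added example, not code from the page or from NS1: it builds the signature input defined in RFC 4034 section 3.1.8.1 (the RRSIG RDATA without the signature field, followed by the RRset in canonical form) and shows that a response carrying one dynamically selected A record cannot validate against a signature computed over the whole RRset, while a signature computed over just the selected record can. An HMAC over a constructed key stands in for the zone's asymmetric signature so the script runs with the standard library alone; real DNSSEC uses RSA, ECDSA or EdDSA, but the covered bytes are the same.

```python
"""What an RRSIG covers, and why an offline signature over the full RRset fails
when traffic management serves a single record.

Added example, not from the original page. HMAC-SHA256 with DEMO_KEY is a
constructed stand-in for the zone's private-key signature; the addresses,
timestamps and key tag are constructed demo values.
"""
import hashlib
import hmac
import socket
import struct

TYPE_A, CLASS_IN = 1, 1


def name_to_wire(name):
    """Canonical wire form of a name: lowercase labels, length-prefixed, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def canonical_rrset(owner, rtype, ttl, rdatas):
    """RFC 4034 s.6.3 canonical RRset: RRs sorted by RDATA, each as owner|type|class|TTL|rdlen|rdata."""
    out = b""
    for rdata in sorted(rdatas):
        out += name_to_wire(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return out


def rrsig_rdata_prefix(rtype, labels, orig_ttl, expiration, inception, key_tag, signer, algorithm=13):
    """RRSIG RDATA up to, but not including, the signature field."""
    return (struct.pack("!HBBIIIH", rtype, algorithm, labels, orig_ttl, expiration, inception, key_tag)
            + name_to_wire(signer))


def signature_input(prefix, owner, rtype, ttl, rdatas):
    """The exact bytes the signer signs and the validator re-derives from the received RRset."""
    return prefix + canonical_rrset(owner, rtype, ttl, rdatas)


def sign(key, data):
    """Stand-in for the zone's private-key signature (constructed HMAC for the demo)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def validate(key, signature, prefix, owner, rtype, ttl, rdatas_received):
    """Resolver side: rebuild the covered bytes from what arrived and check the signature."""
    expected = sign(key, signature_input(prefix, owner, rtype, ttl, rdatas_received))
    return hmac.compare_digest(expected, signature)


# Constructed demo data: three A records for www.example.com and a 1-day signature window.
A_RECORDS = [socket.inet_aton(ip) for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30")]
PREFIX = rrsig_rdata_prefix(TYPE_A, 3, 300, 1700000000 + 86400, 1700000000, 2068, "example.com")
DEMO_KEY = b"demo-zone-signing-key"
OWNER = "www.example.com"


def offline_vs_online(selected=A_RECORDS[0]):
    """Offline: one signature over the whole RRset. Online: sign exactly what is being served."""
    offline_sig = sign(DEMO_KEY, signature_input(PREFIX, OWNER, TYPE_A, 300, A_RECORDS))
    online_sig = sign(DEMO_KEY, signature_input(PREFIX, OWNER, TYPE_A, 300, [selected]))
    return {
        # Full RRset served with the offline signature: validates.
        "offline_full_rrset": validate(DEMO_KEY, offline_sig, PREFIX, OWNER, TYPE_A, 300, A_RECORDS),
        # One selected record served with the offline signature: covered bytes differ, fails.
        "offline_one_record": validate(DEMO_KEY, offline_sig, PREFIX, OWNER, TYPE_A, 300, [selected]),
        # One selected record signed on the fly: validates.
        "online_one_record": validate(DEMO_KEY, online_sig, PREFIX, OWNER, TYPE_A, 300, [selected]),
    }


if __name__ == "__main__":
    for case, ok in offline_vs_online().items():
        print(f"{case}: {'validates' if ok else 'FAILS'}")
```

Note that canonical form sorts the RRs and lowercases the owner name, so the order in which records are stored or transmitted does not matter; what matters is the set of records covered, which is exactly what traffic management changes per query.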

6 Best Practices for DNS Security

1. Use DNSSEC

At NS1 we took extra steps to implement DNSSEC using “online signing.” By securely signing DNS responses on the fly we retain support for all the real-time DNS traffic management features of our platform for zones secured with DNSSEC. This is a big win for our customers as they can use DNS to optimize end user experience, manage multiple CDN providers and migrate to the cloud while ensuring their zones (and by extension, their end users) are protected.

DNSSEC can also complicate maintaining a redundant, dual DNS architecture. Most providers cannot support DNSSEC and also function as a secondary DNS to another provider, or be primary in a dual-provider set-up. At NS1 our redundant DNS solution Dedicated DNS is fully compatible with DNSSEC. This allows our customers to deploy DNSSEC in a redundant architecture while retaining full traffic management capabilities. No other provider can do this.

2. DDoS Protection for the DNS Layer

DDoS attacks against DNS infrastructure are common and can result in prolonged outages.

If you run your own DNS infrastructure, make sure you:

  • Protect against volumetric DDoS attacks that deny access by overwhelming network links. DDoS protection services can help by absorbing large amounts of malicious traffic upstream from your network links.
  • Protect against application-level DNS attacks, such as the random subdomain attack. There are specialized appliances that provide DNS application layer protections.
  • Overprovision your DNS infrastructure to absorb traffic spikes.

You can avoid having to take these measures yourself by outsourcing your DNS to a managed service like NS1's suite of Managed DNS Services.

NS1 Managed DNS is designed to withstand DDoS and other risks to availability by combining the following:

  • Massive capacity to absorb traffic spikes.
  • An advanced globally anycasted network with tier 1 and tier 2 internet connectivity.
  • Advanced, automated filtering to identify and block malicious traffic at ingress points, in switches and DNS servers.
  • 24x7x365 monitoring by expert teams.

3. Strong Access Controls for DNS Administration

Because DNS is a mission-critical service, administrative access to DNS management should be tightly controlled. There are several recommended measures for securing administrative access to DNS systems:

  • Strong password enforcement
  • 2-factor authentication
  • Role-based access controls (RBAC)
  • Admin session timeouts and forced re-login
  • IP address whitelisting - restricting admin access to trusted sources
  • Single Sign-On (SSO)
  • Activity logging

4. Leveraging Anycast for High Availability

DNS infrastructure based on anycast routing is another way to achieve high availability and resiliency. With anycast, when a DNS recursive resolver sends a query to an authoritative name server, the query is automatically routed to the name server that is the fewest network hops from the resolver. This improves performance and provides a faster and more reliable response in case of a name server outage.

Anycast is a highly resilient routing method. As soon as servers go down, are impacted by DDoS or become unavailable due to global connectivity issues (e.g. a cut fiber or congestion in a certain Internet segment), anycast dynamically diverts DNS requests to an available server.

NS1 Managed and Dedicated DNS services are anycasted.

5. Implement Redundant DNS

Although modern managed DNS services are designed for high availability, they are not immune from outages. Full or partial outages can result from denial of service attacks, failures in critical network infrastructure, or configuration errors. The result of a DNS outage is that your applications and content are no longer available to users.

DNS redundancy is now a must-have for many enterprises, but deploying a redundant DNS infrastructure often involves trade-offs in cost, manageability, and performance. You might find yourself cobbling together management of different vendors and settling for minimally viable, common features shared between the vendors.

NS1 eliminates the need to settle for something less with our unique solution for redundancy called Dedicated DNS. With Dedicated DNS you get two independent DNS networks under single-pane-of-glass management. You get all of NS1's advanced DNS routing and record management without any need to synchronize or transfer records across both systems. It is all automatic.

6. Secure Zone Transfers with TSIG Authentication

When operating a secondary DNS zone, DNS zone information is frequently copied from the primary to the secondary server - this is called a zone transfer. Attackers might intercept these communications and use them to inject fake DNS records into secondary DNS servers, as part of a DNS spoofing attack.

TSIG (Transaction Signature) is a DNS protocol extension that provides enhanced security for zone transfers. TSIG uses a cryptographic shared key to sign the zone data (with a keyed hash) before it is sent to the secondary DNS server. This validates that the source of the zone transfer (the primary DNS server) is legitimate and can be trusted, and that the zone transfer itself was not altered in transit.
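Concretely, TSIG appends an HMAC computed over the DNS message plus a set of "TSIG variables" (key name, algorithm, signing time, fudge window), and the receiving server recomputes it with the same shared secret. The script below is an added example, not code from the page or from NS1; it implements the RFC 8945 MAC computation with HMAC-SHA256 and the secondary's acceptance checks. `message` stands for the DNS message bytes with the TSIG RR already removed and ARCOUNT decremented, as the RFC requires before hashing; building full DNS packets is out of scope. The secret, key name and message bytes are constructed for the demo.

```python
"""TSIG (RFC 8945) authentication of zone transfer messages with HMAC-SHA256.

Added example, not from the original page. `message` is the DNS message with
the TSIG RR stripped; DEMO_SECRET, KEY_NAME and DEMO_MESSAGE are constructed.
"""
import hashlib
import hmac
import struct

ALGORITHM = "hmac-sha256."
CLASS_ANY = 255


def name_to_wire(name):
    """Canonical wire form of a name: lowercase labels, length-prefixed, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG variables covered by the MAC (RFC 8945 s.4.3): key name, class ANY, TTL 0,
    algorithm name, 48-bit time signed, fudge, error, other-len, other data."""
    return (name_to_wire(key_name)
            + struct.pack("!HI", CLASS_ANY, 0)
            + name_to_wire(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other))
            + other)


def tsig_mac(secret, key_name, message, time_signed, fudge, request_mac=b""):
    """MAC = HMAC(secret, [len-prefixed request MAC for responses] | message | TSIG variables)."""
    data = b""
    if request_mac:  # responses also cover the MAC of the request they answer
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def verify_tsig(secret, key_name, message, time_signed, fudge, mac, now, request_mac=b""):
    """Receiver side. Returns (accepted, tsig_error_name): BADTIME if the signing time is
    outside now +/- fudge, BADSIG if the MAC does not verify, NOERROR otherwise."""
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    expected = tsig_mac(secret, key_name, message, time_signed, fudge, request_mac)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    return True, "NOERROR"


# Constructed demo values.
DEMO_SECRET = b"constructed-shared-secret-for-demo"
KEY_NAME = "xfer-key.example.com."
DEMO_MESSAGE = b"<DNS AXFR message for example.com with TSIG RR removed>"
TIME_SIGNED = 1700000000
FUDGE = 300  # seconds of clock skew tolerated, a common default


def demo():
    """Sign as the primary, then verify as the secondary under four conditions."""
    mac = tsig_mac(DEMO_SECRET, KEY_NAME, DEMO_MESSAGE, TIME_SIGNED, FUDGE)
    return {
        "genuine": verify_tsig(DEMO_SECRET, KEY_NAME, DEMO_MESSAGE, TIME_SIGNED, FUDGE, mac, now=TIME_SIGNED + 10),
        "tampered": verify_tsig(DEMO_SECRET, KEY_NAME, DEMO_MESSAGE + b"x", TIME_SIGNED, FUDGE, mac, now=TIME_SIGNED + 10),
        "replayed_late": verify_tsig(DEMO_SECRET, KEY_NAME, DEMO_MESSAGE, TIME_SIGNED, FUDGE, mac, now=TIME_SIGNED + 1000),
        "wrong_key": verify_tsig(b"some-other-secret", KEY_NAME, DEMO_MESSAGE, TIME_SIGNED, FUDGE, mac, now=TIME_SIGNED + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two operational points follow from the code: the secret must be shared out of band and be unique per primary/secondary pair (a compromised secondary should not be able to impersonate the primary to others), and both servers need synchronized clocks, since anything outside the fudge window is rejected as BADTIME even when the key is correct.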

Setting up DNS Security Yourself vs. Using a Secure Managed Service

Every business with a presence on the internet needs a DNS to connect users to its web or application services. DNS can be outsourced to managed DNS providers, or it can be self-hosted. The security considerations for each of these options are summarized below:

When considering outsourcing to a managed DNS provider, enterprises should conduct “due diligence” to determine that the provider employs best practices in addressing these security requirements, and that their service supports as many as possible of the best practices listed above - DNSSEC, TSIG, etc.

Self Hosted DNS for Internal Networks

Most enterprises require a self-hosted DNS solution for their private internal networks. The DNS can be based on open source platforms such as BIND or PowerDNS, proprietary DNS server software, or appliance-based.

Self-hosting an open source DNS server comes with additional security considerations:

  • Need to “lock down” host systems
  • Need to stay informed about and install security updates to DNS software
  • Security setup is often more complex because some security features are not built into the open source server


NS1: the Next-Generation DNS Service Built with Security in Mind

NS1 is a DNS provider which offers state-of-the-art DNS protection, covering all six of the best practices above:

  • DNSSEC with Online Signing: enabling advanced traffic management features while DNSSEC is active, using online signing.
  • Anycast for High Availability: a fully anycasted international DNS.
  • DDoS Protection for the DNS Layer: massive overcapacity and advanced filtering to block malicious traffic and prevent interruption in case of attack.
  • 2-Factor Authentication for DNS Administration: secured access to DNS administration.
  • Secondary DNS for Redundancy: only NS1 lets you run two completely isolated DNS networks with the same provider, enabling easy management and advanced traffic routing.
  • Secure Zone Transfer with TSIG: authenticated transfer of DNS information.
