With the scope and sophistication of network-focused attacks increasing rapidly (BGP hijacking, DDoS, man-in-the-middle attacks, etc.), there are a few critical steps that can be taken to secure the DNS layer. Here are five of the most important steps you can take.
- Use DNSSEC to sign your zones so that validating resolvers can verify the answers they receive, protecting your web applications against hijacking and phishing.
- Deploy a secondary DNS network. Redundancy ensures that if one network comes under duress, the other takes over the queries for the pair, so that queries don't go unanswered.
- Borrow a page from the cloud computing playbook and leverage a managed DNS solution with a globally distributed, anycast network.
- Your network is only as strong as the weakest entry point, so ensure every user who has access to security management and network accounts has two-factor authentication enabled.
- When using zone transfers, whitelist the transfer IP addresses of your secondary providers and leverage TSIG to sign the transfers with your secret TSIG key, limiting exposure of the zone data.
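The last step above combines two checks, a source-address whitelist and a TSIG signature, and it helps to see how a primary applies them to an incoming transfer request. The following is an added example, not NS1's code and not the DNS wire format: it models the decision with an HMAC over the request plus TSIG's time-signed and fudge fields, and reports the outcome using TSIG's own error names (BADKEY, BADSIG, BADTIME). The key name, the key bytes, the address ranges and the request bytes are all constructed for the example.

```python
"""Simplified model of how a primary authorizes a zone transfer (AXFR) request:
first a source-address allowlist, then a TSIG-style HMAC over the request.
Constructed example: it does not build real DNS messages or the full TSIG
record (RFC 8945), but keeps TSIG's key ideas: a shared secret, a 48-bit
time-signed value, a fudge window, and the BADKEY/BADSIG/BADTIME outcomes.
"""
import hashlib
import hmac
import ipaddress
import time
from typing import Optional, Tuple

# Constructed values: the secondary provider's transfer source ranges
# (documentation prefixes) and the shared TSIG secret, keyed by key name.
TRANSFER_ALLOWLIST = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:2::/48"),
]
TSIG_KEYS = {
    "xfer.example.": bytes.fromhex(
        "2f8a1c9e3b7d4f60a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718"
    ),
}
FUDGE = 300  # seconds of clock skew tolerated, TSIG's usual default


def source_allowed(src_addr: str) -> bool:
    """Only addresses inside the allowlisted transfer ranges may ask for AXFR."""
    addr = ipaddress.ip_address(src_addr)
    return any(addr in net for net in TRANSFER_ALLOWLIST)


def tsig_mac(key: bytes, key_name: str, message: bytes, time_signed: int) -> bytes:
    """HMAC over the request plus the TSIG variables that are covered."""
    covered = (
        message
        + key_name.lower().encode()
        + time_signed.to_bytes(6, "big")   # 48-bit time signed, as in TSIG
        + FUDGE.to_bytes(2, "big")
    )
    return hmac.new(key, covered, hashlib.sha256).digest()


def sign_request(key_name: str, message: bytes, now: Optional[int] = None) -> dict:
    """What the secondary attaches to its AXFR request."""
    ts = int(time.time()) if now is None else now
    return {
        "key_name": key_name,
        "time_signed": ts,
        "mac": tsig_mac(TSIG_KEYS[key_name], key_name, message, ts),
    }


def authorize_axfr(src_addr: str, message: bytes, tsig: dict,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Decision the primary makes; returns (allowed, reason)."""
    if not source_allowed(src_addr):
        return False, "REFUSED: source not in transfer allowlist"
    key = TSIG_KEYS.get(tsig["key_name"].lower())
    if key is None:
        return False, "BADKEY"
    expected = tsig_mac(key, tsig["key_name"], message, tsig["time_signed"])
    # Constant-time comparison so MAC checking does not leak timing information.
    if not hmac.compare_digest(expected, tsig["mac"]):
        return False, "BADSIG"
    current = int(time.time()) if now is None else now
    if abs(current - tsig["time_signed"]) > FUDGE:
        return False, "BADTIME"
    return True, "NOERROR"


if __name__ == "__main__":
    req = b"AXFR example.com. IN"   # constructed stand-in for the DNS request
    t0 = 1_700_000_000             # fixed clock for a reproducible run
    good = sign_request("xfer.example.", req, now=t0)
    print(authorize_axfr("198.51.100.7", req, good, now=t0))          # allowed
    print(authorize_axfr("203.0.113.9", req, good, now=t0))           # refused: not allowlisted
    print(authorize_axfr("198.51.100.7", req + b"x", good, now=t0))   # BADSIG: request altered
    print(authorize_axfr("198.51.100.7", req, good, now=t0 + 3600))   # BADTIME: replayed later
```

The order matters: an address outside the whitelist is refused before any key material is touched, so a stranger learns nothing about which key names exist, and the fudge window bounds how long a captured, correctly signed request stays replayable.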
Many organizations have held back from using DNSSEC because doing so meant giving up the DNS traffic management capabilities they rely on to deliver high quality online services. It does not have to be that way. With NS1, you can use all the advanced traffic management capabilities of our platform on your DNSSEC signed zones.
DNSSEC in Brief
The Domain Name System Security Extensions (DNSSEC) provide a very effective defense against so-called “cache poisoning attacks.” These attacks seek to place false information in DNS resolvers – false information that causes the resolvers to send your end users to websites operated by the attackers themselves rather than to your website. Because of the serious consequences of such attacks, more and more security aware enterprises are protecting their DNS zones with DNSSEC.
All DNSSEC Implementations Are Not Created Equal
Not all DNSSEC implementations are the same, and the differences have consequences for your business. It is generally easier for DNS providers to implement DNSSEC using what is known as “offline signing.” Unfortunately this approach is incompatible with DNS traffic management features such as georouting, monitoring, and load balancing. In effect, it takes DNS back to the 1990s, when no traffic management was available.
At NS1 we took the extra steps to implement DNSSEC using “online signing.” By securely signing DNS responses on the fly we retain support for all the real time DNS traffic management features of our platform for zones secured with DNSSEC. This is a big win for our customers as they can use DNS to optimize end user experience, manage multiple CDN providers and migrate to the cloud while ensuring their zones (and by extension, their end users) are protected.
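The difference between offline and online signing is easiest to see in code. The following is an added example, not NS1's implementation: it uses a toy RSA key built from two fixed small primes (no PKCS#1 padding, no real DNSKEY or RRSIG encoding), so it shows the control flow rather than a usable signer. An offline-signed zone can only hand out the RRsets it pre-signed, so every client gets the same answer; an online signer picks the answer per query (here by client region) and signs it on the spot, and a validating resolver accepts both while rejecting a forged answer. All names, addresses and regions are constructed.

```python
"""Toy model of DNSSEC validation, contrasting offline and online signing.
Constructed example: the 'RSA' below uses two fixed Mersenne primes and a bare
hash, so it illustrates the flow of DNSSEC, not a usable implementation.
"""
import hashlib

# Constructed toy key pair from two Mersenne primes (2**31-1 and 2**61-1).
P = 2147483647
Q = 2305843009213693951
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)                 # what the zone publishes as its DNSKEY


def _rrset_digest(owner, rtype, rdata):
    """Canonical form of an RRset (lower-cased owner, sorted rdata) reduced mod N."""
    canonical = f"{owner.lower()} {rtype.upper()} {' '.join(sorted(rdata))}".encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big") % N


def sign_rrset(owner, rtype, rdata):
    """Produce the toy RRSIG for an RRset with the zone's private key."""
    return pow(_rrset_digest(owner, rtype, rdata), D, N)


def validate_rrset(owner, rtype, rdata, sig, pubkey=PUBLIC_KEY):
    """What a validating resolver does with the zone's public key."""
    n, e = pubkey
    return pow(sig, e, n) == _rrset_digest(owner, rtype, rdata)


class OfflineSignedZone:
    """Signatures are computed once, ahead of time, over a fixed record set.
    Only pre-signed answers exist, so the answer cannot depend on the client."""

    def __init__(self, records):
        self.signed = {
            key: (rdata, sign_rrset(key[0], key[1], rdata))
            for key, rdata in records.items()
        }

    def answer(self, owner, rtype, client_region):
        return self.signed[(owner, rtype)]   # client_region is necessarily ignored


class OnlineSignedZone:
    """The answer is chosen per query (here: by client region) and signed on the fly."""

    def __init__(self, routing):
        self.routing = routing   # (owner, rtype) -> {region: rdata, "default": rdata}

    def answer(self, owner, rtype, client_region):
        pool = self.routing[(owner, rtype)]
        rdata = pool.get(client_region, pool["default"])
        return rdata, sign_rrset(owner, rtype, rdata)


def resolve(zone, owner, rtype, client_region):
    """Validating resolver: accept the rdata only if the signature checks out."""
    rdata, sig = zone.answer(owner, rtype, client_region)
    if not validate_rrset(owner, rtype, rdata, sig):
        raise ValueError("SERVFAIL: bogus signature")
    return rdata


if __name__ == "__main__":
    offline = OfflineSignedZone({("www.example.com.", "A"): ("192.0.2.10",)})
    online = OnlineSignedZone({("www.example.com.", "A"): {
        "eu": ("192.0.2.20",), "default": ("192.0.2.10",)}})
    print(resolve(offline, "www.example.com.", "A", "eu"))   # same answer for everyone
    print(resolve(online, "www.example.com.", "A", "eu"))    # geo-routed, still validated
    # A poisoned answer (attacker's address with a signature lifted from a
    # genuine RRset) fails validation, which is the cache-poisoning defense.
    _, sig = online.answer("www.example.com.", "A", "default")
    print(validate_rrset("www.example.com.", "A", ("203.0.113.66",), sig))
```

Note what the online signer needs that the offline one does not: the private key has to be available to the authoritative servers at query time, which is why a provider's key-handling on those servers is part of evaluating an online-signing offering.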
DNSSEC can also complicate maintaining a redundant, dual DNS architecture. Some providers cannot support DNSSEC and also function as a secondary DNS to another provider, or be primary in a dual provider set-up. At NS1 we support dual provider configurations. We also support DNSSEC with our in house redundant solution, Turnkey Dedicated DNS. This allows our customers to deploy DNSSEC in a redundant architecture while retaining full traffic management capabilities.
Finally, set up and management of DNSSEC on the NS1 platform is easy and straightforward. A zone can be signed in seconds with a couple of mouse clicks or via a single call to our API.
Redundant DNS Configurations
NS1's Dedicated DNS
With Dedicated DNS, you get a DNS service deployed on a separate network and servers from your NS1 Managed DNS. Dedicated DNS is deployed on anycasted infrastructure and is provisioned to meet your load and geographic distribution requirements. NS1 takes care of design, deployment, and management. Your Dedicated deployment is not shared with any other customers, so it is not exposed to the effects of attacks targeting other customers on the NS1 Managed service or attacks on the service itself. Dedicated DNS is ideal for NS1 enterprise customers that use the advanced traffic management capabilities of NS1 Managed DNS.
Redundant DNS with Another DNS Provider
Many NS1 customers use our service in conjunction with another DNS provider. Because different providers implement DNS traffic management in different ways, there can be complexities in ensuring records are fully synchronized in a dual-provider setup. NS1 is experienced in working with customers to ensure there are no record synchronization issues and is happy to provide the assistance needed to establish dual-provider redundancy. We also support toolkits like OctoDNS and Terraform to make working with multiple DNS providers as easy as possible.
A dual provider approach is ideal for customers that are not heavy users of complex DNS traffic management algorithms.
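Whatever tooling pushes records to both providers, the operator still wants an independent check that the two serve the same record set. The following is an added example, not NS1's or OctoDNS's code: it normalizes two simple record exports into RRsets and reports what is missing, what differs in data, and what differs only in TTL, so that an rdata mismatch (a stale MX, say) is not buried among harmless TTL differences. The provider names, host names, addresses and the export format are all constructed.

```python
"""Drift check between the record sets two DNS providers serve for one zone,
the kind of check an operator runs after a dual-provider sync. Constructed
example: the input is a minimal 'owner ttl type rdata' text rather than a
full zone-file parser, and the sample data is made up."""
from collections import defaultdict

# Constructed exports from two hypothetical providers. Provider B lags on the
# MX change, uses a different TTL on www, and is missing the new api host.
PROVIDER_A = """
example.com.      3600 NS   ns1.provider-a.example.
example.com.      3600 NS   ns1.provider-b.example.
example.com.      300  MX   10 mail2.example.com.
www.example.com.  60   A    192.0.2.10
www.example.com.  60   A    192.0.2.11
api.example.com.  60   A    192.0.2.30
"""
PROVIDER_B = """
EXAMPLE.COM.      3600 NS   ns1.provider-a.example.
example.com.      3600 NS   ns1.provider-b.example.
example.com.      300  MX   10 mail.example.com.
www.example.com.  300  A    192.0.2.11
www.example.com.  300  A    192.0.2.10
"""


def parse_records(text):
    """Group lines into RRsets: {(owner, type): (ttl, frozenset(rdata))}.
    Owner names are lower-cased and made fully qualified so providers that
    export them differently still compare equal."""
    rrsets = defaultdict(lambda: [None, set()])
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, rtype, rdata = line.split(None, 3)
        key = (owner.lower().rstrip(".") + ".", rtype.upper())
        rrsets[key][0] = int(ttl)
        rrsets[key][1].add(rdata.strip())
    return {key: (ttl, frozenset(rd)) for key, (ttl, rd) in rrsets.items()}


def diff_zones(a, b):
    """Compare two parsed record sets; rdata differences outrank TTL differences."""
    report = {"only_in_a": [], "only_in_b": [], "rdata_mismatch": [], "ttl_mismatch": []}
    for key in sorted(set(a) | set(b)):
        if key not in b:
            report["only_in_a"].append(key)
        elif key not in a:
            report["only_in_b"].append(key)
        elif a[key][1] != b[key][1]:
            report["rdata_mismatch"].append(key)
        elif a[key][0] != b[key][0]:
            report["ttl_mismatch"].append(key)
    return report


def in_sync(a, b):
    """True when neither side has records, data or TTLs the other lacks."""
    return not any(diff_zones(a, b).values())


if __name__ == "__main__":
    report = diff_zones(parse_records(PROVIDER_A), parse_records(PROVIDER_B))
    for kind, keys in report.items():
        for owner, rtype in keys:
            print(f"{kind}: {owner} {rtype}")
```

Comparing whole RRsets rather than individual lines is what makes the multi-address www entry compare equal despite the different line order, and the apex NS set is the first thing to look at in the report: both providers' name servers have to appear at both providers for the redundancy to hold.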