How to defend your business against Domain Name Server attacks

Traditional endpoint security won't cut it against them

EfficientIP, a developer of DDI solutions, recently launched the industry's first hybrid DNS engine in response to the growing number of DNS cyber attacks such as Denial of Service (DoS) and cache poisoning.

Whereas most DNS servers run a single DNS engine, EfficientIP's SOLIDServer Hybrid DNS Engine (HDE) combines three DNS engines, managed in a single appliance.

According to the company, this approach provides greater protection to large enterprises, operators and ISPs, as it eliminates a single point of failure following security alerts, creates a highly complex security footprint and enables DNS engines to be switched to protect service availability.

David Williamson, CEO of EfficientIP, explains what lies behind Domain Name Server attacks and why different approaches to DNS security are needed.

TechRadar Pro: Why are DNS servers particularly vulnerable to attack? What's all the fuss about?

David Williamson: DNS servers play a central role in managing user access to websites, email and other web apps, translating between IP address numbers and domain names. Because DNS servers are public by design, they are open to the world to allow access to a website or a web-based application.

As a result, today's hackers are very familiar with the security holes and vulnerabilities of DNS servers and their software, which makes them targets for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

In the last quarter of 2013 alone, the total number of DDoS attacks increased 26% from the same period the year before. The average attack lasted 23 hours with many attacks consuming over 100 Gbps of bandwidth.

TRP: What are the potential outcomes of a DNS attack, and what does it really mean for today's Internet-dependent businesses?

DW: DNS attacks can appear in several forms with differing outcomes. If the DNS server is attacked, it can not only prevent individuals and organisations from connecting to the right website, but can also flood sites with traffic and cause them to crash, as in the case of a DoS attack.

DNS protocols and software are potentially subject to security breaches that can cripple the network, reveal confidential internal information and even turn an entire corporate network into one huge botnet. Simply put, if the DNS server is compromised, the business is too, risking loss of revenue and potentially irreparable damage to its reputation and business relationships.

TRP: Can't DNS attacks be avoided with traditional endpoint security and if not, why not?

DW: Traditional endpoint security solutions are designed to secure the endpoint on the network that has been created by a device. They include antivirus, antispyware, firewalls and host intrusion prevention systems that validate user credentials and scan the device to make sure that it complies with defined corporate security policies before allowing access to the network.

They don't, however, protect the DNS server itself. This means that businesses need to protect themselves from cyber criminals that try to abuse and manipulate the DNS server software so that it contains bogus or fraudulent IP addresses.

If the hack is successful, the targeted name server then responds to client requests with these phony IP addresses. The misdirected client then communicates with the wrong servers, which are potentially owned and controlled by the hackers themselves.

TRP: What are the advantages of using multiple DNS engines in the same server appliance, and why won't they be affected by a full-on DoS attack?

DW: Hybrid DNS technology provides the highest level of security for name servers because it makes their security footprint baffling to hackers. It achieves this by running a different type of algorithm for each DNS engine.

Having an active DNS engine running plus at least one alternative DNS engine ready for use has several benefits: when a new security alert is issued, a network owner can quickly and temporarily switch to another engine.

The alternative engine can remain in place while DNS programmers patch, test and validate a security upgrade for the first engine. The other key benefit is that with multiple DNS engines in place, hackers will never be sure which name server software is running and so the task of analysing DNS network packet footprints to discover its vulnerabilities is complex and virtually impossible.

TRP: Why is separating authoritative and recursive functions in the name server code important in defending against DNS attacks?

DW: The most popular and widely deployed name server is the Berkeley Internet Name Domain (BIND). It's regarded as an excellent compromise between speed and security, ease of administration and robustness, and RFC standards integration and universal applicability.

However, its very popularity means it is potentially at greater risk, as its vulnerabilities are well known to hackers and its key authoritative and recursive functions are contained within the same code. By incorporating a second DNS engine in the same appliance with separate authoritative and recursive functions, the security and reliability of critical DNS services are significantly increased.

By using an alternative DNS engine that is based on two different name server products such as Unbound and NSD, not only is performance significantly improved over using BIND alone, but also a more robust environment is created.

Unbound, for example, is a validating, recursive and caching DNS resolver that is designed for high performance while NSD is an authoritative only, high performance name server. At any moment, one DNS engine is active and the other is on standby, waiting to be activated to restore the service when it is needed.

TRP: Is name server software performance important when it comes to handling DoS attacks?

DW: Performance speed is vital to ensure a fast response and significantly reduce the risk of attack. NSD, for example, is around twice as fast as BIND, which means that NSD offers a significantly more robust environment in the case of a DoS attack. This is particularly important for telcos, ISPs and other Managed Service Providers whose businesses rely on delivering fast and reliable Internet connectivity.

TRP: How well are organisations currently able to defend themselves against these attacks and what steps should they be taking now?

DW: To date, organisations have not been able to outmanoeuvre cyber criminals in this way, as a hybrid solution has not been available. They have only been able to analyse the severity of the attack once it has occurred, by which time it is too late, as the damage will have been done.

One of the most secure approaches to protecting name servers against vulnerability is the use of multiple name server engines so that when an attack occurs, management software can automatically switch to a different standby name server.

As businesses require IT to deliver more in even shorter timeframes, the risk of error dramatically increases. Manual processes increasingly need to be automated to maintain both quality of service and availability of the network to the business.
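The interview above argues for separating the recursive (Unbound) and authoritative (NSD) roles and for restricting what each exposes. The configuration below is an added editorial example of that separation; it is not EfficientIP's product configuration and not text from the interview. The listen addresses (10.0.0.53 internal, 203.0.113.53 public), file paths and the zone name are constructed placeholders; the directives themselves are standard unbound.conf and nsd.conf options.

```conf
# Added example: one recursive resolver and one authoritative server, each
# running only its own role, so a flaw or flood aimed at one role does not
# take down the other. Addresses, paths and zone name are placeholders.

# ---- /etc/unbound/unbound.conf : recursive, caching, validating ONLY ----
server:
    interface: 10.0.0.53            # listen on the internal side only
    port: 53
    # Weak setting to avoid: "access-control: 0.0.0.0/0 allow" makes an open
    # resolver that anyone can query (and abuse for reflection). Instead,
    # allow internal clients and refuse everyone else.
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # DNSSEC validation: forged answers for signed zones are discarded,
    # which is the structural defence against the "bogus IP address" outcome.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # path is distro-specific
    harden-glue: yes                # only accept glue inside the delegation
    harden-dnssec-stripped: yes     # missing signatures on signed data = bogus
    harden-referral-path: yes       # validate the servers in the referral chain
    use-caps-for-id: yes            # 0x20 case randomisation adds entropy against spoofed replies
    qname-minimisation: yes         # upstream servers see only the labels they need
    hide-identity: yes              # do not advertise software identity
    hide-version: yes               # do not advertise software version
    ratelimit: 1000                 # queries per zone per second before dropping
    ip-ratelimit: 100               # queries per client address per second

# ---- /etc/nsd/nsd.conf : authoritative ONLY (NSD has no recursion code) ----
server:
    ip-address: 203.0.113.53        # public side; serves only the zones listed below
    port: 53
    hide-version: yes
    zonesdir: "/etc/nsd/zones"      # placeholder path
    rrl-ratelimit: 200              # response rate limiting (needs NSD built with RRL support)

zone:
    name: "example.com"             # placeholder zone
    zonefile: "example.com.zone"
```

Both daemons ship syntax checkers (unbound-checkconf and nsd-checkconf) that can be run before a reload, so a typo in either file is caught before the running service is touched. Because the two roles listen on different interfaces, a query for a hosted zone arriving from the Internet reaches only NSD, and an internal client's recursive lookup never touches the public-facing process.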

Desire Athow
Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.