Securing the DNS layer to increase resilience

Internet security is an increasing concern for businesses, and while IT software and applications can be protected by antivirus software and endpoint security software solutions, DNS protection requires a different approach. 

The role of foundational technologies like DNS, DHCP and IP Address Management (DDI)—when modernised by specialist providers to support cloud and hybrid deployments—is essential in delivering secure and resilient infrastructure, now more than ever.   

About the author

Mark Fieldhouse is general manager for EMEA at NS1.

The importance of DNS makes it a target

DNS is often the target of threats to IT infrastructure management and application delivery because attackers aim to take advantage of the central role it plays in orchestrating all Internet and application traffic. By taking down authoritative name servers to deny access to a domain or to manipulate DNS to redirect traffic to malicious destinations, attackers can cause havoc in the enterprise. 

If malicious actors take control of DNS infrastructure, an organisation’s applications can disappear from the Internet, or domain names can be hijacked for disruption, manipulation or phishing attempts.

Securing the DNS servers from increasingly sophisticated attacks is essential to protecting revenue, users and brand reputation. Fortunately, a basic, layered approach can dramatically reduce the impact of DNS-related attacks, and better position organisations to withstand the impact of downtime whilst increasing application resiliency.

Here we'll explore some of the DNS security basics:

Upgrade DNS in the Application Infrastructure

Attention to DNS can be seriously lacking as organisations embrace next generation computing environments with multiple connected clouds, data centres and CDNs. To avoid cracks in the infrastructure, it is vital that DNS and other security technologies and policies are adapted and upgraded.

Deploy a Second DNS Network for Redundancy and Resiliency

Sites that bounce back quickly from cyberattacks are those that have deployed a mission-critical strategy: redundant DNS. Even with anycasting, there is still a single point of failure for technical errors, outages and security events. Managing redundant networks can be challenging for some providers. Just like a multitude of clouds, not all DNS networks easily share information, or have the same levels of security.

Strong Access Controls For DNS Administration

DNS is a mission-critical service, which means that administrative access to its management should be tightly controlled. Recommended measures include strong password enforcement, two-factor authentication, role-based access controls, admin session timeouts and forced re-login, Single Sign-on, activity logging and IP address whitelisting (restricting admin access to trusted sources).

Implement DNSSEC Without Compromise

In January the UK’s National Cyber Security Centre issued an alert following an emergency directive from the US Department of Homeland Security after tracking a series of attempts to tamper with DNS infrastructure. 

Recently, the Internet Corporation for Assigned Names and Numbers (ICANN) echoed these calls for urgent action by domain registrars against significant risks to DNS infrastructure with a checklist of actions that includes the deployment of Domain Name System Security Extensions (DNSSEC) across all domains to detect unauthorised modification or misdirection of DNS services. 

DNSSEC adoption has been slow due to the impact on advanced traffic management features, such as geo-routing and global server load balancing, which organisations use to ensure optimal performance for applications. These technical barriers have also made it impossible to leverage DNS security extensions when using multiple DNS providers (platforms)—a DNS security best practice—which has limited enterprise adoption, leaving organisations unprotected.

New approaches to DNSSEC, however, are now emerging that allow implementation without compromising performance. A new multi-signer DNSSEC industry standard, designed to keep the Internet safer, has recently been developed by NS1, Salesforce and others. Multi-signer DNS also enables redundancy and security without sacrificing the key proprietary features that ensure optimal performance.
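In a multi-signer setup each provider signs answers with its own zone-signing key, so a resolver can hold the DNSKEY set from one provider while validating a signature made by another. The check below is an added example (not from the article or from NS1) that verifies, on constructed data, that every provider publishes every signing key and has a key-signing key anchored at the parent; provider names and key tags are assumptions.

```python
"""Consistency check for a multi-signer DNSSEC zone (constructed data)."""

KSK, ZSK = 257, 256  # DNSKEY flags: 257 = key-signing key, 256 = zone-signing key

# Constructed sample: each provider's DNSKEY RRset as (flags, key_tag) pairs,
# plus the tag of the ZSK that provider signs answers with.
# Key tags stand in for full keys here; real tags are not guaranteed unique.
PROVIDERS = {
    "provider_a": {"signs_with": 11111,
                   "dnskey": {(KSK, 20001), (ZSK, 11111), (ZSK, 22222)}},
    "provider_b": {"signs_with": 22222,
                   "dnskey": {(KSK, 20002), (ZSK, 22222)}},  # lacks provider_a's ZSK
}
PARENT_DS = {20001, 20002}  # key tags referenced by DS records at the parent (constructed)


def missing_zsks(providers):
    """Map provider -> signing ZSK tags that are absent from its DNSKEY set."""
    signing = {p["signs_with"] for p in providers.values()}
    gaps = {}
    for name, p in providers.items():
        published = {tag for flags, tag in p["dnskey"] if flags == ZSK}
        absent = sorted(signing - published)
        if absent:
            gaps[name] = absent
    return gaps


def providers_without_trusted_ksk(providers, parent_ds):
    """List providers whose DNSKEY set has no KSK matching a DS at the parent."""
    return sorted(
        name for name, p in providers.items()
        if not any(flags == KSK and tag in parent_ds for flags, tag in p["dnskey"])
    )


if __name__ == "__main__":
    print("missing ZSKs:", missing_zsks(PROVIDERS))
    print("no trusted KSK:", providers_without_trusted_ksk(PROVIDERS, PARENT_DS))
```

A gap reported by `missing_zsks` means some validating resolvers will fail answers from the other provider, which is the outage this check is meant to catch before keys are rolled.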

Enable Business and Security With DDI

Software-defined, flexible and intuitive, DDI is effective in bolstering security posture and improving an organisation’s operational velocity, resiliency and performance. DNS logs provide critical insight for security teams in addition to cloud logging services.

By monitoring DNS activity and IDS logs, a company can more easily observe DNS configuration changes and shifting traffic patterns, which can reveal key indicators of compromise. For instance, unexpected and unplanned changes to DNS record configurations or sudden changes in traffic volume can indicate malicious DNS activity. 
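The two indicators named above, as an added example that is not part of the original article: it compares a current zone snapshot with a reviewed baseline and flags changes that have no approval, then flags query-volume outliers. All records, counts and the change-approval set are constructed, and the thresholds are assumptions.

```python
from statistics import median

# Constructed zone snapshots: {(name, type): rdata}. BASELINE is the last reviewed state.
BASELINE = {
    ("example.com", "NS"): "ns1.example.net.",
    ("www.example.com", "A"): "192.0.2.10",
    ("mail.example.com", "MX"): "10 mx1.example.com.",
    ("old.example.com", "CNAME"): "www.example.com.",
}
CURRENT = {
    ("example.com", "NS"): "ns1.example.net.",
    ("www.example.com", "A"): "192.0.2.10",
    ("mail.example.com", "MX"): "10 mx9.example.org.",
    ("vpn.example.com", "A"): "198.51.100.7",
}
# Record keys covered by an approved change ticket (hypothetical change-control export).
APPROVED = {("vpn.example.com", "A")}
# Constructed query counts per 5-minute interval from DNS logs.
QUERY_COUNTS = [1010, 990, 1005, 1020, 980, 995, 1000, 1015, 4800, 1005, 20]


def unplanned_changes(baseline, current, approved):
    """Return (kind, name, rtype) for every record change lacking an approval."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new or key in approved:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        findings.append((kind, *key))
    return findings


def volume_anomalies(counts, window=6, threshold=3.5):
    """Return indexes whose count is an outlier against the trailing window.

    Uses the median/MAD modified z-score so one spike does not mask the next anomaly.
    """
    flagged = []
    for i in range(window, len(counts)):
        hist = counts[i - window:i]
        med = median(hist)
        mad = max(median([abs(c - med) for c in hist]), 1.0)  # floor avoids divide-by-zero
        if 0.6745 * abs(counts[i] - med) / mad > threshold:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    print(unplanned_changes(BASELINE, CURRENT, APPROVED))
    print(volume_anomalies(QUERY_COUNTS))
```

On the sample data the MX rewrite and the silent CNAME removal are reported while the ticketed `vpn` record is not, and both the query spike and the later collapse in volume are flagged.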

Additionally, IP Address Management (IPAM) provides network and security teams with a single source of truth regarding devices that have been connected to the network, which is used in investigations. Both can be useful along with analytics software in identifying patterns that can reveal breaches or other network abuse.

As we head into the next decade…

We are likely to see pressure from all sides. Consumers and enterprises are growing more concerned about the increasing frequency of attacks against the business applications they use, and this, in turn, compromises both data and trust. 

Businesses are equally concerned with delivering high-performance infrastructure and applications. These two worlds will more frequently collide as IT and security leaders discover the performance and security gains that come from using modern DNS, DHCP and IP Address Management.
