Why DNS Security Matters

What is a Domain Name System (DNS)?

The Domain Name System is a centralized global system maintained by many organizations. DNS has a hierarchical system that keeps track of these names. When using a phone, a person can be reached from the phone book by typing his name instead of his number, and with the same logic in DNS, it provides access by name without typing the server’s IP address to be accessed.

In this system, there are TLD servers, which is the first step of task distribution. It is in a tree structure with root servers at the top. Each subdomain is called a domain, and each piece that leaves these domains is called a subdomain.

Examples of certain TLDs used by commercial organizations, such as ‘com.’ The DNS domain’s division into subdomains provide ease of management. Organizations are responsible for the management and protection of all data in the subdomain they own.

How Does the Domain Name System (DNS) Work?

DNS protocol works over UDP. The working process of DNS; The client requests to go to an address, the DNS server with which the client communicates searches for the IP address, and after finding it, the client’s browser ends up connecting to the server hosting the website. While proceeding in the form of request and response, the size of the request packet should be around 40-60 bytes, and the DNS response should be less than 512 bytes.

DNS queries come in two forms, iterative and recursive. Iterative queries work as asking each other. When the client requests a domain name, the DNS server it is connected to communicates with the root DNS server, and the root DNS server sends the address of the TLD server it knows according to the requested domain name to the local DNS server in response.

Then the local DNS server goes to the given address, and the TLD server sends the address of the DNS server for which the subdomain is authoritative as a reply. The local DNS server also goes to the address in the reply and asks for the address.

If the DNS server authorized by the subdomain knows the address, it gives the address to the local DNS server by saying I know, and the local DNS server forwards this address to the client, and the process is completed.

If he does not know, he sends the DNS server address of the domain he knows, and the process continues until the local server finds the authoritative DNS server. When it finds it, it sends the IP address in response to the client, and the client accesses the server where the website files are located.

When a client requests a domain name in a recursive query, the local DNS server interacts with the root DNS server and requests the domain name’s address. On the other hand, the root DNS server, at this stage, instead of returning a response to the local server, tells the relevant sub-DNS server to find the address of this domain name. This way, it continues in the same hierarchy until it reaches the DNS server where the domain name is authoritative.

The answer of the authoritative DNS server is provided to reach the root DNS server through the upper DNS servers. The root DNS server gives the local DNS server the relevant address, and the local DNS server sends the IP address of the domain name to the client, and the client accesses the server where the website’s files are located. In this instance, the parent hierarchy bears an excessive load, but caching helps mitigate this.

How to Ensure Domain Name System (DNS) Security?

DNS task structure is critical for the healthy functioning of the internet infrastructure. For this reason, systems whose DNS is compromised may face incredible dangers. An attack on a country’s DNS servers can lock that country’s internet flow, causing disruptions and significant financial losses in most digitizing industries. Since DNS servers are request-response mechanisms, they pose significant threats when configured incorrectly or incompletely.

Another security vulnerability arising from the DNS protocol is DNS cache poisoning. A man-in-the-middle attack occurs when the client uses the attacker’s IP address instead of the IP address he intends to go to due to abusing the cached data in the local DNS server.

To minimize such attacks, apart from measures such as configuring DNS servers correctly, making updates, limiting DNS servers to specific IP addresses, it can create defense with the DNSSEC protocol developed in addition to the DNS protocol.

DNSSEC, in short, verifies the information of the IP address corresponding to the web page or services that the user wants to connect to by verifying the source, which the DNS protocol cannot do, and provides secure communication.

What are DNS Security Threats?

While DNS has always been a vital protocol, the increasing use of cloud-based services has made it even more critical. The IP addresses of most services today change regularly, and a DNS system is required to ensure that users of these services connect to the suitable device.

DNS is one of the most critical components of the internet. Without DNS, which is responsible for translating domain names to their respective IP addresses, websites become largely inaccessible. If a system already knows the target site’s IP address, it may reach it without using DNS.

DNS security best practices are similar to those for most other systems. Restrict access, utilize multi-factor authentication (MFA), activate security settings, and maintain everything up to date.

However, the consequences of a compromise or loss of DNS service availability make these precautions much more critical. DNS can be hacked in several different ways. These include DNS DDoS, spoofing, and amplification attacks.

DNS DDoS

DNS DDoS assaults can harm any organization. Because DNS is hierarchical, an internal DNS server manages an organization’s internal domains, targeted by an assault.

A DDoS mitigation solution is required to protect against DNS DDoS attacks. This should keep malicious requests out while allowing valid queries to pass through.

DNS spoofing

An attacker can use DNS spoofing to redirect visitors to sites controlled by the attacker, causing a DNS server to produce an incorrect answer to a DNS query. DNS spoofing creates the opportunity for an attacker to steal sensitive data or exploit vulnerabilities in a user’s browser to release malware.

To reduce DNS spoofing, both DNS server operators and users can protect against DNS hijacking attempts. DNS operators should:

  • Multi-factor authentication should be used to access DNS servers.
  • DNS servers need to be patched and kept up to date.
  • Unnecessary applications in DNS servers should be uninstalled or disabled.
  • DNSSEC must be enabled to ensure DNS responses are digitally signed.

For DNS users, detecting a hijacked DNS server can be more difficult. Some best practices include:

  • You can use a free and reliable DNS such as Google Public DNS.
  • Check a domain’s historical data to see if the record has changed.
  • Check the age of the issued certificate and cross-check with the DNS record age.

DNS hijacking or Redirecting

DNS hijacking or redirection attacks can occur when a computer connects to a malicious or compromised DNS server. Because a DNS server provides a conversion from domain names to IP addresses, a DNS server that provides an incorrect IP address will cause the client computer to visit the wrong website.

DNS cache poisoning

Caching is a common technique to reduce latency. A server stores a copy of the response to common queries, eliminating the need to fetch it for each user. DNS cache poisoning attacks are designed to place an incorrect DNS record in a server’s cache.

This is done by populating a local DNS server with DNS responses hoping that one of the responses will match a request that the server sent recently. In this case, the local DNS server will use the malicious response until the cache expires.

DNS amplification

DNS amplification attacks use DNS servers to amplify the impact of DDoS attacks. DNS is valid for these attacks because it uses UDP and has responses that can be much larger than the associated request.

In a DNS amplification attack, the attacker sends a DNS request to a DNS server with the source address spoofed with the target machines. The DNS server responds to this query and sends a large amount of data to the destination.

Because website owners control DNS records, attackers can have custom domains designed to give the target much more data than the attacker. This increases the impact of a DDoS attack.

It can be challenging to prevent DNS amplification attacks on DNS servers, as it is difficult to distinguish the target’s legitimate DNS requests from fake attack traffic. However, a DNS amplification attack target can perform filtering using stateful packet inspection, which leaves any inbound DNS response without a corresponding outbound DNS request.

DNS Security Best Practices and Hardening Guide

DNS servers are a frequent target of cyberattacks. Securing the DNS infrastructure by implementing hardening steps is a crucial step in preventing breaches against your organization. To avoid a significant impact on your DNS setup, be sure to follow the DNS security best practices and hardening steps outlined below.

Use Private DNS Devices

DNS Devices are purpose-built like any other network device and are therefore configured in both hardware and software for ease of management, security, and performance. Standard OS servers cannot match the settings offered by these devices.

DNS devices take full advantage of other network devices, including but not limited to redundant ports, limited driver requirements, limiting other network conversations on interfaces, and maximizing RAM availability.

Keep DNS Server Software Updated

With DNS becoming an increasing attack target, it has become imperative to keep your software up to date. Hackers don’t wait to see if the latest exploit is stable. That’s why your software should always be up to date. Having the latest software also allows you to mitigate the latest attacks.

Since DNS is a flexible protocol, it does not slow down or warn when it is outdated. Therefore, you should be proactive about patches and upgrades.

Have On-Site DNS Backup

No matter how flawless your design is, it would help if you were always prepared for the worst. Having a backup in place allows you to swiftly back up and operate your DNS operations, as well as, perhaps more crucially, everything that relies on your DNS.

A centralized solution that allows you to rotate a complete DNS architecture at once is, once again, a significant benefit. Typically, these solutions can be backed up in a single file. When possible, automate your backups and maintain the frequency consistent enough that reverting to those backups causes no problems.

Things like dynamic DNS happen in near real-time. There’s no way you can always have a perfectly proper backup, but dictating the frequency isn’t what you want to do.

Daily backups will suffice for most organizations, but what you need to watch out for is the speed with which your DNS data changes and the time it takes to get your services backed up and running as fast as possible.

Avoid Single Points of Failure

Like all critical parts of your network infrastructure, avoiding single points of failure applies to DNS. Given that the web, mail, chat, and voice depend on DNS, DNS should be considered a critical network component.

While DNS inherently provides protocol redundancy, this is not always sufficient in today’s world. The time it takes to switch between servers varies with many factors, including the client operating system and the server software running on the proxy servers.

While these failovers are tolerable for easy use, they can’t compete with providing hardware redundancy to protocol redundancy and make failures faster and invisible to clients because the server’s IP doesn’t change.

Turn off Recursion on Proxy Servers

DNS attacks fall into two categories: those that target your authoritative servers, such as DDoS attacks, and those that target your recursive servers’ cache capabilities. The distributed nature of DNS is that recursive servers have to talk to the DNS server that the master servers are sending them to. This implies you have no control over the other servers with whom your DNS servers interact.

It’s not best practice to let your servers holding your authoritative servers talk to any DNS server in the world. So, adding a custom recursive caching layer to your network design means connecting your proxy servers only to private caching recursive servers that don’t contain your organization’s data.

Also, a central cache can speed up the resolution as it can be more robust and cause less DNS traffic to be sent.

Allowing recursion on your outbound DNS servers has long been a disgrace. It makes it simple for attackers to uncover flaws in the caching functions, which could cause the server’s ability to reply to authoritative data to be reduced or stopped. Open recursive servers are what they’re called.

When you mix authoritative and recursive functions on a server, you increase the danger of server reboots and buffer overflows, to name a few examples.

Enable DNS Logging

DNS log is the most effective way to monitor DNS activity. It notifies you when problems with debug logs, DNS queries, updates, and client activity. The logs will let you know if someone has tampered with your DNS servers.

DNS logs also show traces of cache poisoning. In this case, an attacker modifies the data stored in the cache and drives clients off their route. Although DNS debugging can improve security, some system administrators may want to disable logging to improve performance.

Monitoring network activity can help you detect attacks, such as DDoS, but cannot detect attacks such as cache poisoning. Therefore, we strongly recommend that you enable DNS to debug logs.

Lock DNS Cache

DNS finds the information and caches it for future use when a query comes in from a client. This allows the server to respond faster to the same queries. Attackers can exploit this feature by modifying the stored information.

One step beyond enabling DNS debug logs, it locks the DNS cache. This property determines when cached data can be changed. The server retains call information for the period (lifetime) defined by the TTL.

Information may be rewritten before the TTL ends if cache locking is deactivated. This opens the door to cache poisoning attacks.

Cache locking may be enabled by default, depending on the operating system. The cache locking scale can go all the way up to 100%. It is challenging to replace data for 70% of the TTL when the value is 70. Changing the cached information is blocked by setting the cache lock to 100 until the TTL expires.

Filter DNS Requests to Block Malicious Domains

DNS filtering is an effective way to block users from accessing a website or domain. The primary reason for blocking name resolution for a domain is that it is suspected of being harmful. When a client searches for a prohibited website on a DNS server, the DNS server disconnects the client from the internet.

DNS filtering dramatically reduces the chances of viruses and malware reaching your network. When a client fails to reach a malicious page, the number of threats that can crawl inside your infrastructure is minimal. That way, your IT staff doesn’t have to work around the clock to clean up viruses.

An organization may ban a domain for a variety of reasons. DNS can filter requests by a user, a group, or all users, and social media, gaming, video streaming pages, and other websites may be on the list of blacklisted domains.

DNS filtering is standard in modern software security and firewall solutions. Some of these gadgets keep lists of harmful domains up to date regularly. Using off-the-shelf software, you can automate DNS filtering and avoid manually adding new entries.

Verify DNS Data Integrity with DNSSEC

Users receive valid results to their requests thanks to Domain Name System Security Extensions (DNSSEC). Data integrity is ensured by digitally signing DNS data provided to nameservers by DNSSEC. When the end-user submits a query, a DNS server provides a digital signature with the response. Therefore, customers know that they have received valid information for the request they sent.

This additional layer of security helps combat DNS protocol attacks. Because DNSSEC provides data integrity and resource authority, DNS spoofing and cache poisoning are successfully prohibited. Users make sure they visit the pages they intend to visit next.

Configure Access Control Lists

Access Control Lists (ACLs) are another way to protect DNS servers from unauthorized access and spoofing attacks. Only authorized system administrators should have access to your primary DNS. Configuring ACLs to allow inbound connections from specific hosts to a nameserver ensures that only the intended personnel can communicate with your servers.

In addition, ACLs must define which servers can transfer zones. Attackers can try to determine your zone setup by sending zone transfer requests through secondary DNS servers.

If you block all zone transfer requests through secondary servers, the attacker cannot obtain zone information. This configuration prevents third parties from gaining insight into how you organize the internal network.

Hide Primary DNS Server

If your primary nameserver is only used to serve data to dependent nameservers, it makes it much easier to perform maintenance and upgrades without making your domain inaccessible.

The organization’s primary DNS server should be hidden from public view, according to system administrators. Therefore, they should configure the publicly visible DNS servers as slaves while specifying the primary DNS server as a master name server that is not publicly visible.

A secret master nameserver does not store NS records in a publicly accessible DNS database. Only dependent nameservers are publicly accessible. Slave and hidden master architecture prevent public querying of nameservers via zone or query transfer.

Also, such an architecture ensures that the integrity of the DNS databases of the slave nameservers remains intact since only the secret master can elevate the slave servers through the push process.

Harden Name Servers

Close unnecessary ports and disable useless services to reduce the attack surface of your DNS servers. DNS devices typically offer robust operating systems with automatic updates and protection against denial-of-service attacks, but you should be able to apply updates and patches.

Nameserver computers must run only the nameserver software and the installed operating system. The nameserver computer must also perform a unique role in supporting network activities. Installing other software products on the nameserver computer will only increase the attack surface.

A nameserver’s only connection should be to the internet to receive updates and reply to DNS queries. The attack surface is increased by adding more network cables or opening ports. In addition, additional software can reduce the performance of the name server computer and cause the computer to crash if there are errors.

Surkay Baykarahttp://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Biznet. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Biznet, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

What Are the Ways to Reduce PCI Scope

If you can limit the amount of cardholder data you have, you'll have fewer data to audit.

How to Define PCI DSS Scope

The PCI DSS scope of a business or organization includes all people, processes, and technologies that can affect and interact with cardholder data security.

Why DNS Security Matters

DNS security best practices are similar to those for most other systems. Restrict access, utilize multi-factor authentication (MFA), activate security settings, and maintain everything up to date.

Related posts

Latest posts

What Are the Ways to Reduce PCI Scope

If you can limit the amount of cardholder data you have, you'll have fewer data to audit.

How to Define PCI DSS Scope

The PCI DSS scope of a business or organization includes all people, processes, and technologies that can affect and interact with cardholder data security.

Why DNS Security Matters

DNS security best practices are similar to those for most other systems. Restrict access, utilize multi-factor authentication (MFA), activate security settings, and maintain everything up to date.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!