It doesn't normally get a lot of attention, but the DNS (Domain Name System) plays a critical role in the presence of an online business––website, online services, cloud connection and applications. When DNS fails, end users cannot find you online. For all intents and purposes, your business is just as “down” as it would be in a complete data center outage.
This, as one might imagine, makes DNS an attractive target for attackers. Like the security of any other business-critical service, enterprises should take steps to secure the availability and integrity of their DNS deployments.
In this eWEEK Data Point article, domain expert Jonathan Lewis, Vice-President of NS1, offers readers a list of six things to know about making sure an enterprise DNS is secure, available and performant.
Data Point No. 1: Diversify for added resiliency
As organizations increasingly embrace a new generation of “cloud-first” computing environments with multiple cloud providers, data centers and CDNs (content delivery networks), they may also get their DNS services from those same providers. Many cloud and CDN providers include DNS offerings with their services. However, relying on a single provider for all critical infrastructure and services is an avoidable risk. Companies should consider using a DNS solution that is independent of their cloud, CDN or data center. If the provider goes down, the company will still have a functioning DNS to direct users to its other facilities, which builds resiliency into the entire application delivery stack.
Data Point No. 2: Design for security and availability
An organization hosting its own DNS in support of online services should position DNS servers in more than one location. Each location should have at least two servers configured for high availability--typically behind a load balancer. The DNS servers should also be on their own, separate DMZ. It is important to restrict internet traffic to only the protocols required for the DNS. The company should also stay current with security patches on its DNS software if it is running open source, such as BIND, or stay current with vendor patches if using a DNS appliance.
Data Point No. 3: Protect DNS servers from DDoS
DNS is one of the top targets of DDoS attacks. An organization hosting its own DNS should take care to implement protections from this very widespread form of attack. It can subscribe to DDoS protection services from its internet service provider, deploy specialized DDoS protection appliances in front of the DNS servers or even do both. It is also prudent to overprovision, ensuring there is enough spare capacity to absorb sudden spikes that can occur as a result of DDoS. A rule of thumb is to provision to handle at least ten times expected peak load.
Data Point No. 4: Practice good DNS management hygiene
The DNS system is business critical, so an organization should implement strict access controls over who in the organization is allowed to do what on the DNS. This applies whether the company uses a managed DNS provider or runs its own DNS. If the company has multiple DNS administrators, it can assign different functions to different users depending on their role, as well as restrict update access to only the zones and records they need to do their job. It is important to strengthen access controls by implementing two-factor authentication and single sign-on. If the company uses scripts or APIs to update DNS, it should use strong authentication keys and restrict key usage to valid sources only (i.e. IP whitelisting).
Finally, the company should use secure practices in interfacing with its domain registrar and keep the list of authorized contacts with the registrar up to date. This will allow the company to maintain control over its domain name and avoid missing an expiration notice from the registrar.
Data Point No. 5: Use DNSSEC
DNS hijacking and DNS cache poisoning are particularly nasty attacks because they can go undetected, untraced and result in direct financial loss. The nature of these attacks is such that end users making a DNS query are fed bogus information that sends them to a bogus website masquerading as the legitimate one. Within the past few months, we have seen this type of attack successfully used against cryptocurrency sites, and the victims, end users who entrusted their crypto assets to those sites, had their money stolen. If a business is in a position of trust vis-a-vis its customers (financial, health or personal data), it is the company’s duty to protect them from this form of attack. The best way to do that is to use DNSSEC–the Domain Name Security Extensions. DNSSEC protects the integrity of DNS information by having it digitally signed and verified by the top-level domain. Many, but not all, managed DNS providers support DNSSEC and make it easier to set up than a company can on standard, open-source DNS platforms.
Data Point No. 6: Deploy a second DNS network for redundancy and resiliency.
Whether a company uses a DNS managed-services provider or hosts and operates its own DNS, having a second DNS network is a best practice for 100 percent DNS uptime. This can be achieved in several ways. One is to subscribe to a managed DNS service to complement a self-hosted DNS–or vice versa. The other is to contract with two different managed DNS providers. Note that having a secondary or redundant DNS does not mean having one active and a backup DNS in idle, stand-by mode. Both need to be active, otherwise there will be downtime in the event the primary goes down.
With two active DNS networks, administrators need to ensure the DNS records on both systems are synchronized with each other in a timely fashion when there are updates.
If you have a suggestion for an eWEEK Data Point article, email [email protected].