
Security Think Tank: DNS, the underdog in cyber security strategy

What are the main security risks associated with DNS and how are these best mitigated?

Imagine the following scenarios. First, your website's visitor count has just dropped to zero, yet there are no angry customers tweeting about your website not being available (hint: they are all going to a copycat malware site). Second, your employees' browsing is routed through a criminal spy network that steals all sensitive data. Third, your key business application is unreachable for millions of users.

These are just a fraction of the possible outcomes of domain name system (DNS) insecurities. The DNS protocol is one of the oldest on the internet. Last year’s Dyn DNS hack showed that DNS is an underdog – everyone relies on it, but it does not receive much love.

Let’s look at how to secure DNS, but first let me analyse some of its weaknesses. The DNS has three main attack points: DNS servers (infrastructure), DNS traffic (transport) and DNS service to end-points.

I want to cover the last point: “last mile” DNS security in an enterprise. There are too many attack types in this area to cover in this article, but the most noteworthy is redirecting DNS queries to a hostile DNS server under the attacker’s control. This would lead users or applications to visit malicious sites, opening the door to malware infection on the enterprise network.

From my experience, the best protection against such an attack is tight control over which DNS servers are used by computers in an internal enterprise network. Both the border firewall and end-point configurations should be tightened to limit any changes to DNS server settings and prevent any non-legitimate DNS traffic.

For example, if a company has a host of DNS relay servers, then the border firewall should allow only DNS queries from these servers to the internet. Also, host configurations should be locked and monitored so that all end-points are using these relay DNS servers.

This represents just one of many DNS security controls we can recommend.
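
The monitoring side of the control described above can be checked against network flow records. The following is an added example, not part of the original article: the internal range, relay addresses, flow-record format and the inclusion of port 853 (DNS over TLS) are all assumptions made for illustration, and flows are assumed to originate inside the enterprise network.

```python
import ipaddress

# Assumed values for illustration: internal address space and approved DNS relays.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DNS_RELAYS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}
DNS_PORTS = {53, 853}  # classic DNS over UDP/TCP, and DNS over TLS

# Constructed flow records: "src_ip dst_ip protocol dst_port"
SAMPLE_FLOWS = """\
10.0.5.21 10.0.0.53 udp 53
10.0.0.53 198.51.100.7 udp 53
10.0.5.44 203.0.113.9 udp 53
10.0.7.12 10.0.9.99 tcp 53
10.0.5.21 192.0.2.80 tcp 443
10.0.1.53 198.51.100.7 tcp 853
10.0.8.3 203.0.113.9 tcp 853
"""

def classify(src, dst, port):
    """Return None for compliant or non-DNS traffic, else a violation label."""
    if port not in DNS_PORTS:
        return None
    if src in DNS_RELAYS and dst not in INTERNAL_NET:
        return None  # relay resolving on the internet: the only allowed egress
    if src in INTERNAL_NET and dst in DNS_RELAYS:
        return None  # end-point using an approved relay
    if dst not in INTERNAL_NET:
        return "direct-egress"  # should have been blocked at the border firewall
    return "unapproved-internal-resolver"  # end-point is not using a relay

def audit(flow_text):
    """Parse flow records and return (src, dst, label) for each violation."""
    findings = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed records
        src, dst = ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])
        label = classify(src, dst, int(fields[3]))
        if label:
            findings.append((fields[0], fields[1], label))
    return findings

if __name__ == "__main__":
    for src, dst, label in audit(SAMPLE_FLOWS):
        print(f"{label}: {src} -> {dst}")
```

DNS over HTTPS shares port 443 with web traffic, so a port-based check like this one does not see it.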


Vladimir Jirasek is managing director of Jirasek Security.

This was last published in January 2017
