
Security Think Tank: Look to security best practices to secure DNS

What are the main security risks associated with DNS and how are these best mitigated?

On the internet, as on local area networks (LANs), endpoints have discrete IP addresses (, for example). But when one endpoint, say your home PC, wants to communicate with another endpoint such as the BCS home web page, a uniform resource locator (URL) is used – for example, This is where the domain name system (DNS) comes into play: it translates the URL into the actual IP address of the required endpoint.

DNS defines a range of record types for different services. Examples are the uniform resource identifier (URI) record (a URL is a specific form of URI) and the mail exchange (MX) record, which identifies the mail transfer agents (MTAs) for email. Voice over internet protocol (VoIP) generally uses the session initiation protocol (SIP), and the DNS service locator, or service (SRV), record is used to hold the VoIP system’s details.

DNS is therefore crucial to the operation of the internet, but it is not free of vulnerabilities.

Dyn, which runs authoritative DNS servers for a range of companies, suffered a huge distributed denial of service (DDoS) attack on the US east coast that severely affected its service, meaning many internet users were unable to reach the web pages they wanted.

Before we look at other vulnerabilities, it is worth pointing out that there are two types of DNS server: authoritative and recursive. The difference lies in how the server responds to DNS requests.

A recursive DNS server will, if it doesn’t have the information in its cache, interrogate other DNS servers before replying to a DNS request. An authoritative DNS server will, if it doesn’t have the information in its local cache, reply to a DNS request with ‘I don’t know, but try this (DNS) server’. Recursive DNS servers are typically found in internet service providers’ networks and in medium and large local area networks.

Other than DDoS, poisoning of the local DNS cache is a potential vulnerability, where an attacker succeeds in injecting malicious DNS data. Mitigations include implementing DNSSEC (good practice) or, where that is not possible, limiting the scope of recursion to only those servers needing protection (typically only those servers internal to a company).

Another vulnerability is where the email account of someone authorised to maintain a company’s DNS records becomes compromised. Once this has happened, the attacker can contact the domain registry and authorise changes to the DNS records. Mitigations include strong passwords and IP address-based acceptable client lists (ACLs) on the DNS servers. Training and education of IT personnel, and particularly administrators, in recognising social engineering is another good and recommended mitigation.
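The record types, the authoritative-versus-recursive distinction and the advice to limit recursion and apply client ACLs can all be seen in the wire format itself. The following is an added example, not code from the article or from any DNS product: it builds DNS messages from scratch with only the Python standard library, classifies a reply by its header flags (AA for an authoritative answer, a referral when the answer section is empty but the authority section is not, AD when a validating resolver has checked the answer with DNSSEC, REFUSED when recursion is denied), and applies an `allow-recursion`-style ACL so that only internal clients are offered recursion. The names, addresses and the `INTERNAL_CLIENTS` networks are constructed sample data.

```python
"""Added example: minimal DNS wire-format parser plus a recursion ACL check.

Everything here is constructed sample data; no network access is needed.
"""
import ipaddress
import struct

# Header flag bits and response code from RFC 1035 (AD bit from RFC 4035)
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired (set by the client)
FLAG_RA = 0x0080  # recursion available (set by the server)
FLAG_AD = 0x0020  # authenticated data: resolver validated the answer with DNSSEC
RCODE_REFUSED = 5

# Record types named in the article, plus NS, which carries referrals
TYPE_A, TYPE_NS, TYPE_MX, TYPE_SRV, TYPE_URI = 1, 2, 15, 33, 256


def encode_name(name):
    """Encode 'mail.example.com.' as length-prefixed DNS labels."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset; follows compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, pointer)
            return ".".join(labels + [tail.rstrip(".")]) + ".", offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def encode_rr(name, rtype, rdata, ttl=300):
    """One resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_query(txid, name, qtype, recursion_desired=True):
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_message(msg):
    """Parse the header and question section; only count the other sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    return {"id": txid, "flags": flags, "rcode": flags & 0x0F, "questions": questions,
            "ancount": an, "nscount": ns, "arcount": ar, "question_end": offset}


def build_response(query, flags, answers=(), authority=()):
    """Echo the query's id and question, then append the given RR sections."""
    q = parse_message(query)
    header = struct.pack("!HHHHHH", q["id"], FLAG_QR | flags, 1, len(answers), len(authority), 0)
    return header + query[12:q["question_end"]] + b"".join(answers) + b"".join(authority)


def classify_response(msg):
    """Name the kind of reply a client received, from the header alone."""
    m = parse_message(msg)
    if not m["flags"] & FLAG_QR:
        return "query"
    if m["rcode"] == RCODE_REFUSED:
        return "refused"
    if m["flags"] & FLAG_AA:
        return "authoritative answer"
    if m["ancount"] == 0 and m["nscount"] > 0:
        return "referral"  # 'I don't know, but try these servers'
    return "validated recursive answer" if m["flags"] & FLAG_AD else "recursive answer"


# Constructed ACL: the only networks this server will recurse on behalf of
INTERNAL_CLIENTS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def recursion_decision(client_ip, query, acl=INTERNAL_CLIENTS):
    """Mirror an allow-recursion ACL: recursion for listed clients only, REFUSED otherwise."""
    wants_recursion = bool(parse_message(query)["flags"] & FLAG_RD)
    allowed = any(ipaddress.ip_address(client_ip) in net for net in acl)
    if wants_recursion and not allowed:
        return "refuse"
    return "recurse" if wants_recursion else "answer-from-own-zones"


def build_refused(query):
    return build_response(query, RCODE_REFUSED)


# Constructed sample exchange for a mail lookup (all names are placeholders)
QUERY = build_query(0x1234, "example.com.", TYPE_MX)
MX_RDATA = struct.pack("!H", 10) + encode_name("mail.example.com.")
MX_ANSWER = build_response(QUERY, FLAG_AA | FLAG_RD, answers=[encode_rr("example.com.", TYPE_MX, MX_RDATA)])
REFERRAL = build_response(QUERY, FLAG_RD, authority=[encode_rr("example.com.", TYPE_NS, encode_name("ns1.example.com."))])
VALIDATED = build_response(QUERY, FLAG_RD | FLAG_RA | FLAG_AD, answers=[encode_rr("example.com.", TYPE_MX, MX_RDATA)])

if __name__ == "__main__":
    for label, msg in [("query", QUERY), ("from authoritative", MX_ANSWER),
                       ("from parent zone", REFERRAL), ("from validating resolver", VALIDATED),
                       ("refused", build_refused(QUERY))]:
        print(f"{label:26s} -> {classify_response(msg)}")
    print("internal client:", recursion_decision("192.168.1.10", QUERY))
    print("external client:", recursion_decision("203.0.113.7", QUERY))
```

The `recursion_decision` function is the policy the article recommends, reduced to its logic: an external client that sets RD gets REFUSED rather than a recursive lookup, while queries for the server's own zones are still answered. In BIND the equivalent knobs are `allow-recursion` and, for the DNSSEC side, `dnssec-validation`; the AD bit the classifier checks is what a validating resolver sets once it has verified the signatures.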

Finally, if you are going to run your own authoritative servers, the SANS Institute and the Center for Internet Security have identified a set of security best practices.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
