
Security Think Tank: Use DNS proxy services to bolster security

What are the main security risks associated with DNS, and how are these best mitigated?

Domain Name System (DNS) security is a critical yet often overlooked component of an organisation’s defence in depth strategy. Today’s security teams have a responsibility to protect staff, customers, internal resources and, most importantly, corporate data.

DNS is at the root of all requests for resources, both internal and external, and security teams should provide secure methods for customers to reach those resources. The DNS layer plays a pivotal role in both cases.

Focusing on customers and the public first, businesses have an obligation to reduce vulnerabilities associated with public access to their websites and externally facing resources.

DNS Security Extensions (DNSSEC) is a common method of providing a chain of trust among DNS providers. DNSSEC can help mitigate the risk of certain cyber attack techniques, such as cache poisoning, and can prevent man-in-the-middle attacks mounted through compromised DNS servers.

Additionally, by implementing DNSSEC on your external web properties, you will increase the level of trust between your site and your customer base. Essentially, this Icann standard prevents website users from being fooled by attackers who redirect traffic while posing as your IP addresses or domain names, which could damage the reputation of your business.

Although there are a few barriers to implementing DNSSEC, such as complexity and selecting a participating registrar and supported top-level domain, it is gaining momentum in the industry, is easy to maintain once set up correctly, and allows for more secure data transactions.

Internally, security teams should view DNS as less of a liability and more of a tool that can be used to improve internal security for staff. DNS proxy services, which intercept and filter DNS requests based on policy or reputation, have become popular for good reason. These proxy services add visibility and preventive controls into DNS. In the most routine scenario, employees attempting to visit potentially malicious sites can be intercepted before the threat ever appears.

Similarly, previously infected systems that attempt to call back, almost exclusively via DNS, to malicious command-and-control servers can be stopped. A well-implemented internal DNS strategy goes a long way towards protecting internal assets and preventing malicious communication from happening in the first place.
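The two controls described above, policy-based blocking and visibility into call-backs, as an added example that is not part of this article: a reputation check applied to each query in a constructed DNS proxy log (hypothetical domains and categories), plus a regular-interval check that surfaces the periodic call-back pattern of an already infected host.

```python
from collections import defaultdict
# Constructed reputation feed (hypothetical domains) of the kind a DNS proxy
# pulls from a threat-intelligence source: domain -> category.
REPUTATION = {"malware-drop.example": "malware", "phish-login.example": "phishing",
              "c2-beacon.example": "command-and-control"}
# Policy: categories the proxy refuses to resolve (it answers NXDOMAIN or a
# sinkhole address instead of the real record).
BLOCKED_CATEGORIES = {"malware", "command-and-control", "phishing"}

def lookup(qname):
    """Category of qname or of any parent domain (never the bare TLD), else None."""
    labels = qname.rstrip(".").lower().split(".")
    parents = (".".join(labels[i:]) for i in range(len(labels) - 1))
    return next((REPUTATION[d] for d in parents if d in REPUTATION), None)

def decide(qname):
    """Proxy decision for one query: ('block', category) or ('allow', None)."""
    cat = lookup(qname)
    return ("block", cat) if cat in BLOCKED_CATEGORIES else ("allow", None)

def parse(line):
    """Parse a constructed log line '<unix_ts> <client_ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.rstrip(".").lower(), qtype

def filter_log(lines):
    """Apply the policy to every query: [(client, qname, action, category)]."""
    return [(c, q, *decide(q)) for _, c, q, _ in map(parse, lines)]

def beacon_suspects(lines, min_queries=5, max_jitter=0.1):
    """(client, domain) pairs whose allowed queries recur at near-constant
    intervals: the regular call-back pattern of an already infected host."""
    seen = defaultdict(list)
    for ts, client, qname, _ in map(parse, lines):
        if decide(qname)[0] == "allow":
            seen[(client, qname)].append(ts)
    suspects = []
    for key, times in seen.items():
        gaps = [b - a for a, b in zip(times, times[1:])]  # log is time-ordered
        mean = sum(gaps) / len(gaps) if len(times) >= min_queries else 0
        if mean > 0 and max(abs(g - mean) for g in gaps) <= max_jitter * mean:
            suspects.append(key)
    return suspects

SAMPLE_LOG = [  # constructed: one benign lookup, two blocked, one 60 s beacon
    "1700000000 10.0.0.5 www.example.com. A",
    "1700000001 10.0.0.5 cdn.malware-drop.example. A",
    "1700000002 10.0.0.7 phish-login.example. A",
] + [f"{1700000060 + 60 * i} 10.0.0.9 upd.unknown-host.example. A" for i in range(5)]
```

Running `filter_log(SAMPLE_LOG)` blocks the two reputation hits and `beacon_suspects(SAMPLE_LOG)` flags only the host querying the same uncategorised domain every 60 seconds.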

Lastly, it is good practice to not publish DNS records for assets that do not need to be publicly accessed. Remote access to internal assets should be handled by VPNs, not opened up to the public. DNS reconnaissance is a starting point for any attacker looking for an opening into your network; do not provide any extra information about your environment with unnecessary DNS entries.

Michael McIntyre is a security engineer at (ISC)².
