DNS Security: Defending the Domain Name System


Posted on by Ben Rothke

That you are reading this review, and my ability to post it are due in large part due to the Domain Name System (DNS). DNS is Wikipedia describes it is a hierarchical decentralized naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for the purpose of locating and identifying computer services and devices with the underlying network protocols. Quite simply, DNS enable you to use google.com and other intuitive and easy to remember sites, as opposed to an inconsistent set of numbers like 172.217.5.14.

In DNS Security: Defending the Domain Name System (Syngress ISBN-13: 978-0128033067), authors Allan Liska and Geoffrey Stowe write that since DNS works so seamlessly, people often forget how critical it is. And more dangerously, those responsible for its operation often ignore the many DNS security risks in that they never thought to fully secure it when initially deployed. The underlying simplicity of DNS actually makes it a prime target for attackers.

DNS

The authors note that while DNS is a core Internet component, it’s something that most administrators set and forget. In fact, when the time comes for security configuration changes, there may not even be anyone in the organization who knows how to implement those changes.

For anyone tasked with anything related to DNS, this is an important book. It covers DNS for both Windows and Linux; including how to correctly implement DNS security.

Often forgotten topics such as DNS firewalls, response policy zones and more are discussed. The authors also have a section detailing DNS outsourcing. For organizations that lack an internal DNS expert (and that is pretty much most organizations) outsourcing some or all DNS tasks and services can make both good business and security sense.

Outsourcing may be especially valuable for those firms who’ve found their domain names have expired due to non-renewal in the past. This is a trivial, but often overlooked administrative task. If a domain expires, a firm may find themselves having to quickly reconfigure DNS, and often pay significantly to get their original domain names back.

The authors do a great job detailing how to log and monitor DNS traffic. An interesting and powerful method they show on how to identify bad domains, particularly those used for spamming and malware, is to flag newly registered domains. The authors quote research that shows that new domains are often used for malicious purposes. When the identification of new domains is combined with data about the generic top-level domains (gTLD) and country code top-level domain (ccTLD), all of this data can be used as a powerful security mechanism.  By entering that data into a SIEM,  a firm can use that and other information to better protect themselves from DNS-based attacks.

The book closes with an overview of Domain Name System Security Extensions (DNSSEC), which is a set of tools and protocols meant to secure DNS.  DNSSEC can fix many of the insecurities the book describes in the previous 140 pages, as it attempts to fix the Achilles' heel of DNS in that it was designed to be a scalable distributed system, without much of a notion to strong security.

With all the benefits DNSSEC affords, it’s underlying complexity and lack of global deployment means that DNS is currently, and for the not too distant future, will remain an incomplete and insecure set of protocols and services.

For any organization that takes network security seriously, DNS Security: Defending the Domain Name System is an important reference that should be required reading for any DNS administrator. The authors do a great job of showing how a little time and effort into DNS security can provide immediate and significant security benefits.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad

data security security operations

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs