Three ways IT can mitigate DNS security threats: A guide

You may think your domain name system is secure. But have you peeked under the hood recently? If you have, you may have seen the metaphorical tangle of wires and junk clogging up the system and quickly backed away, hoping that nothing will catch fire.

The DNS is the complex, interdependent addressing system that directs users to every aspect of your organisation’s digital experience. Executives tend to avoid dealing with the DNS, thinking that it’s all under control or fearing that they’ll break something if they touch it. But it’s dangerous to leave the DNS to sort itself out, as Mastercard, ING Bank, Facebook, and Hilton found when their DNS systems were hacked.

If you own it, you need to manage it. If not, you’re putting your customers and your enterprise at risk.

Why the DNS is vulnerable

The DNS is complex and far-reaching, and that’s just what makes it so difficult to manage. Companies create domains for everything, and they have for a long time. In addition to main websites and internal webpages, enterprises create landing pages, temporary sites for marketing campaigns, and domains to deliver digital services. 

In addition, constant updates of web content typically drive creation of new domains along with subdomains and redirect domains, which point visitors to updated online content. Large organisations have hundreds — even thousands — of domains, and all domains fully depend on the DNS.

With so much going on in the DNS, it’s a struggle to implement high-level security measures on every single domain an enterprise owns. This creates multiple threat vulnerabilities for bad actors to exploit. As Infosecurity Magazine reports, 90% of critical network infrastructure providers were hit by damaging cyberattacks in the past two years, with DNS attacks the most common.

It’s tempting to think that the near-total adoption of HTTPS encryption (with SSL/TLS certificates) has secured website users’ privacy. But many enterprises are unaware that all of their domains, including redirect domains that point to SSL certificate-protected domains, also have to be encrypted to ensure end-to-end secure connections — something an inefficiently managed DNS simply can’t promise.

Enterprises that fall victim to DNS compromise can lose their customers’ trust, brand equity, and enterprise value. With the European Union’s General Data Protection Regulation and other regulations yielding fines and penalties for companies that allow breaches, there’s also an increasingly steep financial cost. In a survey spanning Asia, Europe, and North America, financial firms reported that recovering from a single DNS attack cost an average of $924,390. Unless your domain name system is properly managed, it’s a perpetual risk.

Why hackers attack the DNS

The objective of most DNS attacks is the same: gaining unauthorised access to a client’s banking or financial information, credit card details, and other personal data by impersonating a legitimate online brand destination. This can be achieved by DNS spoofing, cache poisoning, or DNS hijacking: corrupting stored sets of website directory information to misdirect clients to malicious websites without their knowledge. Clients are lured into bogus shopping sites that bear another brand’s name, steal data, and leave the companies they impersonate to deal with the consequences.

An unsecured DNS is also vulnerable to DDoS attacks, which can overwhelm an enterprise’s entire DNS network and shut down all affected internet services. For high-traffic e-commerce or mission-critical information sites, these attacks can be catastrophic. 

Three ways to improve DNS security

There is — or should be — one simple rule: If you own it, you need to manage it. The days of leaving owned domains untended are over.

The good news is that protecting against DNS attacks isn’t impossible. In fact, the right tools can resolve the risks quite easily. These three steps can help enterprises mitigate or fully prevent multiple DNS risks.

#1: Consolidate to an enterprise-class provider

The first and most important step to protecting against DNS-related cyberattacks is to consolidate all CNI vendors and services to a single enterprise-class provider with advanced control-system software. Many organisations use multiple DNS services, largely a result of legacy activities such as mergers and acquisitions. Managing them all via disparate administrative interfaces with varying quality of service and security access protocols is a recipe for disaster. Hackers prey on the multi-DNS environment, searching for weaknesses such as orphaned domains parked at infrequently used domain registrars, or DNS providers and domains left without DNS security policies in place.

A consolidated DNS network is much less appealing to hackers, especially if it’s centralised into a reputable enterprise DNS service. Enterprise-grade providers employ built-in DDoS defenses. They offer robust, secure access management such as single-sign-on and multifactor authentication, and role-based permissions to manage access levels. 

A single DNS service will standardise support for security tools such as Domain Name System Security Extensions, Sender Policy Framework, or Domain-based Message Authentication, Reporting & Conformance, or Secondary DNS — automation that many DNS services don’t offer holistically by default. By consolidating all domains under a single control-system service, organisations can more easily manage and enforce DNS security policies. In addition, they can address the ongoing challenge of identifying and addressing legacy issues such as eliminating orphaned domains and DNS.

#2: Establish a unified, integrated change management system

Managing changes within the DNS network is the second-most important factor to enforce necessary DNS security policies. DNS security and related SSL certificates are complicated, detail-oriented operations. Every domain can have dozens, even hundreds, of zone file resource records. A single error on a zone file can expose the business to DNS hijacking.

Managing domains, DNS security, and SSL certificates are usually shared processes between groups. Changes may occur with no one knowing who did it, when and why it was done, or who (if anyone) authorised it. An integrated and unified change management system can eliminate the many risks created by multiple stakeholders operating with manual processes. User authorisation to access domains and the DNS should be restricted by permission-based roles.

Changes should be automated and tracked with tamper-proof audit histories and change alerts. This prevents unauthorised changes and ensures every change that occurs is recorded in the audit history.

#3: Implement, track, and maintain DNS security measures

Once DNS services and change management are unified, the final step is to implement appropriate DNS security measures across the DNS network. DNSSEC is proven to help mitigate security risks by authenticating the origin of DNS data. It directly addresses the risks of cache poisoning and DNS hijacking. DMARC and SPF are email security measures that protect your email network to reduce the risks of malicious actors using your own domains for phishing attacks. And redirect domains, which frequently lack HTTPS encryption, can be automated to ensure they are protected with a valid TLS certificate.

DNS attacks frequently succeed because organisations fail to employ the most effective means of securing their domains and DNS network. With best practices, DNS consolidation, unified change management, and deployment of DNS security measures, organisations can close security gaps and eliminate the risk of becoming another corporate DNS attack victim.

Interested in hearing industry leaders discuss subjects like this and sharing their use-cases? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data ExpoCyber Security & Cloud Expo and 5G Expo World Series with upcoming events in Silicon Valley, London and Amsterdam and explore the future of enterprise technology.

Related Stories

Leave a comment

Alternatively

This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.