As vital to the internet as the domain name system (DNS) is, security was more of an afterthought during its development. Instead, the focus was on functionality and implementation. If Paul Mockapetris had a crystal ball when he first invented it in 1983, securing DNS would have been more of a priority.
Still, after nearly 40 years, DNS is fundamental to our increasingly digitized world. As technology evolves, cybercriminals continually find new ways of exploiting the domain name system. By the same token, the tech industry continues to develop security measures to thwart such attacks. In this blog, we’ll be analyzing the strengths and weaknesses of DNS security, as well as solutions that can be used to safeguard your domain on the DNS level.
Weaknesses and Vulnerabilities in the Domain Name System (DNS)
Before you can fill in security gaps related to DNS, you must first understand its weaknesses. As mentioned above, DNS wasn’t created with security in mind. Therefore, it is inherently vulnerable in certain areas.
- DNS Servers are Blabber Mouths
The truth is, DNS servers aren’t good at keeping secrets. They function as a digital phonebook of sorts and their purpose is to convert domain names into IP addresses. They’ll “talk” to any device and freely exchange information. You can think of DNS servers as gossips—they love to spill the beans. But that’s what they were designed to do. In fact, it’s their “gossipy” nature that allows the internet to work in the way we’ve grown accustomed to today.
- Recursive DNS Servers Can’t Resist a Poisoned Apple
Just like Snow White, DNS servers aren’t able to resist beautiful red apples. They’re going to take a bite. Without special security precautions, they aren’t able to distinguish between a legitimate request and a fraudulent one. A server that eats a “poisoned apple” won’t fall into a coma, though. Instead, it will be flooded with fraudulent DNS records, which will trick it into sending innocent users to very bad places. In case it’s not clear, the server doesn’t really eat an apple… but servers can be poisoned by a hacker (more on this below).
- DNS Isn’t a Natural Defensive Tackle
In its basic state, the domain name system isn’t equipped to “hold the line.” In other words, it wasn’t created to block or recognize potential threats, it was only designed to answer queries. In fact, DNS is commonly exploited by hackers to circumvent firewalls, hijack websites, and tunnel malicious traffic in a variety of ways. DNS is also vulnerable to DoS and DDoS attacks, which are notorious for causing widespread outages for domains.
Although the domain name system wasn’t designed for security, how you are using it can make it more or less secure. For instance, while often used in combination, authoritative and recursive nameservers were designed to be used separately. Using them together can cause unforeseen issues and make your server(s) or network more vulnerable to threats. Furthermore, systems without proper BIND patches and regular security updates are more easily exploited. Appropriate DNS practices and configurations go a long way in protecting your server(s) or network from attacks.
Common DNS Attacks that Exploit DNS Security
- Distributed Denial-of-Service (DDoS) Attacks
As the name suggests, this type of threat is designed to deny access to a server or network. DDoS attacks are carried out by cybercriminals who have either assembled a botnet (typically a large group of hacked “zombie” devices) to attack a specific target or through an amplification attack, which uses publicly accessible DNS servers to flood a target with lookup requests. When faced with such a large barrage of unexpected traffic, systems can easily and quickly be overwhelmed and the domains relying on them go dark.
- NXDOMAIN Attack
This DNS threat is a close relative of the DDoS attack. Its goal is also to deny service to legitimate traffic, but instead of instructing hacked devices to hit a specified target, it bombards nameservers with requests for subdomains or DNS records that don’t exist or are invalid. An NXDOMAIN attack is usually accomplished by (but not limited to) programs that allow bad actors to auto-generate subdomains randomly. This causes the authoritative nameserver to essentially chase its tail because it’s too busy answering a flood of bad requests. Like DDoS attacks, these threats can exhaust a server or network to the point of failure.
- DNS Hijacking
You can think of DNS hijacking as sleight of hand. These types of attacks redirect traffic to a fake, malicious version of a website. This can be achieved via Trojan malware unknowingly installed on end-user devices, hacked routers, or intercepted DNS communication. The purpose of DNS hijacking is typically to collect sensitive details, such as passwords and payment information (phishing), or for ad revenue from spam ads (pharming).
- DNS Tunneling
This type of attack exploits DNS by using the protocol to sneak malicious traffic past a network’s firewalls and defenses. When DNS tunneling is successful, the attacker can infect internal devices on the network and exfiltrate data without the end user’s knowledge. Tunneling takes advantage of the domain name system’s “trusting” nature and can-do attitude and are notoriously hard to detect
- DNS Poisoning/DNS spoofing
DNS poisoning or DNS spoofing is when an attacker impersonates an authoritative nameserver. Think of it like how the witch disguised herself as an old woman to fool Snow White into eating the poisoned apple. Once established, the “imposter” will attempt to forge replies when the recursive server makes a request. Oblivious to the threat, the recursive server accepts the wrong answer without question and runs with it. In its defense, this isn’t an easy task. A hacker only has milliseconds to pull this off before the real authoritative nameserver answers the request. Unfortunately, if the bad actor is successful, this can lead to threat #6, which can be an even bigger problem.
- DNS Cache Poisoning
Cache poisoning is often a byproduct of DNS poisoning. The reason being is that once a recursive server is tricked into thinking a malicious actor’s device is an authoritative nameserver, it doesn’t just answer the original query with the information it receives. It also stores the fraudulent details in its cache. Anytime a user queries the resolver for the same website, the recursive resolver will send the end user to the “bad place” until the record(s) in its cache has expired.
Okay, so DNS has weaknesses. But so does everything else. Luckily, there are several weapons you can add to your domain’s arsenal that can fortify your DNS’s defenses.
How DNS Made Easy Can Protect Your Domain
DNS Made Easy knows how important security is for your domain. That’s why we don’t piggyback off of other provider networks. Instead, all of our DNS runs on our own bare-metal servers located within major data centers across the globe. Not only does this give us full control of our network, but it’s also why we’re able to deliver top speeds and live up to our 100% uptime guarantee.
Did you know:? DNS Made Easy has the longest-running uptime history in the industry—11+ years of continuous, uninterrupted DNS service—even when faced with large-scale attacks!
It’s our goal to eliminate as many pain points for our customers as possible. This includes DNS-related threats that domain owners face in the online marketplace. Security is always a top priority. That’s why we support DNSSEC and provide advanced DNS monitoring and analytics tools. Our solutions are developed from the ground up—by IT for IT—to ensure domains have the best and safest DNS experience. Below, we’ll explore solutions in DNS Made Easy that will help keep your domain secure.
DNSSEC: Validate and Secure Your DNS
One of the top methods for protecting your domain on the DNS level is with DNS Security Extensions (DNSSEC). In a nutshell, DNSSEC is a protocol designed to protect websites against attacks by securing DNS lookups. This is done via a hierarchical digital signing policy or chain of trust across all DNS layers. With DNSSEC enabled, each layer of the lookup process must be verified and signed before a query can be resolved.
DNSSEC is especially helpful for preventing common DNS-related attacks like DNS hijacking, poisoning, and tunneling, as it requires validation for each part of the lookup process.
Enable DNSSEC in DNS Made Easy
DNS Made Easy supports DNSSEC for added protection for domains hosted on our already secure Anycast+ network. Corporate and enterprise-level members using DNS Made Easy as their primary provider will receive full support on DNSSEC implementation. DNSSEC is also supported for all clients who use DNS Made Easy as secondary DNS.
Full DNS Audit Log History: Query Logging and Advanced Analytics
There are two types of domain owners. Those who make reactive decisions and those who make proactive decisions. Having to scramble to the defense in the midst of an attack always puts your domain at a disadvantage. With DNS Made Easy’s advanced Query logging and Analytics platform, you can view your web traffic’s real-time and historical patterns. With this unique data at their fingertips, your IT team will be able to spot unusual behavior and take appropriate measures before things spiral out of control.
Advanced DNS Monitoring and Protection: Real-time Anomaly Detection (RTTAD)
Real-time Traffic Anomaly Detection uses machine learning to detect and predict suspicious or unusual activity for your domain. By continuously analyzing your unique traffic, RTTAD learns what is and isn’t normal for your domain and sends instant notifications to IT teams if it notices anything out of the ordinary. The longer RTTAD has been enabled, the more accurate it becomes. With real-time alerts and clear visualizations of activity, teams can quickly determine if detected anomalies are legitimate or a threat, and take action accordingly.
DNS Made Easy Counter Measures for DNS Threats
Industries Most Vulnerable to Security Holes in the Domain Name System
While all industries should be concerned about DNS security, some are bigger targets for attacks than others and have increased liability due to the nature of their business. Below is a breakdown of some of the highest-risk industries:
- Investment groups
- Payment processing
Tip: Visit our How Banks Can Avoid DDoS Attacks with DNS blog for a detailed analysis of how DNS can help financial institutions.
- Retail sites
- Subscription-based platforms
- Hotels and online booking services
Tip: For an in-depth look at how DNS can help the lodging industry, check out our white paper.
- SaaS, Internet Service Providers, etc
- Mission-critical systems
Tip: For an in-depth look at how DNS can help the gaming industry, check out our Gaming white paper.
- Primary schools
- Secondary schools
- Colleges and universities
- Online medical charts
- Critical online systems
Due to the large volume of users and sensitive information held by companies within these sectors, they are at high risk for DNS-related attacks and other cyber threats. If your company falls under one of these categories, it’s imperative that you do whatever you can to protect your domain and your customers.
DNS Made Easy: A Step Above the Rest in Fast, Reliable, and Secure DNS
It is essential that organizations secure each aspect of their online-facing operations—starting with DNS. While the domain name system wasn’t designed with stringent security in mind, there are ways to protect your domain from common DNS exploitations. At DNS Made Easy, we go to great lengths to ensure your domain is safe. This includes running our DNS on our own infrastructure and providing enhanced security-based solutions such as DNSSEC, Real-time Anomaly Detection, and the most advanced DNS analytics in the industry. We also offer superior products for redundancy and Geo-accuracy, such as DNS Failover, Secondary DNS, and our Global Traffic Director. On top of that, our customers enjoy consistently fast speeds and true 100% uptime.
What are you waiting for? Talk to one of our DNS experts today and see the DNS Made Easy difference for yourself.
If you found this useful, why not share it? If there’s a topic you’d like to know more about, reach out and let me know. I’d love to hear your thoughts!