DNS security is a key area of online security because, in addition to resolving domain names with IP addresses, the Domain Name System is used by many web applications and network services. Therefore, any lapse in DNS security could have significant consequences if an attacker accesses a vulnerable DNS server.
With the growth in remote working and the introduction of 5G technology, much of the security world´s focus has been on endpoint security and preventing attacks against IoT networks. Indeed, it has been reported that 45% of corporate data now resides on endpoint devices, that almost
80% of workers use more than one device to access this data, and that cybercriminals have been able to hack IoT devices and infiltrate corporate networks in order to search for vulnerable high-privilege accounts.
However, while securing endpoints and IoT networks is undoubtedly necessary, it is equally important not to overlook DNS security. The Internet runs on DNS; and while most people understand the relationship between web browsers, the Domain Name System, and IP addresses; few realize DNS also plays an important role in how applications and network services communicate with each other. Consequently, if a DNS server is not hardened, several types of security issues can manifest.
DNS Security Issues and Why They Exist
While there are many different names for DNS security issues, they generally fall into two categories – those that redirect users, apps, and services to a different destination (DNS spoofing, DNS hijacking, etc.), and those that overwhelm websites with DNS response traffic (DNS amplification attacks, DNS DDoS attacks, etc.). In addition, attackers can exploit unsecured DNS servers to bypass network security controls (DNS tunneling) or launch Phantom Domain Attacks that result in poor network performance.
The reason for there being DNS security issues is that the system for looking up IP addresses was designed in the 1980s before many of today´s online security challenges existed. Having not been designed with security in mind, the Domain Name System resolves requests without authentication or encryption – thus making DNS servers vulnerable to exploitation, which can then result in misdirected users, apps, and services, overwhelmed websites, and unauthorized network access.
The Consequences of Failing to Address DNS Security Risks
In 2020, IDC conducted a survey of nine hundred companies in order to assess the scale of DNS attacks and their impact, and to establish what measures companies were implementing to mitigate DNS security risks. 79% of respondents reported having experienced one or more DNS-based attacks in the previous twelve months, with the top DNS security issues being:
- DNS spoofing (39%)
- DNS-based malware (34%)
- DDoS attack (27%)
- DNS amplification (21%)
- Legitimate requests being identified as a threat/false positives (19%)
- DNS tunneling (17%)
Although it may be the case respondents had already implemented measures to mitigate DNS security risks, the consequences of the attacks included application downtime, compromised websites, brand damage, loss of business, and the theft of sensitive information. Once the costs of resolving the problem, business damage, and implementing further mitigating measures were added together, IDC calculated the average cost of each successful DNS attack to be $924,000.
Recommended DNS Security Best Practices
Although 98% of respondents to the IDC survey claimed they had some measures for DNS hardening in place, many had measures that alerted them retrospectively to a compromised DNS server, rather than proactive measures to prevent DNS attacks being successful in the first place. To proactively prevent DNS attacks, security experts recommend three DNS security best practices:
DNS Security Extensions (DNSSEC)
DNS security extensions uses digital signature key pairs to validate whether the answer to a DNS query is coming from the proper source.
DNS over TLS
DNS over TLS encrypts plain text queries to prevent man-in-the-middle attacks and attackers tracking what sites a particular user or application visits.
DNS over HTTPS
DNS over HTTPS is an alternative to DNS over TLS – the difference being that encrypted DNS queries and responses are camouflaged within other HTTPS traffic.
These DNS security best practices resolve the issues of Domain Name Servers lacking authentication or encryption, and contribute to a multilayered, zero-trust approach to DNS security. While it is still advisable for organizations to feed DNS data into SIEMs for monitoring, analysis, and alerting, by applying two of the three DNS security best practices (there is no need to implement both encryption protocols), the number of DNS security issue alerts should decrease dramatically.
Further Enhancing DNS Security with a DNS Filtering Solution
Implementing the recommended DNS security best practices closes one door for attackers, but not every door. DNS security services do not prevent networks being infiltrated if users visit comprised websites with genuine IP addresses and either inadvertently download malware or reveal log-in credentials. In order to prevent these security issues manifesting, it is recommended to implement a DNS filtering solution that scans traffic passing through the DNS server and blocks unsafe activity.
What a DNS filter can do, but DNS security services can´t do, is inspect each request to visit a web page and block user access if the web page is known to be malicious or if its URL has appeared in spam emails - indicating a high probability it either contains malware or has been published to obtain log-in credentials. Consequently, whatever DNS security services are implemented, a DNS filtering solution only enhances DNS security in order to better protect the network, its users, and your business.
Further Advantages of a DNS Filtering Solution
A DNS filtering solution does much more than block access to compromised and unsafe websites. User access to non-productive and harmful web content can be blocked using granular category and keyword filters, specific websites can be whitelisted or blacklisted, and attempts to circumnavigate the DNS filter by using anonymizer sites and VPNs can also be prevented. Furthermore, cloud-based DNS filtering solutions can help protect the network however users connect with the network.
Cloud-based DNS filters also have the advantages of being easy to install and configure with no hardware costs nor software management. Acceptable Use Policies can be applied with the click of a mouse due to the solutions integrating with existing directories, there are no limitations on bandwidth nor the number of users, and any latency attributable to the filtering process is imperceptible to the end user. Most won´t even realize their online activities are being filtered.
Find Out More about DNS Filters to Enhance DNS Security
If you would like to know more about enhancing DNS security with a DNS filter, do not hesitate to get in touch. Our team of technical advisors will be happy to expand on the points raised in this article about DNS security and organize a free demo of WebTitan Cloud in action - after which the opportunity exists to take advantage of a free trial of our DNS filtering solution in order for you to evaluate the filter´s capabilities in your own environment.