Five DNS Security Tips

Highlights from the McAfee FOCUS Event

DNS protocol at FOCUS

FOCUS is a large security event hosted by McAfee and a platform for security professionals to exchange ideas, discuss real-world scenarios, and gain valuable information about today’s security landscape. I had the opportunity to attend this event and wanted to share some key messages that were discussed around the DNS protocol at FOCUS.

DNS protection is crucial

The DNS protocol was created in 1982 as a more scalable way to automatically disseminate the growing number of host numerical addresses. Technically speaking, DNS was created to replace the hosts.txt file. At the time DNS was created, security was not a priority. In fact, the DNS protocol has remained almost the same since its inception – void of security.

DNS is core to the fabric of the Internet. Without DNS service, there is no Skype, no Facebook, no Twitter, no Instagram, no CNN, and no Google. Without DNS, there is no Internet as we know it.

As critical as DNS is to the Internet, it lacks embedded security. This needs to change.

There is no silver bullet for DNS protection

Every security professional in the market is familiar with the three main pillars of information/network security:

  • Availability: The information must be available at all times
  • Integrity: The information shall not be tampered with by unauthorized persons
  • Authenticity: The information must come from authentic sources

DNS should be no different and must follow these same pillars. The DNS service must be available, and its data must keep its integrity and authenticity. So, how can we achieve this?

One thing we must accept up front: there is no silver bullet for DNS protection. It is a layered approach including people, process, and technology. Security professionals need to understand the type of infrastructure they are trying to protect, their business needs, and the threats targeted against their systems. They must design the infrastructure accordingly and have skilled people to monitor and manage it.

Five DNS security tips to consider

In future posts, I will dig deeper into DNS protection, but we can easily identify some issues that can be addressed immediately:

  1. Know who must have access to the DNS service, and restrict it to that set of people.
  2. Security administrators must have a way to rate limit DNS traffic under heavy load conditions, to keep the DNS infrastructure working within its designed conditions.
  3. Application layer attacks must be addressed (against both the DNS server application and the DNS protocol itself).
  4. DNS security architectures must address performance: Denial of Service attacks (DoS or DDoS), new applications, and new ways to access the Internet come up every day.
  5. DNS servers must be patched and, if possible, upgraded to their latest version in order to avoid attacks that target old vulnerabilities.
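Tips 1 and 2 are the two that can be checked against evidence you already have: a query log. The script below is an added example, not code from the original post or from any product; it audits a log for queries from clients outside an allowed set of networks (tip 1) and for clients whose per-second query rate exceeds a ceiling (tip 2). The log line format, the allowed networks (10.0.0.0/8 and 192.168.0.0/16), the 20 queries/second threshold and the sample lines are all constructed assumptions for the example.

```python
"""Audit a DNS query log for two of the tips above: access restricted to an
allowed client set (tip 1) and a per-client query-rate ceiling (tip 2).

Added example; the log format and every threshold here are assumptions, not
taken from any product or from the original post."""

import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: this resolver should only answer these internal networks.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]

# Assumption: no single client legitimately needs more than this many
# queries within one second against this resolver.
MAX_QPS_PER_CLIENT = 20

# Constructed log format (not BIND's own): ISO timestamp, client, name, type.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")


def build_sample_log():
    """Constructed sample: two normal internal queries, one query from an
    address outside the allowed networks, and a 30-query burst from one
    internal host inside a single second."""
    lines = [
        "2023-11-01T10:00:00.101 client=10.1.1.25 qname=intranet.example.com qtype=A",
        "2023-11-01T10:00:00.250 client=10.1.1.25 qname=mail.example.com qtype=MX",
        "2023-11-01T10:00:01.010 client=198.51.100.7 qname=example.com qtype=ANY",
    ]
    lines += [
        f"2023-11-01T10:00:02.{i:03d} client=192.168.4.9 qname=h{i}.example.com qtype=A"
        for i in range(30)
    ]
    return "\n".join(lines)


def parse_line(line):
    """Return the fields of one log line, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowed(ip, allowed=ALLOWED_CLIENTS):
    """True when the client address falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as not allowed
    return any(addr in net for net in allowed)


def audit(log_text, allowed=ALLOWED_CLIENTS, max_qps=MAX_QPS_PER_CLIENT):
    """Walk the log once and report clients outside the allowed networks and
    clients whose peak queries-per-second exceeded max_qps."""
    unauthorized = set()
    per_second = defaultdict(Counter)  # client -> Counter(second -> queries)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not query records
        if not is_allowed(rec["ip"], allowed):
            unauthorized.add(rec["ip"])
        per_second[rec["ip"]][rec["ts"][:19]] += 1  # bucket by whole second
    rate_exceeded = {}
    for ip, buckets in per_second.items():
        peak = max(buckets.values())
        if peak > max_qps:
            rate_exceeded[ip] = peak
    return {"unauthorized": sorted(unauthorized), "rate_exceeded": rate_exceeded}


if __name__ == "__main__":
    report = audit(build_sample_log())
    for ip in report["unauthorized"]:
        print(f"query from outside allowed networks: {ip}")
    for ip, peak in report["rate_exceeded"].items():
        print(f"rate ceiling exceeded: {ip} peaked at {peak} queries/second")
```

A finding from the first check usually means the server's own access controls need tightening (in BIND, the `allow-query` and `allow-recursion` ACLs); a finding from the second is the kind of load that tip 2 asks administrators to be able to cap at the server, which BIND exposes as Response Rate Limiting. The script only reads history, so it is a way to see whether those controls are needed and whether they are working, not a replacement for them.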

Next steps

It is important for you to understand your DNS technology environment (e.g., DNS server firewalls, intrusion prevention systems, application firewalls, caching, anti-DDoS, etc.). From there, you can identify the holes in your existing infrastructure (e.g., no redundancy, no rate limiting, no trimming capability, no DNS application firewall, etc.) and determine ways to reduce or mitigate your DNS security risk.

With this information in hand, you can search for solutions to improve your DNS infrastructure and resilience.

Alexandre Cezar
About Alexandre Cezar
Alexandre S. Cezar, CISSP, is an information security professional with more than 16 years of experience in the information security and network fields, most of them spent working in the telecom and financial markets on projects worldwide. Alexandre is a specialist in technologies such as firewalls, DPI, IPS, anti-spam, DDoS protection, SIEM tools, operating systems, and routing/switching equipment.