How to stay ahead of threats to DNS servers

It’s virtually impossible to stop DNS attacks, but these best practices can significantly minimize the impact

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Gartner predicts more than 30 billion devices will be connected by the Internet of Things (IoT) by 2020, and Domain Name System (DNS) servers are critical to keeping it all running. However, the number, frequency and variety of attacks on DNS servers is rising, putting businesses and initiatives like IoT at enormous risk. The good news is, there are steps you can take to mitigate these attacks.

The DNS system translates easily memorized domain names into the numerical IP addresses needed for locating computer services and devices worldwide. According to the Internet Corporation for Assigned Names and Numbers (ICANN), there are 30 to 50 million DNS servers on the planet. These servers are being hit by four main types of attacks: zero-day, cache poisoning, denial of service (DoS) and distributed denial of service (DDoS).

With a zero-day attack, a previously undiscovered vulnerability that resides within the DNS server software or the DNS protocol stack is exploited to compromise, confuse or even crash a DNS server.

Cache poisoning is one of the more notable types of attack. To speed up the process of connecting the points on the Internet, the DNS system holds many local copies of itself in regional caches. By exploiting bugs, local malware or poor DNS server configuration, external agents can inject fraudulent addressing information into DNS caches in order to launch an attack. Users accessing the cache with the aim of visiting a targeted site are, instead, redirected to a different server, under the control of the attacker. For example, this could be a fake e-tail site that offers a close replica of the target’s official site, tricking users into divulging financial information.

DoS, like its name implies, blocks users from accessing a given Internet service or web site. This is typically achieved by flooding a victimized web site with simultaneous queries, creating such high volumes of traffic that legitimate users can’t enter the site.

DDoS is a more elaborate form of DoS. It involves a network of zombie computers, often in the thousands, which the attacker commandeers from the victim by spreading malware from one machine to another. Even a single infected desktop on a local network can generate more than 200,000 DNS queries per second and almost kill a DNS server by stopping most of its internal services. 

Best practices for mitigating DNS attacks

Given the changing nature and growing scale of threats, it’s virtually impossible to stop DNS attacks outright. But, by adopting the following best practices, you can significantly minimize them:

* Use the latest DNS software and ensure patches are applied. The Internet Systems Consortium (ISC) also regularly issues updates and patches for Berkley Internet Name Domain (BIND), the most widely used DNS server. BIND is thought to deliver an excellent balance between speed and security, ease of administration and robustness, and RFC standards integration and universal applicability. But BIND is also the most attacked DNS server, so businesses need to run the latest version to protect against security flaws.

* Segregate Authoritative and Caching/Recursive functions within the DNS server, as recommended by ICANN. Authoritative servers should only accept queries they can answer authoritatively and have recursive disabled. This helps to prevent the Recursive Name Server Reflection Attacks common in DDoS attacks.

This is particularly critical with BIND, where key authoritative and recursive functions are contained within the same code in a single DNS engine. By incorporating a second DNS engine in the same appliance with separate authoritative and recursive functions, you can significantly increase the security and reliability of critical DNS services. For instance, use an alternative DNS engine such as Unbound and NSD. Unbound is a validating, recursive and caching DNS resolver that is designed for high performance, while NSD is an authoritative-only, high-performance name server.

* Eliminate Single Points of Failure. To mitigate the effects of zero-day attacks and ensure that you won’t be vulnerable to a full-on DoS attack, best practices suggest using a hybrid DNS strategy. A hybrid strategy helpsmake DNS security footprints baffling to hackers by running a different type of algorithm for each DNS engine. When a new security alert is issued, a network owner can quickly and temporarily switch to another engine. The alternative engine can remain in place while DNS programmers patch, test and validate a security upgrade for the first engine. Plus, with multiple DNS engines in place, hackers will never be sure which name server software is running—making the task of analyzing DNS network packet footprints to discover its vulnerabilities quite complex and virtually impossible.

* Architect for Redundancy and Security. As part of best practice deployment, selecting the appropriate DNS architecture for your company’s environment is very important. Deployment strategies should always include high availability and built-in mechanisms for easy recovery in the event of a disaster.

* Implement a DNS Firewall. Protect against DNS-based malware by using DNS Firewalls to block workstations from reaching malicious sites. At the same time, the DNS Firewall can protect against initial infection by placing the infected user in a Walled Garden so the system administrator can be notified that a user may be infected.

* Implement a high-performing DNS to absorb DDoS attacks. During a DDoS attack, the hacker tries to kill the DNS server or corrupt the DNS Cache so some queries will not be answered. Using DNS Queries filtering to combat this isn’t recommended because doing so opens security holes. Instead, make sure your DNS infrastructure has the capability to always answer all DNS queries.

With the rise in mobile, cloud solutions and Internet-connected devices, not only will DNS attacks become ever-more prevalent and complex, they will directly impact companies’ core business. Bearing in mind that the best defense is a great offense, now is the time to deploy best practices and technologies that can keep you several steps ahead of the attackers, mitigate the impacts of DNS attacks, and ensure your network is up for the challenge.

EfficientIP, a fastest-growing DDI vendor, helps organizations drive business efficiency and continuity through enhanced network services availability, security and performance. Its unified management framework for DNS, DHCP & IPAM devices and network configurations are used by customers around the world to reduce operating costs and increase management efficiency of network and security teams.

Copyright © 2015 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022