Addressing IoT security with DNS and DNSSEC

Apr 04, 2018 | 5 mins
Internet of Things

Incorporating DNSSEC and ensuring the DNS setup for connected devices is secure and resilient is fundamental to IoT security and will only become more imperative in this rapidly advancing, connected world.

We are witnessing a huge explosion in the number of Internet of Things (IoT) devices as a growing number of new “smart” consumer items, appliances, and vehicles are brought to market. While these devices introduce conveniences and enable new exciting applications and experiences, they introduce a high level of security risk to business and consumer networks. This is because manufacturers are frequently lax when it comes to the security implications of deploying smart connected devices in the wild.

So why does IoT pose a potential risk to consumers? These devices fall into the “set it and forget it” bucket. They are typically easy to set up: you connect them to whatever network or networks you use regularly, and then you never have to think about them again. Consumers are focused on functionality rather than on how the devices communicate with the outside world, whether they receive updates, or what their network security characteristics are.

From a manufacturer standpoint, security is typically an afterthought that is addressed post-design. Manufacturers are thinking about what the device can and should do from a product feature standpoint, not what it shouldn’t be able to do or how malicious actors might take advantage of it. For this reason, the security posture of a new IoT device is often lacking and may leave many potential vulnerabilities unaddressed. Further, once on the market, these devices are hard to update because each runs its own operating system or firmware. Once newer iterations of that firmware ship, it can be difficult if not impossible to update the firmware itself, never mind apply security patches.

As the number of connected devices explodes into the tens of billions over the next several years, the implications of insecure IoT devices take on new urgency and significance. An office printer that is not properly protected may easily be taken over by malware and used in a DDoS attack to take down a business application or website. Likewise, a company’s connected camera system may become part of a botnet that drops ransomware on a home or corporate network. These attacks all have the potential to be business killers for those affected – imagine how users would react if their favorite music or TV streaming service went down for a day? Or how much revenue would be lost if an insecure device was the attack vector enabling a massive data breach against a major retailer?

Security experts have pointed to many solutions to the IoT security challenge, including superior baked-in security protections, separate networks for connected devices, and frequent monitoring of network activity. However, these recommendations have overlooked one solution every network already uses – DNS, or the Domain Name System. As the entry point to every application on the internet, DNS plays a critical role in the deployment of IoT technologies. It is the mechanism by which IoT devices discover and connect to internet or cloud services to transmit data and receive updates and commands.

Connected devices are often hard-coded to connect to corporate domains (think “”) for updates. They inherently trust that domain to be secure and reliable, which makes them vulnerable to DNS cache poisoning attacks. This common man-in-the-middle attack corrupts cached DNS data, causing the name server to return a fraudulent IP address. Malicious actors can use cache poisoning to direct IoT devices to rogue update services, giving them an opportunity to ship a bad update to the devices and potentially compromise them, take them offline, or hijack them for botnet attacks on other organizations.

Because of this potential, DNS can and should play a vital role in IoT security efforts. Deploying the DNS Security Extensions (DNSSEC) ensures that IoT devices are directed to the authentic source of their software and firmware updates. For example, when that connected fridge in the breakroom reaches out to the corporate network for its next software update, you can be assured that DNS will route the appliance to the correct server.
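What DNSSEC adds to the answer above is an RRSIG record that a validating resolver checks against the zone's DNSKEY before accepting the A record. The following added example (not from the article or from NS1) builds the signed data exactly as RFC 4034 §3.1.8.1 specifies and shows the check passing for the genuine answer and failing for a substituted one; it assumes algorithm 15 (Ed25519, RFC 8080), a freshly generated key standing in for the zone key, and constructed names and addresses (example.com, 192.0.2.10, 198.51.100.99). It covers only the RRSIG over the RRset; a real resolver also validates the DNSKEY chain of trust and the signature's inception and expiration window.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"strings"
)

// RRSIGHeader is the fixed-size prefix of RRSIG RDATA (RFC 4034 §3.1), declared in wire order.
type RRSIGHeader struct {
	TypeCovered                    uint16
	Algorithm, Labels              uint8 // algorithm 15 = Ed25519 (RFC 8080)
	OrigTTL, Expiration, Inception uint32
	KeyTag                         uint16
}
// wireName encodes a domain name in canonical (lowercase) wire form (RFC 4034 §6.2).
func wireName(name string) (b []byte) {
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		b = append(append(b, byte(len(l))), l...)
	}
	return append(b, 0)
}
// signedData is exactly what an RRSIG covers (RFC 4034 §3.1.8.1): RRSIG RDATA minus the signature, then each RR as owner|TYPE|CLASS|original TTL|RDLENGTH|RDATA (rdatas already in canonical order).
func signedData(h RRSIGHeader, signer, owner string, rdatas [][]byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, h)
	b.Write(wireName(signer))
	for _, rd := range rdatas {
		b.Write(wireName(owner))
		binary.Write(&b, binary.BigEndian, struct{ Type, Class uint16; TTL uint32; Len uint16 }{h.TypeCovered, 1, h.OrigTTL, uint16(len(rd))})
		b.Write(rd)
	}
	return b.Bytes()
}
// VerifyRRset is the check a validating resolver runs against the zone's DNSKEY before returning an answer.
func VerifyRRset(pub ed25519.PublicKey, h RRSIGHeader, signer, owner string, rdatas [][]byte, sig []byte) bool {
	return ed25519.Verify(pub, signedData(h, signer, owner, rdatas), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the zone's Ed25519 signing key
	h := RRSIGHeader{TypeCovered: 1, Algorithm: 15, Labels: 3, OrigTTL: 300, KeyTag: 4242}
	genuine, poisoned := [][]byte{{192, 0, 2, 10}}, [][]byte{{198, 51, 100, 99}} // constructed A RDATA
	sig := ed25519.Sign(priv, signedData(h, "example.com.", "updates.example.com.", genuine)) // zone signer's job
	fmt.Println(VerifyRRset(pub, h, "example.com.", "updates.example.com.", genuine, sig), // true
		VerifyRRset(pub, h, "example.com.", "updates.example.com.", poisoned, sig)) // false
}
```

Because the owner name, TTL and RDATA are all inside the signed bytes, a poisoned address, a changed TTL or a re-pointed owner each invalidate the signature, while only the case of the name is ignored.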

IoT devices also need to discover and connect to cloud-based systems for shipping or receiving data and commands. It is critical that these services be reliable and perform effectively; otherwise the organization is at risk of data loss, compromised device functionality, and similar threats. So in addition to DNSSEC, organizations should deploy redundant DNS networks and manage access to DNS configurations with minimal permissions and two-factor authentication. Doing so maximizes the reliability of the DNS for the cloud systems on which connected devices depend, and maximizes operational security for the domains of those systems.

With the number of IoT devices expected to grow exponentially over the next several years, it is critically important for manufacturers to think about the security of these devices early, before they are deployed in the wild, and to consider the role DNS plays in IoT. Incorporating DNSSEC and ensuring the DNS setup for connected devices is secure and resilient is fundamental to IoT security and will only become more imperative in this rapidly advancing, connected world.

Kris Beevers leads NS1’s team of industry experts as they create products to enable companies to use DNS to build and deliver dynamic, distributed, and automated applications that delight users. He is a recognized authority on DNS and global application delivery, and often speaks and writes about building and deploying high performance, at scale, globally distributed internet infrastructure.

Kris holds a PhD in Computer Science from RPI, and prior to founding and leading NS1, he built CDN, cloud, bare metal, and other infrastructure products at Voxel, which sold to Internap (NASDAQ:INAP) in 2011.

The opinions expressed in this blog are those of Kris Beevers and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.