It may come as a surprise, but the website address on its own isn’t enough to reach the website. Computers operate on Internet Protocol addresses, not URLs. To make users’ lives easier, there is a built-in Domain Name System that functions like a phonebook: computers consult it to find the IP addresses they need to connect to websites.
However, this phonebook is also one of the network's biggest vulnerabilities. Attackers can exploit this system to redirect users to spoofed websites. For this reason, DNS security should be one of the priorities when securing an organization against cyber threats. Let’s look into DNS security and how it can be applied in your organization.
What is DNS?
Domain Name System (DNS) is a method for cataloging the IP addresses of servers and their associated web page URLs. Since names are easier for humans to remember than IP addresses, computers must translate them into Internet Protocol (IP) addresses to know the connection’s destination.
Each website is assigned a unique IP address, which may be version 4 or version 6 (IPv4 or IPv6). The difference between them is that IPv4 uses 8 digits, while IPv6 uses both digits and letters and can have up to 45 characters. DNS queries match URLs to IP addresses, providing the destination for connection requests. If the server responds, the loaded website is returned to the user. This process repeats back and forth while surfing the web.
It’s also worth noting that devices store frequently used IP addresses to save time and resources. This is known as DNS caching — keeping a list of frequently used IP addresses on speed dial. Browsers and operating systems cache DNS data for a specific amount of time (the record’s time to live, or TTL).
Why is DNS Security important?
DNS was built in the early days of the internet, when cybersecurity wasn’t a consideration. The main problem with it nowadays is that it can’t be blocked and is very difficult to monitor in a business environment. Solutions that increase DNS security therefore patch up one of the holes in the fence that attackers could exploit. Usually, DNS security solutions eliminate or otherwise minimize the risks associated with DNS resolvers, such as spoofing attempts.
Protection against malware and phishing attacks
Dangerous websites associated with spreading malware or phishing can be blocked using DNS. It can function as a filter that allows only reputable websites or blocks certain website categories. In some cases, this also allows it to protect against ads by blacklisting known ad-serving hosts.
As IoT devices become more popular, they pose a significant risk of being hacked and ending up under an attacker’s control. Because compromised devices are controlled from known bot (command-and-control) servers, DNS resolution of those servers’ names can be blocked, cutting the link and effectively neutralizing the threat.
If you’re rushing, it’s easy to mistype a website address, so instead of netflix.com you can end up at netfix.com. This is a serious danger, as attackers often register mistyped variants of genuine domains and use them to distribute malicious programs. It doesn’t take long for such a domain to see its first visitors.
Secure DNS servers usually offer a faster lookup than ISP DNS servers. They may also have various protection mechanisms and filters that could be lacking in an ISP’s server. In the long run, users can experience better reliability and improved connection speeds. It may also improve employee productivity.
How does DNS work?
Before going into the details of how DNS security is set up, let’s first establish the fundamentals of how it works. Every device with internet connectivity has a unique IP address. It’s used for identification when participating in data exchange — for data packets to arrive at their destination, it’s important to know where they should be sent.
By default, web browsers perform these lookups by checking with the Internet Service Provider’s DNS servers. DNS servers themselves can be classified into authoritative servers and recursive resolvers. Authoritative servers store the actual IP addresses of websites, while recursive resolvers don’t hold the exact address but know where to look for it.
This system was invented to simplify the user experience: DNS servers take care of retrieving the long IP addresses, while users only need to remember the website name. Every time you visit a website, you also use a DNS server without knowing it. It’s one of the pillars that made the internet possible.
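To make the split between recursive resolvers and authoritative servers concrete, and to show how caching (described above) cuts out repeated lookups, here is an added example that simulates an iterative resolution walk in plain Python. It is not code from the original article or from NordLayer; the three in-memory "servers", the example.com zone data and the 192.0.2.x addresses (a documentation range) are all constructed for this illustration.

```python
from collections import namedtuple

# Constructed stand-in for three nameservers (root, the .com TLD servers and
# the zone's own authoritative server). Each server maps the names it is
# responsible for to either a referral ("REFER", next_server) or an answer
# ("A", address, ttl_seconds). None of these are real servers or addresses.
SERVERS = {
    "root": {"com.": ("REFER", "tld-com")},
    "tld-com": {"example.com.": ("REFER", "ns-example")},
    "ns-example": {
        "www.example.com.": ("A", "192.0.2.10", 300),
        "mail.example.com.": ("A", "192.0.2.25", 60),
    },
}

Answer = namedtuple("Answer", "address source upstream_queries")


class RecursiveResolver:
    """A minimal recursive resolver with a TTL-bounded cache."""

    def __init__(self, servers=SERVERS):
        self.servers = servers
        self.cache = {}  # qname -> (address, expires_at)

    def resolve(self, qname, now):
        """Resolve qname at time `now` (seconds), walking referrals from root.

        Returns where the answer came from ("cache", "authoritative" or
        "nxdomain") and how many upstream servers had to be asked.
        """
        qname = qname.lower().rstrip(".") + "."
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            return Answer(cached[0], "cache", 0)  # still within its TTL

        server, queries = "root", 0
        while True:
            queries += 1
            records = self.servers[server]
            match = self._longest_match(records, qname)
            if match is None:
                return Answer(None, "nxdomain", queries)
            record = records[match]
            if record[0] == "REFER":
                server = record[1]  # follow the referral one level down
                continue
            _, address, ttl = record
            self.cache[qname] = (address, now + ttl)
            return Answer(address, "authoritative", queries)

    @staticmethod
    def _longest_match(records, qname):
        """Pick the most specific record: exact names always match,
        referrals also match every name below them."""
        best = None
        for name, record in records.items():
            exact = qname == name
            below = record[0] == "REFER" and qname.endswith("." + name)
            if (exact or below) and (best is None or len(name) > len(best)):
                best = name
        return best


if __name__ == "__main__":
    resolver = RecursiveResolver()
    print(resolver.resolve("www.example.com", now=1000))  # three hops
    print(resolver.resolve("www.example.com", now=1100))  # served from cache
    print(resolver.resolve("www.example.com", now=1400))  # TTL expired, walk again
```

The second call is answered from the cache with no upstream traffic, which is exactly the time-saving the article describes; the third call happens after the 300-second TTL has expired, so the resolver walks the hierarchy again. This cache is also what a DNS poisoning attack (covered below) tries to corrupt: a forged answer that lands in it is handed out to every client until it expires.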
Common attacks involving DNS
As DNS is a central part of the internet with numerous vulnerabilities that could be exploited, it’s a significant target for attackers. Here are some of the most common attacks involving DNS:
DNS poisoning — an attack that aims to corrupt entries in the DNS resolver’s cache to misdirect connections. The new destinations can spread malware or host spoofed websites disguised as genuine ones to collect real users’ login data.
DNS tunneling — this attack encodes other data, programs, or protocols into DNS queries and responses. The payloads bypass the target’s defense systems and allow the attacker to distribute malware or steal information.
NXDOMAIN attack — a type of DNS flood attack in which the attacker overwhelms the DNS server with a barrage of requests for records that don’t exist. The authoritative server wastes resources looking for nonexistent entries, leaving little to no capacity for the genuine requests that are also coming in from real users. The attack may also target a recursive resolver by filling its cache and taking it out of service.
Phantom domain attack — another denial of service attack that targets authoritative nameservers. It has to be prepared in advance by setting up a number of DNS servers that either don’t respond to DNS requests or do so very slowly. The resolver is then sent a flood of requests for those domains and turns to the phantom nameservers for IP addresses. Because they delay their responses, requests pile up and subsequent requests from genuine users are denied.
Random subdomain attack — similar to NXDOMAIN, but nonexistent subdomains are targeted instead of nonexistent domains. Requests for randomly generated, nonexistent subdomains of a specific website flood the recursive servers, which makes it impossible to look up data from the authoritative nameserver.
How does DNS Layer Security help to stop cyber attacks?
As the internet is held together by DNS, minor adjustments can make a significant difference to cybersecurity. Monitoring the DNS requests coming from your organization and the IP addresses returned can make a huge difference when securing a company’s network. Flagging suspicious DNS activity is one of the first steps to halting an attack that is underway.
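As an added example of the monitoring described above, the following Python script runs two simple detections over resolver query logs: it flags clients producing an unusual number of NXDOMAIN answers (the NXDOMAIN flood pattern) and zones receiving many distinct, high-entropy nonexistent subdomains (the random subdomain attack pattern from the list above). This is not code from the article or from NordLayer; the log lines, their "client qname qtype rcode" format, the client addresses and the thresholds are all constructed for the illustration, and the two-label zone heuristic ignores the public suffix list.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (no real clients or zones). The format
# assumed here is "<client_ip> <qname> <qtype> <rcode>", one query per line;
# real resolvers (BIND, Unbound, ...) each have their own query-log layout.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 mail.example.com A NOERROR
10.0.0.9 a8f3k2q9z1.example.org A NXDOMAIN
10.0.0.9 p0x7m4wq2b.example.org A NXDOMAIN
10.0.0.9 zz91kd0tqp.example.org A NXDOMAIN
10.0.0.9 qw3e8r7t6y.example.org A NXDOMAIN
10.0.0.9 m1n2b3v4c5.example.org A NXDOMAIN
10.0.0.9 l9k8j7h6g5.example.org A NXDOMAIN
10.0.0.7 shop.example.com A NOERROR
10.0.0.7 blog.example.com A NXDOMAIN
"""


def parse_log(text):
    """Turn the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, qname, qtype, rcode = parts
        records.append({"client": client, "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "rcode": rcode})
    return records


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label.
    Random-looking labels score high; words like 'blog' score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (leftmost label, zone) using a simple two-label zone heuristic.
    A production tool would consult the public suffix list (e.g. for co.uk)."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def find_random_subdomain_attacks(records, min_unique=5, min_entropy=2.5):
    """Flag zones receiving many distinct, high-entropy NXDOMAIN subdomains."""
    per_zone = defaultdict(dict)  # zone -> {label: entropy}
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        label, zone = split_name(r["qname"])
        if label:
            per_zone[zone][label] = label_entropy(label)
    flagged = {}
    for zone, labels in per_zone.items():
        mean = sum(labels.values()) / len(labels)
        if len(labels) >= min_unique and mean >= min_entropy:
            flagged[zone] = {"unique_nx": len(labels), "mean_entropy": round(mean, 2)}
    return flagged


def find_nxdomain_floods(records, threshold=5):
    """Flag clients that received at least `threshold` NXDOMAIN answers."""
    counts = defaultdict(int)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            counts[r["client"]] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("random-subdomain candidates:", find_random_subdomain_attacks(recs))
    print("nxdomain flood candidates:", find_nxdomain_floods(recs))
```

In the constructed sample, client 10.0.0.9 and the example.org zone are flagged, while the single typo-style NXDOMAIN for blog.example.com is not. In a real deployment the thresholds would be set per time window (queries per minute) rather than over a whole file, and a flagged internal client is usually a compromised host or a misbehaving application rather than the attacker itself.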
It’s also an option to find a DNS provider that would allow using a privately managed DNS server. They can be configured to identify suspicious activity and have specific security protocols to block harmful DNS connections. It’s a very useful feature as the connection is blocked on the DNS layer, and the attack can be fully stopped.
There are numerous publicly available lists of malicious websites and their IP addresses. Configuring DNS so that it filters out reported addresses can protect against dangerous requests.
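The filtering described in this section, and the typo-domain problem mentioned earlier in the article, come down to a policy decision for each queried name. Here is an added Python example of that decision logic (not code from the article or from NordLayer): it blocks a name when it or any parent domain is on a blocklist, matching on whole labels so that look-alike strings don't slip through, and it flags names whose registrable domain is within one edit of a protected brand. The blocklist entries, the protected domains and the one-edit threshold are constructed assumptions; the registrable domain is taken as the last two labels, which ignores the public suffix list.

```python
# Constructed blocklist and protected-brand list. The blocklist names use the
# reserved .test TLD and are not real threat intelligence; a real deployment
# would load a published feed instead.
BLOCKLIST = {"malware-example.test", "ads.tracker-example.test"}
PROTECTED = {"netflix.com", "example.com"}


def normalize(qname):
    """Lower-case and strip the trailing dot so lookups are consistent."""
    return qname.strip().lower().rstrip(".")


def is_blocked(qname, blocklist=BLOCKLIST):
    """Block a name if it, or any parent domain of it, is on the blocklist.
    Matching is done on whole labels, so evil-malware-example.test does not
    match malware-example.test by mere string suffix."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(qname, protected=PROTECTED, max_distance=1):
    """Return the protected domain this name imitates, or None.
    The registrable domain is assumed to be the last two labels."""
    labels = normalize(qname).split(".")
    registrable = ".".join(labels[-2:])
    if registrable in protected:
        return None  # the genuine domain, not a lookalike
    for brand in protected:
        if edit_distance(registrable, brand) <= max_distance:
            return brand
    return None


def policy(qname):
    """Decide what a filtering resolver should do with a query name."""
    if is_blocked(qname):
        return "BLOCK"
    if lookalike_of(qname):
        return "FLAG"
    return "ALLOW"


if __name__ == "__main__":
    for name in ("cdn.malware-example.test.", "login.netfix.com", "www.example.com"):
        print(name, "->", policy(name))
```

A "BLOCK" decision is typically implemented by answering NXDOMAIN or a sinkhole address, and "FLAG" by logging the query for review; a one-edit lookalike of your own brand being resolved from inside the network is a strong phishing indicator.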
How to Secure DNS Layer?
One of the most recent developments to achieve DNS security is Domain Name System Security Extensions (DNSSEC). They are supplementary specifications to help secure the DNS. It’s also aimed to protect online data confidentiality, which wasn’t addressed previously.
DNSSEC provides cryptographic authentication of data, guaranteeing its authenticity. This helps to ensure that when retrieving IP addresses, domains are verified. Domain owners can generate their keys and upload them to their domain registrar. This helps to ensure a degree of trustworthiness.
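What the domain owner uploads to the registrar is a DS record: a hash of the zone's key-signing DNSKEY that the parent zone publishes, so that a validating resolver can check the child's key before trusting its signatures. The following added Python example (not code from the article, from NordLayer or from any DNS library) derives that DS record from a DNSKEY exactly as RFC 4034 specifies: canonical wire-format owner name, key tag, and a SHA-256 digest over name plus RDATA. The 64 key bytes are a constructed placeholder, not a real ECDSA P-256 public key, and example.com is used only as the owner name.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased labels, each
    prefixed by its length, terminated by a zero byte (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels)
    return wire + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes.
    Flags 257 marks a key-signing key (KSK), 256 a zone-signing key (ZSK)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (for every algorithm except 1):
    a 16-bit checksum that lets a resolver pick the matching DNSKEY quickly."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256) over owner-name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def ds_record(owner, rdata):
    """The DS record handed to the registrar for the parent zone:
    (key tag, algorithm, digest type, digest)."""
    algorithm = rdata[3]
    return (key_tag(rdata), algorithm, 2, ds_digest(owner, rdata))


def dnskey_matches_ds(owner, rdata, ds):
    """What a validating resolver checks: does the DNSKEY served by the child
    zone hash to the DS the parent published? Any change to the key fails."""
    tag, alg, digest_type, digest = ds
    return (digest_type == 2 and key_tag(rdata) == tag
            and rdata[3] == alg and ds_digest(owner, rdata) == digest)


# Constructed placeholder key bytes (NOT a real ECDSA P-256 public key).
CONSTRUCTED_KEY = bytes(range(64))
OWNER = "example.com."
# Algorithm 13 = ECDSAP256SHA256, flags 257 = key-signing key.
KSK_RDATA = dnskey_rdata(flags=257, algorithm=13, public_key=CONSTRUCTED_KEY)

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(OWNER, KSK_RDATA)
    print(f"{OWNER} IN DS {tag} {alg} {dtype} {digest}")
    swapped = dnskey_rdata(257, 13, bytes(range(1, 65)))
    print("tampered key validates:", dnskey_matches_ds(OWNER, swapped, ds_record(OWNER, KSK_RDATA)))
```

The printed line is in the same form as the DS record shown in a registrar's control panel. Because the digest covers the owner name as well as the key, a key copied from one zone cannot be vouched for under another name, and any attacker-substituted DNSKEY fails the check, which is the property that keeps a poisoned answer from validating.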
In addition, IT administrators can increase security even more by buying additional server capacity to absorb traffic spikes during denial of service attacks. It’s also an option to let multiple servers share the same IP address to balance their load.
An additional improvement that is quickly gaining traction is the DNS firewall. Your visitors’ requests to the recursive resolver are passed to an intermediary, where they are analyzed before being forwarded to the authoritative nameserver. This allows for smooth operation even during DNS attacks.
How can NordLayer help?
NordLayer provides a Security Service Edge as part of the Secure Access Service Edge framework. Operating fully on a cloud-based infrastructure, NordLayer provides comprehensive cybersecurity countermeasures to enterprises.
One of the main use cases of NordLayer is enabling remote access to off-site employees, ensuring the availability of work resources. Its deployment doesn’t rely on additional hardware deployment.
Among NordLayer’s features is ThreatBlock, a malicious URL filter for the DNS addresses you access. When enabled, ThreatBlock automatically blocks malicious websites as they are being accessed. It also minimizes the number of auto-play ads and other advertising materials.
Get in touch with our team and discover more about our approach that could improve your organization’s cybersecurity status.