It may come as a surprise, but the website address on its own isn’t really enough to reach the website. Computers operate on internet protocol addresses, not URLs. To make users’ life easier, there is a built-in domain name system that functions like a phonebook, and computers consult it to find IP addresses to connect to websites.
However, this phonebook is also one of the network's biggest vulnerabilities. Hackers can exploit this system to redirect users to spoofed websites. For this reason, DNS security should be one of the priorities when securing an organization against various cyber threats. Let’s look into the DNS security and methods for how it could be applied in your organization.
DNS (Domain Name System) is a critical component of the internet, translating human-readable domain names into IP addresses for computers to access websites.
DNS security is vital as attackers can exploit vulnerabilities in the DNS system to redirect users to spoofed websites. It can protect against malware and phishing attacks by blocking malicious domains and filtering content. And protect against botnet attacks by interrupting links to known bot servers.
Secure DNS servers can offer faster lookup times and improved connection speeds, enhancing user experience and productivity.
DNSSEC (Domain Name System Security Extensions) provides cryptographic authentication of data, ensuring authenticity and data confidentiality.
What is DNS?
Domain Name System (DNS) is a method for cataloging the IP addresses of servers and their associated web page URL addresses. As for humans, names are easier to remember than IP addresses, computers must translate them into Internet Protocol (IP) addresses to know the connection’s destination.
Each website is assigned a unique IP address, which may be version 4 or 6 (IPv4 and IPv6). The difference between them is that IPv4 uses 8 digits, while IPv6 uses both digits and letters and can have up to 45 characters. Therefore, DNS queries match IP addresses to URLs providing the destination for connection requests. If the server responds, the user is returned with the loaded website. This process goes back and forth when surfing the web.
It’s also worth noting that sometimes devices store frequently used IP addresses to save time and resources. This is known as DNS caching — having a list of frequently used IP addresses on a speed dial. Browsers and operating systems frequently cache DNS data for a specific amount of time.
Why is DNS Security important?
DNS was built in the early days of the internet, and cybersecurity wasn’t a consideration. The main problem with it nowadays is that it can’t be blockedand is very difficult to monitor in a business environment. Therefore, various solutions that increase DNS security patch up one of the holes in the fence that the hackers could exploit. Usually, DNS security solutions eliminate or otherwise minimize risks associated with DNS resolver systems eliminating spoofing attempts.
DNS Security benefits
DNS Security benefits include protecting against malware and phishing attacks by blocking dangerous websites, neutralizing botnet threats, preventing typo-squatting, improving connection speeds, and implementing additional measures to enhance overall cybersecurity.
Protection against malware and phishing attacks
Dangerous websites associated with malware spreading or phishing can be blocked using the DNS. It can function as a filter to allow only reputable websites or block certain website categories. In some cases, this also allows it to protect against ads by blacklisting its known hosts.
As IoT devices become more popular, they pose a significant risk of being hacked and falling into hackers' hands. As they are controlled by known bot servers, DNS links to them could be interrupted, effectively neutralizing a threat.
If you’re rushing, it’s pretty easy to mistype website address names, so instead of netflix.com, you easily get netfix.com. It’s a serious danger as hackers often register various mistyped domains of genuine websites and use them to distribute malicious programs. It doesn’t take long to see the first visitors.
Secure DNS servers usually offer a faster lookup than ISP DNS servers. They may also have various protection mechanisms and filters that could be lacking in an ISP’s server. In the long run, users can experience better reliability and improved connection speeds. It may also improve employee productivity.
How does DNS work?
Before going into the details of how DNS security is set up, let’s first establish the fundamentals of how it works. Every device with internet connectivity has a unique IP address. It’s used for identification when participating in data exchange — for data packets to arrive at their destination, it’s important to know where they should be sent.
Web browsers default perform these exchanges by checking with Internet Service Provider DNS servers. As for the DNS servers themselves, they can be classified into authoritative servers and recursive resolvers. Authoritative servers store actual IP addresses of websites, while recursive resolvers don’t have the exact address but know where to look for it.
This system was invented to simplify the user experience. That way, DNS servers have to retrieve long IP addresses while the users can only remember the website name. Every time you visit a website, you also use a DNS server without knowing it. It’s one of the pillars that made the internet possible.
Common attacks involving DNS
As DNS is a central part of the internet with numerous vulnerabilities that could be exploited, it’s a significant target for attackers. Here is one of the most common attacks involving DNS:
It is an attack aiming to corrupt entries in the DNS resolver’s cache to misdirect the connection. New destinations can be responsible for spreading malware or spoofed websites disguised as genuine ones to collect real users’ login data.
Possible solution: implement DNSSEC (Domain Name System Security Extensions) to add cryptographic authentication to DNS data, ensuring the integrity and authenticity of DNS records, and preventing attackers from poisoning the DNS cache with malicious information.
This attack encodes various other data, programs, or protocols into DNS queries and responses. The payloads bypass the target’s defense systems and allow the attacker to distribute malware or steal information.
Possible solution: enforce strict firewall rules and security policies to block unauthorized DNS traffic and monitor DNS requests for unusual patterns. Also, deploy intrusion detection and prevention systems (IDPS) to identify and block DNS tunneling attempts.
NXDOMAIN is a type of DNS flood attack in which the attacker overwhelms the DNS server with a barrage of requests for records that don’t exist. An authoritative server wastes resources looking for nonexistent entries, which leaves little to no room to handle genuine requests that are also incoming from genuine users. The attack may also target recursive resolve by filling its cache and putting it out of order.
Possible solution: configure authoritative DNS servers to rate-limit or drop excessive requests for non-existent domain names to prevent NXDOMAIN flood attacks. Alternatively, use DNS firewall technologies to detect and block these attacks in real-time.
Phantom domain attack
Another denial of service attack that targets authoritative nameservers. It has to be prepared in advance by setting up a bunch of DNS servers that either doesn’t respond to DNS requests or do it very slowly. The resolver is then sent a flood of requests, turning to an authoritative server for IP addresses. However, the authoritative nameservers delay response, which means that the requests pile up and deny all subsequent requests from genuine users.
Possible solution: deployment of rate-limiting and response rate control mechanisms on authoritative DNS servers to prevent the flooding of DNS requests, thus mitigating the effects of phantom domain attacks.
Random subdomain attack
Similar to NXDOMAIN, but nonexistent subdomains are targeted instead of nonexistent domains. Requests are generated by randomly generating nonexistent subdomains of a specific website, flooding recursive servers. This means it becomes impossible to look up data from the authoritative nameserver.
Possible solution: implement DNS response policy zones (RPZ) or domain sinkholes to block or redirect DNS queries for randomly generated subdomains, effectively blocking random subdomain attacks.
It’s a malicious attack in which a hacker gains unauthorized control over a DNS server or modifies a user's DNS settings to redirect legitimate traffic to fake or malicious websites, leading to potential data theft, phishing, or other cyber threats.
Possible solution: secure DNS infrastructure by using strong passwords, multi-factor authentication (MFA), and regular security audits to prevent unauthorized access to DNS management interfaces to reduce the risk of DNS hijacking.
DDoS (Distributed Denial of Service) attack
DDoS attack is a disruptive assault on a DNS server or network, orchestrated by multiple compromised devices (botnet). Its aim is to overwhelm the target's resources with an excessive volume of fake requests, causing service unavailability and disrupting legitimate user access to websites or online services.
Possible solution: employ traffic filtering solutions or cloud-based DDoS protection services to identify and block malicious traffic before it reaches the DNS infrastructure to mitigate the impact of DDoS attacks on DNS servers.
The attack is a technique used by attackers to magnify the volume of data sent to a targeted DNS server. It exploits the behavior of open DNS resolvers that respond to requests from spoofed IP addresses, resulting in increased traffic towards the victim's system and potentially causing service interruptions or outages.
Possible solution: disable open DNS resolvers or restrict recursive queries to known clients, preventing DNS amplification attacks by reducing the misuse of these resolvers for reflection and amplification of traffic. Additionally, network filtering and blacklisting can help block spoofed DNS traffic from reaching vulnerable resolvers.
How does DNS Layer Security help to stop cyber attacks?
As the internet is held together by DNS, minor adjustments can make a significant difference when considering cybersecurity. Monitoring DNS requests coming from your organization and returned IP addresses can make a huge difference when securing a company’s network. Flagging suspicious DNS activity is one of the first steps to halt the attack that is happening underway.
It’s also an option to find a DNS provider that would allow using a privately managed DNS server. They can be configured to identify suspicious activity and have specific security protocols to block harmful DNS connections. It’s a very useful feature as the connection is blocked on the DNS layer, and the attack can be fully stopped.
There are numerous publically available lists of various malicious websites and their IP addresses. Setting up a DNS in such a way that it filters out reported addresses can protect against dangerous requests.
Best practices on how to secure DNS Layer & what is DNSSEC?
One of the most recent developments to achieve DNS security is Domain Name System Security Extensions (DNSSEC). They are supplementary specifications to help secure the DNS. It’s also aimed to protect online data confidentiality, which wasn’t addressed previously.
DNSSEC provides cryptographic authentication of data, guaranteeing its authenticity. This helps to ensure that when retrieving IP addresses, domains are verified. Domain owners can generate their keys and upload them to their domain registrar. This helps to ensure a degree of trustworthiness.
In addition, IT administrators can increase the security even more by buying additional server space that could help to manage traffic spikes in cases of denial of service attacks. It’s also an option to allow multiple servers to share the same IP to even their load.
An additional improvement that is quickly gaining traction is the DNS firewall. Your visitors’ requests to the recursive resolver server are passed to an intermediary, where they are analyzed and returned to reach the authoritative nameserver. This allows for a smooth operation even when having DNS attacks.
How can NordLayer help?
NordLayer provides Security Service Edge (SSE) as part of the Secure Access Service Edge framework. Operating fully on a cloud-based infrastructure, NordLayer provides comprehensive cybersecurity countermeasures to enterprises.
One of the main use cases of NordLayer is enabling remote access to off-site employees, ensuring the availability of work resources. Its deployment doesn’t rely on additional hardware deployment.
Among NordLayer’s features is DNS Filtering by category, which blocks malicious websites and filters out harmful or inappropriate content. This ensures that company data remains secure and allows companies tiger control over what their employees can access on company-managed networks.
DNS filtering by category functionality allows organizations to restrict access to select web content categories, like social networks, gambling, and gaming, to minimize exposure to malicious content. For more enhanced security, organizations can implement a custom DNS server. It means that the traffic is routed through configured DNS server instead of via default or a public one.
Get in touch with our team and discover more about our approach that could improve your organization’s cybersecurity status.