Attacks related to Domain Name System infrastructure – such as DNS hijacking, DNS tunneling and DNS amplification attacks – are on the rise, and many IT organizations are questioning the security of their DNS infrastructure.
Most IT organizations maintain a variety of DNS infrastructure for public services (websites and internet-accessible services) and private services (Active Directory, file sharing, email). Securing both internal and external DNS infrastructure is critical due to a growing number of threats and vulnerabilities that malicious actors use to target them. Unfortunately, very few organizations are confident in their DNS security.
Enterprise Management Associates (EMA) recently examined the issue of DNS security in its newly published research report, “DDI Directions: DNS, DHCP and IP Address Management Strategies for the Multi-Cloud Era.” Based on a survey of 333 IT professionals responsible for DNS, DHCP and IP address management (DDI), the research found that only 31% of DDI managers are fully confident in the security of their DNS infrastructure.
Top DNS security concerns
EMA asked research participants to identify the DNS security challenges that cause them the most pain. The top response (28% of all respondents) is DNS hijacking. Also known as DNS redirection, this process involves intercepting DNS queries from client devices so that connection attempts go to the wrong IP address. Hackers often achieve this buy infecting clients with malware so that queries go to a rogue DNS server, or they hack a legitimate DNS server and hijacks queries as more massive scale. The latter method can have a large blast radius, making it critical for enterprises to protect DNS infrastructure from hackers.
The second most concerning DNS security issue is DNS tunneling and exfiltration (20%). Hackers typically exploit this issue once they have already penetrated a network. DNS tunneling is used to evade detection while extracting data from a compromised. Hackers hide extracted data in outgoing DNS queries. Thus, it’s important for security monitoring tools to closely watch DNS traffic for anomalies, like abnormally large packet sizes.
The third most pressing security concern is a DNS amplification attack (20%). This is a kind of distributed denial of service (DDoS) attack, whereby a hacker tricks third-party, publicly addressable DNS servers into flooding a target DNS server with unwanted, spoofed query responses, overwhelming that server’s ability to respond to legitimate queries. This attack can make websites unreachable because end user’s DNS queries to the site cannot be resolved.
How to improve DNS security
IT organizations can reduce DNS security risk by installing a DNS firewall. Nearly 47% of DDI experts told EMA that they have deployed a DNS firewall to protect their infrastructure, and these organizations revealed to us that they were much more confident in their overall DNS security. DNS firewalls are specialized network security devices that focus entirely on inspecting DNS queries and blocking connections based on threat intelligence and security policies. They have much more granular visibility into and intelligence about DNS traffic than a standard firewall.
Another important measure is the use of DNS Security Extensions (DNSSEC), a suite of specifications created by the Internet Engineering Task Force (ETF). DNSSEC involves configuring DNS servers to digitally sign DNS records using public-key cryptography. This allows other DNS servers to verify the authenticity of a DNS record and it protects against forged and manipulated data. More than 47% of the organizations in EMA’s research use DNSSEC extensively. Those who do so told us that they are much more confident in their overall DNS security posture.
However, DNSSEC does pose some challenges. DDI managers told EMA that it can lead to increased infrastructure overhead and increased management complexity. Some also perceived flaws in the overall security model of DNSSEC.
Priority security policies for DNS
Nearly 38% of organizations are setting automatic security policies that prioritize DNS security threats. For instance, they configure an intrusion prevention system to block DNS queries associated with known malicious IP addresses. Organizations that use this technique told EM that they were more confident in DNS security.
Any DNS security strategy must also include the public cloud. Many DDI managers have traditionally owned DDI services for on-premises networks. Cloud teams often adopt their own solutions for DNS, DHCP and IP address management in public cloud infrastructure. In recent years, DDI teams have asserted themselves in the cloud to ensure cloud networks are secure and stable.
“We try to work together with the cloud team,” said a DDI engineer with a Fortune 500 consulting company. “Five years ago, that wasn’t happening. There was a lot of risk. It’s easy to do things int the cloud without collaborating with network engineering and security. It can create problems.
EMA’s research found that nearly 59% of DDI teams now have sufficient influence over their company’s cloud strategies. DDI professionals who had such cloud influence were much more confident in their overfall DNS security posture.
Finally, DDI teams need to see what’s happening with DNS infrastructure. Many enterprises typically export DNS logs to security information and event management (SIEM) platforms, where cybersecurity teams can look for anomalous activity. Moreover, centralized monitoring of all DNS infrastructure is very important. Nearly 47% of DDI managers can monitor all DNS servers from a central console. These individuals were much more confident in their DNS security.
To learn more about EMA’s DDI market research, check out the firm’s free research highlights webinar.
Copyright © 2023 IDG Communications, Inc.