Secure Your Network with DNS – Episode 1: Best Practices Overview

This blog is the first of four episodes which help describe best practices for utilizing DNS to protect your overall network.

 

DNS security best practicesWhen it comes to network security, everyone thinks about firewalls, proxies, IPS and endpoint protection. But very few think about DNS. This neglected component of any network is, without doubt, a foundation of the internet, making it both a target of cyber attacks and a powerful tool to detect and mitigate all kind of threats. The DNS allows anyone to reach any application through any network. Consequently, its security is essential – to guarantee its availability and integrity. The key role of DNS provides it with unique visibility over all network activity, allowing it to quickly detect both suspicious clients and domains, thus making it a vital security component of the overall ecosystem. Missing the opportunity of using DNS to help secure your network would therefore be a terrible mistake.

Maximizing application availability and user experience

Users trying to reach an application have to pass via DNS to access its nearest endpoint. This means that any failure occurring in the DNS resolution process will cause at least part of the internet to go dark or lead to inaccessibility to enterprise applications. Real-life examples of this are numerous. The most famous one probably being the Dyn outage – an attack on authoritative DNS which caused inaccessibility to the websites of several major companies. There are also many examples of outages caused by attacks on internal recursive DNS services, including those which hit telcos Orange and Free Mobile earlier this year. By applying suitable security measures to DNS servers, such as smart distribution of services across various providers and removing reliance on single technologies, you are able to help guarantee DNS availability to have always-up services.

Performance and productivity of users can also become other areas of concern if you don’t take proper care of your DNS implementation. Accessing websites or apps often leads to massive amounts of related background activity, including DNS, for retrieving information hosted on remote 3rd-party sites. This obviously impacts latency for the user. DNS performance needs to be maximized by implementing more intelligent DNS architecture, as is the case for CDNs, in order to optimize this latency and as a result vastly improve user experience.

Enhancing security through DNS data integrity and confidentiality

The DNS protocol is connectionless, and has been minimally secured since its inception. Continuous efforts are being made to enhance and secure it – DNSSEC, for instance, brings integrity mechanism for authoritative transactions. Yet, communications between the client and the resolver remain poorly secured. Responses of the resolver can easily be forged, or may have come from a poisoned cache. The packets themselves may even be intercepted without the resolver’s or client’s knowledge. The results can lead to denial of service, or worse still, users being redirected to malicious resources.

Solutions are being constantly studied, but until a standard is adopted, it is important to minimize the risk as much as possible. Local network and DNS need to be properly deployed and configured to thwart these attack types. Best practices provide means to mitigate risk of communication corruption between the client and the resolver. This ensures that only authorized clients use company’s permissible applications and prevents users from being tricked into using non-legitimate resources.

Detecting active threats across your network for fast risk mitigation

DNS has the privilege of unique visibility over network activity, so is a natural and vital first line of defense for overall network security. Advanced threat intelligence enhances its ability to detect infected devices and malicious behaviors, thus making it an essential tool for timely attack prevention across your network, as well as for protecting data confidentiality.

Coming soon: Episode 2 of this series – a more detailed description on best practices to maximize application availability and user experience.

Want to learn more about best practices for DNS security?
Download the white paper and take the first steps to better network protection.