In early 2020, IDC conducted one of the largest surveys of organizational understanding of DNS security, exploring attitudes to risk and examining the effectiveness of current DNS security models. Responses varied around the world, and in this post we’ll be looking at the United States.
Getting DNS security right is increasingly important. Over the last decade there has been a shift in how threat actors work, because hardened firewalls, operating systems, and other elements of our network architectures are now widely deployed. Attackers therefore have to find new routes into a business's systems, and DNS has become a key avenue for both disruption (taking a service offline) and intrusion (tunnelling data or commands through a protocol that is almost always allowed out).
It's not surprising that DNS is under threat: organizations often ignore this critical infrastructure and rely on the default security of whatever DNS server shipped with their platform rather than investing in newer DNS security technologies. Despite the DNS's role in providing the glue that holds the Internet together, 17% of US survey respondents felt DNS security was only moderately important to their businesses.
The message from the report is that the risk is real and quantifiable. Of the US businesses surveyed, 59% had in-house application downtime as a result of attacks on DNS, 56% experienced cloud service downtime, and 49% had their websites or ecommerce systems compromised. Those attacks took time to resolve: nearly 17% needed more than 6 hours to get back online, and the survey-wide average was 4 hours of outage. That downtime costs money, with roughly 22% of US respondents losing more than $1M to a single attack.
So what can you do to improve your DNS to make your organization more secure than your competitors?
First, look at moving away from the default UNIX and Windows DNS servers, and consider technologies like hybrid DNS, which run more than one DNS server engine side by side so that you can quickly switch engines when one of them is hit by a vulnerability. It's important to note that a DNS security product alone isn't enough: 62% of survey respondents have a dedicated DNS security solution in place. That's a start, but when 25% are not collecting DNS logs and analysing their DNS traffic, they are running blind and cannot make decisions based on what is actually happening on their resolvers.
Next, take advantage of analytics so that you can take the right actions, at the right time, during an attack. Knowing which clients or query patterns are responsible means you can block or rate-limit them selectively, rather than shutting down live servers and services as 46% of US companies did when they experienced an attack on their DNS.
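As a concrete illustration of the log collection and analytics the two paragraphs above call for, here is an added example (not code from the post or from IDC) that parses BIND 9 style query-log lines and applies two simple detections: a per-source query-rate check that would surface the flooding client behind a volumetric attack, and a long high-entropy-label check that flags names typical of DNS tunnelling. The log lines are constructed for the example, the addresses and names are placeholders, and the "zone is the last two labels" rule is a simplifying assumption; a real deployment would use a public-suffix list and tune the thresholds to its own baseline.

```python
"""Added example: simple analytics over constructed BIND-style DNS query-log lines."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the BIND 9 query-log layout (timestamp, client address#port, queried
# name and type). Other resolvers need their own pattern.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return a dict with ts, src, qname, qtype for a query-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def volumetric_sources(records, window=60, threshold=100):
    """Sources whose query count in any `window`-second bucket reaches `threshold`."""
    if not records:
        return {}
    t0 = min(r["ts"] for r in records)
    per_bucket = Counter()
    for r in records:
        bucket = int((r["ts"] - t0).total_seconds() // window)
        per_bucket[(r["src"], bucket)] += 1
    peak = defaultdict(int)
    for (src, _), n in per_bucket.items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n >= threshold}


def tunneling_candidates(records, min_label_len=20, min_entropy=3.0):
    """Sources issuing names with a long, high-entropy label below the registered zone.
    Assumption for the example: the zone is the last two labels of the name."""
    hits = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")[:-2]
        if any(len(lb) >= min_label_len and shannon_entropy(lb) >= min_entropy for lb in labels):
            hits[r["src"]].add(r["qname"])
    return {src: len(names) for src, names in hits.items()}


def analyze(lines):
    """Parse the lines and run both detections; unparseable lines are skipped."""
    records = [r for r in map(parse_line, lines) if r]
    return {
        "parsed": len(records),
        "volumetric_sources": volumetric_sources(records),
        "tunneling_sources": tunneling_candidates(records),
    }


def sample_log():
    """Constructed sample (not real traffic): one normal client, one flooding client
    sending 120 ANY queries in 48 seconds, one client issuing tunnel-like TXT queries."""
    fmt = ("17-Mar-2020 10:15:{sec:02d}.{ms:03d} client {src}#{port} ({q}): "
           "query: {q} IN {t} + (10.0.0.2)")
    lines = []
    for i, q in enumerate(["www.example.com", "mail.example.com", "cdn.example.net"]):
        lines.append(fmt.format(sec=i, ms=0, src="10.0.0.5", port=40000 + i, q=q, t="A"))
    for i in range(120):
        lines.append(fmt.format(sec=(i * 4) // 10, ms=(i * 4 % 10) * 100,
                                src="198.51.100.7", port=50000 + i, q="example.com", t="ANY"))
    for i, blob in enumerate(["3a9f1c0e4b7d2a8e9f01c3b5d7e9", "b81e6d2f9c0a4e7b3d5f1a8c2e6d"]):
        lines.append(fmt.format(sec=10 + i, ms=0, src="10.0.0.9", port=60000 + i,
                                q=f"{blob}.t.example.net", t="TXT"))
    lines.append("17-Mar-2020 10:15:30.000 client 10.0.0.5#40010: error: not a query line")
    return lines


if __name__ == "__main__":
    print(analyze(sample_log()))
```

Run stand-alone it reports 125 parsed lines, the flooding address with its 120-query peak, and the tunnelling client with two suspicious names; the normal client appears in neither list. The point of the example is the shape of the pipeline, not the thresholds: once queries are parsed and bucketed per source, the response to an attack can be a targeted block or rate limit on the offending sources instead of taking the resolver down.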
Protecting DNS using modern adaptive techniques doesn’t just save your business from loss, it also reduces your IT costs.
Another advantage of moving away from traditional security solutions is that a dedicated DNS system can handle a lot of traffic at surprisingly low cost. If you're unable to block an attack by other means, simply being able to absorb everything an attacker can bring to bear can have a significant impact. 10% of DNS DDoS attacks on US DNS servers were over 50 Gbps (and the attacks on Google, GitHub, Dyn, and Krebs on Security were far larger). A DNS service able to handle that query volume means US businesses may be able to stay online longer during an attack, or throughout it.
Building a DNS system to handle that level of traffic can be complex, requiring more servers (along with the associated demands of power, cooling, licensing, training, management, and maintenance). That means you need to choose wisely and take advantage of the consolidation options that are available.
While the US clearly has issues with some aspects of DNS security, it's ahead of the world in others. One is how quickly its businesses respond to vulnerability notifications and apply patches: 38% of US businesses patched in less than a day versus 32% in Europe, and only 5.7% took more than a week versus 6.4% in Europe, giving them a better chance of preventing the negative effects of DNS attacks.
What does it all mean?
While a majority of respondents said they had implemented some form of DNS security, attacks were still succeeding and IT departments were struggling to mitigate them quickly enough to avoid damage. This makes it clear that the DNS security tools and techniques currently in use are ineffective, inefficient, or both.
Now is the time to start rethinking the security, structure and logistics of your network – before an attack takes down your services, applications and above all, costs you millions of dollars.