Security Protection Through Hybrid DNS

7 March 2016

The more we use the internet, the more important DNS becomes. For such an important service it’s odd that DNS is virtually invisible. We rely on it for everything, but we don’t treat it like an essential service; instead we set it up and ignore it.

DNS is far too important to be left alone.
You need to manage it carefully, building a DNS architecture that scales and is secure. That last part is the hardest, and the most important. If you think of DNS as the GPS of the internet, it’s not surprising that it’s a target for criminals. Taking down a DNS server can block a company from accessing online resources, while poisoning and spoofing the results can mean a criminal redirecting your users to a site designed to steal credentials – opening the doors of your business to IP theft, as well as allowing unfettered access to bank accounts and other financial services.

You only have to look at regularly published vulnerability lists to see just how risky an unmanaged DNS server is. ISC, the open source body that manages BIND development, regularly publishes its vulnerability matrix, with four major issues reported in the last three months. If you’re not monitoring these lists and updating your servers, then you’re leaving your business wide open to a wide range of different threats. NIST’s National Vulnerability Database details 14 vulnerabilities in several different DNS server products over the same time period.

Many of those vulnerabilities were critical: in one case a specifically formatted DNS request could crash a server, blocking a company, its users (and in some cases, its customers) from accessing the internet. There’s a significant risk from zero-day vulnerabilities like this, as DNS might seem to be a service that “just works”…but an unmanaged, unsecured DNS server is an open door that’s just waiting for the internet’s burglars to enter. Except it’s not just your door- it’s also your employees’ doors, your customers’ homes, your bank vault, and basically anything that’s online.

So how can you secure your DNS?
A well-designed DDI solution is one option, and one that includes Hybrid DNS service like EfficientIP. Unlike most DNS solutions, Hybrid DNS uses three different DNS engines in order to reduce risk to users. As soon as an alert is published, you can switch from BIND to NSD to Unbound, with just one click. As all changes to your local DNS are managed by EfficientIP’s software in this case, there’s no need to reconfigure the rest of your network.

Keeping infrastructure secure is an important part of an IT department’s work. Hybrid DNS helps simplify the process, making it easier to manage and control your DNS, while keeping risk to a minimum. It’s one of the most significant factors to security, minimizing the risk of zero-day vulnerabilities in key internet technologies. Hybrid DNS is also an extension of IT best practices, using a mix of technologies to manage risk. When an hybrid infrastructure is set up, you’re able to switch from one technology to another in one click (and once a patch has been released, test it, before moving it into production after the validation process is finished).

The goal here, as always, is keeping things simple. DDI tools make it easy to manage DNS settings, and combining them with Hybrid DNS means you’re able to switch from an insecure DNS to a secure server as soon as you’re notified, switching back when you’ve updated. Secure and simple, it’s a way to keep your DNS from being hijacked, making sure your valuable data goes where it’s meant to– and keeping your business safe from destructive zero-day attacks.