Business Reporter

Understanding the importance of DNS


Carlos Morales at Vercara asks whether DNS is fully understood by IT professionals and suggests that there are many ways of ensuring that it is secure

 

The Domain Name System (DNS), often labelled as the phonebook of the Internet, gives users access to readable domain names. It is crucial for companies that have a digital presence, as it provides a means for customers to connect to their applications.

 

With the pandemic triggering the shift to hybrid working environments, the criticality of having reliable DNS has increased even more and its role in a company’s security posture has become more prominent. 

 

DNS is both a critical part of a company’s internet presence and a gateway to the integrity of that company’s applications and infrastructure. DNS is often a direct victim of DDoS attacks that threaten the availability of applications, and is also an unwilling accomplice in attacks focused on data theft, such as data exfiltration, ransomware, and watering hole attacks.

 

According to the 2022 National Cyber Security Centre review, 39 per cent of businesses were victims of a cyber-attack over the last 12 months, 20 per cent of which faced a material outcome, such as loss of money or data. IDC’s 2022 Global DNS Threat Report states that 88 per cent of the over 1000 organisations it interviewed suffered a DNS attack during the year, with an average of 7 attacks per company.

 

DNS: fundamentally flawed or just misunderstood?

Business leaders have rightfully expressed concern over the weaknesses of DNS and the vulnerabilities it presents to cyber criminals. David Holtzman, the designer of the global DNS registration system used by the Internet Corporation for Assigned Names and Numbers (ICANN), recently argued that DNS is ‘fundamentally’ flawed.

 

The trust-based architecture on which it was initially built lends itself to misuse and abuse, and has paved the way for hackers, criminal organisations, and nation-state actors to take advantage of the abundance of vulnerabilities that exist.

 

It is true that DNS is often a victim of attacks, or a mechanism for carrying out additional cyber-attacks such as ransomware and supply chain attacks, and that not all companies are doing what they should to prevent these attacks from succeeding.

 

According to a report by CSC released at the end of 2022, three out of four Forbes Global 2000 companies have not implemented key domain security measures. The 2022 IDC Global DNS Threat Report also revealed that 99 per cent of organisations in its survey do not have a form of security built into their DNS servers. When seeing sobering statistics like these, it’s easy to understand why Mr. Holtzman would point out the deficiencies of the DNS system overall.

 

However, many capabilities exist in DNS today that provide robust security and privacy and simply need to be adopted. The real question here is whether organisations fully understand DNS and whether they are fully aware of its security capabilities.

 

The security features in DNS 

Organisations with more mature security operations recognise that DNS is a crucial part of the attack surface and have taken steps to protect it. In fact, according to the 2022 IDC Global DNS Threat Report, 73 per cent of businesses said DNS was crucial for their organisations and 57 per cent of organisations labelled DNS security as the top method for protection.

 

There are various ways DNS can provide protection. First, DNSSEC (Domain Name System Security Extensions) is a PKI-based set of protections that ensures that authoritative domain responses are coming from the legitimate source. Some providers include DNSSEC in all services and allow users to set up DNSSEC on the fly, which makes adoption smooth and easy.

 

DNSSEC is a proven way to avoid having authoritative domains hijacked and pointed at servers operated by malicious users.

 

Second, DDoS protection of authoritative, TLD, and recursive servers is built into a number of DNS services. It protects against external attacks on DNS availability and has proven very effective in warding off these attacks.

 

This is important because DDoS attacks are prominent in the threat landscape, with a barrage of threat actors, such as the Killnet group which is active today, using them as a blunt weapon to take down organisations’ internet presence. In fact, the UK was the fifth most attacked country for DDoS attacks in 2022 according to a report by StormWall.

 

The recursive layer of DNS has some strong options for protection. To protect user privacy, DNS over HTTPS (DoH) and DNS over TLS (DoT) are supported for recursive DNS services and provide encryption of DNS requests. Protective DNS solutions can filter queries at the recursive layer of DNS to block outbound requests associated with malware or ransomware, thereby preventing these attacks from affecting users. Moreover, these solutions can also be used to detect and block data exfiltration over DNS.
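
The recursive-layer filtering and exfiltration detection described above can be sketched over a resolver query log. This is an added example, not code from the article or from any vendor; the log format, domain names, thresholds and the `classify` function are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample data: every name below is a placeholder, not a real indicator.
BLOCKLIST = {"malware-c2.example"}
QUERY_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.7", "update.malware-c2.example"),
    ("10.0.0.9", "0123456789abcdef0123456789abcdef0123456789ab.t.tunnel.example"),
    ("10.0.0.9", "fedcba9876543210fedcba9876543210fedcba987654.t.tunnel.example"),
    ("10.0.0.11", "a1.beacon.example"),
    ("10.0.0.11", "a2.beacon.example"),
    ("10.0.0.11", "a3.beacon.example"),
]

def entropy(label):
    """Shannon entropy of a label in bits per character."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def classify(log, blocklist, max_label=40, min_entropy=3.5, max_unique=2):
    """Return one (client, qname, verdict) tuple per query, in log order.

    Thresholds are illustrative assumptions and need tuning against real traffic.
    """
    seen = defaultdict(set)  # (client, zone) -> distinct subdomains queried
    verdicts = []
    for client, qname in log:
        labels = qname.lower().rstrip(".").split(".")
        # Naive zone cut (last two labels); production code needs the Public Suffix List.
        zone, sub = ".".join(labels[-2:]), labels[:-2]
        longest = max(sub, key=len, default="")
        seen[(client, zone)].add(".".join(sub))
        if zone in blocklist:
            verdict = "block:blocklist"        # known-bad destination
        elif len(longest) > max_label and entropy(longest) >= min_entropy:
            verdict = "flag:encoded-label"     # long, high-entropy label resembles encoded data
        elif len(seen[(client, zone)]) > max_unique:
            verdict = "flag:subdomain-volume"  # many distinct names under one zone
        else:
            verdict = "allow"
        verdicts.append((client, qname, verdict))
    return verdicts

if __name__ == "__main__":
    for client, qname, verdict in classify(QUERY_LOG, BLOCKLIST):
        print(f"{verdict:22} {client:10} {qname}")
```

Flagged queries are candidates for analyst review rather than proof of exfiltration, since content delivery networks and some security products also generate long or numerous subdomains.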

 

These capabilities are readily available in DNS technology stacks as well as in select DNS services that companies can contract. Additionally, many of these features are built into base prices meaning the barrier to adoption has shrunk significantly.

 

Making the adoption of DNS security easier

Organisations with more mature security operations already recognise that DNS is a critical part of the attack surface and have taken steps to protect it. While approaches such as regulation would certainly force the issue, other options can be used to promote use of these capabilities further.

 

Understanding DNS is fundamental for organisations implementing security protocols in their security stacks. Market education on the importance of DNS hygiene, financial incentives from insurance carriers when companies have DNS protections in place, and the explicit inclusion of DNS in security frameworks are all factors in helping to drive further market adoption. This is already taking place, with many proactive organisations having put in place strong DNS security and privacy features and processes.

 

Ultimately, understanding the capabilities of DNS is crucial, as it helps to increase their implementation within organisations. By adopting these DNS features that provide strong privacy and security, an organisation’s digital presence is protected at a time when the threat landscape continues to evolve considerably.

 


 

Carlos Morales is Senior Vice President of Solutions at Vercara

 

Main image courtesy of iStockPhoto.com


23-29 Hendon Lane, London, N3 1RT

020 8349 4363

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543
