How to Secure DNS?
These days, one of the signs of a reputable IT professional or IT company is that they design everything with security first and foremost at all times. DNS, however, was designed before the internet even existed. Back then, DNS security was not a consideration. It certainly is now. Here is what you need to know.
DNS security boils down to three main issues
In principle, DNS security is a huge topic. In practice, it typically boils down to three main issues: data theft, domain hijacking, and DDoS attacks.
- Data theft
- Domain hijacking
- DDoS attacks
1. Data theft
Technically, the issue of data theft via DNS can be resolved by implementing DNSSEC, preferably in combination with HTTPS. In the real world, however, support for DNSSEC is nowhere near as widespread as support for HTTPS.
In practical terms, therefore, this is one of those situations where it makes sense to treat the symptom rather than the cause. You should already be storing sensitive data in encrypted form, so just make a point of transmitting (and receiving) it in encrypted form and preferably over an encrypted connection such as a VPN.
2. Domain hijacking
Domain hijacking basically means rerouting traffic from the legitimate domain the person intended to visit to a domain of the cyberattackers' choosing. Sometimes this diversion is very blatant, for example, sending people to a website with "questionable" content. Sometimes, however, it can be very covert: people can be diverted to a website that is designed to "look and feel" like the real one.
Domain hijacking can be challenging to identify because all the common symptoms that it is happening are also symptoms of more common problems. It can, therefore, make a lot of sense to undertake a routine ping of an IP address you do not use. Most of the time everything will be fine and it will come back unresolved; if it does come back resolved, then you have probably been the victim of a domain hijacking attack.
If this is the case, then you will also probably find that there is malware on your router. The fix is not just to remove the malware but to find out how it got there and stop it from getting there again.
There is, however, one other possibility: you let your domain expire and somebody else legitimately bought it. This sounds like the sort of error that should never happen, and technically it is, but it has happened to both Google and the UK government.
3. DDoS attacks
DNS security (or the lack thereof) is not the only factor in DDoS attacks but it's certainly a fairly common one. Dealing with DDoS attacks is partly about prevention, but mostly it's about early detection and effective remediation. Here are some tips.
#1. Bandwidth
There are lots of good reasons for investing in as much bandwidth as you can reasonably afford. One of them is that it is an effective insurance policy against DDoS attacks. Not only does it make cyberattackers work harder to achieve their objective, but in so doing it buys more time for you to deal with them.
#2. Ping tests
If you ping your servers regularly, you'll be alerted at the first signs of trouble. If you don't, there's a distinct chance that you'll only find out there's a problem once people start complaining about it.
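As an added example that is not part of the original article, the following Python monitor combines the hijack check from section 2 (a name you own but never use should stay unresolved) with the routine ping of your own servers described here: it raises an alert when a canary name resolves, when a production name stops resolving, or when a production name resolves to an address other than the known-good one. All hostnames and addresses are constructed, and `fake_resolver` stands in for the real system resolver so the script runs offline; swap in `system_resolver` to run it for real.

```python
import socket
from typing import Callable, Dict, Iterable, List, Set

# A resolver maps a hostname to its set of addresses and raises
# socket.gaierror when the name does not resolve (NXDOMAIN).
Resolver = Callable[[str], Set[str]]

def system_resolver(hostname: str) -> Set[str]:
    """Real resolver: ask the host's configured DNS via getaddrinfo()."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}

def check_dns(resolve: Resolver, canaries: Iterable[str],
              expected: Dict[str, Set[str]]) -> List[str]:
    """Return alert lines; an empty list means DNS looks healthy.
    canaries: names you own but never use; they must stay unresolved.
    expected: names you do use, mapped to their known-good addresses."""
    alerts: List[str] = []
    for name in canaries:  # any answer for a canary is suspicious
        try:
            answers = resolve(name)
        except socket.gaierror:
            continue  # unresolved is the healthy outcome
        alerts.append(f"CANARY {name} unexpectedly resolved to {sorted(answers)}")
    for name, good in expected.items():  # must resolve, only to known addresses
        try:
            answers = resolve(name)
        except socket.gaierror:
            alerts.append(f"OUTAGE {name} did not resolve")
            continue
        rogue = answers - good
        if rogue:
            alerts.append(f"HIJACK? {name} resolved to unexpected {sorted(rogue)}")
    return alerts

# Constructed offline stand-in for the resolver, simulating a hijacked
# environment: the canary gets an answer and www points at an extra address.
_FAKE_ZONE = {
    "canary-7f3a.example.com": {"203.0.113.9"},
    "www.example.com": {"198.51.100.10", "203.0.113.9"},
}

def fake_resolver(hostname: str) -> Set[str]:
    if hostname not in _FAKE_ZONE:
        raise socket.gaierror("NXDOMAIN (constructed)")
    return set(_FAKE_ZONE[hostname])

def demo() -> List[str]:
    return check_dns(fake_resolver, canaries=["canary-7f3a.example.com"],
                     expected={"www.example.com": {"198.51.100.10"},
                               "mail.example.com": {"198.51.100.20"}})
```

Run `demo()` from a scheduled job and forward any non-empty result to your alerting channel; an empty list is the quiet, healthy case.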
#3. Firewalls and DDoS mitigation services
Firewalls both protect against DDoS attacks and help to remedy them when they do occur. They protect against them by blacklisting traffic from sources that are known to be malicious, like recognized botnets. For completeness, they can also whitelist the traffic you do want, like the search engine bots.
When DDoS attacks occur, your firewall can play a useful role in remedying them. These days, however, even the best firewalls can struggle to cope with DDoS attacks. That's why there are DDoS mitigation services. These work similarly to firewalls but are specifically optimized for DDoS attacks, and as such, they only come into operation when a DDoS attack is detected.
#4. Robust infrastructure and applications
Just as companies are well advised to keep security front and center at all times, so they are also well advised to keep DDoS in mind and do their best to develop robust infrastructure and applications. For example, you could look at using smart DNS lookup, load balancers, and content delivery networks to help build resilience into your infrastructure.
You might also want to look at using Anycast routing. This allows multiple servers to use the same IP address so that if one fails another can step in.