In many ways, 2015 could be defined as the year of the hack. Cybercrime has made headlines on an almost daily basis. From dating websites and international terror organizations, to wannabe kid coders messing around with their school calendars and identity theft, no one is immune.
Too often, the Domain Name System (DNS) server is a forgotten element of cybersecurity. It is set up once by IT administrators and then left alone or outsourced to the best efforts of a hosting company. When it’s working, responding to queries and directing users appropriately, everything is great. But the DNS server is as vulnerable to malicious users as anything else. Without back-up, the DNS is also vulnerable to power and network outages. And if the name server doesn’t respond, everything appears to come crashing down with it.
Despite this, many authoritative DNS servers are not operating at maximum resiliency and efficiency.
Resolve to improve your DNS resolution
Recently, my team at the Canadian Internet Registration Authority (CIRA) conducted a series of tests which prove this point. Over six months, we sent about 10-12 DNS queries per day to 125,218 DNS servers from one of our 10 monitoring servers placed throughout the world. We’ve run and logged 842,557,787 DNS query results. During this period, 93 per cent of the authoritative DNS servers queried failed to respond appropriately at least once in that six-month period.
There can be many reasons for this, but a 93 per cent “failure” rate for something as important as critical infrastructure strikes us as rather high.
So this year, resolve to make your DNS server part of your enterprise risk management and cyber-security response plans.
We’ve got six ways to help you make that happen:
- Diversify your DNS server’s network resources. Besides malicious activity, DNS servers are vulnerable to physical power outages or equipment malfunction. Having geographically diverse sites for your equipment makes the DNS resilient to a single point of failure. Many times DNS resources are located on the same networks as application servers, the latter of which are often DDoS attacked. You don’t want your entire web presence to go down when the network resources are swamped for some rarely used and poorly maintained web application you keep up for the marketing department.
- Restrict zone transfers. Unfortunately, many DNS zones allow wide open zone transfers so anyone can get the full contents of the DNS zone. We have seen many instances that specifically identify IPs within the zone, such as “accounting-pc” or “CEO” that may allow attackers to target otherwise unpublished DNS entries. You want to first, limit the allowed transfer access list to include only IP addresses of your secondary DNS servers. Second, in a non-Windows setup, implement TSIG (Transaction Signatures) to authenticate zone transfer requests between the master and the secondary server. Don’t have a secondary? See the 6th
- Perform a full audit of the DNS infrastructure. In addition to ensuring that your software is up-to-date you would also review your zone(s) configuration and ACL’s (access lists) related to the allowing of zone transfers. Make sure everything you are doing is still what you want.
- Get a logging system in place. The first salvo in an attack on your network assets is likely a reconnaissance mission that frequently starts with the hard-to-detect DNS hack. Logging errors and zone transfer access attempts is your first line of defence against these types of attacks.
- Monitor your server. Track bandwidth, CPU and RAM, and map it in a visual way. Regularly probe any attempts at restricted zone transfers and be aware of your typical DNS traffic volume so you recognize when you exceed that threshold. By knowing what’s normal and what’s not, you can be better prepared for even a hint of malicious activity. Any kind of spike in a graph is an immediate red flag.
- Get a secondary service. If you use a professionally managed secondary service to properly manage the zone file transfers then you effectively solve almost every step on this list. You are also getting the benefits of a global footprint, resulting in improvements in latency and DDoS resilience for your visitors. Full disclosure, CIRA has a secondary service called D-Zone Anycast DNS, but there are others.
Most of these DNS resolutions are easier to keep than your annual commitments on exercise, weight loss or healthy eating. It’s a good time to help make the Internet better by making your DNS better.
Have a safe and secure New Year!