Why You Need a Premium DNS Provider

Network Solutions Team

Online attacks are a serious risk for organizations in all fields. Protecting your connections from hacking attempts is essential. It's also important to ensure that your website stays online in the event of an attack and to make sure that you maintain fast load times and offer guaranteed website uptime. With that in mind, it's easy to see why so many decision-makers are searching for premium domain name servers (DNS). But before you examine DNS options, it's important to fully understand the risks you are facing.

Identifying DNS Threats

DNS-based attacks are increasing and becoming more difficult to prevent as hackers create new mechanisms of compromise. For example, consider the NAME:WRECK series of vulnerabilities disclosed by Forescout earlier this year (Forescout, 2021). Researchers at this security company found nine vulnerabilities affecting four different TCP/IP protocol stacks, including two critical remote code execution issues in Nucleus NET and FreeBSD and a denial-of-service (DoS) flaw in NetX. These flaws would enable attackers to take control of millions of different devices running these operating systems.

This is sadly just the tip of the iceberg and a big reason why IT managers need to have a well-managed DNS. This is key to keeping your business web, email and other online applications and infrastructure up and running and running well. Part of the problem is that DNS has held a trusted place in the minds of many IT professionals, even though this is not really borne out in practice.

Let’s look at some of the common DNS-based attack methods:

  • Distributed Denial of Service (DDoS) attacks, where hackers aim network traffic to clog up web servers and bring them down. There are several different types of DDoS attacks, including traffic amplification, subdomain attacks and DNS floods. All of them are clever ways to fill up your servers with junk traffic and tie their processing up to prevent legitimate users from obtaining content.
  • Domain Hijacking or DNS reflection, when attackers can re-route queries from your particular servers to destinations that they control, often to then insert malware into your endpoints.
  • Cache poisoning or DNS spoofing, where malware is injected into your DNS caches (or directly via DNS Tunneling) so they can redirect your DNS query traffic.
  • NXDomain attack or DNS recursion attacks, another form of DDoS attack that floods your DNS infrastructure and can cause downtime.
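In query logs, the NXDomain flood from the last bullet appears as a burst of lookups for names that do not exist under one zone. The following added example (not part of the original article) runs that check over constructed log lines; the four-field log format, the thresholds and the function name are assumptions.

```python
from collections import defaultdict

# Constructed sample lines in an assumed "timestamp client qname rcode" format.
SAMPLE_LOG = (
    ["2021-05-01T12:00:0%dZ 198.51.100.10 www.example.com NOERROR" % i for i in range(2)]
    + ["2021-05-01T12:00:1%dZ 203.0.113.%d x%04d.example.com NXDOMAIN" % (i, i + 1, i * 37)
       for i in range(8)]
    + ["2021-05-01T12:00:30Z 198.51.100.11 www.example.org NOERROR"] * 3
    + ["2021-05-01T12:00:31Z 198.51.100.11 wwww.example.org NXDOMAIN"]  # ordinary typo
)

def nxdomain_bursts(lines, min_nx=5, min_ratio=0.8):
    """Return (minute, zone, nx_count, unique_nx_names) for zones under an NXDOMAIN burst."""
    total = defaultdict(int)       # all queries per (minute, zone)
    nx_names = defaultdict(list)   # names that returned NXDOMAIN per (minute, zone)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue               # skip malformed lines instead of failing
        ts, _client, qname, rcode = parts
        labels = qname.lower().rstrip(".").split(".")
        # Simplification: treat the last two labels as the zone. Real tooling
        # should use the Public Suffix List (co.uk and similar suffixes break this).
        zone = ".".join(labels[-2:])
        key = (ts[:16], zone)      # one-minute bucket, e.g. "2021-05-01T12:00"
        total[key] += 1
        if rcode == "NXDOMAIN":
            nx_names[key].append(qname.lower())
    alerts = []
    for key, names in sorted(nx_names.items()):
        # Require both volume and a high failure ratio so a single typo does not alert.
        if len(names) >= min_nx and len(names) / total[key] >= min_ratio:
            alerts.append((key[0], key[1], len(names), len(set(names))))
    return alerts

if __name__ == "__main__":
    for minute, zone, count, unique in nxdomain_bursts(SAMPLE_LOG):
        print(f"{minute} {zone}: {count} NXDOMAIN answers, {unique} distinct names")
```

A high count of distinct names separates a random-subdomain flood from one misconfigured client retrying the same missing record.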

Ways to Secure DNS

Given the number and nature of these attacks, there have been a variety of methods proposed to try to do a better job of securing this protocol. All of them have their implementation issues and have not met with anything near universal acceptance.

DNS Security Extensions (DNSSEC), which was first proposed in 2010, added cryptographic signatures to help verify DNS responses were coming from the intended servers. While the authentication was useful, it didn’t protect the privacy of the DNS conversation.

DNS over HTTPS (DoH) and DNS over TLS send these requests over the UDP transport layer, again using encryption. This prevents man-in-the-middle tampering that could be done with unprotected DNS conversations. The TLS version skips the application-layer protocols, which helps hide this traffic even further and offers a slight performance boost as a result.

DNSCrypt was designed to prevent DNS spoofing attacks and has several open-source implementations.
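The DNSSEC and DoH paragraphs above can be made concrete at the message level: a client asks for signatures by setting the EDNS0 "DNSSEC OK" bit, a validating resolver reports success in the AD header flag, and DoH carries the same wire-format query inside an HTTPS request (RFC 8484). This is an added example, not code from the original article; the resolver URL, function names and sample response headers are constructed for illustration.

```python
import base64
import struct

AD_FLAG = 0x0020   # "authenticated data": the resolver validated the DNSSEC chain
DO_FLAG = 0x8000   # EDNS0 "DNSSEC OK": the client wants signature records returned

def build_query(name, qtype=1, dnssec_ok=True):
    """Wire-format query for `name` (qtype 1 = A), optionally with an EDNS0 OPT record."""
    # ID 0 (RFC 8484 recommends this for DoH), RD=1, one question, ARCOUNT=1 if OPT is present
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)   # class IN
    opt = b""
    if dnssec_ok:
        # OPT pseudo-record: root name, type 41, UDP size 1232, ext-rcode 0,
        # version 0, flags with DO set, RDLEN 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, DO_FLAG, 0)
    return header + question + opt

def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: the query travels in ?dns= as unpadded base64url."""
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def validation_status(response):
    """Classify a response by its header flags (bytes 2-3 of the message)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if flags & 0x000F == 2:
        return "servfail"   # validating resolvers answer this when signatures fail (among other causes)
    return "authenticated" if flags & AD_FLAG else "unauthenticated"

def sample_header(flags):
    """Constructed 12-byte response header, used only as sample input."""
    return struct.pack("!HHHHHH", 0, flags, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example/dns-query", q))   # hypothetical resolver URL
    for flags in (0x81A0, 0x8180, 0x8182):
        print(hex(flags), validation_status(sample_header(flags)))
```

The AD flag is only as trustworthy as the path to the resolver that set it, which is the gap an encrypted transport such as DoH or DoT closes.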

Geoff Huston, an Internet pioneer based in Australia, recently wrote, “Can you believe what the DNS tells you? The answer is that you probably can’t! But using these DNS security technologies isn’t much of an advantage because all you really gain is being better informed as to who is lying to you.” 

Free Alternative DNS Providers*

As these DNS compromises have become more of an issue, a number of free and public DNS providers have become available and offer some protection against these attacks. Before you get too excited, realize that you definitely get what you don’t pay for with these free providers (some of whom also have paid plans):

  • AdGuard DNS (Filtering, DNSCrypt, DNS over HTTPS and TLS)
  • Alternate DNS (Filtering and ad blocking)
  • CleanBrowsing (Filtering, DNSCrypt, DNS over HTTPS and TLS)
  • Cloudflare (DNS over HTTPS)
  • Google Public DNS (DNS over HTTPS and TLS)
  • Cisco OpenDNS (Filtering)
  • Quad9 (Filtering, DNSCrypt, DNS over HTTPS and TLS)

Before you go shopping around for DNS providers, here are some of the things you should look for:

Ways to prevent common DNS attack methods. As mentioned above, the world of specialized DNS-based attacks continues to grow, and having better ways to prevent these attacks — such as identifying common attack signatures — can eliminate downtime and improve overall network security. This includes better attack monitoring. Because these providers can watch over a higher traffic volume, they tend to see exploits sooner and can stop them faster.

Better network response times. The distance between the location of your website and the location of your online visitors can cause slow page load times, dropped queries (404 or “page not available” errors) and increased latency. Having an alternative DNS provider can optimize these response times to maximize performance and availability.

Better network routing and filtering. Having your DNS automatically detect and route your network traffic to the “nearest” server not only improves response times but can also help to balance demands on DNS query loads and act as a built-in failover mechanism in case of issues with any of your DNS servers. Some DNS providers, such as Network Solutions, also provide DNS filters to help manipulate DNS queries to limit access by geopolitical regions or prioritize traffic.

Native cloud DNS advantages. The major cloud vendors such as Google (Cloud DNS), Amazon (Route 53) and Microsoft Azure all have their own specialty DNS offerings. If you deploy significant infrastructure across any of these cloud systems, you should definitely make use of their DNS services. The one downside is that because they are cloud services, each has a fairly complex usage-based pricing structure that will be hard to parse. And if you use multiple clouds, you can’t have a single DNS provider across your entire network.

To understand exactly what benefits are being offered by a potential DNS provider, here are some questions to ask during your evaluation:

  • How close to real time can traffic analysis be performed?
  • How granular are the geofencing rules?
  • How are load balancing and other content proxies implemented?
  • Where are their DNS servers physically located?

It's Time to Try Network Solutions’ Premium DNS

At Network Solutions, we offer our Premium DNS service for any customer who has purchased a domain with us. This service provides a powerful defense against common DNS threats, including hackers and DDoS attacks. However, Premium DNS also offers so much more. For example, the service automatically detects and directs visitors seamlessly to the nearest of 21 global servers. Premium DNS also delivers peak performance levels with maximized website availability — providing a richer end-user experience with 100% uptime.

Premium DNS makes it easy to:

  • Reduce error codes and dropped queries.
  • Improve website resolution speed and load times.
  • Safeguard sensitive information from hacker activity.
  • Secure your site from hackers trying to reroute your website to steal customer-sensitive information.

For improved site traffic and enhanced security, Premium DNS is an excellent choice. By turning to Network Solutions for your Premium DNS needs, you'll stay online and safe from hacking threats. With global servers, 100% uptime and advanced protection features to defend your connections, our Premium DNS option is a great option for any organization. It's just one more way we help keep you and your business safe and running smoothly online.

*As of May 2021

Sources:

Forescout. “NAME:WRECK FAQ.” 2021. https://www.forescout.com/company/resources/namewreck-faq/

Geoff Huston. “DNS evolution: Trust, privacy and everything else.” APNIC Blog. October 2020. https://blog.apnic.net/2020/10/27/dns-evolution-trust-privacy-and-everything-else/

Images: Shutterstock