The Domain Name System (DNS) is the Rodney Dangerfield of Internet protocols. By that, we mean that DNS has trouble getting respect for all the important things that it does. Over the years, the DNS has been abused by spammers, its weaknesses exploited by distributed denial of service (DDoS) attackers and domain hijackers. Given that the spate of attacks is increasing (according to one 2019 IDG report), along with their effectiveness (according to this report), it is time to get more serious about how you manage your DNS infrastructure and how you can harden it to prevent future threats. This survey shows that an average DNS attack will cost an organization nearly $1,000,000.
Typically, when a business obtains a domain, they make use of the default DNS settings that come from the Internet provider. As long as these default DNS servers work, that is the first and last time that many of us think about our DNS. While that is the path of least effort, it is also the path of least functionality and protection.
Paul Vixie, one of the key developers of DNS and the founder and CEO of Farsight Security, recently spoke about the evolution of DNS. “DNS is at the beginning and middle of all Internet activities. It has become the great enabler. An IT manager could build better defenses against all kinds of attacks if they learn how to monitor what is happening across their DNS infrastructure. This is because the bad guys are going to have to create DNS content if they want to reach their victims.”
One way the good guys can fight these abuses is by leveraging DNS and observing when a domain is created and when it is first used. Spammers like to create many domains and use them infrequently, which is at odds with how legitimate businesses use their DNS. Bad actors also like to target specific regions or domains to communicate with, which is also a telltale sign behind a potentially criminal activity. Or they originate from known IP addresses that have been tagged with dubious activities in the past.
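The "newly created domain" and "known-bad address" signals described above can be checked against an organization's own resolver logs. The following is an added example, not code from the article or from Farsight; the log format, sample records, blocklist and seven-day threshold are all constructed assumptions (a real deployment would take first-seen dates from a passive-DNS feed or WHOIS creation data rather than from its own history).

```python
"""Flag DNS lookups to young domains or to blocklisted answers (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed resolver log lines: "<timestamp> <client> <qname> <answer_ip>".
HISTORY_LOG = """\
2024-03-01T09:00:00 10.0.0.5 www.example.com 93.184.216.34
2024-03-01T09:05:00 10.0.0.7 mail.example.com 93.184.216.35
2024-03-18T16:40:00 10.0.0.2 cdn.example.org 203.0.113.10
"""
TODAY_LOG = """\
2024-03-20T11:12:00 10.0.0.9 login-update.example.net 198.51.100.23
2024-03-20T11:13:00 10.0.0.9 static.cdn.example.org 203.0.113.77
2024-03-20T11:14:00 10.0.0.5 www.example.com 93.184.216.34
"""
KNOWN_BAD_IPS = {"203.0.113.77"}  # constructed blocklist of dubious answers
NEW_DOMAIN_DAYS = 7               # assumption: younger than a week is suspicious


def registrable_domain(qname: str) -> str:
    """Collapse a hostname to its last two labels (toy; no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def parse_log(text: str):
    for line in text.splitlines():
        ts, client, qname, answer = line.split()
        yield datetime.fromisoformat(ts), client, registrable_domain(qname), answer


def build_first_seen(history: str) -> Dict[str, datetime]:
    """Earliest time each registrable domain appeared in our own history."""
    first_seen: Dict[str, datetime] = {}
    for ts, _client, domain, _answer in parse_log(history):
        if domain not in first_seen or ts < first_seen[domain]:
            first_seen[domain] = ts
    return first_seen


def flag_queries(today: str, first_seen: Dict[str, datetime],
                 new_days: int = NEW_DOMAIN_DAYS, bad_ips=KNOWN_BAD_IPS
                 ) -> List[Tuple[str, str, List[str]]]:
    """Return (client, domain, reasons) for every lookup that trips a rule."""
    flagged = []
    for ts, client, domain, answer in parse_log(today):
        reasons = []
        first = first_seen.get(domain)
        if first is None:
            reasons.append("never seen before")
        elif ts - first < timedelta(days=new_days):
            reasons.append(f"first seen {(ts - first).days}d ago")
        if answer in bad_ips:
            reasons.append(f"resolves to blocklisted {answer}")
        if reasons:
            flagged.append((client, domain, reasons))
    return flagged
```

Running `flag_queries(TODAY_LOG, build_first_seen(HISTORY_LOG))` flags the never-seen `example.net` lookup and the two-day-old `example.org` lookup that also resolves to the blocklisted address, while the long-established `example.com` passes.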
Over the past few years there have been several enhancements to DNS that block access to known bad IP address ranges and filter content. Other enhancements can encrypt DNS traffic, accomplished in several ways:
The efforts behind these enhancements have resulted in a number of alternative DNS providers, most of them offered free by major Internet vendors, including:
Many of these vendors use easy-to-remember DNS server addresses, like Cloudflare’s 188.8.131.52 or Google’s 184.108.40.206. There are various reviews of these providers, such as this one from TechRadar. There are also DNS specialty providers that offer paid DNS services, including Akamai’s Enterprise Threat Protector, NS1 Domain Security Suite, OpenDNS/Cisco Umbrella and Cloudflare. And the major cloud vendors such as Google, Amazon and Microsoft Azure all have their own specialty DNS offerings if you deploy significant infrastructure on their cloud platforms.
Vixie was one of the early developers of DNSSEC and now considers it “a necessary mediocrity. I had high hopes that it would help simplify DNS certificate use and provide a more trusted mechanism for domains. However, we underestimated the effort to pull this off and the working group gave up on it.” One disappointment: back in 2016, attackers figured out how to use DNSSEC for DDoS amplification attacks. Still, having DNSSEC is better than not having it. Vixie says you should use DNSSEC if “you have a clear path to the center of the Internet.”
Vixie is also somewhat down on the free alternative DNS providers, claiming that many vendors are using their services to mine your own Internet traffic and then using this data to upsell you on other paid products. This should temper your enthusiasm.
So here are some tips on what to do if you are interested in deploying one of these tools. First, you should understand your own network DNS problems, bottlenecks and infrastructure before you make any changes. Geekflare has a set of performance comparison services, most of them free, that can show you if switching to another DNS provider will help improve your network response time and reduce latency.
Second, understand the originating networks used by your typical customers. If you operate a worldwide business, you will have to make some tradeoffs because some DNS security providers do a better job in certain regions than others.
Third, understand that network outages happen daily and are largely out of your control. There are several reporting services that can notify you of changes, including Oracle/Dyn’s Internet Intelligence, Netblocks and Thousand Eyes. These should be the first places to search when your users complain of Internet slowdowns.
Finally, review what the paid vendors offer and what their fees will be. Some don’t offer near-real-time traffic analysis, some have more sophisticated geofencing rules that can be used to prevent some phishing attacks and some have load balancing and proxies to make your network operate more efficiently. Some vendors will tell you where their DNS servers are physically located, and some won’t, so keep that in mind as well.
By following these tips, you’ll put your organization in a position to find a DNS security provider that works for your needs. That will make things a lot easier for you over time.