How to strengthen DNS security

Every device connected to the internet has a unique internet protocol (IP) address that identifies it on the global network. In fact, every website you’ve ever visited has the IP address of the web server it’s hosted on.

However, IP addresses are not useful for landing on a website. Firstly, it’s not easy to remember IP addresses, the latest of which are alphanumeric codes consisting of up to 32 jumbled-up numbers and letters. Secondly, a website can have multiple IP addresses if it is served from more than one data center. Lastly, a server can host many websites, which means that those sites share the same IP address.

Instead of IP addresses, we use uniform resource locators (URLs) or web addresses to arrive at webpages. Web addresses still contain IP addresses, but these take the form of distinct domain names, text-based labels that are much easier to remember than strings of code.

For instance, digitel.net is a domain name, while its IP address is 52.221.47.76. All domain names are compiled in an internet-style phonebook called the domain name system or DNS. DNS servers translate domain names to IP addresses for us so that web traffic gets to where it needs to go.

DNS vulnerabilities

Unfortunately, much like any other protocol, DNS is vulnerable to exploitation. Since DNS is basically a lookup table that matches domain names to their respective IP addresses, it was designed with no way of verifying if an IP address came from the true domain owner or has been switched with another one by a hacker. Called DNS cache poisoning, the switch makes web users go to a website they didn’t intend to go to.

Usually, that site masquerades as the legitimate business website but is really designed to capture data for nefarious intentions. At other times, the malicious site makes users download malware such as:

  • Worms – self-replicating software that eats up computing resources
  • Spyware – tracking software that logs browsing histories, records audio and video via microphones and cameras, and captures sensitive data such as banking information
  • Ransomware – software that locks users out of their files and systems until a ransom is paid

DNS security extensions to the rescue

The goal of DNS security is to ensure that users reach their intended websites. To achieve this, a technology called DNS security extensions (DNSSEC) was developed.

DNSSEC adds cryptographic signatures to DNS records, which are then stored in DNS servers. When a user enters a domain that’s protected by the security extension, it will be verified by referring to the signature stored in the authoritative name server. This will ensure it hasn’t been altered en route through a man-in-the-middle attack or spoofed using a fake record. If, after verification, the system fails to resolve the legitimate web address, it will return a 404 error stating that the website can’t be found.

DNSSEC works similarly to HTTPS in that it provides an additional layer of security on top of an otherwise insecure protocol. This makes any attempted forgeries instantly detectable, without the need to incorporate an additional encryption layer.

Is DNSSEC easy to implement?

Implementing DNSSEC is generally a simple process for managed IT services providers (MSPs). In fact, some MSPs allow you to enable DNSSEC yourself with a few mouse clicks.

However, if you’re managing your domains yourself, implementing DNSSEC can be complicated and time-consuming. You’ll need to create and manage additional records for every domain your business uses. Things can get exponentially more complex if you also want to upgrade or add coverage for your email servers and other online assets.

It’s important to understand the purpose and limitations of DNSSEC. Most importantly, its effectiveness relies heavily on the integrity of the configuration process. For example, it won’t provide any protection if there are misspellings in the records. DNS security also doesn’t protect against DDoS attacks.

Still confused? Digitel provides the full range of IT and cybersecurity services that businesses in Atlanta need to protect themselves against threats both old and new. Call us today to schedule your free consultation.
