DNS Security – What Every CIO Should Do

Domain name system security is entering mainstream thinking. The recent signing of the DNS root zone with DNSSEC garnered media attention at every level from the specialist technology press and top-selling national newspapers all the way down to local small-town outlets. Meanwhile, governments worldwide, aware of how much of their national economies depend on a smoothly running Internet, are becoming increasingly interested in ensuring its critical infrastructure is as secure and reliable as it can possibly be; at the United Nations Internet Governance Forum earlier this month, in which I participated, one of the predominant themes was the ongoing security and stability of the Internet.

This level of interest is not always reflected in thinking among corporate CIOs, however. The security of an organization’s critical DNS is still often overlooked, despite the obvious fact that it is arguably one of the most vital pieces of infrastructure, the piece that ties all the other pieces together. Companies may spend millions creating and promoting their brand in the offline world, forgetting that on the Internet their domain name is their brand. Often it is only after a company’s DNS has come under attack, or has suffered downtime from a non-malicious cause, that CIOs start thinking about DNS strategically.

There are a number of ways an organization’s domain name and associated DNS infrastructure can be compromised. A domain can be stolen outright. It can also have its performance impaired by denial-of-service attacks, or traffic to the address can be stolen via man-in-the-middle vulnerabilities. Like all digital assets that rely upon software, it is only as secure as the platform on which it functions. These platforms are vulnerable to code exploits and poor configuration choices. Finally, it also runs the risk of being compromised by human error.

Employee education can mitigate risk. When a domain name is hijacked, it’s usually at least partly due to human error. Many times employees fall for sophisticated (or otherwise) social engineering attacks designed to uncover passwords and other confidential information. Phishing attacks, keystroke loggers and other types of malware all have the potential to compromise sensitive information that can lead to the loss of a domain name, or ensure that your employee’s computer is subsumed into a botnet. The most recent case of this is the “Here you Have” virus that is reported to have accounted for more than 42 billion individual spam messages. Even non-malicious software applications, such as peer-to-peer file-sharing clients, can represent a data leakage risk if poorly configured.

Employees in positions of authority over critical resources need to be made aware of these risks. Clicking on links to suspicious websites, downloading attachments from unknown sources, and installing unauthorized applications should all be actively discouraged within a security-conscious enterprise. This advice may seem old, but it is surprising just how many breaches are still caused by oversights by employees who should know better. Only last year a government defense contractor reportedly inadvertently leaked the blueprints to Marine One, the President’s helicopter, to Iran, due to P2P file-sharing software installed on a laptop. Training is of course only one of several corporate policies that organizations need to establish in order to mitigate the risks, or effects, of a security breach or period of downtime.

Arguably the greatest threat today to the security of a domain name – and the associated brand – is distributed denial of service attacks. The DDoS problem is increasing in large part due to the growing “provisioning gap” between attackers and defenders. As botnet operators and their tools become more sophisticated, and the amount of bandwidth available to them increases in-step with the roll-out of high-speed residential broadband, it becomes increasingly difficult to defend against their attacks. The costs associated with quickly building out a powerful botnet are negligible compared to the costs required to adequately provision a defense.

This is a real concern. A DDoS attack of sufficient ferocity on DNS servers can not only substantially disrupt a company’s ability to do business online – hurting revenue and brand equity – it can also severely impact employee productivity. The latter concern will only grow as more and more organizations begin to rely on cloud-hosted productivity tools and business applications, which are of course accessed using DNS.


Organizations also need to provision for how they will handle the eventuality of a DDoS attack. Policies should be created dealing with how responses are escalated, how to most effectively cooperate with providers to have the attack blocked, and how to most efficiently employ failover systems. In many cases, there will be crossover with disaster recovery plans designed for non-DDoS scenarios, such as power outages or natural disasters.

Information security policies also need to address the vulnerability profiles of Internet-facing infrastructure. Popular DNS software makes fertile hunting ground for bug-hunters, leading to the necessity for regular upgrades. Name servers should be incorporated into existing patching regimes with just as high a priority as any other critical system. Because poorly configured DNS software also represents a vulnerability, CIOs should ensure that their name servers are configured according to current best security practices – for example by ensuring authoritative name servers do not also act as recursive servers.
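The last point is easy to verify from the outside. As an added illustration (not code from the article), the following Python builds a query for a name the server is not authoritative for, with the RD (recursion desired) bit set, and classifies the reply by its RA (recursion available) flag and answer count: an authoritative-only server should refuse and leave RA clear, while a server that also recurses answers with RA set. The header layout is the RFC 1035 wire format; the two sample responses are constructed here for the demonstration, not captured from any real server.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, section 4.1.1).
QR = 0x8000   # 1 = response
AA = 0x0400   # authoritative answer
RD = 0x0100   # recursion desired (set by the client)
RA = 0x0080   # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(qname):
    """Encode a dotted name in DNS wire format (length-prefixed labels, zero terminator)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, rd=True):
    """Build a minimal DNS query; RD=1 asks the server to recurse on our behalf."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_response(resp):
    """Judge what a reply to an off-zone, RD=1 query says about the server's configuration."""
    h = parse_header(resp)
    if not h["qr"]:
        return "not-a-response"
    if h["ra"] and h["ancount"] > 0 and not h["aa"]:
        return "open-recursive"      # answered a name it is not authoritative for: recursion is on
    if not h["ra"] and h["rcode"] == RCODE_REFUSED:
        return "recursion-refused"   # the expected reply from an authoritative-only server
    return "inconclusive"


# --- Constructed sample traffic (not captured from any real server) ---
OFF_ZONE_QUERY = build_query("example.net")   # asked of a server authoritative only for example.com
QUESTION = OFF_ZONE_QUERY[12:]

# Correctly configured authoritative server: QR set, RD echoed, RA clear, RCODE=REFUSED, no answers.
HARDENED_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR | RD | RCODE_REFUSED, 1, 0, 0, 0) + QUESTION

# Misconfigured server that also recurses: QR, RD, RA set, NOERROR, one non-authoritative A record.
ANSWER_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_RESOLVER_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + QUESTION + ANSWER_RR

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED_RESPONSE), ("misconfigured", OPEN_RESOLVER_RESPONSE)):
        print(label, "->", classify_response(resp))
```

Against a live server the same check is a single `dig @your-nameserver some-other-domain`: the `;; flags:` line of the output should not contain `ra`, and the status should be REFUSED, for a server that is meant to be authoritative only.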

In summary, improving security is not always a purely technological problem; often, the impact of security events can be mitigated, or the risk of them occurring at least reduced, by addressing the people and policy parts of the equation. When it comes to critical infrastructure such as DNS, the first step for CIOs is recognizing the fact that a company’s domain name is not only the online ambassador for its brand, but also the glue that holds the whole Internet-based business together. From there, the appropriate strategic decisions will surely follow.

Tags: DNS Security, Domain Name Security, Securing DNS, Security Infrastructure, DDoS Attacks, CIO
