Few organizations deny the importance of protecting the DNS, yet the challenges of managing and securing domain name systems leave organizations at risk of attack. In this blog post, we discuss how to protect the DNS using security best practices. Follow these guidelines to keep your digital enterprise and customers safe:
Consolidate Domains to a Single Corporate Registrar
Most organizations do their best to register the majority of their domains with a single registrar. Having even a few domains managed with more than one registrar can create security vulnerabilities. Recently, major companies including Mastercard, Hilton International, and ING Bank had each chosen a preferred registrar but also had a few orphaned domains hosted with GoDaddy. Hackers targeted them among 600 other companies, successfully hijacking 4,000 domains for fraudulent and criminal use.
Relying on multiple registrars makes DNS security difficult because each one has different login credentials, access controls, and notification procedures. It turns what should be a single, unified, integrated process into dozens of redundant and contradictory ones.
Transitioning to a single corporate registrar unites all domains under a consistent set of security standards. To begin consolidating domains and DNS, perform an audit to discover all domains, both active and inactive. All domains should be migrated to a single registrar. Once all domains are consolidated, conduct a detailed zone file audit to discover — and clean up — superfluous or insecure domains and associated DNS settings.
Consolidate DNS Providers
Most large organizations use dozens of DNS providers. Using multiple services creates confusion and inconsistency because each one handles security differently. For example, some employ two-factor authentication for logins and support DNS Security Extensions (DNSSEC), while others don’t.
Organizations need to consolidate DNS services to two: a primary and a secondary backup. The security and operational benefits are huge. First, DNS service consolidation standardizes access, change management, and security controls on a single system. It’s more secure and far easier to manage. Second, consolidation assures uniform security compliance such as DNSSEC, which requires tight DNS service integration that is not possible when managing dozens of services. Finally, having a backup DNS provider ensures that your digital presence remains accessible and secure even if your primary service fails or suffers temporary performance lags.
Implement Automated DNS Security
HTTPS encryption is universally recommended for all domains to keep your digital “conversations” private. DNS Security Extensions (DNSSEC) are also a DNS security best practice, ensuring that the DNS answers which direct those conversations are authenticated: signed by the zone owner and verifiable by the resolver.
Together, these measures assure privacy and data protection for internet sessions and that traffic redirected to a specific destination arrives as intended. Audits confirm that most organizations neglect to deploy HTTPS encryption across all domains and redirect domains. DNSSEC and other security measures like DMARC and SPF barely cover a small fraction of domains, leaving organizations and customers exposed.
The primary obstacle to better deployment is the cost of managing DNS security. Placing full SSL certificates on redirect domains is cost-prohibitive. Managing DNSSEC with DS key rollovers across numerous DNS providers is administratively cumbersome. Adequate security is sacrificed to the reality of limited budget and staff resources.
Moving to an integrated platform to manage domain and DNS security can significantly reduce the workload. SSL certificates and DNSSEC should require no more effort than a single mouse click for each domain — including the annual recurring effort of certificate renewals and DS key rollovers. Systems can easily monitor, remediate, and audit hundreds of security conditions across thousands of domains so that your people don’t have to.
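As an added illustration of the kind of check such a system runs across a portfolio (example code written for this post, not the author's or any vendor's tool), the following Python audits a constructed export of per-domain records for the controls named above: a DS record for DNSSEC, a single SPF record that does not authorise every sender, and a DMARC policy that actually enforces. The domain names, record values and finding strings are all constructed for the example.

```python
import re

# Constructed sample export (not real organisations' data): for each domain, the
# DS records at the parent, TXT at the apex and TXT at _dmarc.<domain>. DS digest shortened.
SAMPLE_RECORDS = {
    "example-corp.test": {
        "DS": ["12345 13 2 0123ABCD..."],
        "TXT": ["v=spf1 include:_spf.example-corp.test -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.test"],
    },
    "orphaned-brand.test": {  # forgotten domain parked at a second registrar
        "DS": [],
        "TXT": ["v=spf1 +all"],
        "_dmarc": [],
    },
    "redirect-only.test": {
        "DS": [],
        "TXT": ["v=spf1 -all", "v=spf1 include:mailer.test ~all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@redirect-only.test"],
    },
}

def audit_domain(records):
    """Return the list of findings for one domain (an empty list means clean)."""
    findings = []
    if not records.get("DS"):
        findings.append("DNSSEC: no DS record, so no chain of trust from the parent zone")
    spf = [t for t in records.get("TXT", []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record")
    elif len(spf) > 1:
        findings.append("SPF: multiple records (RFC 7208 evaluates this as permerror)")
    elif any(term in ("+all", "all") for term in spf[0].split()[1:]):
        # The qualifier on 'all' decides unlisted senders; '+all' (or bare 'all') allows any host.
        findings.append("SPF: '+all' authorises any sender")
    dmarc = [t for t in records.get("_dmarc", []) if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record")
    elif dict(re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc[0])).get("p", "").strip() == "none":
        findings.append("DMARC: p=none, monitoring only, no enforcement")
    return findings

def audit_portfolio(portfolio):
    """Audit every domain; return {domain: findings} plus coverage counts."""
    report = {name: audit_domain(recs) for name, recs in portfolio.items()}
    def count_without(prefix):  # domains with no finding of the given kind
        return sum(not any(f.startswith(prefix) for f in r) for r in report.values())
    coverage = {"dnssec": count_without("DNSSEC"),
                "dmarc_enforcing": count_without("DMARC"),
                "clean": sum(1 for r in report.values() if not r)}
    return report, coverage
```

Running `audit_portfolio(SAMPLE_RECORDS)` flags the orphaned and redirect-only domains on all three controls while the consolidated one passes, which is the per-domain view a monitoring system would refresh continuously.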
Most DNS compromises depend on going unnoticed. System-based DNS security maintains real-time vigilance, eliminating people-based errors, omissions, and malicious actions. DNS best practices call for systems over individuals.
Integrate Change Management Processes
Large corporate domain portfolios and their underlying DNS networks are subject to constant changes, typically undertaken with manual processes. The common standard for most organizations’ DNS change management is an ad hoc sequence of email tickets; request and approval forms; and spreadsheet lists of domains, SSL certificates, and renewal dates. This approach comes straight from the 1990s and has two big problems: It’s operationally inefficient, and it’s full of IT security risks.
A system-based change management process can integrate and simplify the administration of domains, DNS, SSL certificates, and DNS security settings, eliminating the errors and omissions that create security risks. Unifying change management standardizes workflows so that every change follows the same security compliance rules. As a result, DNS security is protected from human error factors.
Secure change management processes further protect organizations with tamper-proof audit reports and change alert digests. Without these tools, how do you know whether a change was made? Who made it and when? Was it approved? Most DNS compromise is invisible to the victim. Integrated change management with audit controls improves DNS security by making changes visible within the secure network infrastructure.
Some experts have insisted that the use of domain “registry lock” combined with periodic DNS and SSL certificate audits can stop DNS hijacking. This ignores the recent scenarios in which hackers gained unauthorized access to DNS change controls, easily bypassing registry lock, and even installing fake SSL certificates in the victim’s name. Registry lock protects the registration itself (transfers and nameserver delegation at the registry); it does nothing for the records inside a zone hosted at the DNS provider, which is where such changes are made. Change management with audit records and change alerts protects against these tactics.