External DNS Security: An Overlooked IT Security Threat
When assessing threats to enterprise IT security, there’s a tendency to overlook the DNS: an increasingly vulnerable layer to every organization’s cybersecurity. Losing control of the external domain name system, or DNS, is a massive threat to an organization’s digital operations and brand value. It’s also an increasingly common occurrence. DNS security is compromised so often, in fact, that the U.S. Department of Homeland Security and other organizations have issued alerts about this vulnerability.
Your external DNS security is the gatekeeper that protects your company and your customers in all digital interactions. Losing control over a domain or its DNS routing leaves you vulnerable to a loss of digital services at best, or exploitation and compromise by malicious parties at worst.
In the less concerning scenario, online visitors can experience query (HTTP) or display errors; the result is forms, e-commerce, or mobile applications failing to respond.
In the worst cases, hackers can direct your users to lookalike sites designed to steal sensitive data such as financial information. Variations on these DNS security issues include domain hijacking, DNS hijacking, domain shadowing, DNS cache poisoning, and DNS spoofing. Whatever the specifics, the result is the same: The DNS has been compromised.
The reason DNS hijacking and its common variations pose such a threat is that the DNS is incredibly hard to manage. It’s part of a highly complex interdependent network including domains, subdomains, and redirect domains, all of which must be encrypted by TLS/SSL certificates to protect the privacy of your customers when they interact with your organization online.
Your domains are directed by zone file settings — resource records — that typically number in the thousands. To manage this massive system, most organizations outsource the DNS and its administration to third-party service providers, usually more than one. A company can easily use several — even dozens of — DNS services, each with its own access and administration portal. Integration between DNS services and domain registrars is rare.
Hackers are well aware that most organizations use multiple DNS vendors that have inconsistently managed security measures. They also know that companies and vendors alike often fail to use several basic and highly recommended DNS security measures. These include DNSSEC and DMARC: The first authenticates your digital presence to prevent DNS hijacking, while the latter improves email security to mitigate the threat from phishing.
There’s a reason that many organizations have failed to adequately deploy these basic measures, and it has a lot to do with the lack of systems-based DNS change management. Companies tend to rely on manual compliance processes, managed by people, to control the DNS. That’s inefficient and dangerous.
The biggest vulnerability in any security system — and the hardest to protect against — is user error. Your users and internal stakeholders include digital marketing, legal, IT staff, and others. The systems they use tend to be disconnected, while the users themselves tend to be siloed in their own departments. Managing change across the organization invites the kinds of internal errors that create security holes for malicious external parties to prey upon.
Few organizations exercise complete control over their DNS networks. To understand just how vulnerable your organization is to DNS hijacking, ask yourself a few simple questions:
- Are you aware of the status of every domain resource record at all times?
- Is access to your DNS change management completely locked down and secure?
- Do you know who made changes, when and why? Do you have the audit logs and digest alerts to document and confirm those changes?
- Are you ensuring DNS security compliance — such as DNSSEC and DMARC — on each and every domain?
Unless you already have a systems-based approach to DNS change management, your answers are probably “no”, “maybe” or “partially.” The enormity of managing the DNS is why DNS compromises and their resulting security breaches have increased to such an extent. It’s also why they continue to pose a threat to both commercial and public sector enterprises. After all, we can’t secure what we can’t control.
Securing the DNS and guarding it against threats is a thorny problem. Understanding how and why your organization is vulnerable is essential to defending your digital applications from compromise and attack. The best way to assess your organization’s DNS security posture is to conduct an audit of your external DNS network. An audit can pinpoint the specific vulnerabilities that expose your operation to DNS hijacking and other DNS security threats.
Learn the causes of DNS security issues, and how to resolve them in our next blog posts.