In a recent post, we explored the ways DNS security is easily compromised. In this post, we’ll show you how to fix DNS security issues. Defend your external DNS network and protect your customers and users with these smart strategies:
1. Prioritize End-to-End Transparency
You can only manage what you can see. A DNS network is large and complex by nature: thousands of resource records spread across many zone files, TLS certificate renewals, and domain expiry dates make ad hoc monitoring impractical. That’s why it’s critical to have full visibility into your DNS change management. Map the journey of every new domain through each stage of its life cycle: registration, hand-over to IT, and ongoing operation after setup. A systems-based approach can help you monitor the whole DNS network for transparency, error reduction, and DNS security compliance.
2. Consolidate Your Domain Registrars and DNS Services
In most organizations, many stakeholders touch DNS-related settings on many vendor systems. End-to-end transparency and control are hard enough with a handful of domain registrars and DNS providers, yet many organizations use 30 or more, each managed separately through its own admin portal. Every extra portal is another set of credentials to protect and another place where a change can go unnoticed. Domains should be consolidated to a single corporate registrar, and DNS should be served by one primary provider with a redundant secondary. Consolidation concentrates risk as well as control, so the remaining registrar account needs hardening in return: multi-factor authentication, a short list of named administrators, and registrar or registry lock on the domains that matter most. Done that way, consolidation makes oversight significantly easier and gives decision makers a single source of truth: one point of control for DNS security.
3. Systems-Based Change Management
Enterprise stakeholders, including IT security staff, rarely know who changed what in the DNS network, or when. Change management is typically a manual process. A systems-based approach can fix this: require multi-factor authentication for every DNS login, grant role-based permissions (few people need rights to edit NS or MX records), and route changes through an integrated workflow with approval. Every change should land in a tamper-evident audit log, and a change digest should be sent automatically to designated owners, so that an unexpected edit is noticed within hours rather than months. Automating change management removes manual processes that are cumbersome, error-prone, and costly.
4. Implement DNS Security Measures
DNS security threats are on the rise, including DNS hijacking, cache poisoning, domain hijacking, and more. Organizations should implement best-practice DNS security measures, including:
- Domain Name System Security Extensions (DNSSEC), which cryptographically signs the records in your zone so that validating resolvers can detect forged or poisoned answers (it authenticates DNS data, not queries, and encrypts nothing);
- HTTPS on all domains, including redirect domains, to protect the privacy and integrity of your users’ traffic; and
- Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to protect the integrity of your email and shield your company and customers from phishing. DMARC only enforces a policy when SPF or DKIM passes and aligns with the From domain, so deploy them together.
These measures raise the cost for attackers who hijack DNS, poison caches, or spoof your mail domain. They are not a substitute for locking down the registrar and DNS provider accounts through which your zone is edited: an attacker who controls the zone can simply remove them.
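The checks a practitioner would run against the items above, as an added example that is not code from the original post: it parses SPF and DMARC TXT records, applies the rules that commonly go wrong (a non-failing `all`, too many lookups, `p=none`, no report address) and treats a DS record at the parent as the sign that DNSSEC is in force. The two record sets are constructed to stand in for resolver output, so it runs offline; the DS digest is a placeholder, not a real hash.

```python
"""Audit a domain's SPF, DMARC and DNSSEC posture from its DNS records.

Added example; not code from the original post. The record sets below are
constructed to stand in for resolver output so the check runs offline.
"""
import re

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 (limit: 10 per check).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Return (mechanisms, all_qualifier) for an SPF TXT record, or None if it is not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                       # SPF's default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if the TXT record is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def audit_domain(domain, records):
    """records maps (owner name, type) -> list of values, as a resolver would return them.

    Returns a list of findings; an empty list means every check passed.
    """
    findings = []

    # SPF: exactly one record, a failing 'all', and within the lookup budget.
    spf_records = [p for p in (parse_spf(t) for t in records.get((domain, "TXT"), [])) if p]
    if not spf_records:
        findings.append("SPF: no record; anyone can send mail as this domain")
    elif len(spf_records) > 1:
        findings.append("SPF: multiple records; receivers treat this as a permanent error")
    else:
        mechanisms, all_qualifier = spf_records[0]
        if all_qualifier is None:
            findings.append("SPF: no 'all' term; unmatched senders get a neutral result")
        elif all_qualifier != "-":
            findings.append(f"SPF: '{all_qualifier}all' does not fail unauthorized senders; use -all")
        lookups = sum(1 for _, m in mechanisms
                      if re.split(r"[:/=]", m, maxsplit=1)[0].lower() in SPF_LOOKUP_TERMS)
        if lookups > 10:
            findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10; record evaluates to permerror")

    # DMARC: published at _dmarc.<domain>, enforcing, and reporting somewhere.
    dmarc_records = [p for p in (parse_dmarc(t) for t in records.get((f"_dmarc.{domain}", "TXT"), [])) if p]
    if not dmarc_records:
        findings.append("DMARC: no record; SPF/DKIM results are not enforced")
    else:
        tags = dmarc_records[0]
        if tags.get("p") != "reject":
            findings.append(f"DMARC: policy p={tags.get('p', 'none')} is not reject; spoofed mail may be delivered")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports are never received")
        if int(tags.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail stream")

    # DNSSEC: the DS record in the parent zone is what lets resolvers validate signatures.
    if not records.get((domain, "DS")):
        findings.append("DNSSEC: no DS record at the parent; resolvers cannot validate this zone")

    return findings


# Constructed record sets (not real lookups) for a weak and a hardened configuration.
WEAK = {
    ("example.com", "TXT"): [
        "v=spf1 include:_spf.mail.test ip4:203.0.113.0/24 ?all",
        "site-verification=abc123",           # unrelated TXT record; must not count as SPF
    ],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=none"],
}
HARDENED = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.mail.test ip4:203.0.113.0/24 -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
    ("example.com", "DS"): ["12345 13 2 " + "ab" * 32],   # placeholder digest, not a real DS
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {audit_domain('example.com', recs) or ['ok']}")
```

Run against the weak set it reports the four expected problems (`?all`, `p=none`, no `rua=`, no DS); the hardened set returns no findings. To use it on a real domain, replace the constructed dictionaries with the TXT and DS answers from your resolver.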
5. Minimize Human Decision-Making
Even a portfolio of a few hundred domains involves thousands of resource records across many zone files, TLS certificates with varying renewal dates, and myriad security settings. Without an automated DNS management system, it’s easy for busy professionals to overlook a simple detail such as a domain renewal, a certificate expiry, or a typo in a zone edit. People are fallible, which means your employees are often the unwitting source of DNS security issues. The solution is to minimize the human factor by centralizing and automating DNS management. The dual benefit is improved security through error prevention and reduced staff effort.
6. Address Redirect Domains
Since Chrome began marking plain-HTTP pages as “Not secure” in mid-2018 and other browsers followed, HTTPS has become the norm. Enterprises have largely adopted HTTPS across their domain portfolios, with one common exception: redirect domains, the vanity and legacy names that send visitors on to the intended URL. A redirect domain without a TLS certificate answers the visitor’s first request in plaintext, and an on-path attacker can rewrite that response to send the visitor anywhere, before the encrypted destination is ever contacted. The destination’s own encryption is intact; it simply never gets the chance to protect that user. Organizations should therefore map their entire DNS network, including redirect domains, serve the redirect itself over HTTPS, and set HSTS so browsers stop making the plaintext request at all. The objective: encrypt everything.
7. Reclaim Orphaned Domains
Many companies have hundreds, even thousands, of domains under their control. Often a domain is registered for a short-term landing page or marketing campaign and forgotten once the campaign ends. Such “orphaned domains” are targeted by malicious parties for hijacking and misuse. If a forgotten domain is allowed to expire, anyone can re-register it and inherit the trust of every link, bookmark, and mail filter that still references it; if it stays registered but its records point at hosting or cloud resources that have since been released, whoever claims that resource controls what the name serves. In the worst instances, hijacked domains direct unsuspecting traffic to fraudulent websites or send convincing phishing mail from a name the company still owns. A unified, systems-based approach to DNS management can ensure that unused domains are deliberately retired: either renewed and parked on a minimal zone with no dangling records, a DMARC reject policy, and a null SPF record (v=spf1 -all) so the name cannot be used for mail, or allowed to expire only after confirming that nothing still depends on it.
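The two mechanical checks behind sections 3 and 7, as an added example that is not code from the original post: it parses two snapshots of a zone, produces the change digest a change-management system would mail out (SOA serial churn excluded), and flags CNAMEs whose target is neither in the zone nor known to resolve, which is the dangling record an attacker takes over. The snapshots and the set of resolvable names are constructed inline so it runs offline; in practice the set would come from a resolver pass over the targets. The parser handles one plain `owner TTL IN TYPE value` record per line and treats `;` as a comment, so it is not meant for TXT values that contain a semicolon.

```python
"""Diff two zone snapshots and flag dangling CNAMEs.

Added example; not code from the original post. Snapshots and the set of
names that resolve are constructed inline so it runs offline.
"""


def parse_zone(text):
    """Parse a minimal snapshot, one 'owner TTL IN TYPE value' record per line.

    Returns a set of (owner, type, value) tuples; owner names are normalised so
    that 'WWW.Example.com.' and 'www.example.com' compare equal. Quoted TXT
    values containing ';' are not handled (';' is treated as a comment).
    """
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # ';' starts a comment in zone files
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            raise ValueError(f"unparseable record: {raw!r}")
        owner, _ttl, _cls, rtype, value = parts
        records.add((owner.lower().rstrip("."), rtype.upper(), value.strip()))
    return records


def diff_zones(before, after, ignore_types=("SOA",)):
    """Return added and removed records, ignoring types (SOA by default) whose
    serial changes on every edit and would drown the real change."""
    def keep(record):
        return record[1] not in ignore_types
    return {
        "added": sorted(filter(keep, after - before)),
        "removed": sorted(filter(keep, before - after)),
    }


def find_dangling(records, live_names):
    """CNAMEs pointing at a name that is neither in the zone nor known to resolve.

    live_names stands in for a resolver check of external targets; in this
    example it is a constructed set.
    """
    owners = {owner for owner, _, _ in records}
    dangling = []
    for owner, rtype, value in records:
        if rtype != "CNAME":
            continue
        target = value.lower().rstrip(".")
        if target not in owners and target not in live_names:
            dangling.append((owner, target))
    return sorted(dangling)


def change_digest(before_text, after_text, live_names):
    """Lines for the alert a change-management system would send to the zone owner."""
    before, after = parse_zone(before_text), parse_zone(after_text)
    delta = diff_zones(before, after)
    lines = [f"+ {o} {t} {v}" for o, t, v in delta["added"]]
    lines += [f"- {o} {t} {v}" for o, t, v in delta["removed"]]
    lines += [f"! dangling CNAME {o} -> {t}" for o, t in find_dangling(after, live_names)]
    return lines


# Constructed snapshots: the same zone before and after an unreviewed edit.
BEFORE = """
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com.        3600 IN A     203.0.113.10
www.example.com.     300 IN CNAME example.com.
promo.example.com.   300 IN CNAME promo-site.example-hosting.test.   ; campaign host, since deprovisioned
"""
AFTER = """
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010102 7200 900 1209600 300
example.com.        3600 IN A     198.51.100.7
www.example.com.     300 IN CNAME example.com.
promo.example.com.   300 IN CNAME promo-site.example-hosting.test.
login.example.com.   300 IN A     192.0.2.5
"""
# Names confirmed to resolve (constructed; in practice the output of a resolver pass).
LIVE_NAMES = {"example.com"}

if __name__ == "__main__":
    print("\n".join(change_digest(BEFORE, AFTER, LIVE_NAMES)))
```

The digest for the constructed snapshots shows the apex A record swapped, a new `login` host added, and the forgotten `promo` CNAME still pointing at a host that no longer resolves. Wired to a nightly export from the DNS provider and an approval ticket lookup, the same logic is the automated change alert described in section 3.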
Before you can implement these solutions, you need to diagnose the problems.
Read our rundown of threats to DNS security to find out whether you’re putting your system at risk.