A Complete Guide to Defending the DNS
DNS Security: A Complicated Issue With a Simple Solution
No business can safely function without a secure, dedicated domain name space where it can interact with customers. Everything the digital organization does depends on the domain name system. The DNS enables commercial businesses, not-for-profits, and government agencies to serve, inform, and engage with customers, prospects, members, subscribers, taxpayers — anyone — on the internet.
Cyberattacks are increasingly targeting the internet’s directory: the DNS. A wave of DNS infrastructure tampering in early 2019, unprecedented in both number and severity, prompted the U.S. Department of Homeland Security to issue Emergency Directive 19-01 to federal agencies and public warnings to commercial organizations.
Why are organizations so vulnerable to DNS threats? The simple answer is that the DNS is hard to manage. Successful DNS compromises repeatedly exploit organizations’ failures to manage their DNS to a best-practices standard of security compliance.
Organizations need a different approach to external DNS security, one that is comprehensive and efficient. In this guide, we’ll cover the importance of the DNS to network security, what causes DNS problems, and how organizations can fortify their DNS defenses.
Why DNS Security Is Critical
Without adequate DNS security, your organization’s internet presence can put you and your customers at risk. Online communications and applications depend upon a digital chain of trust. We trust that the links we click are what they claim to be and that our online activity is safe from eavesdropping. Hackers know this and target the chain of trust to breach the authentication and privacy we count on.
When attackers abused a weakness in domain-ownership validation at the registrar GoDaddy in early 2019, they hijacked DNS for roughly 4,000 dormant domains belonging to 600 companies, including Mastercard, Facebook, ING Bank, and McDonald’s. With control of the DNS, the attackers impersonated the legitimate domain owners and used the domains for spam and fraud.
Post-event analysis reveals that the victim organizations had “orphaned domains”: registered domains whose name servers still pointed at a DNS service where no zone was actually configured, so anyone who could create a zone at that service could answer for the domain. Orphaned domains are one of many DNS security vulnerabilities that expose organizations to risk.
The internet only works if people trust that email, websites, and links are safe. Hackers undermine this trust whenever they impersonate someone else (in the guise of a website or email) to launch an attack.
DNS Security Vulnerabilities
Basic DNS security hinges on two things: authentication and privacy. Authentication is verifying that digital content is real and that the parties (content providers and users) are who they say they are. Encrypting online sessions to protect information from eavesdropping by third parties ensures privacy.
With privacy and authentication uppermost in mind, it’s easy to identify the common ways that DNS security is repeatedly compromised, even in companies that make IT security a high priority.
In 2018 the major browsers moved to “encryption everywhere,” with Chrome and others beginning to mark plain-HTTP pages as “not secure.” In response, the large majority of organizations have deployed valid TLS certificates to encrypt online sessions.
There is, however, a significant encryption vulnerability often overlooked by DNS administrators: redirect domains. Companies typically have hundreds of domains that point (or redirect) to intended online content. A common example is an old, legacy landing page from a discontinued marketing promotion that now redirects users to a new, updated content destination. To keep the whole chain encrypted, both the destination domain and the redirect domain need valid TLS certificates. When only the destination domain has one, the redirect domain either answers on plain HTTP or fails the TLS handshake, so the user’s first request (the hostname, path, and any query parameters) and the redirect itself travel in the clear, where an on-path attacker can read them or rewrite the redirect to a destination of his choosing. The solution: Ensure that every redirect domain is served over HTTPS with a valid TLS certificate and redirects only to HTTPS destinations.
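The check below is an added example, not code from the original article. It walks a redirect chain hop by hop and flags the three ways the chain leaks: a hop served over plaintext HTTP, an HTTPS hop whose certificate does not verify, and a redirect that points at an http:// destination. The sample chains, hostnames and paths are constructed for illustration; probe_hop and walk_chain perform live lookups and are provided for real use but are not called by the constructed example.

```python
"""Audit an HTTP redirect chain for hops that break encryption (added example)."""
import http.client
import ssl
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urljoin, urlparse


@dataclass
class Hop:
    url: str                  # URL requested at this hop
    status: int               # HTTP status returned (0 if the TLS handshake failed)
    location: Optional[str]   # Location header on a 3xx response, else None
    cert_valid: bool          # True only if the TLS handshake verified the certificate


def audit_chain(hops: List[Hop]) -> List[str]:
    """Return one finding per weak link; an empty list means the chain is fully encrypted."""
    findings = []
    for i, hop in enumerate(hops):
        parsed = urlparse(hop.url)
        if parsed.scheme != "https":
            findings.append(f"hop {i}: {parsed.hostname} served over plaintext {parsed.scheme}")
        elif not hop.cert_valid:
            findings.append(f"hop {i}: {parsed.hostname} presents an invalid TLS certificate")
        # A redirect to http:// downgrades the user even if this hop itself was encrypted.
        if 300 <= hop.status < 400 and hop.location:
            target = urlparse(urljoin(hop.url, hop.location))
            if target.scheme == "http":
                findings.append(f"hop {i}: {parsed.hostname} redirects to plaintext {target.geturl()}")
    return findings


def probe_hop(url: str, timeout: float = 5.0) -> Hop:
    """Fetch one URL without following redirects (live network call)."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    path = (p.path or "/") + (f"?{p.query}" if p.query else "")
    if p.scheme == "https":
        conn = http.client.HTTPSConnection(p.hostname, port, timeout=timeout,
                                           context=ssl.create_default_context())
        try:
            conn.request("HEAD", path)
        except ssl.SSLError:          # includes SSLCertVerificationError
            return Hop(url, 0, None, False)
        cert_valid = True
    else:
        conn = http.client.HTTPConnection(p.hostname, port, timeout=timeout)
        conn.request("HEAD", path)
        cert_valid = False
    resp = conn.getresponse()
    return Hop(url, resp.status, resp.getheader("Location"), cert_valid)


def walk_chain(url: str, max_hops: int = 10) -> List[Hop]:
    """Follow redirects from url, recording each hop, until a non-3xx answer (live)."""
    hops: List[Hop] = []
    while url and len(hops) < max_hops:
        hop = probe_hop(url)
        hops.append(hop)
        url = urljoin(hop.url, hop.location) if 300 <= hop.status < 400 and hop.location else None
    return hops


# Constructed sample chains (not real hosts). The legacy promo domain was never
# given a certificate, so it can only redirect over plaintext HTTP.
BROKEN_CHAIN = [
    Hop("http://promo.example.com/spring-sale", 301, "https://www.example.com/offers", False),
    Hop("https://www.example.com/offers", 200, None, True),
]
# The same chain after the redirect domain received a valid certificate.
FIXED_CHAIN = [
    Hop("https://promo.example.com/spring-sale", 301, "https://www.example.com/offers", True),
    Hop("https://www.example.com/offers", 200, None, True),
]

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN)):
        print(name, audit_chain(chain) or "OK")
```

In practice the chain comes from walk_chain run against each redirect domain in the inventory; any domain that produces a finding is a candidate for a certificate, an HTTPS listener, or a corrected Location header.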
While encryption is meant to ensure privacy, it does not address authentication. As web developer and blogger Scott Hanselman has put it, an encrypted session tells you nobody else is listening, not who is on the other end: you could be having a private conversation with Satan.
Hackers who manage to compromise the DNS can make your users’ private “conversations with Satan” look like private conversations with your organization. Compromised authentication is all about impersonation.
DNS hijacking, domain shadowing, and cache poisoning are variations of DNS authentication compromise. Each redirects unsuspecting visitors away from their intended destinations to potentially malicious websites. Bad actors can create look-alike content to impersonate the victim’s brand and defraud users in any number of ways, including stealing personal or financial information. And because domains are also used for email, impersonating a corporate email address is a common phishing tactic that can deceive both customers and company employees.
Authentication solutions have been available to organizations for many years. Domain Name System Security Extensions (DNSSEC) are an effective, even essential, DNS security measure to ensure authentication of DNS answers. Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC) are also highly recommended DNS-based measures for authenticating email. In fact, DHS Binding Operational Directive 18-01 required all U.S. federal civilian agencies to deploy DMARC with a reject policy by late 2018, resulting in significantly reduced instances of email phishing. In contrast, almost 50% of private-sector organizations operate without a DMARC policy in place, and 87% are vulnerable due to incomplete DMARC settings, such as a monitoring-only p=none policy.
DNSSEC, SPF, and DMARC are readily available to help organizations better secure their DNS operations. The problem: They are not being adopted or deployed. The reason? The DNS is hard to manage.
Why Is the DNS So Hard to Manage?
Experts agree that DNS security is vital yet under deployed in most organizations. Why is this? The reality is, effective DNS security is complex and costly to manage. Cost and complexity form barriers to effective DNS security adoption.
Managing the DNS is so complex and difficult in large part because organizations use multiple DNS service vendors, each with its own proprietary administrative platform and password access regime. Managing hundreds or thousands of domains across dozens of DNS services is inefficient and very difficult to monitor, update, and secure.
Then there are the dozens of resource records that make up each domain’s zone, all of which must be set up and monitored. HTTPS is required on each domain, with TLS certificates that expire and must be renewed on schedule. DNSSEC requires compatibility between each domain registrar, DNS service, and domain registry, and many DNS services don’t support it at all. Domains, DNS, TLS certificates, and DNSSEC signatures with their own validity windows and key rollovers make for a very messy environment, and an easily exploited chain of trust.
To put this problem into perspective, consider the life cycle of a typical domain. Someone in marketing requests the domain, an administrator orders it, someone else sets up the DNS zone files — the resource records — and ideally, a governance group takes responsibility for later updates and monitoring. IT security teams manage the security measures, but when it comes to domains and the DNS, that task often falls on separate network admin teams. That’s a lot of parties making inputs and updates, often without clear coordination or communication.
In such an environment, errors and oversights can weaken DNS security. Things become even more complicated after you scale this effort to the enterprise level. When thousands of DNS resource records are fragmented across dozens of vendor platforms, it’s almost impossible to manage them effectively.
Unfortunately, complexity causes more than just confusion. It puts your entire online presence at risk. For example, best practices dictate using DNSSEC, yet 87% of private sector companies lack DNSSEC protection — often simply because it hasn’t been configured properly. Finding and fixing DNS security issues like these across the DNS network requires significant effort; that’s why so many companies get by with inadequate DNS security compliance.
Most DNS security vulnerabilities today can be traced back to a few core causes. The first is relying on multiple domain registrars and DNS systems. Managing something as complex as the DNS across multiple disconnected platforms creates openings for DNS compromise. The second, covered next, is change that nobody is watching.
How Management Issues Threaten DNS Security
The DNS is always changing. Who made the changes? When were they made, and why? Were they logged and alerted to a central monitoring group? The reality is, most DNS compromises are executed without the knowledge of the network administrators because change management isn’t monitored, audited, or subject to change notification alerts.
DNS security demands a single source of truth for the many interconnected elements in the chain of trust. Without a centralized, transparent view of the entire system — domains, DNS resource records, TLS certificates, DNSSEC settings — DNS security is vulnerable, whether from malicious parties or staff errors and omissions.
Typically, DNS change management processes are manual. Email requests, service tickets, SharePoint forms, and Excel spreadsheets are the standard tools organizations use to manage their DNS estates. Such methods produce no reliable audit trail and no alerts, both of which need to be automated and tamper-proof.
Manual DNS management processes are inherently inefficient, making comprehensive DNS security both costly and impractical. If DNS security is weakened by inefficiencies, then streamlining and integrating the process will strengthen defenses by making compliance easier. It doesn’t take more security to protect your online presence: It takes better organization.
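The following is an added example, not code from the original article, showing the two controls the preceding paragraphs ask for: a diff of successive zone snapshots that raises an alert for any record change without an approved change ticket, and an append-only audit log in which each entry commits to the hash of the previous one, so a deleted or edited entry breaks verification. Snapshots are dicts keyed by (owner name, record type), as you would build from a zone transfer or a provider API export; the zone, records and ticket numbers are constructed.

```python
"""Detect unauthorized DNS changes and record them in a hash-chained audit log (added example)."""
import hashlib
import json
from typing import Dict, List, Optional, Set, Tuple

Zone = Dict[Tuple[str, str], Set[str]]   # (name, type) -> set of rdata strings

# Changes to these types usually mean a delegation or mail hijack, not routine ops.
HIGH_RISK_TYPES = {"NS", "MX", "DS", "SOA"}


def diff_zone(before: Zone, after: Zone) -> List[dict]:
    """Return one change record per (name, type) whose rdata set differs."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, set()), after.get(key, set())
        if old != new:
            name, rtype = key
            changes.append({
                "name": name, "type": rtype,
                "removed": sorted(old - new), "added": sorted(new - old),
                "severity": "high" if rtype in HIGH_RISK_TYPES else "medium",
            })
    return changes


class AuditLog:
    """Append-only log; entry N's hash covers entry N-1's hash plus its own payload."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(prev_hash: str, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode()).hexdigest()

    def append(self, change: dict, actor: str, ticket: Optional[str]) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        payload = {"change": change, "actor": actor, "ticket": ticket}
        entry = {"prev": prev, "payload": payload, "hash": self._digest(prev, payload)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """False if any entry was edited, removed, or reordered after the fact."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["payload"]):
                return False
            prev = entry["hash"]
        return True


def review(before: Zone, after: Zone, approved: Dict[Tuple[str, str], str],
           log: AuditLog, actor: str = "dns-monitor") -> List[dict]:
    """Log every change; return those with no approved ticket as alerts."""
    alerts = []
    for change in diff_zone(before, after):
        ticket = approved.get((change["name"], change["type"]))
        log.append(change, actor, ticket)
        if ticket is None:
            alerts.append(change)
    return alerts


# Constructed snapshots of a fictional zone on two consecutive days.
SNAPSHOT_MONDAY: Zone = {
    ("example.com.", "NS"): {"ns1.provider.example.", "ns2.provider.example."},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("www.example.com.", "A"): {"192.0.2.10"},
}
SNAPSHOT_TUESDAY: Zone = {
    ("example.com.", "NS"): {"ns1.provider.example.", "ns2.provider.example."},
    ("example.com.", "MX"): {"10 mail.attacker.example."},   # mail silently rerouted
    ("www.example.com.", "A"): {"192.0.2.11"},                # covered by a change ticket
}
# Constructed ticket: only the web server address change was approved.
APPROVED_CHANGES = {("www.example.com.", "A"): "CHG-1042"}

if __name__ == "__main__":
    audit = AuditLog()
    for alert in review(SNAPSHOT_MONDAY, SNAPSHOT_TUESDAY, APPROVED_CHANGES, audit):
        print(f"ALERT [{alert['severity']}] {alert['name']} {alert['type']}: "
              f"{alert['removed']} -> {alert['added']}")
    print("audit log intact:", audit.verify())
```

The MX change is the one that fires: it has no ticket and touches a high-risk type, which is exactly the pattern of a mail-interception hijack. Run the snapshot and review on a schedule from a host the DNS administrators cannot write to, and ship the log entries somewhere the same people cannot edit them.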
Taking a Seamless Approach to DNS Security
To improve DNS security, take these steps to streamline your DNS management:
1. Consolidate Domains and DNS Under a Single Enterprise-Grade Vendor
Relying on more than one domain registrar or DNS provider creates unnecessary complexity. Consolidating to a single point of control is a DNS security best practice. The first step is an audit to discover all domains, followed by migrating them to a single registrar and two DNS services (primary and secondary, so the delegation survives a provider outage). Post-consolidation, domains and DNS should be audited and cleaned up: remove orphaned domains and incorrect or redundant records, and close any gaps in HTTPS coverage.
2. Automate DNS Change Management Processes
The human factor is the easiest part of DNS security to compromise. Hackers are always on the hunt for errors and oversights they can exploit, beginning with weak or stolen registrar and DNS-provider credentials that permit unauthorized changes; multi-factor authentication on every such account is the minimum defense. Manual change management processes operating in silos are error-prone and inefficient. Automating change management with tamper-proof audit trails and change alerts therefore dramatically reduces exposure.
3. Implement Essential DNS Security Measures
DNS security measures including DNSSEC, DMARC, and SPF are proven measures to ensure authentication and defend against threats such as DNS hijacking and phishing. Lacking efficient means to manage these compliance standards, most organizations elect to simply do without. Nothing could be more dangerous, except perhaps the common scenario in which IT security believes it has DNSSEC, DMARC, and HTTPS in place only to learn that flawed configuration and deployment have invalidated the security. With the consolidation and change management automation steps described above, DNS security is simplified. At the same time, it becomes easier and more economically managed. There is no excuse not to maintain 100% compliance in an efficiently managed environment with a single source of truth over the entire DNS chain of trust.
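The audit below is an added example, not code from the original article, covering the SPF, DMARC and DNSSEC checks this step and the earlier discussion of incomplete DMARC settings call for. It goes beyond a presence check: it parses the records and reports the configurations that look deployed but protect nothing, such as a monitoring-only p=none policy, a pct below 100, an SPF record ending in +all or exceeding the ten-lookup limit of RFC 7208, and a signed zone whose parent publishes no DS record. The resolver is injected as a callable so the example runs offline against constructed records; for live use, pass a function that wraps a real resolver such as dnspython and returns the TXT, DNSKEY and DS rdata strings for a name.

```python
"""Audit a domain's SPF, DMARC and DNSSEC posture for hollow deployments (added example)."""
from typing import Callable, Dict, List, Optional, Set

Lookup = Callable[[str, str], List[str]]   # (name, rtype) -> list of rdata strings


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=none; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(lookup: Lookup, domain: str) -> List[str]:
    records = [r for r in lookup(f"_dmarc.{domain}", "TXT") if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["DMARC: no record; receivers cannot reject mail spoofing this domain"]
    if len(records) > 1:
        return ["DMARC: multiple records; receivers treat this as no policy"]
    tags = parse_dmarc(records[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} only monitors and blocks nothing")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} leaves a share of spoofed mail unfiltered")
    sub = tags.get("sp", "").lower()
    if sub and sub not in ("quarantine", "reject"):
        findings.append(f"DMARC: subdomain policy sp={sub} lets spoofed subdomain mail through")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so misconfigurations go unreported")
    return findings


def count_spf_lookups(lookup: Lookup, domain: str, seen: Optional[Set[str]] = None) -> int:
    """Count DNS-querying mechanisms across include/redirect chains (RFC 7208 caps this at 10)."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0
    seen.add(domain)
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return 0
    total = 0
    for term in records[0].split()[1:]:
        t = term.lstrip("+-~?").lower()
        if t.startswith("redirect="):
            total += 1 + count_spf_lookups(lookup, t.split("=", 1)[1], seen)
            continue
        mech = t.split(":", 1)[0].split("/", 1)[0]
        if mech in ("a", "mx", "ptr", "exists"):
            total += 1
        elif mech == "include":
            total += 1 + count_spf_lookups(lookup, t.split(":", 1)[1], seen)
    return total


def audit_spf(lookup: Lookup, domain: str) -> List[str]:
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF: no record; any host may claim to send as this domain"]
    if len(records) > 1:
        return ["SPF: multiple records; evaluators return permerror and ignore both"]
    findings = []
    terms = records[0].split()[1:]
    alls = [t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not alls or alls[-1] in ("+all", "all", "?all"):
        findings.append(f"SPF: '{alls[-1] if alls else 'none'}' default permits unauthorized senders; use -all or ~all")
    lookups = count_spf_lookups(lookup, domain)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10; evaluators return permerror")
    return findings


def audit_dnssec(lookup: Lookup, domain: str) -> List[str]:
    has_ds, has_dnskey = bool(lookup(domain, "DS")), bool(lookup(domain, "DNSKEY"))
    if has_ds and has_dnskey:
        return []
    if has_dnskey:
        return ["DNSSEC: zone is signed but the parent publishes no DS; validators cannot verify it"]
    if has_ds:
        return ["DNSSEC: DS published but zone has no DNSKEY; validating resolvers will SERVFAIL"]
    return ["DNSSEC: zone is not signed"]


def audit_domain(lookup: Lookup, domain: str) -> Dict[str, List[str]]:
    return {"spf": audit_spf(lookup, domain), "dmarc": audit_dmarc(lookup, domain),
            "dnssec": audit_dnssec(lookup, domain)}


# Constructed records for a fictional domain that "has DMARC and DNSSEC" on paper.
RECORDS = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.mailhost.example mx ~all"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 a -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"],
    ("example.com", "DNSKEY"): ["257 3 13 constructed-key-material"],
    ("example.com", "DS"): [],   # the registrar was never given the DS record
}


def constructed_lookup(name: str, rtype: str) -> List[str]:
    return RECORDS.get((name.lower(), rtype.upper()), [])


if __name__ == "__main__":
    for area, findings in audit_domain(constructed_lookup, "example.com").items():
        print(area, findings or "OK")
```

On the constructed records the domain passes the SPF check but fails DMARC twice (p=none and pct=50) and fails DNSSEC once: the zone is signed, yet without a DS at the parent no validating resolver will ever check those signatures. Those are precisely the "we have it in place" deployments that turn out to protect nothing.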
A Better Way to Manage the DNS
The difficulty of managing the DNS leads to inadequate DNS security in most organizations. But it doesn’t have to be that way. By taking a new approach to administering domains and the DNS, companies can simplify the onerous task of managing complex settings across multiple, non-connected vendors. New efficiencies will enable easier implementation of essential DNS security measures that can close significant cybersecurity gaps. The consequences for companies that do not make these changes can be catastrophic, as the Department of Homeland Security and others have pointed out.
Authentic Web has been at the forefront of this issue, studying the biggest DNS issues today and devising practical solutions. We have developed a suite of technologies for consolidating management onto a single platform with unified controls and devised DNS security best practices for improved oversight. Our approach reveals the problems currently hiding inside domains and prevents those problems from recurring. In the process, we empower companies to fully capitalize on their online presence.
When you’re ready to explore these issues in-depth, reach out to our team. We can help you discover the security and management issues within your own organization and then help you customize a solution. Contact us at firstname.lastname@example.org to arrange your domain/DNS audit.