11:12 PM
Dark Reading
Dark Reading
Quick Hits
Connect Directly

Keeping DNS Services Safe And Operational

Domain Name System technology is critical to your Internet communications. Here are some tips for keeping your DNS services -- and your data -- secure

[Excerpted from "Keeping DNS Services Safe and Operational," a new report published this week on Dark Reading's Security Services Tech Center.]

It's really easy to take a critical network service like Domain Name System, better known as DNS, for granted. After all, in most organizations, DNS usually works without a hitch and requires little day-to-day maintenance. Unfortunately, when DNS problems do surface, an entire business can be brought to a screeching halt.

Before Microsoft Active Directory forced DNS into a more prominent role in our data centers, the fallout from DNS issues often was confined to an inability to browse the Internet or use externally hosted Web applications. Back then, losing Internet access for a few hours wouldn't have been a huge deal for most enterprises. Today, when DNS goes down or is compromised, a whole host of other services and internal applications can be brought down with it--and that is a huge deal for any enterprise.

DNS isn't one of those network services that you can simply lock down and call it a day--for the Internet to function, DNS needs to be broadly available and it needs to be fast. While the inventors of DNS did not specifically cite packet overhead and speed as a concern in their original design, the selection of UDP as a transport to send and receive DNS queries was a great one because it helps ensure that the millions of queries per second being sent to certain DNS resolvers can be handled efficiently. However, the connectionless nature of DNS makes it easier for attackers to affect the reliability and availability of DNS itself.

What makes DNS defense complicated is that every organization must rely on upstream DNS resolvers and authoritative name servers to provide name services. The distributed, hierarchical nature of DNS means that we all need to rely on resolvers and name servers that are not under our control. In addition, while it seems simple on the surface or when only a fraction of its services are used, DNS is very complex. Indeed, there's a reason very large organizations have very smart people dedicated to managing DNS.

With all that said, the DNS attacks you're likely to see can be broadly categorized in two buckets: attacks on the integrity of your DNS database in the form of various DNS record hacks, and attacks on the availability of your DNS server in the form of a denial-of-service (DoS) attack.

To get a list of the types of DNS attacks your organization may encounter -- and some recommendations on what you can do about them -- download the free report on managing DNS services.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.