Don’t forget to lock the door

By Anthony Chadd, Director of Sales, EMEA, Neustar

Using a piecemeal "set and forget" approach to maintaining your DNS security puts thousands of businesses at risk of cyber-attacks every year. It is akin to closing the vault door, but not checking that it has actually been locked!

An alarming number of organisations are still leaving themselves wide open to cyber-crime and Distributed Denial of Service (DDoS) attacks, by not prioritising domain name system (DNS) security.

DNS is used by every single business on the internet, so seems perplexing that so few have full visibility or control over their DNS performance, security and stability. It's why attacks are so frequently felt and recognised around the world. It’s also being commonly playing out in the public domain as big businesses keep falling victim to DDoS attacks.

Control your digital identity by controlling your DNS

Gaining full visibility across all areas of DNS is vital for a company willing to ensure their users and customers’ security. When a website's DNS is compromised the whole system collapses, bringing email, apps and other services down with it.

To put it simply, a business's DNS is its digital identity. And having a safe and secure DNS is critical. Any organisation that relies on any form of online assets for day-to-day activities cannot afford to have their DNS compromised, and consequently, the businesses financials and reputation damaged.

In light of this, if you are responsible for IT security in your organisation, a regular and thorough DNS audit is mandatory to minimise the effects of issues such as server overloads from negative caching or low set time-to-lives (TTLs), before they become a major problem.

Don’t half-arse it

A DNS environment can change rapidly, which is why it must be checked and audited regularly. Otherwise, you are presenting pretty low-hanging fruit to cyber-criminals who are constantly innovating and finding new ways to attack potentially vulnerable organisations.

Here are some key considerations when auditing and maintaining the day-to-day health of the DNS.

  • Prevent email spoofing: Your sender policy framework (SPF) helps to prevent email spoofing within the organisation, if configured properly you are protecting yourself from cyber criminals sending emails from your business domain.
  • Let go of negative caching, fast: When a DNS servers hold on to negative responses as well as positive, the bandwidth of the server can be drastically reduced, thus causing downtime and overloads.
  • Configure TTL correctly: Time-to-live (TTL),the mechanism that sets time limits for recursive servers to refresh their DNS cache can overload the server with excessive queries if set too low, but if set too high you risk inflexibility in the event of any needed configuration change. It’s about finding the middle ground and analysing what works for your business.
  • Zone delegation set up: Incorrect zone delegation is one of the most common problems that are found during a DNS audit. Zones have to be set up correctly in order to properly redirect DNS queries.
  • Manage internal IP addresses correctly: All audits must include checking internal and external DNS are kept fully separate in order to avoid exposing information about your business through internal IP addresses in external DNS zones.
  • Clean up inactive domains: During an audit, check which of your domains are active and inactive, including domains you may have registered but never fully set up and be sure to delete or properly utilise the ones you have available.
  • Test your pointer records: Pointer (PTR) records, also known as reverse lookup, format an IP address in reverse order and let you use an IP address to find the host name. Any audit should test PTR record lookups to ensure they reverse the order of the octets in the IP address appropriately.

Along with a DNS audit the risk of downtime can be greatly reduced, through the deployment of a secondary (or failover) DNS service. This guarantees redundancy, particularly for mission-critical systems where any outage could cause a major disruption.