DNS Security Management
DNS Security Management offers an overall role-based security approach and discusses the various threats to the Domain Name Systems (DNS). This vital resource is filled with proven strategies for detecting and mitigating these all too frequent threats. The authors-noted experts on the topic-offer an introduction to the role of DNS and explore the operation of DNS. They cover a myriad of DNS vulnerabilities and include preventative strategies that can be implemented.
Comprehensive in scope, the text shows how to secure DNS resolution with the Domain Name System Security Extensions (DNSSEC). In addition, the text includes discussions on security applications facility by DNS, such as anti-spam, SPF, DANE and related CERT/SSHFP records. This important resource:
Presents security approaches for the various types of DNS deployments by role (e.g., recursive vs. authoritative)
Discusses DNS resolvers including host access protections, DHCP configurations and DNS recursive server IPs
Examines DNS data collection, data analytics, and detection strategies
With cyber attacks ever on the rise worldwide, DNS Security Management offers network engineers a much-needed resource that provides a clear understanding of the threats to networks in order to mitigate the risks and assess the strategies to defend against threats.
Michael Dooley is responsible for overall operations of the BT Diamond IP division. Mr. Dooley has more than 20 years of experience managing and developing large scale software products and has contributed significantly to the evolution of Internet technologies, particularly related to IP addressing, DHCP and DNS. In 2013 he co-authored the Wiley-IEEE Press title IPv6 Deployment and Management.
Timothy Rooney manages BT Diamond IP product development and has led the market introduction of four next-generation IP management systems: NetControl, IPControl, Sapphire appliances and ImageControl. In 2010, he authored the Wiley-IEEE Press title Introduction to IP Address Management and in 2011, IP Address Management Principles and Practice. In 2013 Mr. Rooney co-authored the Wiley-IEEE Press title IPv6 Deployment and Management.
DNS Security Management
WHY ATTACK DNS?
The Domain Name System (DNS) is fundamental to the proper operation of virtually all Internet Protocol (IP) network applications, from web browsing to email, multimedia applications, and more. Every time you type a web address, send an email or access an IP application, you use DNS. DNS provides the lookup service to translate the website name you entered, for example, to its corresponding IP address that your computer needs to communicate via the Internet.
This lookup service is more commonly referred to as a name resolution process, whereby a worldwide web "www" address is resolved to its IP address. And a given web page may require several DNS lookups. If you view the source of a random web page, for example, count the number of link, hypertext reference (href), and source (src) tags that contain a unique domain name. Each of these stimulate your browser to perform a DNS lookup to fetch the referenced image, file or script, and perhaps pre-fetch links. And each time you click a link to navigate to a new page, the process repeats with successive DNS lookups required to fully render the destination page.
Email too relies on DNS for email delivery, enabling you to send email using the familiar user@destination syntax, where DNS identifies the destination's IP address for transmission of the email. And DNS goes well beyond web or email address resolution. Virtually every application on your computer, tablet, smartphone, security cameras, thermostats, and other "things" that access the Internet require DNS for proper operation. Without DNS, navigating and accessing Internet applications would be all but impossible.
An outage or an attack that renders the DNS service unavailable or which manipulates the integrity of the data contained within DNS can effectively bring a network down from an end user perspective. Even if network connectivity exists, unless you already know the IP address of the site to which you'd like to connect and enter it into the browser address field, you'll be unable to connect, and you won't see any linked images or content.
Such an event of the unavailability of DNS will likely spur a flurry of old fashioned phone calls to your support desk or call center to politely report the problem. IP network administrators generally desire to minimize such calls to the support center, polite or otherwise, given that it forces those supporting the network to drop what they're doing and resolve the issue with the added pressure of visibility across the wider IT or Operations organization.
DNS as a Backdoor
Just as DNS is the first step in allowing users to connect to websites, it is likewise usable by bad actors to connect to internal targets within your enterprise and external command and control centers for updates and directives to perform nefarious tasks. Given the necessity of DNS, DNS traffic is generally permitted to flow freely through networks, exposing networks to attacks that leverage this freedom of communications for lookups or for tunneling of data out of the organization.
Thus, attacking DNS could not only effectively bring down a network from users' perspectives, leveraging DNS could enable attackers to communicate to malware-infected devices within the network to initiate internal attacks, to exfiltrate sensitive information, or to perform other malicious activity. Malware-infected devices may be enlisted to serve as remote robots or bots under the control of an attacker. A collection of such bots is referred to as a botnet . A botnet enables an attacker to enlist an army of devices potentially installed around the world to perform software programmable actions.
By its very nature, the global Internet DNS system serves as a distributed data repository containing domain names (e.g., for websites)