
A Primer on DNS and Security

Published in Security on November 4, 2018

If you’re reading this article you’ve interacted with DNS. In fact, you’d be hard pressed to spend any time online and not interact with DNS.

Many of us spend very little time thinking about it. By design, it’s a “set-it and forget-it” tool that is often set up on our behalf (e.g., our home network, local ISP, office network). Ironically, it’s a critical piece of our security landscape.

This post will explain what DNS is and highlight some of its key security considerations.

What is DNS?

DNS stands for Domain Name System; you might also hear the same abbreviation used for Domain Name Server.

It is the mechanism that allows us to find our favorite websites (e.g., amazon.com, perezbox.com, etc…). Technically speaking, it is a redundant, hierarchical, distributed database that is used to pass information about domain names. There are four types of Domain Name Servers that make up the Domain Name System:


| Server Type | Description | Layman’s Explanation |
|---|---|---|
| Recursive DNS | Recursive DNS nameservers are responsible for providing the proper IP address of the intended domain name to the requesting host. | This is our gateway to the web; it’s through this server that we access the rest of the internet. These servers don’t know anything about domains themselves, but they are great at asking questions. |
| Root DNS | The authoritative name servers that serve the DNS root zone. | These servers are the gateway to the internet. They are the first connection every recursive DNS server has to make. |
| TLD Root DNS | The authoritative name servers for a Top Level Domain (TLD), for example .com, .net, .org. Every TLD has a TLD root DNS. | These servers keep a list of all the Fully Qualified Domain Names (FQDN) on their specific TLD. |
| Authoritative DNS | These servers are the authority on domain names. | These servers contain all the information associated with a specific domain (e.g., perezbox.com is located at 192.124.249.15). |

DNS communicates using the User Datagram Protocol (UDP) over port 53. This may not mean much to you now, but it will come together in future articles; for now it is important to understand that it is not TCP/IP.

The easiest way to show you the communication flow is to capture it in an illustration:

To learn more about the TCP/IP and HTTP/TLS handshakes, see my last article, How HTTPS Works.

DNS Security Considerations

Few SMBs give DNS much thought when thinking through their security. Yet it’s the one feature that can dramatically affect your business.

An attack on your DNS has the ability to cripple your organization: it can take down your entire web presence (e.g., your website) and disrupt your communication medium (e-mail services). What would happen to your business if customers could not access your website? Or if you did not receive any email for a prolonged period of time?

There are aspects of the DNS that are completely out of your control (e.g., Root and TLD Root DNS servers), but they are highly redundant and secure. The issues you can focus on are a lot closer to home, specifically Recursive DNS servers and Authoritative DNS servers.

Five Security Considerations

There are a number of DNS specific security issues to be aware of, but for this post I’m going to focus on the following five:


| Type | Description |
|---|---|
| DNS Spoofing | Also known as DNS cache poisoning, this is when an attacker is able to poison the cache in your recursive DNS server. The attacker injects bad instructions into the cache, so that instead of perezbox.com resolving to 192.124.249.15 it goes to another IP. |
| Social Engineering | This is where the attacker tricks whoever manages the Authoritative DNS zone for your domain into making changes on your behalf. |
| Availability | The key to DNS working is making sure it’s available. If any part of the DNS architecture is down, you won’t be able to access the internet. This is where Distributed Denial of Service (DDoS) attacks come into play, and why it’s so important that you use a good Authoritative DNS provider. |
| Administrative Compromise | This is where an attacker is able to steal your credentials and take ownership of your DNS. It’s why it’s so important that you practice good online hygiene with passwords and deploy appropriate controls like 2FA/MFA on your accounts. |
| Vulnerability Exploit | This is out of your control as a user, and refers to the exploitation of software running on DNS servers. I raise this caution for organizations that might run their own internal DNS, and emphasize the importance of functional isolation. |
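The spoofing entry above, and the UDP port 53 exchange described earlier, both come down to how a recursive resolver decides whether a reply belongs to a query it actually sent. The Python below is an added example, not code from the original post: it builds a DNS A query for perezbox.com, parses a constructed response (including RFC 1035 name compression), and accepts the answer only when the transaction ID and question match the outstanding query. The transaction ID 0x1A2B and the 203.0.113.7 address are constructed values.

```python
import struct
def encode_name(name):
    # "perezbox.com" -> b"\x08perezbox\x03com\x00" (length-prefixed labels, zero terminator)
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def build_query(name, txid):
    # 12-byte header (ID, flags RD=1, QDCOUNT=1) followed by one question: QTYPE=A, QCLASS=IN
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, ip):
    # Constructed reply: flags QR|RD|RA, one A record whose owner name is a pointer (0xC00C) to the question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + rr

def decode_name(data, offset):
    # Walk the labels, following RFC 1035 compression pointers; return (name, offset just past the name)
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            labels.append(decode_name(data, struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_message(data):
    # Extract transaction ID, the question, and any A-record answers from a query or a response
    txid, _flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    qname, offset = decode_name(data, 12)
    qtype = struct.unpack("!H", data[offset:offset + 2])[0]
    offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:  # A record: four-octet IPv4 address
            answers.append(".".join(str(b) for b in data[offset:offset + 4]))
        offset += rdlen
    return {"id": txid, "qname": qname.lower(), "qtype": qtype, "answers": answers}

def accept_response(query, response):
    # A resolver caches a reply only if its ID and question match an outstanding query; otherwise it is dropped
    q, r = parse_message(query), parse_message(response)
    if (r["id"], r["qname"], r["qtype"]) != (q["id"], q["qname"], q["qtype"]):
        return None
    return r["answers"]
```

Real resolvers also randomise the UDP source port and check that the reply came from the server they asked; the ID and question check shown here is the minimum that makes a blind forged reply miss.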

Planning for DNS Security

As you plan for your security, be sure to account for DNS. Personally, I leverage CleanBrowsing as my DNS Resolver, and Sucuri as the Authoritative DNS for my domains.

There are other technical things we can look to employ to secure DNS, but that’s a subject for another post.

Category: Security Topics: End User Security, Security Tools And Technology, Web And Information Security

About Tony Perez

One of CleanBrowsing and NOC.org Founders. Formerly GoDaddy's General Manager (GM) for the Security Product Group. Responsible for the Sucuri brand, Certificate Authority (CA), Content Distribution Network (CDN), Website Application Firewall (WAF), Website Backups, Monitoring, and Incident Response products and services. The former CEO / Co-Founder of Sucuri and US Marine.

You can follow me on Twitter at @perezbox.
