Navigating the Digital Landscape: DNS Security in the Modern Age of Cyber Threats

Can you briefly explain what the Domain Name System (DNS) is and its role in the functioning of the Internet?

Christophe Gérard: The Internet Protocol (IP), also known as the Internet, is how machines communicate with each other using IP addresses such as 194.153.205.26. It works perfectly between machines, but is a nightmare for the human brain, which has difficulty identifying, memorizing, and transmitting such series of numbers. To solve this problem and help users interact with online resources, Paul Mockapetris created the Domain Name System (DNS), a giant Internet Directory Service translating human-readable Domain Names, such as “wikipedia.de”, into corresponding IP addresses.

As the world went digital, the DNS became indispensable, and today it plays a central role in the functioning of the Internet. Various online services such as websites, emails, applications, VPN, IoT, VoIP, all rely on Domain Names to be reachable.

Are there different types of Domain Names?

Gérard: Technically, Domain Names all work the same way, based on DNS resolution. They differ at the TLD (Top Level Domain) level, such as .com or .de; TLDs can be very different in terms of marketing impact, performance, or security level. Companies will register tens, hundreds, or thousands of Domain Names for communication or defensive purposes. However, most companies will use only one unique Domain Name to access all of their critical online services. Such a Domain Name becomes an absolute strategic digital asset for the company that relies on it to be reachable online. A disruption has immediate consequences in terms of data or financial loss, visibility, or brand image. In the end, I would define only two types of Domain Names, defensive and strategic.

What are the top DNS security threats and vulnerabilities?

Gérard: The DNS is exposed to a large attack surface – and surprisingly often forgotten by security services. CISOs still focus on the application layer of security and forget about the DNS, which is key to accessing communications and Internet services. There are two main categories of threats: the risk of Domain Name compromise and the risk of technical attacks targeting the DNS servers.

The first category is more complex for an attacker to set up, but has dramatic consequences in terms of recovery time. The cyber attacker will try to hijack the Domain Name management platform, at the corporate or registrar (Domain Name provider) level, using various techniques such as phishing, whaling, constraint – and will gain full control of the Domain Names, able to modify, delete, or transfer them for criminal purposes. Recovery can take days or even weeks, which is intolerable for strategic Domain Names.

The second category is at the DNS infrastructure itself. The attacker will attack with DDoS focused on DNS, DNS water torture, DNS spoofing – all kinds of barbaric words with the same consequences: a Domain Name unavailable or redirected to a fraudulent site. Recovery may be shorter, but who can afford to have their digital applications unavailable for a few hours?

Do you have any numbers and statistics about these attacks?

Gérard: The history of the Internet is full of examples of such attacks, even recently. We see daily attempts to corrupt Domain Names or target our DNS infrastructure. Since the pandemic, DNS attacks have increased by a factor of seven. The most common attack vector is DNS-based DDoS attacks, which last on average more than three hours.  What is frightening is the diversity of targets. Companies of all sizes and industries are now being targeted through the DNS. Companies should no longer ask themselves if they are a potential target, but when they will be attacked – and have they considered security measures.

What can organizations do to prevent DNS-based attacks?

Gérard: Rely on DNS experts to understand the context, train and inform those responsible, and act with confidence. This is critical in an ever-changing environment on which critical services depend. Then make sure a few effective measures are considered and put in place. Registry Lock is the first step to lock the domain at the registry level and prevent it from being compromised, transferred, or deleted. DDoS mitigation is key to face the most common attacks, as well as anycast DNS infrastructure based on different TLDs and autonomous systems. DNSSEC should definitely be considered as it prevents MITM type attacks that are very difficult to detect.

By implementing these measures, organizations can significantly strengthen their DNS security posture, protect against potential vulnerabilities, and ensure the continuity of critical online services while maintaining the integrity and privacy of user data.

What are the pitfalls in implementing these measures?

Gérard: When implementing measures to improve DNS security, organizations must overcome certain obstacles to ensure a successful and effective implementation:

Gaining the commitment of the organization’s leadership and stakeholders is paramount. Adequate resources, both in terms of budget and personnel, must be allocated to support the implementation and ongoing maintenance of DNS security measures.

Because DNS services are critical to an organization’s online operations, maintaining DNS uptime throughout the implementation process is critical. A meticulous approach is required to minimize downtime and potential impact on user experience. Working with experienced partners with a proven track record in DNS security will help ensure a smoother transition.

By addressing these stumbling blocks with a strategic and cautious approach, organizations can maximize the effectiveness of their DNS security measures while ensuring minimal disruption to their online services.

What emerging trends do you see in DNS security?

Gérard: The core mechanics of DNS are not changing significantly. The basic process of translating Domain Names into IP addresses remains consistent, providing stability in the operation of the Domain Naming System.

We do see DNS Security Extensions (DNSSEC) becoming increasingly important. Recent statistics show growing adoption rates, indicating a heightened awareness of the importance of authentication in securing DNS data integrity. While DNS over TLS and DNS over HTTPS provide encryption for enhanced privacy, they may not be widely adopted. Their complexity and potential overhead, combined with the encryption of name resolution data, present challenges that may hinder their wider adoption by DNS resolver networks.

DMARC, a DNS-based mechanism, is also proving to be an effective tool against phishing attacks. By aligning domain policy and email authentication, DMARC helps verify the authenticity of sender domains, strengthening overall email security.

As DNS security continues to evolve, these trends reflect the industry’s efforts to balance encryption, privacy, and usability while addressing the evolving threat landscape.

Christophe Gérard has been working in the domain name, DNS, and cybersecurity industry since 2001; dealing with the marketing, performance, and security aspects of organizations’ digital assets.
As Nameshield’s Chief Product Officer, he now manages the company’s various product lines to build a complete solution to manage, protect, monitor, and provide remediation services for strategic domain names.