6 Tips for a Fail-safe DNS
Klaus Darilion, DNS expert at nic.at, provides valuable tips and tricks on how to upgrade the security of your DNS infrastructure.
The Domain Name System (DNS) is what every domain-based service relies on to find the IP address of the relevant server. This includes, for example, your company website, a web shop, email communication, or the hostnames of internal services (e.g. SAP, databases). It is therefore essential that the DNS infrastructure is stable and fail-safe. Klaus Darilion, DNS expert at nic.at, gives helpful tips and tricks on how to set up your DNS infrastructure to make it even more secure.
1. Separate infrastructure from public services
“Authoritative name servers” are the source of truth for a zone's data, i.e. for mapping its domain names to IP addresses. They must be reachable from the public Internet; otherwise, Internet users cannot resolve the respective domain names, and if they are unavailable, the domain does not resolve at all. If the domain is used for a web shop and you thus lose customers, this is bad enough. If the same domain is also used for the company email and for internal resources, the whole company is affected and employees cannot work anymore. This leads not only to financial damage but also to a damaged reputation.
To give you an example: if your company is called “Example Ltd.,” you may use www.example.com for your website and @example.com for your email communication. For your internal resources, consider a dedicated zone such as “example-infra.com” for your routers, servers, and internal services. If that is not possible for legacy reasons, make sure the domain still resolves inside your company network even when the public authoritative name servers are unreachable. For this, use “split DNS” or dedicated internal authoritative name servers that hold a copy of the zone, and configure your internal DNS resolvers to “forward” queries for your own domains to those internal authoritative servers instead of following the public delegation.
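The two BIND 9 configuration fragments that implement this split-DNS setup, plus a check that an internal client really resolves via the internal path. This is an added example, not configuration from the article or from RcodeZero DNS. It assumes BIND 9.16+ syntax (“type secondary”, “primaries”), the public zone example.com, two internal authoritative servers 10.0.0.53 and 10.0.1.53, an internal resolver 10.0.0.2, and a hidden primary 10.0.0.10 that feeds both the public provider and the internal secondaries; all of these addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): BIND 9 fragments for split DNS.
# Assumed placeholders: zone example.com, internal authoritative servers
# 10.0.0.53 / 10.0.1.53, internal resolver 10.0.0.2, hidden primary 10.0.0.10.

# Stanza for the internal recursive resolvers: send every query for ZONE to the
# internal authoritative servers instead of following the public delegation.
# "forward only" means internal names never depend on the public name servers
# (and queries for internal-only names never leak out to the Internet).
internal_resolver_conf() {
    zone=$1; shift
    forwarders=""
    for ns in "$@"; do forwarders="${forwarders}${ns}; "; done
    cat <<EOF
zone "${zone}" {
    type forward;
    forward only;
    forwarders { ${forwarders}};
};
EOF
}

# Stanza for the internal authoritative servers: hold a full copy of the zone,
# transferred from the hidden primary, so the zone keeps resolving inside the
# company even if every public name server is unreachable.
internal_secondary_conf() {
    zone=$1; primary=$2
    cat <<EOF
zone "${zone}" {
    type secondary;
    primaries { ${primary}; };
    file "${zone}.db";
    allow-transfer { none; };
};
EOF
}

# Check from an internal client: the answer obtained through the internal
# resolver must equal the answer of an internal authoritative server, which
# proves the query did not go out to the public name servers.
verify_internal_resolution() {
    name=$1; resolver=$2; internal_ns=$3
    via_resolver=$(dig +short @"$resolver" "$name" A | sort)
    direct=$(dig +short @"$internal_ns" "$name" A | sort)
    if [ -n "$direct" ] && [ "$via_resolver" = "$direct" ]; then
        echo "OK: $name -> $direct via $resolver (matches $internal_ns)"
    else
        echo "FAIL: $resolver answered '$via_resolver', $internal_ns answered '$direct'" >&2
        return 1
    fi
}

# Usage: split-dns.sh resolver | secondary | verify
if [ $# -gt 0 ]; then
    case "$1" in
        resolver)  internal_resolver_conf example.com 10.0.0.53 10.0.1.53 ;;
        secondary) internal_secondary_conf example.com 10.0.0.10 ;;
        verify)    verify_internal_resolution www.example.com 10.0.0.2 10.0.0.53 ;;
    esac
fi
```

The hidden primary must list the internal secondaries in its allow-transfer and also-notify options, otherwise the internal copy silently goes stale; run the verify step from a client after every change to the public provider to confirm the internal path is still the one being used.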
2. Location of authoritative DNS
When talking about DDoS targets, many people immediately think of a company's website. This is probably why many enterprises have dedicated DDoS protection for their websites and web shops. Nevertheless, attackers are smart and try to attack everything that may hurt the victim: email servers, authoritative name servers, the company's Internet connection, and the routers of the company network. All of these targets must be considered when planning DDoS protection.
In the early days of IT, a company had a single Internet connection and a single network shared by its public and internal services. Hence, a DDoS attack against the company website could saturate the Internet connection and the company network. Most enterprises now host their websites outside the company network, at an ISP or in the cloud, but many still self-host DNS and email in their own network. Thus, a targeted attack against the authoritative name servers traverses the company's Internet connection, its internal networks, and possibly several firewalls.
Even if the name server itself can handle the attack, the Internet connection may saturate, firewalls may be overloaded, and the whole company network goes down, although only the name servers were attacked. Conversely, an attack against some other part of the company's network may overload the Internet connection so that the name servers are no longer reachable. In that scenario the company's web shop may still be working fine, yet Internet users cannot resolve the web shop's domain name because of an unrelated attack.
Our recommendation: Put your public authoritative name servers into the public network, and not into your internal company network. Locate them at some Internet service provider or in the cloud, or use DNS services of specialized DNS service providers like RcodeZero DNS.
Note: If your internal services also rely on domains hosted outside your network, as discussed in the previous section, make sure to also have a copy of the zone on internal authoritative name servers.
3. Avoid firewalls and load balancers in front of name services
The purpose of a firewall is to control access to certain resources. A public authoritative name server is public by definition, so there is no point in putting a dedicated firewall in front of DNS port 53. Of course, the host running the name service should still be protected (e.g. SSH access restricted), but there is no need to filter and track port 53.
DNS mostly uses UDP as its transport protocol, where each query arrives from an arbitrary source IP address and source port. With a stateful firewall, every single DNS query creates a “connection” entry in the firewall's state table. State tables are a limited resource, and in recent attacks against DNS servers the outages were often caused by overflowing firewall state tables rather than by the name servers themselves. Hence, a simple iptables/nftables rule set on the name server host that only allows UDP and TCP port 53 without state tracking (“NOTRACK”) usually outperforms a dedicated firewall appliance and saves resources on the expensive enterprise firewalls.
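An nftables ruleset that does exactly this, added here as an example and not taken from the article or from any nic.at/RcodeZero system. It assumes a single-purpose name server host with a public address (notrack also disables NAT for those packets), SSH management from the placeholder network 192.0.2.0/24, and nft 0.9 or later. The one detail that bites in practice is rule order: untracked packets never match “ct state established”, so port 53 must be accepted before the conntrack rules.

```shell
#!/bin/sh
# Added example (not from the original article): nftables ruleset for a public
# authoritative name server with DNS kept out of connection tracking.
# Assumed placeholder: management network 192.0.2.0/24 (first argument).

dns_ruleset() {
    mgmt=$1   # CIDR allowed to reach SSH
    cat <<EOF
# Replaces the whole ruleset; drop this line if other tables must survive.
flush ruleset

table inet dns {
    # Priority -300 ("raw") runs before conntrack, so notrack stops every
    # DNS packet from consuming a state-table entry.
    chain raw_prerouting {
        type filter hook prerouting priority -300; policy accept;
        udp dport 53 notrack
        tcp dport 53 notrack
    }
    chain raw_output {
        type filter hook output priority -300; policy accept;
        udp sport 53 notrack
        tcp sport 53 notrack
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept

        # DNS is public: accept it before any ct state rule. Untracked
        # packets never match "established", so these two lines must come first.
        udp dport 53 accept
        tcp dport 53 accept

        # Everything else (SSH replies, zone transfers we initiated, NOTIFY
        # responses) is still tracked normally.
        ct state established,related accept
        ct state invalid drop

        # Management plane: SSH only from the admin network.
        ip saddr ${mgmt} tcp dport 22 accept

        # Enough ICMP/ICMPv6 for path MTU discovery and neighbour discovery.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert } accept
    }
}
EOF
}

# Usage: dns-fw.sh show 192.0.2.0/24   (print)   |   dns-fw.sh apply 192.0.2.0/24   (load with nft)
if [ $# -ge 2 ]; then
    case "$1" in
        show)  dns_ruleset "$2" ;;
        apply) dns_ruleset "$2" | nft -f - ;;
    esac
fi
```

After loading it, `conntrack -L | grep -c 'dport=53'` should stay at zero under query load, which is the whole point. The iptables equivalent is `iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK` (and the same for TCP and for OUTPUT with `--sport 53`) followed by an explicit `-A INPUT -p udp --dport 53 -j ACCEPT` ahead of the conntrack rules.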
4. DNSSEC for end-to-end validation
Nowadays, end-to-end protection for services mostly uses application-layer security, e.g. TLS for HTTPS-protected websites. However, there are still services without end-to-end security, such as email, which are vulnerable to man-in-the-middle attacks, and those attacks may rely on DNS spoofing (for example, forging the MX records of a domain to redirect its mail). The only technology that prevents DNS spoofing at the source is DNSSEC. The bad news is that, although the solution exists, DNSSEC is still complicated and error prone: a mistake in key handling or signature renewal makes the domain unresolvable for every validating resolver.
Our tip: before deploying DNSSEC, understand the technology and test the DNSSEC procedures (signing, key rollovers, DS updates at the registry) extensively. Alternatively, if you do not want to take on that work, use a DNS provider that offers DNSSEC signing of customer zones, such as RcodeZero DNS, which offers DNSSEC support free of charge.
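A DNSSEC smoke test that tells a validation failure apart from a plain outage, added here as an example; it is not code from the article or from RcodeZero DNS. It assumes dig from BIND 9, a validating resolver (9.9.9.9 is only a placeholder default; any resolver you know validates will do) and the zone example.com. The dig output embedded below is constructed for the example, not captured from a real server. The trick is the second query with +cd (checking disabled): if that one succeeds while the normal query returns SERVFAIL, the data exists but fails validation, which is exactly the DS/DNSKEY mismatch or expired-signature failure the text warns about.

```shell
#!/bin/sh
# Added example (not from the original article): DNSSEC smoke test with dig.
# Assumed placeholders: validating resolver 9.9.9.9, zone example.com.

# --- parsing helpers for dig output ---------------------------------------

# Print the RCODE ("NOERROR", "SERVFAIL", ...) from the dig header line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the header flags, e.g. "qr rd ra ad".
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# Print the earliest RRSIG expiration (YYYYMMDDHHMMSS) in the output. RRSIG
# rdata is: type-covered alg labels orig-ttl expiration inception keytag signer sig.
earliest_rrsig_expiration() {
    awk '$4 == "RRSIG" { print $9 }' | sort -n | head -n 1
}

# Combine a normal query and a +cd query into one verdict:
#   secure      validated answer (ad flag set)
#   insecure    answer without ad: zone unsigned, or the resolver does not validate
#   bogus       validation failed: +cd gets an answer, the normal query SERVFAILs
#   unreachable both queries failed: a server problem, not a DNSSEC problem
dnssec_verdict() {
    status=$1; flags=$2; status_cd=$3
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL)
            if [ "$status_cd" = NOERROR ]; then echo bogus; else echo unreachable; fi ;;
        *) echo "$status" ;;
    esac
}

# Run both queries and report the verdict plus the earliest signature expiry,
# so a signature that is about to lapse is caught before the zone goes bogus.
dnssec_check() {
    zone=$1; resolver=${2:-9.9.9.9}
    normal=$(dig @"$resolver" "$zone" SOA +dnssec)
    cd_out=$(dig @"$resolver" "$zone" SOA +dnssec +cd)
    verdict=$(dnssec_verdict "$(printf '%s\n' "$normal" | dig_status)" \
                             "$(printf '%s\n' "$normal" | dig_flags)" \
                             "$(printf '%s\n' "$cd_out" | dig_status)")
    expiry=$(printf '%s\n' "$cd_out" | earliest_rrsig_expiration)
    echo "$zone: $verdict${expiry:+ (earliest RRSIG expiry $expiry)}"
    [ "$verdict" = secure ]
}

# Constructed sample of a validated answer (not captured from a real server),
# kept here so the parsers can be exercised offline.
SAMPLE_SECURE='; <<>> DiG 9.18.24 <<>> @9.9.9.9 example.com SOA +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024050101 7200 3600 1209600 3600
example.com.  3600  IN  RRSIG  SOA 13 2 3600 20240601000000 20240501000000 12345 example.com. AbCdEf=='

# Usage: dnssec-check.sh example.com [resolver]
if [ $# -gt 0 ]; then
    dnssec_check "$@"
fi
```

An “insecure” verdict from a resolver you are sure validates means the chain of trust is incomplete, typically a DS record missing at the parent; “delv @resolver example.com SOA” prints the full validation chain when you need to see where it stops.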
5. Use a Unix-based operating system
We recommend a Unix-based operating system and a well-known, trusted name server implementation such as BIND, NSD, Knot DNS, or PowerDNS. Also, keep the name server software up to date, since DNS software receives regular security fixes. Alternatively, if you do not want to take on that work, use a DNS provider like RcodeZero DNS that does it for you.
6. Use a multi-provider strategy
Although every DNS provider promises 100 percent availability, history shows that nobody is immune: anyone can fail due to human error, technical failure, or simply a new DDoS traffic record. Using a second DNS provider of course increases your costs; however, these costs are usually negligible within an IT security budget. Alternatively, use an external DNS provider and operate one set of name servers yourself. Services such as RcodeZero DNS can be used as either primary or secondary DNS.
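A second provider only helps if both actually serve the same zone, so the check worth automating is consistency: every authoritative server must return the same SOA serial (otherwise one provider is stale) and the same NS set the parent delegates to (otherwise part of the world never reaches the second provider). This is an added example, not a script from the article or from RcodeZero DNS; it assumes dig from BIND 9 and uses the zone example.com and name-server names as placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): consistency check across
# DNS providers. Assumed placeholders: zone example.com and its name servers.

# Third field of "dig +short ZONE SOA" output is the serial
# (mname rname serial refresh retry expire minimum).
soa_serial() { awk 'NF >= 7 { print $3; exit }'; }

# Read one value per line; succeed only if all lines are identical
# (an empty input counts as a failure).
all_same() { [ "$(sort -u | wc -l | tr -d ' ')" -eq 1 ]; }

# Normalise an NS list (one name per line) for comparison: lower-case, sorted.
norm_ns() { tr 'A-Z' 'a-z' | sed '/^$/d' | sort -u; }

# NS set as delegated by the parent zone: ask one of the parent's servers
# non-recursively and read the referral from the AUTHORITY section.
delegation_ns() {
    zone=$1
    parent=${zone#*.}
    parent_ns=$(dig +short "$parent" NS | head -n 1)
    dig +norecurse +noall +authority @"$parent_ns" "$zone" NS \
        | awk '$4 == "NS" { print $5 }' | norm_ns
}

# Query every listed server and report serial drift or NS-set mismatches.
check_providers() {
    zone=$1; shift
    tmp=$(mktemp -d); rc=0
    for ns in "$@"; do
        serial=$(dig +short @"$ns" "$zone" SOA | soa_serial)
        echo "${serial:-NO-ANSWER}" >> "$tmp/serials"
        dig +short @"$ns" "$zone" NS | norm_ns > "$tmp/ns.$ns"
        printf '%-28s serial=%s\n' "$ns" "${serial:-NO-ANSWER}"
    done
    all_same < "$tmp/serials" || { echo "FAIL: SOA serials differ between providers" >&2; rc=1; }
    delegation_ns "$zone" > "$tmp/ns.delegation"
    for ns in "$@"; do
        cmp -s "$tmp/ns.$ns" "$tmp/ns.delegation" \
            || { echo "FAIL: NS set at $ns differs from the parent delegation" >&2; rc=1; }
    done
    rm -rf "$tmp"
    return $rc
}

# Usage: multi-provider-check.sh example.com ns1.provider-a.example ns1.provider-b.example
if [ $# -gt 1 ]; then
    check_providers "$@"
fi
```

Run it from cron after every zone change and after each provider's maintenance; a serial that lags for longer than the zone's refresh interval means NOTIFY or AXFR from the primary to that provider is broken. If the zone is DNSSEC-signed, sign it once on your own hidden primary and transfer the signed zone to both providers, so both serve identical DNSKEY and RRSIG records; letting each provider sign independently requires a multi-signer setup and is a common way to make a multi-provider zone bogus.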
If you are interested, RcodeZero DNS offers a 30 days' test free of charge at www.rcodezero.at.
Klaus Darilion is Head of Operations at nic.at, the Austrian registry for .at domains. Additionally, he is credited as the technical mastermind behind RcodeZero DNS, a trustworthy DNS service for companies, Internet service providers, and TLDs. Ensure the accessibility of your domains with the same technology developed and used by nic.at, and rely on more than 30 years of industry expertise and DNS know-how.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not necessarily reflect the view of the publisher, eco – Association of the Internet Industry.