Cyber warfare is the new norm of the 21st century. Attacks on DNS (Domain Name System) servers represent one of the most significant threats to Internet security today. Often organizations shore up on internal security and online servers to protect and secure their data. But DNS servers remain increasingly vulnerable. When the New York Times website crashed in 2013, server administrators could not comprehend how their system was hacked. Turns out, it wasn’t. Members of the SEA (Syrian Electronic Army) found it easier to compromise the DNS.
Because DNS is used by nearly all networked platforms, the damage from these attacks can be devastating. Fortunately, we now recognize the obvious problems and there are a few easy techniques to weed out potential security risks and engage in overall DNS protection.
Keep your resolver private
If you control your own resolver, only users on your own network should be privy to its use. This helps prevent its cache from being poisoned by hackers outside your organization. If it is not open to external users, the DNS cannot be spoofed by malicious parties.
Configure DNS to withstand cache poisoning
To make it harder for hackers to get the DNS to accept a fake response accepted, protections are built in to software. Adding variability to outgoing requests helps in caches from getting poisoned. Possible ways of doing this include randomizing the query ID, using random source port, randomizing the case of the letters of domain names etc.
Be careful about who hosts your servers
When it comes to authoritative servers, you can either host them yourself or have a service provider or domain registrar do the honors. Third party firms will never be as invested in your security as you will be. Thus it is always safer to host servers yourself. However, in the event of global outreach, that solution becomes unlikely and thus you must be careful in choosing hosts.
Always protect yourself from known vulnerabilities
Any system you use will have potential risks. That is why system administrators routinely release updates and patches to fix gaps in their coding. It is vital to keep servers and OS patched and up-to-date to prevent them from being exploited. This greatly reduces the possibility of domains going offline from a DoS (denial of service) attack.
Use a hardened operating system
Close all unneeded ports and stop extraneous services. This minimizes the risk of attack on your DNS servers. Typically, DNS appliances offer hardened OS automatic updates to protect against DoS attacks
Monitor your servers
By carefully keeping track of your server status and requests, any changes or unexpected behavior can be quickly spotted. The faster you can detect malicious activity on your serves, the easier it will be to keep your domain from being subverted. Using digital certificates to authenticate your session can also be done.
As technological innovations increase, so do the risk of cyber attacks and DNS hacks. Unfortunately, no system can be completely secure because while the best minds are working to prevent attempts by malicious agents, to sneak in steal or corrupt date, similarly gifted minds are engaged in trying to circumvent these efforts. For now, we can only build up walls and combat attacks if and when they come.