DNS Security 101 – Availability Availability Availability

Brian Hamm



Application or service availability is one of the main tenets of information security.

In light of the recent DNS outages and attacks, let's have a quick DNS security discussion. There are two components involved in getting your website or company into the Internet's version of the phone book: (1) Domain Registration and (2) Domain Name Service.

Domain Registrar – This is the authority that secures the ownership of your domain, "company.com". These companies track who the technical and administrative contacts are for each domain. In addition to contact information, they also advertise which servers on the Internet are responsible for resolving the addresses for your domain. These are company.com's authoritative domain name servers.

Domain Name Services – These are the servers that actually house the DNS records for your "company.com" domain: records such as www, mail, ftp, portal, etc.

Although it is common to use the same company for Domain Registration and Domain Name Services, it is not required.

There are several DNS security factors to consider in regard to both your Domain Registrar and your Domain Name Service.
1. Make sure the username and password for managing your Domain Registration stay secure. Domain hijacking is a very lucrative business!

2. Don't use actual people as Administrative and Technical contacts when registering your domain. Real names will be needed when you register your domain, but make the contacts aliases such as Company IT Director or Company IT Admin. Besides the possibility that the person may leave the company, publishing an actual person's name gives an attacker a name to drop, which is the first step of social engineering.

3. Don't let your registration expire! Registering your domain name for 3 years may seem like a long time, but as your IT staff changes and business gets busy, the person who originally signed up for the domain may have moved on. This is a reason to make the registered administrative and technical contact email addresses distribution lists within the company, so that more than one person receives important emails relating to your domain registration.

4. When defining which authoritative domain servers will host your domain entries, you can use more than one Domain Name Service. This reduces the chance that your website will indirectly sustain a DoS hit when your Domain Name Service provider is under attack. The downside is that you have to maintain your DNS records in both services. But the odds that two different DNS providers go down simultaneously are much lower.
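The trade-off in item 4 can be checked mechanically. The following is an added example, not code from the original post: it takes the answers each authoritative server returns when queried directly (for instance with `dig @ns1.provider-a.example www.company.com A +short`) and reports whether the delegation depends on a single provider and whether the copies of the zone have drifted apart. The provider names, addresses and the "last two labels" provider heuristic are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: the answers each authoritative server gave when queried
# directly. Hostnames and addresses are placeholders, not real data.
ZONE_A = {("www.company.com", "A"): {"192.0.2.10"},
          ("mail.company.com", "A"): {"192.0.2.25"},
          ("ftp.company.com", "A"): {"192.0.2.21"}}
SAMPLE = {
    "ns1.provider-a.example.": ZONE_A,
    "ns2.provider-a.example.": ZONE_A,
    # Second provider: mail record is stale and ftp was never copied over.
    "ns1.provider-b.example.": {("www.company.com", "A"): {"192.0.2.10"},
                                ("mail.company.com", "A"): {"198.51.100.25"}},
}

def provider_of(ns_host):
    """Assumption: the last two labels of the nameserver name identify the
    provider (naive; no public-suffix handling)."""
    return ".".join(ns_host.rstrip(".").lower().split(".")[-2:])

def audit(ns_answers):
    """Return (providers, findings) for {ns_host: {(owner, rtype): rdata_set}}."""
    providers = sorted({provider_of(ns) for ns in ns_answers})
    findings = []
    if len(providers) < 2:
        findings.append("single-provider: " + (", ".join(providers) or "none"))
    all_keys = set().union(*(rr.keys() for rr in ns_answers.values()))
    for owner, rtype in sorted(all_keys):
        views = defaultdict(list)  # distinct answer -> servers giving it
        for ns in sorted(ns_answers):
            answer = frozenset(ns_answers[ns].get((owner, rtype), ()))
            views[answer].append(ns)
        if len(views) > 1:  # servers disagree: the two services have drifted
            detail = "; ".join(f"{', '.join(nss)} -> {sorted(ans) or 'MISSING'}"
                               for ans, nss in views.items())
            findings.append(f"drift {owner} {rtype}: {detail}")
    return providers, findings

if __name__ == "__main__":
    for line in audit(SAMPLE)[1]:
        print(line)
```

Run on a schedule, a check like this catches the case where a record was updated at one provider only, which otherwise shows up as intermittent failures depending on which nameserver a resolver happens to ask.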

A few recent DNS security victims. You may recognize the names:
https://isc.sans.edu/forums/diary/NY+Times+DNS+Compromised/16451
https://isc.sans.edu/forums/diary/Linkedin+DNS+Hijack/16037
https://isc.sans.edu/forums/diary/googlecommy+DNS+hijack/16775

Want more? DNSSEC is the next step in securing DNS, which is probably the weakest link in the Internet chain today.
http://www.icann.org/en/about/learning/factsheets/dnssec-qaa-09oct08-en.htm

