DNS: Securing the Map
In our last post, we discussed how critical DNS, or "Domain Name System" is and how a hierarchy of servers provide this service. This article will be focused on security elements of DNS and the risks that exist to the DNS infrastructure.
Protect the Brand!
Your organization’s DNS records are an inventory of how-to communicate with you on the Internet. Where your website(s) live, which servers receive and send emails, and other information of your domain. Your domain is your presence or brand on the Internet. What are ways to secure this information?
DNSSEC – is a DNS security protocol that protects users from receiving a fraudulent DNS query and be rerouted to a compromised website. DNSSEC is like getting all your DNS records notarized, such as in legal documents. This way, DNS queries are “signed” or verified as being legitimate. This combats some network attacks such as DNS spoofing, hijacking, or cache poisoning, where incorrect IP addresses are returned for a domain and routing users to this site. This is a common attack to harvest usernames/passwords and to distribute malware or other malicious code.
SPF – Sender Policy Framework is a manner of authenticating who can send emails on behalf of your organization. These senders aren’t users; they are the servers authorized for email delivery. Without a properly configured SPF record, your domain is susceptible to spoofing. Spoofing is the act of impersonating a user of your domain or another domain to elicit sensitive information or to distribute malicious software. SPF records assist in validating who can speak for an organization. This would be equivalent of post office flagging an email with no valid return address.
DKIM – Is a manner of “signing” emails to ensure they’re delivered from the legitimate servers. This uses a combination of TXT DNS records and email server configuration to digitally “sign” emails to ensure they’re not spoofed and authentic. Wondering if you could certify your emails like you can normal mail? You can, DKIM in conjunction with other security concepts discussed in this article does exactly that.
DMARC – Leverages SPF records and the DKIM signing process to classify email and then establish a policy to follow if classification fails. This is the action phase as SPF and DKIM are more classifications. The DMARC record can dictate policy to log (monitor email), quarantine, or reject the email explicitly. Also has information of communicating abuse or illegitimate communications.
While most organizations have deployed SPF records, DKIM/DMARC/DNSSEC are rarely deployed in organizations. These three provide the greatest protection from email spoofing and DNS hijacking that exist and should be used in concert.
Hold the Line!
Who are your DNS resolvers? Does it matter? Yes, it does! These are the servers providing access to the internet and keeping a record of where, when, and for how long. If these servers are compromised, your queries could return inaccurate results. These DNS resolvers are also a gold mine of data; every click on the Internet has left a breadcrumb on the DNS servers. Depending on your stance on data privacy, you might want to reconsider using your ISP’s DNS resolvers. We recommend using a private or internal resolver instead.
Many organizations use different tools and services to engage with customers via email campaigns. This presents some “roadblocks” to achieving email security. We know that navigating these 3rd party tools and services, and designing effective SPF, DKIM, and DMARC configuration is difficult and presents a huge barrier between your business and secure DNS. Regardless, the benefits of successfully navigating DNS security far outweigh its implied hardships. If email spoofing is a threat to your organization, beefing up your DNS security records is a worthwhile expedition.
Many of these DNS security settings have been in use for over a decade but are often misunderstood or underutilized. Do you know how your organization stacks up? Are you curious about your organization’s current DNS presence, its exposure, strengths, and weaknesses? If this information raises questions, or if you just want to improve your organization’s security posture, you should consider reaching out to OBC for a Domain assessment. We have experience in helping organizations of all sizes with their security-related needs, and we strive to make our analysis “digestible” for all readers.