“When you say ‘DNS security’, you just mean DNSSEC, right?” We get this question a lot.
The answer is both simple and complex. In a nutshell, DNSSEC is a technical best practice in which the validity of DNS data is ensured through cryptographic signing. DNS security, on the other hand, is the concept that the pervasive nature of the Domain Name System (DNS) can be leveraged to secure your entire network.
What is DNSSEC?
DNSSEC stands for Domain Name System Security Extensions, and it’s actually quite simple. At a basic level, DNSSEC is a way to secure and validate a DNS record without needing to understand what the query is for.
Here's a deeper dive into how DNSSEC works: By using a form of digital signatures on DNS data, DNSSEC validates responses to DNS queries before they are returned to the client. The client sends a DNS lookup asking for a particular IP address, and the response is checked using public key cryptography.
The validating resolver acts as a decoder. When DNSSEC is implemented, all DNS zones have a public key and a private key. The public key, as the name suggests, is available to everyone and provides the means to verify data signed by the corresponding private key (this is why they are known as a “key pair”). The client’s DNS resolver then retrieves the answer and validates it using another cryptographic DNSKEY record. Once the answer is validated it is returned to the client, but not before the two keys link up at the original server – it is only then that the query will fully resolve.
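How a client asks for DNSSEC data and reads the outcome from a validating resolver, as an added example (not BlueCat's code): the query sets the EDNS0 "DNSSEC OK" bit, and the response header's AD flag or a SERVFAIL code reports the result. The three response headers are constructed sample bytes, not captured traffic.

```python
import struct

QTYPE_A, CLASS_IN, TYPE_OPT = 1, 1, 41
FLAG_QR, FLAG_RD, FLAG_AD = 0x8000, 0x0100, 0x0020  # response, recursion desired, authenticated data
EDNS_DO = 0x8000  # "DNSSEC OK" bit carried in the OPT record's TTL field


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dnssec_query(name, txid):
    """Build an A query with an EDNS0 OPT record that has the DO bit set."""
    header = struct.pack("!6H", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!2H", QTYPE_A, CLASS_IN)
    # OPT: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag, no options
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 1232, 0, 0, EDNS_DO, 0)
    return header + question + opt


def validation_status(response, txid):
    """Classify a response header as a stub client behind a validating resolver sees it."""
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!2H", response[:4])
    if rid != txid or not flags & FLAG_QR:  # wrong transaction, or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 2:  # SERVFAIL: what a validator returns when signatures do not check out
        return "servfail"
    if rcode != 0:
        return "error"
    return "validated" if flags & FLAG_AD else "unvalidated"


# Constructed 12-byte response headers for transaction 0x1234.
SIGNED = struct.pack("!6H", 0x1234, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD, NOERROR
UNSIGNED = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA, NOERROR
BOGUS = struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 1)     # QR RD RA, SERVFAIL
```

The AD flag is only as trustworthy as the path between the client and the resolver that set it, and SERVFAIL can also have causes unrelated to DNSSEC.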
DNSSEC is considered a basic security move which all network administrators should take on their internet service. A specific compliance control in NIST 800-53 requires network administrators to adjust their DNS settings from “resolve anything” to “trust but verify”. This is done because DNS was built as a naive system – queries are resolved against internal and external servers automatically, and nothing checks whether a server is actually authorized to perform a resolution. This makes DNS vulnerable to man-in-the-middle attacks and cache poisoning.
So, with these security considerations in mind, how can one implement DNSSEC? While you might have heard that it’s work-intensive with BIND and Windows, it is actually quite simple to establish with a unified enterprise DNS system in place (like our DNS Integrity system). This system structure allows DNSSEC to be implemented with the touch of a button – and with no worries about whether it’s working or not, as the DNSSEC scheme is automatically implemented throughout the entire zone.
What is DNS Security?
This is where things begin to get complicated – “DNS security” is a concept, not a single practice or protocol. A good way to think of it is how BlueCat’s Expert Team’s Senior Director, Jason Davis, puts it: “DNS Security Extensions are intended to validate the query. DNS Security says ‘What are you doing with that query?’” At a basic level, “DNS security” means leveraging DNS data and DNS query traffic for security purposes. There are several methodologies and pieces of software which can put this idea into practice.
In other words, secure DNS is really strategic DNS - incorporating DNS into the network security plan. This means using DNS to secure vital assets in conjunction with other tools. While filters, firewalls, on-device agents, and other security software scour different parts of the network, DNS tools can be used for context, providing deep and granular visibility into internal, or east/west, traffic in addition to external traffic.
Leveraging DNS in this way allows administrators to do more than simply see query logs - it allows them to gauge the intent of queries. With complete information about every query on the network, administrators can root out malicious patterns of behavior and identify patient zero or other infected devices.
Using DNS for security also provides the opportunity to apply security policies to DNS queries. Whether it’s done at the network boundary or at the client level, DNS-based security policies can be very targeted, allowing as much or as little leeway for queries to resolve as appropriate. For an IoT device, a security policy might limit DNS queries to the single server where they need to deliver information. For a computer in the engineering department, a security policy might limit access to sensitive HR records. Regardless of how DNS security policies are applied, their specific use can dramatically reduce the attack surface.
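A per-group DNS policy of the kind described above, as an added example (not BlueCat's product logic): an IoT subnet may resolve one destination only, while an engineering subnet resolves everything except an HR zone. The group names, subnets, domains and query log are all constructed for illustration.

```python
import ipaddress

# Hypothetical policy table: groups, subnets and domains are constructed for illustration.
POLICIES = [
    {"group": "iot-sensors", "subnet": "10.20.0.0/24", "default": "block",
     "allow": ["telemetry.vendor.example"], "block": []},
    {"group": "engineering", "subnet": "10.30.0.0/16", "default": "allow",
     "allow": [], "block": ["hr.corp.example"]},
]


def in_zone(qname, zone):
    """True if qname is the zone itself or a name beneath it (whole-label match)."""
    q, z = qname.lower().rstrip("."), zone.lower().rstrip(".")
    return q == z or q.endswith("." + z)


def decide(client_ip, qname):
    """Return (group, action) for one query; clients outside every subnet are blocked."""
    addr = ipaddress.ip_address(client_ip)
    for policy in POLICIES:
        if addr not in ipaddress.ip_network(policy["subnet"]):
            continue
        if any(in_zone(qname, z) for z in policy["block"]):
            return policy["group"], "block"
        if any(in_zone(qname, z) for z in policy["allow"]):
            return policy["group"], "allow"
        return policy["group"], policy["default"]
    return "unassigned", "block"


def blocked_queries(log):
    """Return the (client, name, group) entries a policy refused, for review."""
    return [(ip, name, decide(ip, name)[0])
            for ip, name in log if decide(ip, name)[1] == "block"]


# Constructed query log: (client IP, queried name).
QUERY_LOG = [
    ("10.20.0.7", "telemetry.vendor.example"),
    ("10.20.0.7", "updates.other.example"),
    ("10.20.0.7", "xtelemetry.vendor.example"),  # shares a suffix, not a whole label
    ("10.30.4.9", "wiki.corp.example"),
    ("10.30.4.9", "payroll.hr.corp.example."),
    ("192.0.2.10", "wiki.corp.example"),
]

if __name__ == "__main__":
    for entry in blocked_queries(QUERY_LOG):
        print("blocked:", entry)
```

Matching on whole labels matters: a plain string suffix test would let a look-alike name such as `xtelemetry.vendor.example` through the IoT allow-list.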
While there have been many ways to consider DNS security over the years, BlueCat has a new and innovative approach – through DNS Edge, which leverages the existing DNS infrastructure to give a user visibility, control and detection capabilities. All of these allow for the detection, blocking, and quick remediation of cyber attacks that take place at the DNS layer.
You need both DNSSEC and DNS security
DNSSEC and DNS security, while different aspects of a network security plan, are both critical to keeping information safe. Centralized, purpose-built DNS architectures generally support DNSSEC with simple implementation - it becomes a no-brainer. While implementing more comprehensive DNS security tools is a more significant lift, it’s important to consider the bigger picture when looking at how we protect our data. According to Tom Hollingsworth of The Networking Nerd, when it comes to DNSSEC as a part of DNS Security:
“[DNSSEC] won’t keep people from kicking in your door and taking things if that’s what they want. But it does raise the costs of trying to impersonate your identity. Properly implemented DNSSEC is a piece of great DNS security and, just like deadbolt locks and alarm system stickers, serves to make your enterprise an unattractive target for the bad guys.”
Want more detail on how DNSSEC is implemented on DNS services? Here's something a bit more technical on how DNSSEC works.
Looking to implement DNS security on your network? Check out our intelligent security page.