“When you say ‘DNS security’, you just mean DNSSEC, right?” We get this question a lot.
The answer is both simple and complex. In a nutshell, DNSSEC is a technical best-practice in which the validity of a DNS query is ensured through cryptographic signing. DNS security, on the other hand, is the concept that the pervasive nature of DNS can be leveraged to secure your entire network.
What is DNSSEC?
DNSSEC stands for Domain Name System Security Extensions, and it’s actually quite simple. At a basic level, DNSSEC is a way to secure and validate a DNS query without needing to understand what the query is for.
By digitally signing the data, DNSSEC validates responses to DNS queries before they are returned to the client. The zone operator signs its records with a private key; when the client sends a DNS lookup for a particular IP address, the client’s DNS resolver retrieves the answer together with its signature and validates it using the zone’s public key. Once the answer is validated it is returned to the client, but not before the public key used for validation has been matched to the signing key published by the original (authoritative) server – it is only then that the query will fully resolve.
DNSSEC is considered a basic security move which all network administrators should take. A specific compliance control in NIST 800-53 requires network administrators to adjust their DNS settings from “resolve anything” to “trust but verify”. This is done because DNS was built as a naive system – queries are resolved against internal and external servers automatically, and nothing checks whether a server is actually authorized to answer them. This makes DNS vulnerable to man-in-the-middle attacks and cache poisoning.
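The sign-then-validate chain described above, as an added example in Go that is not BlueCat’s code or part of the original post. It models RRSIG, DNSKEY and DS records in a simplified form (a string encoding rather than DNS wire format), and all names and addresses are constructed; the resolver accepts an answer only when the key is vouched for by the parent and the signature covers the answer actually received.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Simplified DNSSEC model (not RFC 4034 wire format): the zone signs an RRset with its private
// key (RRSIG); the resolver verifies with the zone's public key (DNSKEY) and checks that the
// parent's DS record vouches for that key. Ed25519 is DNSSEC algorithm 15; data is constructed.

// rrsetBytes: canonical encoding of one RRset (owner name, type, rdata list).
func rrsetBytes(owner, rrtype string, rdata []string) []byte {
	return []byte(strings.ToLower(owner) + "|" + rrtype + "|" + strings.Join(rdata, ";"))
}

// signRRset is the authoritative side: produce the RRSIG for an RRset.
func signRRset(priv ed25519.PrivateKey, owner, rrtype string, rdata []string) []byte {
	return ed25519.Sign(priv, rrsetBytes(owner, rrtype, rdata))
}

// dsDigest models a DS record (SHA-256 over child zone name + DNSKEY) published by the parent.
func dsDigest(zone string, pub ed25519.PublicKey) string {
	sum := sha256.Sum256(append([]byte(strings.ToLower(zone)), pub...))
	return hex.EncodeToString(sum[:])
}

// validate is the resolver side: the DNSKEY must match the parent's DS, then the RRSIG
// must verify over the answer actually received, before anything is returned to the client.
func validate(parentDS string, pub ed25519.PublicKey, zone, owner, rrtype string, rdata []string, sig []byte) (bool, string) {
	if dsDigest(zone, pub) != parentDS {
		return false, "bogus: DNSKEY is not the key the parent's DS vouches for"
	}
	if !ed25519.Verify(pub, rrsetBytes(owner, rrtype, rdata), sig) {
		return false, "bogus: RRSIG does not cover this answer (altered or forged)"
	}
	return true, "secure"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	ds := dsDigest("example.com.", pub)       // what the com. zone would publish
	sig := signRRset(priv, "www.example.com.", "A", []string{"192.0.2.10"})
	fmt.Println(validate(ds, pub, "example.com.", "www.example.com.", "A", []string{"192.0.2.10"}, sig))
	fmt.Println(validate(ds, pub, "example.com.", "www.example.com.", "A", []string{"198.51.100.9"}, sig))
}
```

The second call shows the cache-poisoning case: the address in the answer no longer matches what the zone signed, so the resolver reports the answer as bogus instead of handing it to the client.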
So, with these security considerations in mind, how can one implement DNSSEC? While you might have heard that it’s work-intensive with BIND and Windows, it is actually quite simple to establish with a unified enterprise DNS system in place (like our DNS Integrity system). This system structure allows DNSSEC to be implemented with the touch of a button – and with no worries about whether it’s working or not, as the DNSSEC scheme is automatically implemented throughout the entire zone.
What is DNS Security?
This is where things begin to get complicated – “DNS security” is a concept, not a single practice or protocol. A good way to think of it is how BlueCat’s Expert Team’s Senior Director, Jason Davis, puts it: “DNS Security Extensions are intended to validate the query. DNS Security says ‘What are you doing with that query?’” At a basic level, “DNS security” means leveraging DNS data and DNS query traffic for security purposes. There are several methodologies and pieces of software which can put this idea into practice.
In other words, DNS security is really DNS strategy - incorporating DNS into the network security plan. This means using DNS to secure vital assets in conjunction with other tools. While filters, firewalls, on-device agents, and other security software scour different parts of the network, DNS tools can be used for context, providing deep and granular visibility into internal, or east/west, traffic in addition to external traffic.
Leveraging DNS in this way allows administrators to do more than simply see query logs - it allows them to gauge the intent of queries. With complete information about every query on the network, administrators can root out malicious patterns of behavior and identify patient zero or other infected devices.
Using DNS for security also provides the opportunity to apply security policies to DNS queries. Whether it’s done at the network boundary or at the client level, DNS-based security policies can be very targeted, allowing as much or as little leeway for queries to resolve as appropriate. For an IoT device, a security policy might limit DNS queries to the single server where they need to deliver information. For a computer in the engineering department, a security policy might limit access to sensitive HR records. Regardless of how DNS security policies are applied, their specific use can dramatically reduce the attack surface.
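The two ideas above, per-device DNS policy and using query logs to single out a misbehaving host, as an added example in Go that is not BlueCat’s code or part of the original post. The subnets, names and log lines are constructed; the policy encodes the IoT and engineering cases from the text and the audit counts denied lookups per client.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

type rule struct {
	clients *net.IPNet // source subnet the rule applies to
	suffix  string     // name suffix to match; "" matches any name
	allow   bool
}

// buildPolicy: IoT subnet may only resolve its collector; engineering is denied the HR portal.
func buildPolicy() []rule {
	cidr := func(s string) *net.IPNet { _, n, _ := net.ParseCIDR(s); return n }
	return []rule{
		{cidr("10.10.5.0/24"), "collector.iot.example.net.", true},
		{cidr("10.10.5.0/24"), "", false},
		{cidr("10.20.3.0/24"), "hrportal.corp.example.net.", false},
	}
}

// evaluate decides one query: first matching rule wins, unmatched queries are allowed.
func evaluate(policy []rule, client net.IP, name string) bool {
	for _, r := range policy {
		if r.clients.Contains(client) && strings.HasSuffix(strings.ToLower(name), r.suffix) {
			return r.allow
		}
	}
	return true
}

// audit replays the policy over "client-ip name" log lines and counts denials per client.
func audit(policy []rule, lines []string) map[string]int {
	denied := map[string]int{}
	for _, line := range lines {
		if f := strings.Fields(line); len(f) == 2 && !evaluate(policy, net.ParseIP(f[0]), f[1]) {
			denied[f[0]]++
		}
	}
	return denied
}

func main() { // constructed sample log, not real traffic
	log := []string{"10.10.5.20 collector.iot.example.net.", "10.10.5.20 firmware.cdn-example.test.", "10.20.3.7 hrportal.corp.example.net."}
	fmt.Println(audit(buildPolicy(), log)) // map[10.10.5.20:1 10.20.3.7:1]
}
```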
While there have been many ways to consider DNS security over the years, BlueCat has a new and innovative approach – DNS Edge, which leverages the existing DNS infrastructure to give a user visibility, control and detection capabilities. All of these allow for the detection, blocking, and quick remediation of cyber attacks that take place at the DNS layer.
You need both DNSSEC and DNS security
DNSSEC and DNS security, while different aspects of a network security plan, are both critical to keeping information safe. With a centralized, purpose-built DNS architecture, DNSSEC is easy to implement - it’s a no-brainer. While implementing more comprehensive DNS security tools is a more significant lift, it’s important to consider the bigger picture when looking at how we protect our data. According to Tom Hollingsworth of The Networking Nerd, when it comes to DNSSEC as a part of DNS Security:
“[DNSSEC] won’t keep people from kicking in your door and taking things if that’s what they want. But it does raise the costs of trying to impersonate your identity. Properly implemented DNSSEC is a piece of great DNS security and, just like deadbolt locks and alarm system stickers, serves to make your enterprise an unattractive target for the bad guys.”
Want to learn more about how DNS can be leveraged for your organization’s security needs? This page is a great place to start.