intelligent NETWORK SECURITY |
attacks can ’ t be as simple as adding a firewall rule .
10 KEYS TO IMPROVING DNS SECURITY
1 . Use dedicated DNS appliances : If you host your own DNS servers , make sure you use the right hardware . You should employ a dedicated DNS hardware appliance or non-open-source DNS software .
2 . Keep DNS server software upto-date : As with any other computer application , service , or protocol , new DNS vulnerabilities continuously crop up . Attackers dedicate a lot of time to discovering these weaknesses and figuring out how to exploit them . That ’ s why keeping your DNS server software updated with the current software versions and security updates is a job that you can never permanently cross off your to-do list . Whether you find a dedicated appliance that applies updates for you or have to apply updates manually , you simply must stay on top of it .
3 . Have an onsite DNS backup : Even if you outsource your DNS to a managed DSN service provider , you should host your own dedicated backup DNS server . Neither Internet service providers nor managed DNS service providers are impervious to attack . In 2016 , DNS service provider DYN and Internet service provider Deutsche Telekom were both victims of massive DDoS attacks that caused widespread outages . A co-ordinated attack on your vendor isn ’ t the only reason to have a backup . More commonly , hardware or network failures can cause slow DNS performance or an outage .
4 . Avoid single points of failure : A single point of failure is a part of your network that , if it stops working , shuts down the entire process . Eliminating single points of failure throughout any system or network is a basic principle of secure , resilient design . One important
|
Eliminating single points of failure throughout any system or network is a basic principle of secure , resilient design . One important way to avoid single points of failure is to have multiple Internet links from different ISPs pointing to your websites . way to avoid single points of failure is to have multiple Internet links from different ISPs pointing to your websites . By introducing different ISPs , you increase the authoritative DNS servers that cache your links and reduce the risk of cache poisoning diverting your visitors .
5 . Run authoritative DNS servers inside DMZs : If attackers manage to compromise an authoritative DNS server , they can change the DNS data of any domain for which that server is authoritative . The effect can be devastating . These changes quickly replicate across the Internet and , in some cases , take days to fix . Stop these problems before they start by setting up your authoritative DNS servers inside a secure network demilitarised zone ( DMZ ). The DMZ allows the importing of DNS records only from a secure primary server that is also located inside your DMZ .
|
6 . Turn off recursion : As much as possible , you want to control who can ask your authoritative DNS server for information . You can restrict zone transfers to the specific IP addresses of your secondary DNS servers , for example , to prevent attackers from getting hostnames and IP addresses for your network . For another example , you can digitally sign your zone transfer records to prove their authenticity .
7 . Use threat intelligence : Threat intelligence is information about your network ’ s weakest points and the most likely attacks you are likely to receive . You can use this information to make decisions and set priorities about how to protect your company .
8 . Use response policy zones : A Response Policy Zone ( RPZ ) allows you to set policies for specific domains .
9 . Use IPAM : As your network grows , even keeping visibility into everything becomes a challenge . With an enterprise-grade IP Address Management ( IPAM ) solution , you can consolidate information about your core network infrastructure into one comprehensive and authoritative database . This solution lets you see your entire network topology .
10 . Automate security tasks whenever possible : Tasks that you can automate with DNS security software include many common scenarios : i . When your DNS security solution detects DNS-based data exfiltration or malware from an infected host , it should notify an endpoint security solution to clean the infected endpoint . ii . When a new device joins the network , your DNS security solution should trigger a vulnerability scan . iii . Until the completion of the vulnerability scan and mediation of any problems , your DNS security solution should trigger a network access control ( NAC ) solution to prevent the endpoint from getting on the network until it is compliant . u
|