
    Ways to Protect Your Domain Name from Cyberattacks

    01.03.2018

    Protect Your Domain Name from a Cyberattack

    It was the fall of 2016 when a cyberattack first brought major international focus to how an insecure Domain Name System (DNS) can bring down even the most powerful corporate players. That attack caused blackouts to websites for the BBC, CNN, The New York Times, Twitter, Verizon, Netflix, HBO, Visa and dozens more, whose domains were operated by a single DNS provider. The attack was most likely perpetrated by the groups Anonymous and New World Hackers, who used the malware Mirai to create a botnet consisting of hundreds of thousands of internet-connected infected devices — printers, IP cameras, residential gateways and baby monitors — to generate a distributed denial-of-service (DDoS) attack. In such an attack, incoming traffic from many devices floods the victim, making it impossible to simply block a single source.

    This provided a moment of shocking but necessary enlightenment by illustrating the vulnerability of the DNS at the time. In a report a few years prior to the attack, Paul Twomey, former CEO of ICANN (which, among its responsibilities, manages IP addresses and the overall domain name system and root servers for billions of network addresses across 240 countries), said, “One thing is clear — every business, every government, every organization that uses the Internet in its day-to-day operations is vulnerable. Simply put, cybersecurity is no longer ‘one for the IT department.’”

    How Do Hackers Use a DNS?

    DNS is a naming system that points to the actual location of a device: its numerical IP address, managed by ICANN. Hackers can use the cache stored by a company’s network, or by DNS resolvers (which translate a domain name into an IP address) operated by an Internet Service Provider (ISP) or even Google or OpenDNS, to trick the resolver into reporting back the wrong IP address. This sends a user to a bogus address, an email to a wrong destination and so on.

    Much of the risk lies in DNS server configurations. “DNS servers tend to be forgotten about, and their default configuration is not necessarily secure,” says Chris Brenton, a fellow of the SANS Institute and director of security for a major DNS service provider.

    DNS can also be compromised when a hacker alters its records and redirects traffic to their own site. But arguably the easiest way for hackers to use a DNS is simply to deny services, which is what happened with the October 2016 attack.

    How to Secure Your DNS

    Follow these steps to safeguard your DNS against attacks.

    • Manage your DNS servers securely. “It’s not just a matter of expertise, but also of scale because many organizations need to have DNS servers in three or four places around the world,” Brenton says.
    • Keep your primary servers hidden, and keep resolvers private and protected using a secondary DNS to reduce the possibility of domains going offline from a DDoS attack. This both protects the hidden server and allows domain names to be served from a fast anycast DNS.
    • Ensure only information necessary for parties using the server is available publicly. Restrict all other DNS servers and data to internal access only.
    • Maintain availability by making every DNS server part of a high-availability (HA) pair or cluster. That way, if one fails, others can assume the load.
    • If possible, use local name servers. An enterprise with multiple locations should ensure recursive and authoritative name servers are on-site at those locations to distribute query loads and ensure names are quickly resolved.
    • Restrict access of primary name servers to only those employees responsible for their maintenance and upkeep.
    • To protect data integrity, use Domain Name System Security Extensions (DNSSEC), which digitally signs DNS data so name servers can ensure its integrity when answering queries.
    • Use a scrubbing center (data cleansing station), where traffic is analyzed and malicious traffic is removed.
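
Two of the steps above (keeping resolvers private and using DNSSEC) can be checked from the flags in a DNS response header. The following is an added example, not code from the article: the function names, the `role` parameter and the sample responses are constructed for illustration, and the script runs offline on those samples.

```python
import struct

# DNS header flag bits (RFC 1035; AD is defined by DNSSEC, RFC 4035)
QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020

def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Encode a DNS query; dnssec_ok appends an EDNS0 OPT record with the DO bit."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1 if dnssec_ok else 0)
    # OPT pseudo-record: root name, type 41, UDP size 1232, DO flag 0x8000, no data
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + (opt if dnssec_ok else b"")

def audit_response(msg, txid, role="authoritative"):
    """Return findings for a response header from a server of the given role."""
    if len(msg) < 12:
        return ["message shorter than a DNS header"]
    rid, flags = struct.unpack("!HH", msg[:4])
    findings = []
    if rid != txid or not flags & QR:
        findings.append("not a response to our query; discard")
    if role == "authoritative":
        if flags & RA:
            findings.append("recursion offered by a public authoritative server")
        if not flags & AA:
            findings.append("answer not marked authoritative")
    elif role == "resolver" and not flags & AD:
        findings.append("answer not DNSSEC-validated (AD bit clear)")
    return findings

def sample_response(flags, txid=0x1234):
    """Constructed header-only response used as offline sample input."""
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)

if __name__ == "__main__":
    print(len(build_query("example.com")), "byte query with DO bit set")
    for label, flags, role in [
        ("hardened authoritative", QR | AA, "authoritative"),
        ("open recursion", QR | RD | RA, "authoritative"),
        ("validating resolver", QR | RD | RA | AD, "resolver"),
        ("non-validating resolver", QR | RD | RA, "resolver"),
    ]:
        print(label, "->", audit_response(sample_response(flags), 0x1234, role) or "ok")
```

The AD bit is only as trustworthy as the network path between the client and the resolver that set it.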