
	Home > Ask the Security Experts > Expert Archive: Security Management Questions & Answers > Best practices for managing DNS, knowing it's anything but trustworthy

Ask The Security Expert: Questions & Answers

EMAIL THIS

Best practices for managing DNS, knowing it's anything but trustworthy

EXPERT RESPONSE FROM: Mike Rothman, past SearchSecurity.com expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 15 July 2008
What would you say are some best practices for managing DNS now that we know that it's anything but trustworthy? More specifically, where should DNS security live within the average enterprise's risk matrix?

If there is anything that Dan Kaminsky's research on how to break the DNS has shown, it's that organizations are pretty exposed. But security pros need to understand there are a few things that can be done to mitigate the risk. The first practice is to make sure the company's DNS server practices source-port randomization. This doesn't totally solve the Kaminsky DNS attack, but it makes it hard enough (and costly enough) to largely mitigate the risk.

That means the DNS server must be patched, or the company should upgrade to a more robust server infrastructure. One possibility is DNSSEC, which the U.S. federal government just deployed, but that is pretty complicated.

Another important thing is to make sure that all upstream ISPs have their act together. Even if the company's system is fine, dealing with any compromised name servers is disastrous.

In terms of where the responsibility of DNS security should reside, that depends on what kind of operational responsibilities the security team has. Many security teams these days are more influencers than implementers, which means they need to work with the organization's network team, which would actually deploy any remediation.

More information:

Learn how to patch Kaminsky's DNS vulnerability.
Read more about the importance of DNS rebinding defenses.

BROWSE BY TAG

Expert Archive: Security Management, Information Security Threats, Emerging Information Security Threats, Enterprise Risk Management: Metrics and Assessments, Information Security Management, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Expert Archive: Security Management
	What is the GISP certification and how does it compare to the CISSP certification?
	Using a QSA to write up a PCI DSS report on compliance (ROC)
	How can gap analysis be applied to the security SDLC?
	Comparing cheap security products and appliances to costly appliances
	What are some tips on protecting my security budget in a poor economy?
	What value do research firms provide to their subscribing enterprises?
	What certificate offers the best ROI for an IT project manager?
	Is insider activity or outsider activity a bigger enterprise threat?
	How does information security prevent fraud in the enterprise?
	Differences between an SAS 70 data center and a Tier III data center

Emerging Information Security Threats

RSA security conference 2010: news, interviews and updates

Hackers to sharpen malware, malicious software in 2010

Modern malware, stealthy botnets, adapt quickly, expert says

New ransomware Trojan pushes victims to buy software

Bruce Schneier on outsourcing, awareness training

US-CERT warns of BlackBerry snooping software

Marcus Ranum on cyberwarfare, infosec careers

Researchers find thousands of flawed embedded devices

Enterprise botnets contain thousands of malware variants

Nuke and pave to eradicate botnets

Enterprise Risk Management: Metrics and Assessments

How to justify information security spending on cloud computing

Layoffs prompt insider threat fears, cybersecurity survey finds

How to avoid Internet liability lawsuits

Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way

Bernie Rominski: Communicate Effectively with Management about Risk

Best Policy and Risk Management Products

Monitoring program data and internal controls for risk management

Risk management strategy for an information technology solution provider

Align your data protection efforts with GRC

The basics of enterprise GRC project management

Enterprise Risk Management: Metrics and Assessments Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

DNS rebinding attack (SearchSecurity.com)

drive-by pharming (SearchSecurity.com)

JavaScript hijacking (SearchSecurity.com)

man in the browser (SearchSecurity.com)

phlashing (SearchSecurity.com)

polymorphic malware (SearchSecurity.com)

pulsing zombie (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy