There are many ways organizations can reduce DNS security issues and improve the safety of this vital service. DNSSEC is a great way to help ensure that tampering with DNS responses is detected before clients are sent to the wrong destinations.
Additional security practices are needed to adequately secure DNS, and these are outlined and explained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-81-2, "Secure Domain Name System (DNS) Deployment Guide." SP 800-81-2 identifies three groups of security concerns: the DNS hosting environment, the DNS transactions themselves and the security administration of the DNS and DNS Security Extensions (DNSSEC) implementations. Let's take a closer look at each of these groups and what you can do to address the concerns.
DNS security issues in the hosting environment
The DNS hosting environment encompasses all the components of the servers, from their operating systems and applications to the DNS data they store, access and manipulate. Securing hosting environments is generally straightforward. It includes hardening the operating systems and applications, configuring access controls so only the necessary activities are permitted for authorized users and properly maintaining the environment through patching, reconfiguring, monitoring, auditing and more.
DNS data is stored on DNS servers in a zone file. Protecting the integrity of the zone file is incredibly important. NIST SP 800-81-2 recommends using a tool called a zone-file integrity checker. This tool should be run frequently on the zone file to make sure it doesn't contain any records with unusual values. The tool must be configured with what the acceptable and unacceptable values are for various record fields, which may vary from one organization to another.
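To make the idea of a zone-file integrity checker concrete, here is a small Python example added to this article (it is not code from NIST SP 800-81-2 or from any particular checker product). It parses a simplified zone file, compares every record against a policy of acceptable values, and reports anything outside that policy. The zone contents, the policy values (approved address range, approved name servers and mail exchangers, TTL bounds, no wildcards) and the record-type list are all constructed for the example; a real deployment would load its own policy and run the checker against the live zone file on a schedule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample zone for the example (not a real organization's data).
# The last three records carry the kinds of "unusual values" a checker is meant to catch:
# an NS pointing outside the organization's own name servers, an A record outside the
# approved address range, and a wildcard whose TTL is below the permitted floor.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
@       3600 IN NS  ns1.example.com.
@       3600 IN NS  ns2.example.com.
www      300 IN A   192.0.2.10
mail    3600 IN MX  10 mail.example.com.
@       3600 IN NS  ns9.unknown-provider.example.  ; not one of ours
www      300 IN A   203.0.113.7                    ; outside approved range
*         60 IN A   192.0.2.10                     ; wildcard, TTL too low
"""

# Hypothetical policy: the "acceptable values" the checker must be configured with.
# Every organization would tailor these to its own zones.
POLICY = {
    "allowed_types": {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "TXT"},
    "allowed_a_networks": [ipaddress.ip_network("192.0.2.0/24")],
    "allowed_ns": {"ns1.example.com.", "ns2.example.com."},
    "allowed_mx": {"mail.example.com."},
    "min_ttl": 300,
    "max_ttl": 86400,
    "allow_wildcards": False,
}


@dataclass
class Record:
    line_no: int
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_zone(text, default_ttl=3600):
    """Parse the one-record-per-line subset of zone-file syntax used above."""
    records = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()       # strip comments
        if not line or line.startswith("$"):      # blank lines and $ directives
            continue
        fields = line.split()
        name, rest = fields[0], fields[1:]
        ttl = default_ttl
        if rest and rest[0].isdigit():            # optional explicit TTL
            ttl, rest = int(rest[0]), rest[1:]
        if rest and rest[0].upper() == "IN":      # optional class
            rest = rest[1:]
        records.append(Record(line_no, name, ttl, rest[0].upper(), " ".join(rest[1:])))
    return records


def check_zone(records, policy=POLICY):
    """Return one finding per record field that falls outside the policy."""
    findings = []
    for r in records:
        where = f"line {r.line_no} ({r.name} {r.rtype})"
        if r.rtype not in policy["allowed_types"]:
            findings.append(f"{where}: record type not permitted")
        if not policy["min_ttl"] <= r.ttl <= policy["max_ttl"]:
            findings.append(f"{where}: TTL {r.ttl} outside "
                            f"{policy['min_ttl']}-{policy['max_ttl']}")
        if r.name.startswith("*") and not policy["allow_wildcards"]:
            findings.append(f"{where}: wildcard records not permitted")
        if r.rtype == "A":
            try:
                addr = ipaddress.ip_address(r.rdata)
            except ValueError:
                findings.append(f"{where}: malformed address {r.rdata!r}")
                continue
            if not any(addr in net for net in policy["allowed_a_networks"]):
                findings.append(f"{where}: address {addr} outside approved ranges")
        elif r.rtype == "NS" and r.rdata not in policy["allowed_ns"]:
            findings.append(f"{where}: unexpected name server {r.rdata}")
        elif r.rtype == "MX" and r.rdata.split()[-1] not in policy["allowed_mx"]:
            findings.append(f"{where}: unexpected mail exchanger {r.rdata}")
    return findings


def audit(text, policy=POLICY):
    """Parse and check a zone file; an empty list means nothing unusual was found."""
    return check_zone(parse_zone(text), policy)


if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE):
        print(finding)
```

Run against the sample zone, the checker reports the foreign name server, the out-of-range address, and two findings for the wildcard record (the wildcard itself and its low TTL). The useful design point is that the policy is data, not code: the record types, networks and hosts an organization considers normal differ, so the same checker can be reused with a different policy per zone.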
DNS security issues with transactions
DNS transactions include DNS queries and responses as well as several types of record management actions. DNSSEC is the primary mechanism for protecting DNS query and response integrity. However, DNSSEC does not protect other types of DNS transactions.
One of the transaction types needing protection is zone transfers. A zone transfer is when the contents of a DNS zone file are duplicated on another server. Zone transfers should be restricted so that only authorized parties can initiate them. NIST SP 800-81-2 details several methods for doing this, including using transaction signatures, public key cryptography and network layer security (e.g., a VPN).
Another transaction type of concern is dynamic updates. In a dynamic update, a DNS client informs a DNS server of changes it should make to its zone file. As with zone transfers, dynamic updates should only be allowed from authorized parties, and risk can be mitigated through transaction signatures, public key cryptography and VPNs.
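The transaction-signature approach that the two paragraphs above recommend for zone transfers and dynamic updates works the same way for both: the requester proves possession of a shared secret by attaching a keyed hash to the request, and the server combines that proof with a per-key list of what the key is allowed to do. The Python example below, added here and not taken from NIST SP 800-81-2 or from any DNS server's code, models that logic. It is a simplified stand-in for TSIG rather than the actual TSIG wire format: the key names, secrets, grants and the request encoding are constructed for the example, and the result names reuse TSIG's error names (BADKEY, BADSIG, BADTIME) only for readability.

```python
import hashlib
import hmac
import time

# Shared secrets keyed by key name. Constructed for the example; real deployments
# generate random secrets and distribute them to the peer out of band.
KEYS = {
    "secondary-xfer.": b"constructed-secret-for-the-secondary",
    "dhcp-updater.":   b"constructed-secret-for-the-dhcp-server",
}

# Per-key grants: which key may perform which transaction on which zone. This plays
# the role of a server's transfer and update access lists, reduced to a set.
GRANTS = {
    ("secondary-xfer.", "example.com.",     "AXFR"),
    ("dhcp-updater.",   "dyn.example.com.", "UPDATE"),
}

FUDGE = 300  # seconds of clock skew tolerated, like the TSIG "fudge" field


def _signed_bytes(key_name, zone, op, signed_at, payload):
    # Bind the MAC to the key name, the zone, the operation and the time, so none
    # of them can be changed in transit without invalidating the signature.
    return f"{key_name}|{zone}|{op}|{signed_at}|".encode() + payload


def sign_request(key_name, zone, op, payload, signed_at=None):
    """Requester side: attach an HMAC-SHA256 over the request under the shared secret."""
    signed_at = int(time.time()) if signed_at is None else signed_at
    mac = hmac.new(KEYS[key_name],
                   _signed_bytes(key_name, zone, op, signed_at, payload),
                   hashlib.sha256).digest()
    return {"key": key_name, "zone": zone, "op": op, "time": signed_at,
            "payload": payload, "mac": mac}


def authorize(request, now=None):
    """Server side: verify the signature first, then check the grant for this key.

    Returns (allowed, reason). A request with a valid signature but no matching
    grant is REFUSED, so a transfer key cannot be reused to submit updates.
    """
    now = int(time.time()) if now is None else now
    secret = KEYS.get(request["key"])
    if secret is None:
        return False, "BADKEY"
    expected = hmac.new(secret,
                        _signed_bytes(request["key"], request["zone"], request["op"],
                                      request["time"], request["payload"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, request["mac"]):
        return False, "BADSIG"
    if abs(now - request["time"]) > FUDGE:       # stale or replayed request
        return False, "BADTIME"
    if (request["key"], request["zone"], request["op"]) not in GRANTS:
        return False, "REFUSED"
    return True, "NOERROR"


if __name__ == "__main__":
    now = int(time.time())
    req = sign_request("secondary-xfer.", "example.com.", "AXFR", b"", now)
    print("zone transfer by the secondary:", authorize(req, now))
    req = sign_request("secondary-xfer.", "example.com.", "UPDATE", b"www A 192.0.2.20", now)
    print("dynamic update with the transfer key:", authorize(req, now))
```

Two details carry most of the security value. The signature covers the zone, the operation and the timestamp along with the payload, so a captured transfer request cannot be turned into an update or replayed outside the fudge window. And the grant check is separate from the signature check: a key being valid says who sent the request, while the grant says what that sender may do, which is exactly the "only authorized parties" requirement stated for both transaction types.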
Security administration is the third group of concerns and also reduces DNS security issues. It covers which cryptographic algorithms are used and how the cryptographic keys used for DNS are managed throughout their lifecycles. The vast majority of the security administration recommendations in NIST SP 800-81-2 involve key management for DNSSEC. Organizations should have robust key management policies and processes in place before deploying DNSSEC so that they are prepared for any key management needs.
For example, if an incident involving DNS security issues related to a server occurs, an organization may need to perform key rollovers immediately. If these rollovers are not performed correctly and quickly, attackers might be able to take advantage of the situation, or DNS operations might be disrupted, causing organizational IT resources to be temporarily unavailable. Organizations should plan for the worst possible DNS security issues so that they're ready to respond if a problem occurs.
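"Correctly and quickly" pull in opposite directions during a rollover: each step is only safe once every cache has had time to expire the data from the previous step, and skipping that wait is what produces the validation failures that make resources unavailable. The Python example below, added to this article and not part of NIST SP 800-81-2, computes the earliest safe time for each step of a pre-publish zone-signing-key (ZSK) rollover using the waiting periods described in RFC 6781 (DNSKEY TTL before signing with the new key; longest zone TTL before removing the old key, each plus a propagation delay), and flags any step in a proposed emergency timeline that runs ahead of those times. Times are Unix timestamps in seconds, and the TTL and delay values in the usage are constructed.

```python
import time


def plan_prepublish_zsk_rollover(start, dnskey_ttl, max_zone_ttl, propagation_delay):
    """Earliest safe Unix time for each step of a pre-publish ZSK rollover.

    The waits follow the pre-publish rollover described in RFC 6781; all inputs
    are seconds. propagation_delay is the time secondaries need to load a new
    zone version, which a real plan would measure rather than assume.
    """
    # Step 1: add the new DNSKEY to the zone while still signing with the old key.
    publish_new = start
    # Step 2: sign with the new key only once every validating cache can have the
    # new DNSKEY RRset, i.e. after the DNSKEY TTL plus propagation has elapsed.
    sign_with_new = publish_new + dnskey_ttl + propagation_delay
    # Step 3: remove the old DNSKEY only once no signature made with it can still
    # be cached anywhere: the longest TTL in the zone plus propagation.
    remove_old = sign_with_new + max_zone_ttl + propagation_delay
    return {
        "publish_new_dnskey": publish_new,
        "sign_with_new_key": sign_with_new,
        "remove_old_dnskey": remove_old,
    }


def rushed_steps(proposed, planned):
    """Names of steps a proposed timeline performs before the plan allows.

    Each such step leaves some cache holding either the old DNSKEY set without
    the new key or signatures whose key is gone, so validation fails there.
    """
    return [step for step, when in proposed.items() if when < planned[step]]


def total_duration(planned):
    """Seconds from publishing the new key to removing the old one."""
    return planned["remove_old_dnskey"] - planned["publish_new_dnskey"]


if __name__ == "__main__":
    # Constructed values: 1 h DNSKEY TTL, 24 h longest zone TTL, 30 min propagation.
    start = int(time.time())
    plan = plan_prepublish_zsk_rollover(start, 3600, 86400, 1800)
    for step, when in plan.items():
        print(f"{step:>20}: {time.strftime('%Y-%m-%d %H:%M', time.gmtime(when))} UTC")
    # An incident response that wants the old key gone two hours after publishing.
    emergency = dict(plan, remove_old_dnskey=start + 2 * 3600)
    print("steps run too early:", rushed_steps(emergency, plan))
```

With those constructed values the rollover takes 26 hours end to end, and the only way to shorten it without the flagged validation failures is to lower the relevant TTLs ahead of time. That is the practical reason for having the key management process worked out before an incident: the TTLs in place on the day of the incident, not the urgency of the response, set how fast a rollover can safely run.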