The Domain Name System (DNS) is a foundational Internet technology; it is used in every non-trivial IP-based transaction—if it’s not working properly, Internet transactions can grind to a halt.
Therefore, the security of DNS infrastructure should be a top priority for most organizations; unfortunately, statistics show that DNS servers and zone data are often neglected, which can leave organizations vulnerable to attacks.
Attacks against DNS infrastructure can have disastrous results, including lost revenue due to downtime, diminished customer satisfaction and lost productivity because of denial of service, and privacy breaches due to data hijacking, just to name a few.
Here you will find DNS security best practices, related information and resources to help you secure your DNS infrastructure, protecting your organization and the overall integrity of the Internet.
To learn more about how Infoblox can help you manage DNSSEC challenges and build a secure, resilient and automated infrastructure, check out our additional resources.
- Practice Safe DNS site offers education, tips and more
- The Internet Systems Consortium's BIND page – Straight from the horse’s mouth: Pointers to source code and information on BIND from its developers.
- The IETF DNS Extensions Working Group's web page
- The IETF DNS Operations Working Group's web page
Online Resources & Books
- Directory of information about DNSSEC, the DNS Security Extensions
- ISC's BIND Security Matrix, showing which vulnerabilities exist in each version of BIND
- "DNS Damage - Measurements at a Root Server"
- Cricket Liu’s O’Reilly Books on DNS
Systemic vulnerabilities to cache poisoning have prompted the Internet community to begin widespread implementation of the Domain Name System Security Extensions (DNSSEC). The recent Kaminsky bug demonstrated the frightening ease with which DNS cache poisoning attacks can be mounted. A successful DNS cache poisoning attack affects everything from e-commerce to online banking, from email communications to customer service, from encryption to government secrets.
DNSSEC is the only solution that conclusively closes the DNS cache poisoning security hole. Many top-level zones, including .ARPA, .GOV and .ORG, as well as the root zone, have already been signed using DNSSEC. Signing allows appropriately configured name servers to cryptographically validate answers from these zones, effectively eliminating the possibility of cache poisoning. In the coming months, many additional zones will be signed, including .NET and .COM. Now, every organization needs to assess its DNSSEC implementation drivers and readiness, and develop a DNSSEC policy and implementation plan. Infoblox can help your organization develop its DNSSEC policy and implementation plan today.
Infoblox automates and simplifies the deployment and management of DNSSEC for you. Using hardened appliances that run on patented Grid™ technology, DNSSEC from Infoblox meets the challenges and eliminates the risks of DNSSEC implementation. Infoblox makes DNSSEC affordable, available, and accessible to organizations like yours. Reducing the risk of configuration errors, supplying the expertise you want to have available, and making the cost of implementation and maintenance manageable—these are part of the Infoblox DNSSEC solution.
DNSSEC Features & Benefits
Become compliant easily and cost effectively
The Infoblox DNSSEC management solution automates and simplifies DNSSEC deployment and administration, thus reducing operating costs and eliminating configuration errors and associated downtime.
- Accelerated path to security and compliance
- Lower operational costs and expertise risks
- Reduced configuration errors to ensure service availability
Lower the barrier to adoption by simplifying DNSSEC
DNSSEC by Infoblox offers central configuration of all DNSSEC parameters, enforces standards by configuring DNSSEC parameters at a Grid™ level (default key type, size and validity period) based on the NIST 800-81 and RFC 4641 standards, and includes NSEC and NSEC3 support. Configuring a secondary and/or recursive name server for DNSSEC can be accomplished with a single click, including enabling a secondary to send DNSSEC records, enabling DNSSEC validation for an external zone and easily importing trust anchors.
- Configure all DNSSEC parameters graphically, in one place
- Built-in defaults according to NIST 800-81 ease configuration
- Supports NSEC3
- One-click zone signing
- Automated re-signing of zones (after modifying zone data)
- Automated rollover of Zone-Signing Keys
- Automated configuration of trust anchors for signed zones managed by the Infoblox Grid™