DNSSEC and DNS security are not the same thing: DNSSEC is one component of DNS security, whereas DNS security is the broader discipline that covers a wide range of technologies, configurations, and operational practices.
DNSSEC is a standardized extension that adds origin authentication and data integrity to DNS responses: a validating resolver can verify that signed records really came from the zone owner and were not altered in transit. It does not encrypt queries, it protects only zones that are signed, and it helps only resolvers that validate, so it does not solve every security problem associated with DNS. It should nevertheless be part of every DNS security toolkit, because it defeats some of the most damaging attacks, such as cache poisoning of a validating resolver.
Components of DNS Security
DNS security is the general concept of securing the DNS service. It covers the servers that run the service, the protocol itself, and the additional precautions and measures discussed in these pages.
System and Control Security
All the basics apply here: keeping the operating system secure, keeping the software up to date, having redundant systems in place to ensure service availability, and maintaining secure update procedures so that only authorized personnel can modify DNS entries. This basic (and sometimes boring) layer is often overlooked when people think about “DNS security,” but the consequences of neglecting it can be disastrous.
In January 2019 the Department of Homeland Security (DHS) issued an urgent warning (Emergency Directive 19-01) about DNS “hijacking.” The accompanying reporting described a campaign, carried out by a cyber-espionage group believed to operate out of Iran, that had manipulated DNS records for the domains of private companies and government agencies [1]. The warning highlighted a core weakness in DNS security: the data update process was not adequately protected. Because of this oversight, attackers who obtained the credentials used to manage zone data at registrars and DNS providers were able to modify authoritative records and lead users to IP addresses under their control.
The episode is also a reminder to harden the configuration of the DNS servers themselves. Disabling open recursion on authoritative servers and enabling Response Rate Limiting (RRL) both cut down the reflection and amplification traffic that fuels volumetric DDoS attacks across the Internet as a whole.
The obvious protocol enhancement is DNSSEC, which adds origin authentication and data integrity to signed DNS data, but that is only a small fraction of the DNS security landscape. Other protocol enhancements, such as DNS over TLS (DoT) and DNS over HTTPS (DoH), add confidentiality to DNS traffic between a client and its resolver; note that plain DNS over TCP does not, since it only changes the transport and adds no encryption. There are also features such as Response Policy Zones (RPZ), which change how recursive DNS servers answer queries so that end users are proactively prevented from resolving known malicious domain names.
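As an added example (written for this page, not code from the original article or from any DNS vendor), the following Python script compiles a small domain feed into a BIND-format RPZ zone. It uses the standard RPZ action encodings: a CNAME to the root (`CNAME .`) makes the resolver answer NXDOMAIN, `CNAME *.` answers NODATA, `rpz-drop.` and `rpz-passthru.` are BIND's reserved action targets, and a CNAME to any other host redirects the client into a walled garden. A plain entry also gets a `*.` twin so that subdomains of a blocked name are caught. The feed format, the zone name `rpz.local`, the sinkhole host `sinkhole.example.net.` and the sample feed itself are assumptions made for the example.

```python
"""Compile a threat-intelligence feed into a BIND Response Policy Zone (RPZ)."""
import re

# RPZ encodes the policy action in the rdata of a CNAME record: the root name
# means NXDOMAIN, "*." means NODATA, and rpz-drop./rpz-passthru. are BIND's
# reserved action targets. Any other CNAME target is a walled-garden redirect.
RPZ_RDATA = {
    "nxdomain": "CNAME .",
    "nodata": "CNAME *.",
    "drop": "CNAME rpz-drop.",
    "passthru": "CNAME rpz-passthru.",
}

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample feed (not a real intelligence product). The format is an
# assumption for this example: "<domain> <action>", '#' starts a comment.
SAMPLE_FEED = """\
malware-c2.example       nxdomain
*.phish.example          walledgarden   # wildcard entry covers only subdomains
tracker.example          nodata
-leading.example         nxdomain       # invalid label, dropped
trusted-partner.example  passthru
malware-c2.example       drop           # duplicate owner: first rule wins
"""


def valid_domain(name: str) -> bool:
    """Accept a hostname or a '*.' wildcard; reject anything that would corrupt the zone."""
    if name.startswith("*."):
        name = name[2:]
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def parse_feed(text: str) -> list[tuple[str, str]]:
    """Parse feed lines into (domain, action), skipping comments and malformed entries."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].strip().lower().split()
        if len(fields) != 2:
            continue
        domain, action = fields
        if valid_domain(domain) and (action in RPZ_RDATA or action == "walledgarden"):
            entries.append((domain, action))
    return entries


def rpz_records(domain: str, action: str, walled_garden: str) -> list[str]:
    """RR lines for one entry. A plain name also gets a '*.' twin so subdomains match."""
    rdata = RPZ_RDATA.get(action, f"CNAME {walled_garden}")
    owners = [domain] if domain.startswith("*.") else [domain, f"*.{domain}"]
    return [f"{owner} IN {rdata}" for owner in owners]


def build_zone(feed_text: str, zone: str = "rpz.local", serial: int = 1,
               walled_garden: str = "sinkhole.example.net.") -> str:
    """Render a complete zone file; bump `serial` on every feed refresh so secondaries reload."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA ns1.{zone}. hostmaster.{zone}. {serial} 3600 900 2419200 300",
        f"@ IN NS ns1.{zone}.",
    ]
    seen = set()
    for domain, action in parse_feed(feed_text):
        for rr in rpz_records(domain, action, walled_garden):
            owner = rr.split()[0]
            if owner not in seen:  # first policy for an owner wins; later duplicates are ignored
                seen.add(owner)
                lines.append(rr)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_zone(SAMPLE_FEED))
```

The generated file is loaded like any other zone and then referenced from the resolver's `response-policy { zone "rpz.local"; };` statement in `named.conf`. Two points matter operationally: every feed refresh must produce a new serial or secondaries will keep serving stale policy, and the input must be validated (as `valid_domain` does) because a single malformed line from an external feed would otherwise stop the whole zone from loading and silently disable the protection.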
Security and Threat Intelligence
RPZ allows administrators to write their own rules to block particular domain names, but its real power comes from consuming lists of domain names published by others, such as security research firms with dedicated teams that curate and maintain them. This list-oriented or “feed” approach is known by the more generic term “threat intelligence,” and it is relevant to security as a whole, not just to DNS. A good RPZ feed from a well-researched provider will carry more accurate and more current information about which domain names are safe to resolve and which are not. See Threat Intelligence for more information. Blocking on RPZ data alone is not enough, though; outgoing DNS traffic also needs active analysis. Threats like DNS tunneling, where data is smuggled out in the query names themselves, are difficult to detect even with RPZ, because the attacker controls a domain that no feed has seen yet, and catching them requires analyzing the shape of outbound queries in real time.
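As an added example of the kind of outbound-query analysis mentioned above (written for this page, not from the original article or from any product), the following Python script scores resolver query logs for DNS tunneling indicators. Per client and registered domain it tracks the number of distinct subdomains, the average Shannon entropy and length of the subdomain part, and the share of TXT/NULL queries, and reports a finding only when a client has queried many distinct names under one domain and at least one of those measures is abnormal. The log lines are constructed in the shape of a BIND querylog line, the thresholds are assumptions to tune against your own baseline, and the "registered domain is the last two labels" rule is a simplification; a production version would use the Public Suffix List.

```python
"""Flag DNS-tunnelling candidates in recursive-resolver query logs."""
import math
import re
from collections import defaultdict

# Matches the shape of a BIND querylog line (assumed format; IPv4 clients only):
#   ... client @0x... 10.0.0.5#51000 (qname): query: qname IN TYPE ...
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[\d.]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)

# Constructed sample log: ordinary traffic to example.com/example.org plus a burst
# of long, high-entropy TXT lookups under exfil.example from client 10.0.0.5.
SAMPLE_LOG = """\
22-Jan-2019 10:00:01.001 client @0x7f3a 10.0.0.5#51000 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.1)
22-Jan-2019 10:00:01.250 client @0x7f3a 10.0.0.5#51001 (mail.example.com): query: mail.example.com IN MX +E(0)K (10.0.0.1)
22-Jan-2019 10:00:02.010 client @0x7f3a 10.0.0.5#51002 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.1)
22-Jan-2019 10:00:02.400 client @0x7f3a 10.0.0.5#51003 (api.example.com): query: api.example.com IN AAAA +E(0)K (10.0.0.1)
22-Jan-2019 10:00:03.100 client @0x7f3a 10.0.0.5#51004 (cdn.example.com): query: cdn.example.com IN A +E(0)K (10.0.0.1)
22-Jan-2019 10:00:03.500 client @0x7f3b 10.0.0.7#44010 (www.example.org): query: www.example.org IN A +E(0)K (10.0.0.1)
22-Jan-2019 10:00:03.800 client @0x7f3b 10.0.0.7#44011 (example.org): query: example.org IN MX +E(0)K (10.0.0.1)
22-Jan-2019 10:00:04.001 client @0x7f3a 10.0.0.5#51005 (k7q2xz9pw4mn3vb8hj6tr5yc0la1sdfg.exfil.example): query: k7q2xz9pw4mn3vb8hj6tr5yc0la1sdfg.exfil.example IN TXT +E(0)K (10.0.0.1)
22-Jan-2019 10:00:04.020 client @0x7f3a 10.0.0.5#51006 (b3n8rq1ysz6hk0wd5vgxp9jt4cem2lfa.exfil.example): query: b3n8rq1ysz6hk0wd5vgxp9jt4cem2lfa.exfil.example IN TXT +E(0)K (10.0.0.1)
22-Jan-2019 10:00:04.041 client @0x7f3a 10.0.0.5#51007 (xq8w2k5mz9vp3nb7rt6yj4hl0cg1dsfe.exfil.example): query: xq8w2k5mz9vp3nb7rt6yj4hl0cg1dsfe.exfil.example IN TXT +E(0)K (10.0.0.1)
22-Jan-2019 10:00:04.063 client @0x7f3a 10.0.0.5#51008 (p4v7nq2wk9xb5mt3zr8hj6ly1cg0saed.exfil.example): query: p4v7nq2wk9xb5mt3zr8hj6ly1cg0saed.exfil.example IN TXT +E(0)K (10.0.0.1)
22-Jan-2019 10:00:04.084 client @0x7f3a 10.0.0.5#51009 (w9k3qx6pz2nm8vb4rt7hj5yl1cg0sdfa.exfil.example): query: w9k3qx6pz2nm8vb4rt7hj5yl1cg0sdfa.exfil.example IN TXT +E(0)K (10.0.0.1)
22-Jan-2019 10:00:04.105 client @0x7f3a 10.0.0.5#51010 (m2x8kq5wz9pv3nb6rt4hj7yl0cg1sdfe.exfil.example): query: m2x8kq5wz9pv3nb6rt4hj7yl0cg1sdfe.exfil.example IN TXT +E(0)K (10.0.0.1)
22-Jan-2019 10:00:04.127 client @0x7f3a 10.0.0.5#51011 (z5q9kx2wp7nm3vb8rt6hj4yl1cg0sadf.exfil.example): query: z5q9kx2wp7nm3vb8rt6hj4yl1cg0sadf.exfil.example IN TXT +E(0)K (10.0.0.1)
22-Jan-2019 10:00:04.148 client @0x7f3a 10.0.0.5#51012 (t8k2qx5wz9pm3nv7rb4hj6yl0cg1sdef.exfil.example): query: t8k2qx5wz9pm3nv7rb4hj6yl0cg1sdef.exfil.example IN TXT +E(0)K (10.0.0.1)
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for 'wwww', close to 5 for random base32-like text."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in [s.count(ch) for ch in set(s)])


def split_name(qname: str) -> tuple[str, str]:
    """Split into (registered domain, subdomain part). Simplification: the registered
    domain is the last two labels; a real deployment should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(lines) -> list[tuple[str, str, str]]:
    """Extract (client, qname, qtype) from each line that looks like a query-log entry."""
    rows = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            rows.append((m["client"], m["qname"], m["qtype"].upper()))
    return rows


def detect_tunnels(lines, min_unique=5, entropy_threshold=3.5,
                   length_threshold=25, txt_ratio_threshold=0.5) -> list[dict]:
    """Aggregate per (client, domain) and report the pairs whose subdomains look like a covert channel."""
    stats = defaultdict(lambda: {"subs": set(), "n": 0, "entropy": 0.0, "length": 0, "txt": 0})
    for client, qname, qtype in parse_log(lines):
        domain, sub = split_name(qname)
        s = stats[(client, domain)]
        s["n"] += 1
        s["subs"].add(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["length"] += len(sub)
        s["txt"] += qtype in ("TXT", "NULL")
    findings = []
    for (client, domain), s in sorted(stats.items()):
        if len(s["subs"]) < min_unique:
            continue  # a handful of names is not a covert channel, whatever they look like
        mean_entropy = s["entropy"] / s["n"]
        mean_length = s["length"] / s["n"]
        txt_ratio = s["txt"] / s["n"]
        reasons = []
        if mean_entropy >= entropy_threshold:
            reasons.append(f"mean subdomain entropy {mean_entropy:.2f} bits/char")
        if mean_length >= length_threshold:
            reasons.append(f"mean subdomain length {mean_length:.1f} chars")
        if txt_ratio >= txt_ratio_threshold:
            reasons.append(f"TXT/NULL share {txt_ratio:.0%}")
        if reasons:
            findings.append({"client": client, "domain": domain, "queries": s["n"],
                             "unique_subdomains": len(s["subs"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_tunnels(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, "
              f"{f['unique_subdomains']} unique subdomains; " + "; ".join(f["reasons"]))
```

In the constructed log, client 10.0.0.5 is reported for `exfil.example` on all three measures, while its normal traffic to `example.com` is not, because four distinct subdomains is below `min_unique`. Expect CDN and anti-spam lookups (hashes in subdomains, DNSBL queries) to trip the entropy rule in real traffic; a per-environment allowlist in front of `detect_tunnels` is the usual fix, and a finding here should feed the automation described later on this page rather than a person reading a log.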
Analytics and Reporting
No one gets security right the first time, and even if you did, the landscape changes constantly; maintaining an effective posture requires continual adjustment and tuning. To know where to tune, you need analytics and reporting. Your DNS servers should not only produce logs but also have mechanisms to turn those logs and alerts into actionable items. There should always be a reporting capability that lets you quickly identify security problems and spot emerging trends.
We are well past the days when each product tackled security on its own. We may once have thought of a “firewall” as the answer to every security problem; in the modern enterprise, devices and products need to work together, quickly, to address the security issues that arise.
Because of what is at stake, manual remediation may not be preferred, or even possible. Consider a device that has just been identified as infected with ransomware: every second lost may mean another network file encrypted. Most malware touches DNS early in an intrusion, typically to resolve its command-and-control or download hosts, so a DNS policy hit is often the first signal available, which makes DNS an ideal trigger for kicking off automated security remediation.