Protecting your computers has never been more important. Here are ten ways to ensure your digital devices are in the best of health.
The amount of data that the Internet contains is growing at an astronomical pace. A single computer doesn’t hold it all, of course; this much data must be distributed across countless computers all over the world. Even so, with an Internet connection, you can navigate to any file on the Internet as easily as you find a file on your own hard drive. This capability comes from the Domain Name System, or DNS. DNS is the system your browser uses to translate a name into the address of the computer, anywhere on earth, that holds the file you asked for.
“DNS is becoming a more common target of network attacks,” explains Ali Sleiman, Technical Director Middle East & Africa at Infoblox. “As one of the oldest and most relied-on protocols of the modern Internet, DNS is the cornerstone of almost all other services and protocols. This makes DNS an appealing target to attackers. Because it is one of the most relied-on protocols, stopping attacks can’t be as simple as adding a firewall rule.” He suggests 10 simple steps to improve DNS security.
Use Dedicated DNS Appliances
If you host your own DNS servers, make sure to use the right hardware. You should employ a dedicated DNS hardware appliance or non-open-source DNS software.
Keep DNS Server Software Up-to-Date
As with any other computer application, service, or protocol, new DNS vulnerabilities continuously crop up. Attackers dedicate a lot of time to discovering these weaknesses and figuring out how to exploit them. That’s why keeping your DNS server software updated with the current software versions and security updates is a job that you can never permanently cross off your to-do list. Whether you use a dedicated appliance that applies updates for you or have to apply updates manually, you simply must stay on top of it.
Have an Onsite DNS Backup
Even if you outsource your DNS to a managed DNS service provider, you should host your own dedicated backup DNS server. Neither Internet service providers nor managed DNS service providers are impervious to attack. In 2016, DNS service provider Dyn and Internet service provider Deutsche Telekom were both victims of massive DDoS attacks that caused widespread outages. A coordinated attack on your vendor isn’t the only reason to have a backup. More commonly, hardware or network failures can cause slow DNS performance or an outage.
Avoid Single Points of Failure
A single point of failure is a part of your network that, if it stops working, shuts down the entire process. Eliminating single points of failure throughout any system or network is a basic principle of secure, resilient design. One important way to avoid single points of failure is to have multiple Internet links from different ISPs pointing to your websites. Using different ISPs also increases the number of DNS servers that hold cached records for your sites, which reduces the risk of cache poisoning diverting your visitors.
Run Authoritative DNS Servers inside DMZs
If attackers manage to compromise an authoritative DNS server, they can change the DNS data of any domain for which that server is authoritative. The effect can be devastating: these changes quickly replicate across the Internet and, in some cases, take days to fix. Stop these problems before they start by setting up your authoritative DNS servers inside a secure network demilitarized zone (DMZ). Configure the DMZ so that DNS records are imported only from a secure primary server that is also located in your DMZ.
Turn Off Recursion
As much as possible, you want to control who can ask your authoritative DNS server for information. With recursion turned off, an authoritative server answers only for the zones it hosts instead of resolving arbitrary names for anyone who asks. You can restrict zone transfers to the specific IP addresses of your secondary DNS servers, for example, to prevent attackers from getting hostnames and IP addresses for your network. You can also digitally sign your zone transfer records to prove their authenticity.
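The weak and hardened settings described above, side by side, as an added example that is not part of the original article or any Infoblox product: a small audit script for a BIND-style named.conf that flags recursion left on and zone transfers open to anyone. Both configuration samples are constructed for this example, and the TSIG secret is a placeholder.

```python
import re
# Constructed weak named.conf: recursion on, zone transfers open to anyone.
WEAK_CONF = """
options { recursion yes; allow-transfer { any; }; };
zone "example.test" { type primary; file "example.test.zone"; };
"""
# Constructed hardened form: recursion off, transfers denied globally and
# allowed per zone only to one secondary that presents a TSIG key.
HARDENED_CONF = """
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER_BASE64_SECRET"; };
options { recursion no; allow-transfer { none; }; };
zone "example.test" {
    type primary; file "example.test.zone";
    allow-transfer { key xfer-key; 192.0.2.53; };
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments so they cannot hide or fake a directive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def top_blocks(text, kind):
    """Yield (name, body) for each block such as zone "x" { ... }."""
    for m in re.finditer(r'(?m)^\s*%s\b\s*(?:"([^"]*)")?\s*\{' % kind, text):
        depth, i = 1, m.end()
        while depth and i < len(text):      # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def acl(body, directive):
    """Return a directive's address-match list, or None if it is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % directive, body)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else None

def audit(conf):
    """Return findings for an authoritative server; an empty list means clean."""
    conf, findings = strip_comments(conf), []
    opts = dict(top_blocks(conf, "options")).get(None, "")
    if re.search(r"\brecursion\s+yes\s*;", opts):
        findings.append("options: recursion is enabled on an authoritative server")
    xfer = acl(opts, "allow-transfer")
    if xfer is None or "any" in xfer:
        findings.append("options: allow-transfer is missing or open to any")
    for name, body in top_blocks(conf, "zone"):
        zone_xfer = acl(body, "allow-transfer")
        if zone_xfer is not None and "any" in zone_xfer:
            findings.append(f'zone "{name}": allow-transfer is open to any')
    return findings
```

Running `audit(WEAK_CONF)` reports both problems, while `audit(HARDENED_CONF)` returns an empty list.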
Use Threat Intelligence
Threat intelligence is information about your network’s weakest points and the attacks you are most likely to face. You can use this information to make decisions and set priorities about how to protect your company.
Use Response Policy Zones
A Response Policy Zone (RPZ) allows you to set policies for specific domains, so that your resolver can block, redirect, or explicitly allow lookups of the names you list.
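How an RPZ expresses those policies, as an added example that is not part of the original article: a generator that turns a constructed policy list into an RPZ zone file using the standard RPZ encodings (CNAME `.` for NXDOMAIN, `*.` for NODATA, `rpz-drop.`, `rpz-passthru.`, a hostname for a walled garden, and reversed-octet `rpz-ip` owner names for address triggers), plus the longest-suffix match a resolver applies to a query name. The origin `rpz.local` and all triggers are assumed values.

```python
# Constructed policy list: (trigger, action). A trigger is a domain name or an
# IPv4 CIDR block; an action is an RPZ special target or a walled-garden
# hostname to which matching names are redirected.
POLICIES = [
    ("phish.example", "NXDOMAIN"),
    ("malware.example", "sinkhole.security.example"),
    ("tracker.example", "NODATA"),
    ("safe.tracker.example", "PASSTHRU"),   # exempt one subdomain
    ("198.51.100.0/24", "DROP"),            # answers pointing into this block
]

# RPZ encodes the action in the CNAME target of the policy record.
ACTIONS = {"NXDOMAIN": "CNAME .", "NODATA": "CNAME *.",
           "DROP": "CNAME rpz-drop.", "PASSTHRU": "CNAME rpz-passthru."}

def ip_trigger(cidr):
    """Encode 198.51.100.0/24 as the RPZ owner name 24.0.100.51.198.rpz-ip."""
    net, prefix = cidr.split("/")
    return prefix + "." + ".".join(reversed(net.split("."))) + ".rpz-ip"

def rpz_records(trigger, action):
    """Return the zone-file lines (relative to $ORIGIN) for one policy."""
    rdata = ACTIONS.get(action, f"CNAME {action}.")   # else walled garden
    if "/" in trigger:
        return [f"{ip_trigger(trigger)} {rdata}"]
    # A domain trigger covers the name itself and every name below it.
    return [f"{trigger} {rdata}", f"*.{trigger} {rdata}"]

def build_zone(origin, serial, policies):
    """Assemble a complete RPZ zone file that a resolver can load."""
    lines = [f"$ORIGIN {origin}.", "$TTL 300",
             f"@ SOA localhost. hostmaster.{origin}. {serial} 3600 600 86400 300",
             "@ NS localhost."]
    for trigger, action in policies:
        lines.extend(rpz_records(trigger, action))
    return "\n".join(lines) + "\n"

def qname_policy(qname, policies):
    """Action for a query name: the longest matching domain trigger wins."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):                 # most specific suffix first
        candidate = ".".join(labels[i:])
        for trigger, action in policies:
            if "/" not in trigger and trigger == candidate:
                return action
    return None
```

`build_zone("rpz.local", 2024010101, POLICIES)` yields the file to load as a policy zone, and `qname_policy("www.safe.tracker.example", POLICIES)` shows the exemption winning over the broader `tracker.example` block.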
Use IP Address Management
As your network grows, simply keeping visibility into everything becomes a challenge. With an enterprise-grade IP Address Management (IPAM) solution, you can consolidate information about your core network infrastructure into one comprehensive and authoritative database. This solution lets you see your entire network topology.
Automate Security Tasks Whenever Possible
Tasks that you can automate with DNS security software include many common scenarios:
i. When your DNS security solution detects DNS-based data exfiltration or malware from an infected host, it should notify an endpoint security solution to clean the infected endpoint.
ii. When a new device joins the network, your DNS security solution should trigger a vulnerability scan.
iii. Until the vulnerability scan is complete and any problems are remediated, your DNS security solution should trigger a network access control (NAC) solution to keep the endpoint off the network until it is compliant.