DNS Security - First Line of Defense

DNS Security Prevents DNS Hijacking. Stop Man-in-the-middle attacks!

DNSSEC

DNSSEC Protection

If DNS is the phone book of the Internet, DNSSEC is the Internet’s unspoofable caller ID. It guarantees that a web application’s traffic is routed to the correct servers, so that a site’s visitors are not intercepted by a hidden “man-in-the-middle” attacker. Such attacks usually go unnoticed by a site’s visitors, increasing the risk of phishing, malware infections and personal data leakage.

How DNSSEC Works

The domain name system (DNS) is the phone book of the Internet: it tells computers where to send and retrieve information. Unfortunately, it also accepts any address given to it, no questions asked.

Email servers use DNS to route their messages, which means they’re vulnerable to security issues in the DNS infrastructure. In September 2014 researchers at CMU found email supposed to be sent through Yahoo!, Hotmail and Gmail servers routing instead through rogue mail servers. Attackers were exploiting a decades-old vulnerability in the Domain Name System (DNS)—it doesn’t check for credentials before accepting an answer.

The solution is a protocol called DNSSEC; it adds a layer of trust on top of DNS by providing authentication. When a DNS resolver is looking for blog.website.com, the .com name servers help the resolver verify the records returned for website.com, and website.com in turn helps verify the records returned for blog.website.com. The root DNS name servers help verify .com, and the information published by the root is vetted by a thorough security procedure, including the Root Signing Ceremony.

Introduction to DNSSEC

DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en route, as opposed to a fake record injected in a man-in-the-middle attack.

To facilitate signature validation, DNSSEC adds a few new DNS record types:

  • RRSIG - Contains a cryptographic signature
  • DNSKEY - Contains a public signing key
  • DS - Contains the hash of a DNSKEY record
  • NSEC and NSEC3 - For explicit denial-of-existence of a DNS record
  • CDNSKEY and CDS - For a child zone requesting updates to DS record(s) in the parent zone.
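The link in the chain of trust described above is the DS record: the parent zone publishes a hash of the child’s DNSKEY, and a validating resolver recomputes that hash from the DNSKEY the child serves and compares the two. The following is an added, stand-alone illustration (not code from this page) of that check, following RFC 4034 for the key tag and DS digest; it uses a constructed, meaningless public key for website.com rather than a real one.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, ending with the empty root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit one's-complement-style sum over the RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i % 2 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest (RFC 4034 s5.1.4): hash(canonical owner name | DNSKEY RDATA).
    Digest types: 1 = SHA-1, 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    return hashers[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def build_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """What the child submits to the parent: (key tag, algorithm, digest type, digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)

def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, parent_ds):
    """Resolver-side check: does the DNSKEY served by the child match the DS in the parent?"""
    tag, alg, dtype, digest = parent_ds
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata) == tag and algorithm == alg
            and ds_digest(owner, rdata, dtype) == digest.upper())

# Constructed sample: a KSK (flags 257, protocol 3, algorithm 13 = ECDSAP256SHA256)
# whose 64 "key bytes" are just 0..63. Not a real key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
PARENT_DS = build_ds("website.com.", 257, 3, 13, SAMPLE_KEY)

if __name__ == "__main__":
    print("DS published by .com for website.com:", PARENT_DS)
    print("child DNSKEY matches parent DS:", ds_matches("website.com.", 257, 3, 13, SAMPLE_KEY, PARENT_DS))
    tampered = base64.b64encode(bytes([255]) + bytes(range(1, 64))).decode()
    print("swapped-in DNSKEY matches parent DS:", ds_matches("website.com.", 257, 3, 13, tampered, PARENT_DS))
```

A real resolver additionally checks the RRSIG over the DNSKEY RRset with the matched key, then walks the same DS/DNSKEY step from the root down for every label in the chain.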

DNS Security – Advantages

  • Stop threats before they reach your network or endpoints
  • Block malware without latency
  • Improve visibility across the organization
  • Manage and control cloud apps
  • Simplify security management
  • Unmatched threat intelligence
  • Speed up incident response
  • Improve performance

DNS Security – Key Features

  • Block domains associated with phishing, malware, botnets, and other high-risk categories (cryptomining, newly seen domains, etc.)
  • Prevent malware or phishing attempts from malicious websites
  • Prevent web and non-web callbacks from compromised systems
  • Proxy and decrypt risky domains for deeper inspection of URLs and files
  • Enable web filtering using 85+ domain content categories
  • Pinpoint compromised systems using real-time security activity reports
  • Discover and block shadow IT (based on domains) with the App Discovery report
  • Use the Investigate web console for interactive threat intel access and the on-demand enrichment API to integrate intelligence into other systems
  • Protect mobile and roaming users who are off-network