The Case For A Secondary DNS Service - Single Point Of Contact

Transcription

Security Solutions White Paper

The Case for a Secondary DNS Service: Improved Security Strategies to Protect Your Online Assets

The Case for a Secondary DNS Service: Improved Security Strategies That Can Save Your Business

Table of Contents

- It Can Happen to You
- Digging Deeper Into the DNS Dilemma
- The Proper Security Posture for Authoritative DNS
- Recursive DNS: The Other Side of DNS Security
- Double Down on DNS Attacks with Neustar
- About Neustar

It Can Happen to You

On October 21, 2016, a well-known managed domain name system (DNS) provider was rocked by a massive distributed denial-of-service (DDoS) attack. The attack not only suspended the availability and services of the DNS provider, but the collateral damage also spread to a number of well-known brands whose websites and applications suffered intermittent outages.

In the aftermath of the attack came the sobering reality that no one is immune from DDoS threats, especially against their DNS. But of equal concern was the overwhelming notion that the affected companies hadn't done anything wrong. They did what many consultants recommended at the time: entrusted their DNS to a managed DNS service. But their lack of a backup proved to be the fatal flaw.

The October 21 attack signaled a fundamental change in the way that DDoS assaults would be assembled in the future. This attack was launched using the "Mirai Botnet," malware that builds a botnet out of atypical Internet-connected devices such as security cameras, DVRs and home routers. Taken together, the hijacked devices formed a dangerously potent high-volumetric weapon. The Mirai Botnet unleashed a devastating DDoS attack on a scale previously unseen. And due to its effectiveness, the botnet would become a dangerous harbinger of things to come.

But most importantly, the attack provided an invaluable lesson on the new requirements for DNS. Specifically, that businesses shouldn't exclusively stake their entire online presence on just one DNS service. The organizations that solely relied on one DNS provider showed the real-world consequences of depending on a single point of failure. If those companies had split their DNS between multiple services, then their sites, apps and other online assets would be less likely to have gone down - even during the height of the attack.

Compounding the problem is the pace of today's cybercrime. A solid strategy to limit cyber attacks can be rendered obsolete in less than six months. This is particularly the case for DNS services, as criminals realize the potential for disruption by taking aim at the vulnerabilities of DNS.

In this paper, we'll examine how organizations can effectively update their DNS security posture with minimal cost and effort by incorporating new technology and revising their current security strategies.

Digging Deeper Into the DNS Dilemma

In today's Internet age, enterprise security has focused primarily on protecting the online perimeter (i.e., the network border). The rationale was, if you could block malware and bad agents from entering the network, then you could protect your data and your business. Cyber criminals, however, are persistent and adaptive. As one door closes, they discover a new, open window. And so, it wasn't long before cyber criminals found that they could impact and disrupt organizations by attacking the protocol responsible for their online presence - DNS.

Despite its importance, for many years DNS was something of a security afterthought. It was taken for granted as a public protocol that was used to route requests, but it wasn't seen as a security vulnerability per se. All of that changed with denial-of-service (DoS, and later, DDoS) attacks. By flooding a DNS server with requests, cyber criminals can indefinitely shut down an organization's website and applications. And since website and application availability are inextricably tied to DNS, security quickly went from an afterthought to front of mind.

In order to attack a DNS server, you first need its network (IP) address. Hosting your own domain name system can expose your DNS address to anyone with even a modicum of Internet skills. For example, a competent Internet user can discover an unprotected DNS address in less than 30 seconds. Not surprisingly, security consultants began to advocate that organizations use an external DNS provider to handle their DNS requests in a more secure and efficient manner.

Quick Primer: Understanding the Differences in DNS – Authoritative and Recursive

Every organization that has Internet-facing resources depends on two kinds of DNS service: authoritative DNS and recursive DNS. Authoritative servers are responsible for connecting online assets like websites and mobile apps to the outside world. Recursive servers work somewhat in reverse. They direct internal users (i.e., anyone logged into your network) to online assets that reside inside and outside your network. Both services act as pillars for Internet connection and communication. If one goes down, then the actions that it's responsible for achieving go dark.

The Proper Security Posture for Authoritative DNS

The single most important thing that organizations can do to protect their authoritative DNS service is to implement both a primary and secondary DNS solution. In the wake of the Mirai botnet, industry analysts (e.g., Gartner) recommend that organizations have a secondary DNS service for better performance and security.

A secondary DNS service shouldn't be confused with a redundant DNS provider. It's not about having a Plan B in case your Plan A fails. It's about having a smarter Plan A that effectively splits your DNS traffic between two trusted networks. This strategy not only protects your brand against a single, take-down DDoS attack, but also improves your DNS redundancy by splitting the load between two networks.

Finding a secondary managed DNS service is the first thing that you should do to shore up your DNS security. Second is to select a DNS provider that offers a dedicated in-house DDoS mitigation service for its managed DNS networks. As more connected devices join the Internet and create the potential for more and broader botnet armies, a separate layer for DDoS protection makes sound sense for organizations. Better still, if you can "hide" your DNS from direct exposure to the Internet through an air-gapped network, you can dramatically reduce the number of attacks against your DNS.

A stronger security posture for authoritative DNS includes:
- A primary and secondary managed DNS service;
- Choosing a provider that has a dedicated in-house DDoS mitigation service for its DNS network;
- The ability to hide DNS systems from direct Internet exposure.

HOW PRIMARY & SECONDARY DNS WORKS

1. The DNS administrator logs into the DNS management portal.
2. The DNS administrator updates a DNS record.
3. The change propagates through the primary DNS network.
4. The secondary DNS is notified that there has been an update and performs a zone transfer to receive the updated record.

(Figure: DNS administrator -> DNS management portal -> primary DNS -> zone transfer -> secondary DNS.)
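The four steps above end with the secondary serving the same zone data as the primary. The following Python is an added example, not part of the white paper or any vendor's code: it checks that outcome from the outside by verifying that a zone's published NS set spans at least two DNS providers and by flagging any secondary whose SOA serial is still behind the primary's (compared with RFC 1982 serial arithmetic, so a wrapped serial is handled). Nameserver names and serials are constructed sample values; in practice they would come from NS and SOA queries against each listed server.

```python
"""Post-update sanity checks for a primary/secondary DNS deployment."""

SERIAL_MOD = 2 ** 32   # SOA serials are 32-bit unsigned (RFC 1982)
HALF = 2 ** 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 comparison: is serial a earlier than serial b, allowing
    for wraparound at 2^32? Equal serials are not 'earlier'."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def provider_of(ns_host: str) -> str:
    """Approximate the operator of a nameserver by the last two labels of
    its name, e.g. ns1.dns-a.example. -> dns-a.example (a heuristic)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def delegation_providers(ns_set: list[str]) -> set[str]:
    """Distinct providers present in the zone's delegation (NS set)."""
    return {provider_of(ns) for ns in ns_set}


def lagging_servers(serials: dict[str, int], primary: str) -> dict[str, int]:
    """Return {server: serial} for every server whose SOA serial is behind
    the primary's, i.e. a secondary that has not finished its transfer."""
    head = serials[primary]
    return {s: v for s, v in serials.items()
            if s != primary and serial_lt(v, head)}


# Constructed sample: a zone delegated to two providers, where one
# secondary still serves the serial from before the record update.
NS_SET = ["ns1.dns-a.example.", "ns2.dns-a.example.", "ns1.dns-b.example."]
SERIALS = {
    "ns1.dns-a.example.": 2016102102,   # primary, after the update
    "ns2.dns-a.example.": 2016102102,   # same provider, already in sync
    "ns1.dns-b.example.": 2016102101,   # second provider, transfer pending
}

if __name__ == "__main__":
    providers = delegation_providers(NS_SET)
    print("providers in delegation:", sorted(providers))
    print("single-provider risk:", len(providers) < 2)
    print("lagging secondaries:", lagging_servers(SERIALS, "ns1.dns-a.example."))
```

A lagging secondary that never catches up usually means the primary's NOTIFY or the transfer itself is being blocked; a delegation with only one provider is the single point of failure the paper warns about.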

Recursive DNS: The Other Side of DNS Security

Although attacks on authoritative DNS tend to get more coverage in the press—in part because the effects of the attacks are more public—organizations also need to be mindful of protecting their recursive DNS servers. Currently, most organizations host their own recursive DNS servers, which makes those servers more vulnerable to an attack. A simultaneous attack on the authoritative and recursive DNS servers can literally shut down an entire organization, inside and out.

One aspect worth mentioning here, however, is the idea of a secondary recursive DNS service. In this sense, an organization could use a managed DNS provider to secure select recursive DNS servers against malware, phishing, inappropriate content (a growing problem for anyone with a public wi-fi presence) and other threats.

For more information on recursive DNS attacks and how to prevent them, read our latest piece, "Master Your Domain: Why DNS Matters in the Connected World".

Double Down on DNS Attacks with Neustar

Neustar is the leading provider of network security solutions with over 19 years of experience in the DNS security space. Neustar has invested heavily in building advanced DNS security solutions that protect organizations from all types of threats, including DDoS attacks, ransomware, phishing and spoofing. Neustar is also in the process of building out a global DDoS mitigation network that, when complete, will represent one of the largest DDoS mitigation networks in the world. The network is dedicated to protecting both its authoritative and recursive DNS networks.

Thousands of organizations rely on Neustar for authoritative DNS protection as their primary or secondary managed DNS provider. Our UltraDNS solution represents a highly sophisticated, scalable and secure DNS protection system that includes ultra-high availability, low latency query responses and built-in DDoS protection. UltraDNS also features Neustar DNS Shield, a privatized DNS network between Neustar and its partners, which directly links partner recursive servers to Neustar UltraDNS and thus avoids general internet connectivity for enhanced security and lower latency.

Organizations that choose the UltraDNS solution can get further DNS protection by adding Neustar's UltraRecursive solution to the mix. Both the UltraDNS and UltraRecursive services are co-located, which provides better reliability and near-zero latency responses between DNS requests. It's yet another proof point that, where DNS security is concerned, two are always better than one.

Learn More: To learn more about how Neustar is building better DNS security for the future, visit us online at www.home.neustar.

Single Point of Contact is a managed security service provider dedicated to helping businesses implement the right IT security solution. We have our security experts in Palo Alto, CA reviewing alerts 24-7 to ensure your network is secure and compliant around the clock. Our goal is to help customers reduce risk, respond to threats faster, achieve compliance and ensure continuity with our security monitoring tool. For more information on our services and how we can help avoid costly mistakes, contact us today.
