Often referred to as the “phonebook of the Internet,” the Domain Name System (DNS) is the standardized way of translating human-usable domain names such as “centerforcybersecuritypolicy.org” into the machine-readable IP addresses, such as 99.83.190.102, that computers actually use to reach one another. The translation happens through a process called a DNS lookup, of which users see nothing: they simply enter the domain name of a site into a browser.
From there, the browser sends a query to a DNS resolver, which in turn queries a series of DNS servers (the root servers, the servers for the top-level domain, and finally the authoritative servers for the domain itself) until it finds the desired IP address, either a numeric IPv4 address or a hexadecimal IPv6 address. The resolver returns that IP address to the user's device, which can then connect to the desired site. See Diagram 1, which depicts a DNS lookup.
Decades have passed since DNS was first put into use, and its importance has only grown. DNS is now commonly deployed within organizations' own networks to support the internal functions of those intranets. Today, DNS is woven into the fabric of almost every network, at every scale. It is therefore crucially important that DNS deployments are done securely and according to current best practices, lest attackers compromise this vital component.

Diagram 1: DNS Lookup
Additionally, DNS's central position in the network allows it to serve as a foundational layer of network security as part of a zero-trust or defense-in-depth risk management approach. DNS services deployed to that end are called “Protective DNS,” and they are a key component in securing organizational networks.
DNS as a Threat Vector and a Critical Security Control
DNS infrastructure is mission critical. If it fails, entire networks, along with their applications and users, can be brought down. The DNS is thus a critical element of an organization's digital resiliency and should be regularly assessed and re-evaluated.
Recent developments in network security best practices have driven an increased focus on the concept of “defense-in-depth,” the idea that no defensive measure is infallible and that therefore the best defense comes from multiple layers of protection. This style of cyber defense yields a more flexible, scalable, and resilient system that is more resistant to compromise and is more closely aligned to zero-trust principles.
As a fundamental network service, DNS has to be left open for Internet connectivity to work at all, and as a result threat actors use it as a strategic vehicle to deliver malware, exfiltrate data, and conduct command and control (C2). According to CISA, “DNS infrastructure is a common threat vector for attack campaigns.”
Encrypting DNS traffic does not remove this exposure: resolvers still need to reach the Internet, so an attacker who controls the authoritative server for a domain can use queries to that domain for command and control and data exfiltration, and encryption then hides the content of that traffic from network inspection. It is therefore crucial to implement strict controls and auditing on an organization's resolvers, ensuring that only resolvers with the appropriate policy configuration are permitted to communicate with the Internet, and that endpoints cannot bypass them by speaking plain DNS, DoT or DoH directly to outside servers. Applying security in DNS infrastructure gives administrators the opportunity not only to review potentially malicious communications before they begin, but to prevent them automatically.
Common victims of DNS attacks include:
- Large corporations and organizations that store large amounts of sensitive data
- Internet Service Providers (ISPs) that manage and direct Internet traffic for hundreds of thousands of clients
- Government agencies that manage confidential information critical to national security
- E-commerce platforms that handle financial transactions and store customer information
- Critical infrastructure owners and operators, especially those in the healthcare and financial services industries.
Types of Attacks:
Authoritative Attacks:
- Amplification DDoS - The attacker sends short queries that elicit long responses (a query for a DNSSEC-signed name or for every record at a zone's apex is a few dozen bytes, while the answer can run to thousands), so that a small amount of attacker bandwidth becomes a flood at the target and crowds out legitimate requests.
- Reflection DDoS - The attacker forges the target's IP address as the source of queries sent to DNS servers, typically open resolvers. Each resolver fetches the answer from the authoritative server and sends the response to the target, which never asked for it, so the attack traffic appears to come from legitimate DNS servers rather than from the attacker.
- Combination DDoS - In practice the two are combined: the attacker spoofs the target's address on short queries that require long responses, and the resolvers deliver the amplified responses to the target.
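As an added example (not from the original article), the following Python script models what an authoritative-server operator can do about the three attacks above: it measures the amplification each query type yields, flags source addresses whose traffic pattern is that of a spoofed reflection victim, and replays the same log through a response rate limiter. The limiter's respond/slip/drop behaviour is modelled on the response rate limiting (RRL) feature found in authoritative servers, as an assumption about a reasonable design rather than any product's implementation; the log lines, addresses and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed authoritative-server query log (not real traffic):
# (timestamp_sec, client_ip, qname, qtype, query_bytes, response_bytes).
# Normal clients ask varied questions and get modest answers.
SAMPLE_LOG = [
    (0.00, "198.51.100.7", "www.example.org", "A", 60, 76),
    (0.05, "198.51.100.7", "mail.example.org", "MX", 62, 98),
    (0.40, "192.0.2.33", "www.example.org", "AAAA", 60, 88),
    (2.10, "192.0.2.33", "example.org", "ANY", 64, 3200),
]
# A reflection burst: 30 identical ANY queries within one second whose source
# address is the spoofed victim 203.0.113.9; each 64-byte query elicits a
# 3200-byte answer that the server dutifully sends to the victim.
SAMPLE_LOG += [(1.0 + i * 0.01, "203.0.113.9", "example.org", "ANY", 64, 3200)
               for i in range(30)]


def amplification_factor(records):
    """Bytes sent per byte received, overall and per query type: the
    amplification an abuser obtains from each kind of question."""
    sent, recv = defaultdict(int), defaultdict(int)
    for _ts, _src, _qname, qtype, qbytes, rbytes in records:
        sent[qtype] += rbytes
        recv[qtype] += qbytes
    per_type = {t: sent[t] / recv[t] for t in sent}
    return sum(sent.values()) / sum(recv.values()), per_type


def find_reflection_victims(records, window=1.0, min_queries=20, min_factor=10.0):
    """Flag source addresses that, within one window, 'ask' the same one or
    two large questions over and over. A real client rarely does that; a
    spoofed victim being reflected onto looks exactly like that."""
    buckets = defaultdict(list)
    for ts, src, qname, qtype, qbytes, rbytes in records:
        buckets[(src, int(ts // window))].append((qname, qtype, qbytes, rbytes))
    victims = {}
    for (src, _slot), entries in buckets.items():
        if len(entries) < min_queries:
            continue
        factor = sum(e[3] for e in entries) / sum(e[2] for e in entries)
        distinct = len({(e[0], e[1]) for e in entries})
        if factor >= min_factor and distinct <= 2:
            victims[src] = {"queries": len(entries), "factor": round(factor, 1),
                            "distinct_questions": distinct}
    return victims


class ResponseRateLimiter:
    """Per-(client, question) response rate limiting, modelled on RRL:
    identical answers to one client are capped per second, and every
    `slip`-th suppressed answer is sent truncated (TC=1) instead of dropped,
    so a genuine client retries over TCP while a spoofed source, which never
    completes a TCP handshake, gets nothing amplified."""

    def __init__(self, responses_per_second=5, slip=2):
        self.limit = responses_per_second
        self.slip = slip
        self.sent = Counter()        # (key, second) -> answers already sent
        self.suppressed = Counter()  # key -> answers suppressed so far

    def decide(self, ts, client, qname, qtype):
        key = (client, qname.lower().rstrip("."), qtype)
        if self.sent[(key, int(ts))] < self.limit:
            self.sent[(key, int(ts))] += 1
            return "respond"
        self.suppressed[key] += 1
        if self.slip and self.suppressed[key] % self.slip == 0:
            return "slip"  # truncated reply: forces a TCP retry
        return "drop"


def apply_rrl(records, limiter=None):
    """Replay the log through the limiter and count what the server would do."""
    limiter = limiter or ResponseRateLimiter()
    decisions = Counter()
    for ts, src, qname, qtype, _qb, _rb in sorted(records):
        decisions[limiter.decide(ts, src, qname, qtype)] += 1
    return decisions


if __name__ == "__main__":
    overall, per_type = amplification_factor(SAMPLE_LOG)
    print(f"amplification: overall x{overall:.1f}, per type {per_type}")
    print("likely reflection victims:", find_reflection_victims(SAMPLE_LOG))
    print("with RRL applied:", dict(apply_rrl(SAMPLE_LOG)))
```

Run against the constructed log, the ANY queries show a fifty-fold amplification, the spoofed address is the only one flagged, and the limiter answers the first five identical questions in the burst, truncates every second suppressed one, and drops the rest. Disabling open recursion and minimizing response sizes reduce the amplification available in the first place; RRL limits how much of it an attacker can direct at any one victim.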
Caching Recursive Attacks:
- DNS Spoofing/Cache Poisoning - The attacker injects forged records into a DNS resolver's cache, for instance by racing the genuine answer with a spoofed response that matches the outstanding query's transaction ID and source port, so that the resolver returns an incorrect IP address for a domain to every client it serves until the forged record expires. This allows the attacker to divert traffic to a destination of their choosing.
- DNS Hijacking/Domain Theft - The attacker gains control of the target's domain name, either by stealing the owner's credentials at the registrar or DNS hosting provider or by exploiting a vulnerability in the registrar's system, and changes the domain's name servers or records. This allows the attacker to redirect DNS traffic to a different destination using records that are, from the protocol's point of view, entirely legitimate.
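The cache-poisoning entry above describes the attack; what a resolver does to resist it is easier to see in code. The following Python, added here and not part of the original article, validates an incoming response the way a hardened recursive resolver does: it rejects any response that does not match an outstanding query's transaction ID, server address and source port (the values a blind spoofer has to guess, which is why source-port randomization matters), it checks that the question answered is the question asked, and it refuses to cache records that fall outside the queried server's bailiwick, the check that stops a response about www.example.com from planting a record for some other zone. The query, responses and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed data (not captured traffic). The resolver has one query in
# flight: it asked server 192.0.2.53 for www.example.com/A from UDP source
# port 41237 with transaction ID 0x3f2a, and it knows that server is
# authoritative for the zone example.com.
PENDING = {
    (0x3F2A, "192.0.2.53", 41237): {"qname": "www.example.com", "qtype": "A",
                                    "zone": "example.com"},
}

# Responses are dicts; resource records are (owner name, type, rdata) tuples.
LEGIT_RESPONSE = {
    "txid": 0x3F2A, "server": "192.0.2.53", "port": 41237,
    "qname": "www.example.com", "qtype": "A",
    "answer": [("www.example.com", "A", "198.51.100.10")],
    "additional": [("ns1.example.com", "A", "192.0.2.1"),        # in-zone glue
                   ("www.bank.example", "A", "203.0.113.66")],   # not this server's to assert
}
# A blind spoof: the attacker guessed the transaction ID but not the port.
SPOOFED_RESPONSE = dict(LEGIT_RESPONSE, port=41000,
                        answer=[("www.example.com", "A", "203.0.113.66")])
# A response that matches the query's identifiers but answers a different question.
WRONG_QUESTION = dict(LEGIT_RESPONSE, qname="mail.example.com")


def in_bailiwick(name, zone):
    """True if `name` is `zone` or lies beneath it. The comparison is by
    label, so evilexample.com is not inside example.com."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


@dataclass
class Verdict:
    status: str
    reason: str
    cached: list = field(default_factory=list)
    discarded: list = field(default_factory=list)


def validate_response(pending, resp):
    """Accept a response only if it matches an outstanding query on server
    address, transaction ID and port, answers the same question, and carries
    no records from outside the queried server's zone. A real resolver also
    removes the pending entry on the first match so late spoofs are ignored."""
    key = (resp["txid"], resp["server"], resp["port"])
    query = pending.get(key)
    if query is None:
        return Verdict("rejected", "no outstanding query with this txid/server/port")
    if (resp["qname"].lower(), resp["qtype"]) != (query["qname"].lower(), query["qtype"]):
        return Verdict("rejected", "question section does not match the query")
    verdict = Verdict("accepted", "matched outstanding query")
    for rr in resp["answer"] + resp["additional"]:
        if in_bailiwick(rr[0], query["zone"]):
            verdict.cached.append(rr)
        else:
            verdict.discarded.append(rr)  # out-of-bailiwick: caching it would poison another zone
    return verdict


if __name__ == "__main__":
    for label, resp in [("legitimate", LEGIT_RESPONSE), ("spoofed", SPOOFED_RESPONSE),
                        ("wrong question", WRONG_QUESTION)]:
        v = validate_response(PENDING, resp)
        print(f"{label}: {v.status} ({v.reason}); cached={v.cached}; discarded={v.discarded}")
```

The bailiwick rule is the part practitioners most often overlook: even a genuine response from the right server must not be allowed to populate the cache with records for zones that server does not serve. DNSSEC validation adds a further, cryptographic check on top of these.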
Other Types of Attacks:
- DNS Tunneling - The attacker encodes non-DNS traffic (e.g., SSH, HTTP, or arbitrary TCP payloads) inside DNS queries and responses, typically by registering a domain and running its authoritative name server so that every query for a generated subdomain carries data out and every response carries data in. Since most DNS traffic passes freely through firewalls, this allows the attacker to deliver malware or exfiltrate information.
- Lookalike Domains - These are domain names registered either to deceive users outright or to catch typing errors (typosquatting). They visually resemble a legitimate domain name but differ in some small way, for instance a dropped or transposed letter, a digit in place of a letter, or a character substituted from a different alphabet (a homoglyph) that renders identically.
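Both of the last two attacks leave traces in resolver query logs, so the following Python (an added example, not the article's own code) triages a constructed log for both. Per registered domain it counts distinct subdomains and measures label length and entropy, which is how tunnelled payloads stand out from ordinary hostnames; per query it folds confusable characters (a small constructed subset of the Unicode confusables) and computes edit distance against a list of protected brands, decoding punycode labels first so that a Cyrillic letter cannot hide behind an xn-- prefix. The registered-domain helper simply takes the last two labels, a simplification of the Public Suffix List lookup real tooling performs; the thresholds, brand list and log lines are assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Confusable characters folded onto the ASCII letter they imitate. A small
# constructed subset; production tools use the full Unicode confusables data.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}


def decode_idn(name):
    """Turn punycode labels (xn--...) back into Unicode so homoglyphs are visible."""
    out = []
    for label in name.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        out.append(label)
    return ".".join(out)


def skeleton(name):
    """Canonical 'what it looks like' form of a name."""
    s = decode_idn(name.lower()).replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(qname):
    """Last two labels. Naive: real code consults the Public Suffix List."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def shannon_entropy(s):
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def find_tunneling(log, min_unique=20, min_label=30, min_entropy=3.0):
    """Group queries by registered domain and flag domains that receive many
    distinct, long or high-entropy subdomains: data is being carried in the
    question (and, for TXT/NULL answers, back in the response)."""
    per_domain = defaultdict(list)
    for qname, qtype in log:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) <= 2:
            continue
        sub = ".".join(labels[:-2])
        per_domain[registered_domain(qname)].append(
            (sub, max(len(lab) for lab in labels[:-2]), qtype))
    flagged = {}
    for domain, entries in per_domain.items():
        unique = {e[0] for e in entries}
        if len(unique) < min_unique:
            continue
        mean_label = sum(e[1] for e in entries) / len(entries)
        mean_entropy = sum(shannon_entropy(e[0]) for e in entries) / len(entries)
        bulk = sum(1 for e in entries if e[2] in ("TXT", "NULL")) / len(entries)
        if mean_label >= min_label or mean_entropy >= min_entropy:
            flagged[domain] = {"unique_subdomains": len(unique),
                               "mean_longest_label": round(mean_label, 1),
                               "mean_entropy": round(mean_entropy, 2),
                               "txt_null_ratio": round(bulk, 2)}
    return flagged


def find_lookalikes(log, brands, max_distance=1):
    """Match each queried registered domain against protected brands by
    confusable-folded skeleton and by edit distance; exact brand names pass."""
    hits = {}
    for qname, _qtype in log:
        reg = registered_domain(qname)
        if reg in brands:
            continue
        for brand in brands:
            if skeleton(reg) == skeleton(brand) or levenshtein(decode_idn(reg), brand) <= max_distance:
                hits[qname] = brand
                break
    return hits


# Constructed query log: (qname, qtype). Not captured traffic.
PROTECTED_BRANDS = ["example.org"]
SAMPLE_LOG = [("www.example.org", "A"), ("mail.example.org", "MX"),
              ("exmple.org", "A"),                                        # dropped letter
              ("examp1e.org", "A"),                                       # digit for letter
              ("\u0435xample.org".encode("idna").decode("ascii"), "A")]   # Cyrillic e, as punycode
# Tunnel traffic: 25 queries whose first label is 48 hex characters of payload.
SAMPLE_LOG += [(hashlib.sha256(str(i).encode()).hexdigest()[:48] + ".t.exfil.example", "TXT")
               for i in range(25)]

if __name__ == "__main__":
    print("tunneling:", find_tunneling(SAMPLE_LOG))
    print("lookalikes:", find_lookalikes(SAMPLE_LOG, PROTECTED_BRANDS))
```

On the constructed log the tunnel domain is the only one flagged, and the three lookalikes (missing letter, digit substitution, Cyrillic homoglyph in punycode form) all resolve to the protected brand while the brand's own hostnames pass. Edit-distance matching with a threshold of one also catches some legitimate neighbours, so in practice these hits feed a review queue or a Protective DNS block list rather than an automatic block.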
DNS as a Component of an Organization’s Security Strategy
Because DNS is critical to network connections, it is ubiquitous, and its universal deployment makes it an effective security mechanism. The DNS platform is already in use by all types of clients on the network, including on-premises, in the cloud, and all manner of IoT devices. Thus, any protection provided by DNS infrastructure benefits all clients that use that infrastructure for name resolution, regardless of the type of device.
Two other advantages of using DNS are scale and efficiency. DNS has evolved over decades to support massive networks like the Internet, so DNS security tools can handle a tremendous number of clients simultaneously. Name servers can load a large volume of data, whether that is authoritative data or threat data. Taking protective actions with DNS is also efficient: because DNS queries precede network communication streams, enforcing policy at the DNS layer means that malicious or suspicious communication streams never begin.
Protective DNS decreases malicious, suspicious and unauthorized traffic on a given network, which benefits the entire network infrastructure by alleviating the burden on other security elements, such as infrastructure components (e.g., firewalls) and human resources (e.g., the Security Operations Center).
Protective DNS
Protective DNS is a DNS service that is enhanced with security capabilities to analyze DNS queries and responses and take action to mitigate threats. It prevents the delivery of malware, ransomware, phishing, and other web-link-centric attacks that attempt to deliver spyware and viruses, and it blocks access to malicious websites.
Protective DNS can be provided as a service from a vendor, deployed on internal DNS infrastructure, or a combination of the two. There are potential benefits to using a combination of externally provided Protective DNS with internally deployed Protective DNS. While this approach may not be applicable in all cases, it is recommended that this combined hybrid scheme is utilized where feasible.
The outcomes of deploying Protective DNS should include:
- Block or redirect harmful traffic in real time at the point of domain name resolution, typically before malicious activity starts.
- Block categories of traffic with DNS, via the categorization of domain names that do not conform to an organization’s policies or matching against known bad actor lists.
- Deliver visibility into real-time and historical DNS query and response data to facilitate digital forensics and incident response.
- Integrate with the wider security ecosystem as part of defense in depth; such as correlating an organization’s data on assets -- devices and cloud workloads -- and users with the IP addresses of blocked queries.
- Facilitate an organization’s responsibility to comply with regulatory or contractual requirements for blocking traffic to disallowed sites -- copyright violations, legal restrictions, etc.
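The following Python, an added example rather than code from the article or from any vendor, shows the mechanics behind those outcomes as a small policy engine modelled on the response policy zone (RPZ) idea: named triggers with exact and wildcard matching, the NXDOMAIN, NODATA, REDIRECT-to-sinkhole and PASSTHRU actions, most-specific-rule precedence so that an analyst exception can override a threat feed, and a log that can be joined against an asset inventory by client address. The policy, sinkhole address and upstream answers are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed policy in the spirit of an RPZ: a trigger is an exact domain or
# a "*.suffix" wildcard; an action is NXDOMAIN (pretend the name does not
# exist), NODATA (name exists, no answer), REDIRECT to a sinkhole address
# that records what connects, or PASSTHRU to exempt a name from a broader
# rule. Each rule records where it came from, for the analyst's benefit.
POLICY = [
    ("*.bad.example", "NXDOMAIN", "malware-c2-feed"),
    ("bad.example", "REDIRECT", "malware-c2-feed"),
    ("allowed.bad.example", "PASSTHRU", "analyst-exception"),
    ("tracker.example", "NODATA", "policy:adware"),
    ("*.casino.example", "NXDOMAIN", "policy:gambling"),
]
SINKHOLE = "10.0.0.5"   # assumption: an internal host that logs every connection

# Constructed upstream answers standing in for real recursion.
UPSTREAM = {("www.example.org", "A"): ["198.51.100.20"],
            ("allowed.bad.example", "A"): ["198.51.100.21"],
            ("c2.bad.example", "A"): ["203.0.113.66"],
            ("bad.example", "A"): ["203.0.113.67"],
            ("tracker.example", "A"): ["203.0.113.68"]}


def match_rule(policy, qname):
    """Most specific trigger wins: an exact name beats any wildcard, and a
    wildcard on a longer suffix beats one on a shorter suffix. As in RPZ,
    '*.bad.example' does not match the apex 'bad.example' itself."""
    name = qname.lower().rstrip(".")
    rules = {trigger: (action, source) for trigger, action, source in policy}
    if name in rules:
        return name, rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):          # parent suffixes, longest first
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return wildcard, rules[wildcard]
    return None, ("PASSTHRU", None)


@dataclass
class ProtectiveResolver:
    policy: list
    upstream: dict
    log: list = field(default_factory=list)

    def resolve(self, ts, client, qname, qtype="A"):
        """Return (rcode, answer addresses) and record the decision."""
        trigger, (action, source) = match_rule(self.policy, qname)
        if action == "PASSTHRU":
            answer = self.upstream.get((qname.lower(), qtype), [])
            rcode = "NOERROR" if answer else "NXDOMAIN"
        elif action == "NXDOMAIN":
            rcode, answer = "NXDOMAIN", []
        elif action == "NODATA":
            rcode, answer = "NOERROR", []
        elif action == "REDIRECT":
            rcode, answer = "NOERROR", [SINKHOLE]
        else:
            raise ValueError(f"unknown action {action}")
        self.log.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype,
                         "action": action, "trigger": trigger, "source": source})
        return rcode, answer

    def blocked_by_client(self):
        """Forensics view: which clients tried to reach which blocked names,
        keyed by client address so it can be joined to an asset inventory."""
        out = defaultdict(list)
        for entry in self.log:
            if entry["action"] != "PASSTHRU":
                out[entry["client"]].append((entry["qname"], entry["action"], entry["source"]))
        return dict(out)


if __name__ == "__main__":
    resolver = ProtectiveResolver(POLICY, UPSTREAM)
    for ts, client, name in [(1, "10.1.1.5", "www.example.org"), (2, "10.1.1.5", "c2.bad.example"),
                             (3, "10.1.1.5", "bad.example"), (4, "10.1.1.9", "allowed.bad.example"),
                             (5, "10.1.1.9", "tracker.example"), (6, "10.1.1.9", "deep.c2.bad.example")]:
        print(client, name, "->", resolver.resolve(ts, client, name))
    print("blocked by client:", resolver.blocked_by_client())
```

The choice between NXDOMAIN and REDIRECT matters operationally: NXDOMAIN stops the connection cleanly, while a sinkhole address makes the infected host reveal itself by connecting, which is the visibility the forensics outcome above depends on.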
Protecting the DNS Protocol
If a DNS server is compromised, there is little limit to the amount of short- or long-term damage that can be inflicted, often while avoiding detection. To that end, it is crucial to prevent bad actors from using DNS as a threat vector. There are two equally important halves to accomplishing this: protecting internal and external authoritative and recursive DNS services against threats, and the use of encrypted DNS and authentication to protect privacy and confidentiality.
The DNS protocol refers to the standardized communications carrying DNS information between networked entities. Securing the DNS protocol itself is a well-studied problem with tested mitigation methods available.
DNSSEC is one such method: a standardized set of extensions that add digital signatures to DNS data, so that a validating resolver can verify that a response is authentic and unaltered (origin authentication and data integrity) and reject spoofed or poisoned answers. It should be noted that DNSSEC, while invaluable for securing DNS communications, is only one part of the wider idea of “DNS Security” and must be implemented alongside other best practices. It must also be noted that DNSSEC provides no privacy protection such as encryption: a signed response is still readable by anyone on the path. Those capabilities are provided by technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ), which encrypt the channel between a client and its resolver.
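The delegation side of DNSSEC, the way a parent zone vouches for a child zone's key, is concrete enough to show in code. The following Python (an added example, not part of the article) computes a DNSKEY's key tag and its DS record as RFC 4034 specifies, then performs the check a validating resolver makes at every delegation: recompute the DS from the child's DNSKEY and compare it with the DS the parent publishes. Any change to the key or to the owner name breaks the match. The key bytes are a constructed placeholder, not real key material, and the block covers integrity only; as the paragraph says, nothing here hides the records from an observer.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels
    followed by the root terminator."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += struct.pack("!B", len(label)) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags (257 = key-signing key, 256 = zone-signing
    key), protocol (always 3), algorithm number, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold the carry in
    once, keep the low 16 bits. A key tag is a lookup hint, not a security
    property: two distinct keys can share a tag."""
    acc = 0
    for i in range(0, len(rdata), 2):
        acc += rdata[i] << 8 | (rdata[i + 1] if i + 1 < len(rdata) else 0)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA).
    Digest type 1 is SHA-1 (deprecated), 2 is SHA-256, 4 is SHA-384."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, flags, algorithm, public_key, digest_type=2):
    """The (key tag, algorithm, digest type, digest) tuple the parent publishes."""
    rdata = dnskey_rdata(flags, 3, algorithm, public_key)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner, flags, algorithm, public_key):
    """What a validating resolver does at a delegation: recompute the DS from
    the child's DNSKEY and compare it with the DS published by the parent."""
    tag, alg, dtype, digest = ds
    rdata = dnskey_rdata(flags, 3, algorithm, public_key)
    return (tag == key_tag(rdata) and alg == algorithm
            and digest == ds_digest(owner, rdata, dtype))


# Constructed placeholder key material (not a real key): 64 bytes derived from
# a fixed string stand in for the public key of an algorithm 13 (ECDSA P-256)
# key-signing key for example.org.
EXAMPLE_KEY = hashlib.sha512(b"placeholder DNSKEY for example.org").digest()
EXAMPLE_DS = ds_record("example.org", 257, 13, EXAMPLE_KEY)

if __name__ == "__main__":
    tag, alg, dtype, digest = EXAMPLE_DS
    print(f"example.org. IN DS {tag} {alg} {dtype} {digest}")
    tampered = bytes([EXAMPLE_KEY[0] ^ 1]) + EXAMPLE_KEY[1:]
    print("DS matches genuine key:", ds_matches_dnskey(EXAMPLE_DS, "example.org", 257, 13, EXAMPLE_KEY))
    print("DS matches tampered key:", ds_matches_dnskey(EXAMPLE_DS, "example.org", 257, 13, tampered))
```

The same recomputation is what an operator should do before and after a key rollover: if the DS at the parent does not match the DNSKEY the child serves, validating resolvers will treat the whole zone as bogus, which is the most common self-inflicted DNSSEC outage.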
Protecting the DNS Service and Infrastructure
DNS software must run on some existing host platform, which includes the hardware, firmware, and software that is required for DNS services to operate. A compromise of any of these results in a potential compromise of the DNS service, which can cascade into significant operational failures or loss of integrity and confidentiality. In this context, securing the platform and host refers to following the relevant best practices for securely deploying the non-DNS components that DNS relies on.
Cyber criminals and other actors seek to amplify the disruption of any incident by attacking the systems that host mission-critical services, with a preference for targets hosting several such components at once. To ensure cyber resiliency it is recommended to limit the coexistence of multiple mission-critical services on a single system; keeping them separate ensures that the compromise or failure of one does not take the others down with it. It is also recommended that the infrastructure hosting DNS services be dedicated to that task and hardened for it, to reduce the attack surface and to ensure that adequate system resources remain available to the DNS service.
DNS is a core network service, so the resiliency of the DNS service is critical to business continuity. This can be accomplished through network and geographic dispersion of servers and by implementing best practices for server backups and recovery.
DNS Security and the NIS 2 Directive
In December 2022, the NIS 2 Directive (Directive (EU) 2022/2555) was published in the Official Journal of the European Union. It aims to enhance cybersecurity across the EU by managing cybersecurity risks and minimizing the impact of incidents. NIS 2 mandates that entities classified as “essential” or “important”, encompassing various types of critical infrastructure, adopt several cybersecurity best practices.
These practices include incident handling, supply chain security, vulnerability management and disclosure, the use of cryptography, business continuity planning, and basic cyber hygiene measures such as multi-factor authentication, secure authentication protocols, and training.
Regarding DNS, point 6.7.2 of the Annex to the European Commission's Implementing Regulation of 17 October 2024 (Implementing Regulation (EU) 2024/2690) requires relevant entities to “apply best practices for the security of the DNS.” This means that many essential and important entities will likely need to implement DNS security practices. Additionally, ENISA is currently incorporating public feedback to refine its Implementing Guidance on the regulation, with plans to release the updated guidance later this year.
Member States are in the process of transposing the directive into national law, although many have experienced delays and have missed the transposition deadline of 18 October 2024.