A modern business relies on its digital infrastructure. From applications to email, your domain is the foundation of daily operations. Increasingly, malicious actors target DNS infrastructures to cripple organization’s services. For example, in June 2024, Vercara found a 288% month-over-month increase in Distributed Denial of Service (DDoS) attacks, setting an all-time record by identifying 55,630 of them. In response to these attacks, organizations need to incorporate DNS security into their overarching security program more purposefully, especially as more industry standards and compliance mandates incorporate DNS specifically.
By understanding how DNS security fits into your compliance program, you can create a more comprehensive approach to monitoring and documentation to achieve audit objectives.
What is DNS security?
DNS security focuses on mitigating cybersecurity risk to the organization’s DNS infrastructure and limiting business interruption costs from a service outage. Since DNS translates human language internet requests into IP addresses, service disruption means that users will be unable to access the digital infrastructure.
Attackers may target either of DNS infrastructure’s two primary components:
- Authoritative server: contains all information about IP addresses and any updates made to them
- Recursive server (DNS resolver): retrieves IP information from authoritative server and responds to the initial request
Attacks against authoritative servers may include:
- Reconnaissance: trying to gain information about a target environment by using publicly available information
- Unauthorized update: inserting unauthorized DNS records into the DNS zone
- Subdomain attack: type of distributed denial of service (DDoS) attack sending high volumes of requests for subdomains that may or may not exist that interrupt DNS lookups
Attacks against DNS resolvers may include:
- Cache poisoning: corrupting the DNS cache with false information to divert requests to malicious websites
- NXDOMAIN (phantom domain): sending high volumes of queries to nonexistent recursive name servers to slow down the responses
Other attacks targeting the DNS infrastructure include:
- DNS amplification: type of DDoS attack sending high volumes of requests DNS name lookup requests to an open DNS server so that the server sends the targets a spoofed or malicious response
- DNS tunneling: sophisticated methodology using the DNS protocol to sneak through firewalls and route queries to a malicious command and control (C2) server
What compliance frameworks discuss DNS security?
While DNS security is critical to maintaining business operations and reputation, you may not realize that many compliance frameworks and mandates incorporate it.
National Institute of Standard and Technology (NIST) Cybersecurity Framework (CSF).
The updated NIST CSF 2.0 created a new Category name, Technology Infrastructure Resilience (PR.IR), which contains the following Subcategory:
PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
NIST CSF notes the following implementation examples:
- Ex1: Avoid single points of failure in systems and infrastructure
- Ex2: Use load balancing to increase capacity and improve reliability
- Ex3: Use high-availability components like redundant storage and power supplies to improve system reliability
Payment Card Industry Data Security Standard (PCI DSS) 4.0.
When the Payment Card Industry Security Standards Council (PCI SSC) updated their standard, they included DNS servers as one of several server types that require monitoring. Additionally, they included a special requirement directed at service providers:
11.5.1.1 Additional requirement for service providers only: Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert
PCI explains in the requirement’s guidance that:
DNS queries and responses are a key data source used by network defenders in support of incident response as well as intrusion discovery.
International Organization for Standardization (ISO) 27002-2022.
In ISO’s update to its 27002 standard, it noted under “8.15 Logging” that log analysis should include monitoring for anomalous behavior by:
- reviewing successful and unsuccessful attempts to access protected resources [e.g., domain name system (DNS) servers,
- checking DNS logs to identify outbound network connections to malicious servers, such as those associated with botnet command and control servers;
4 Best Practices for DNS Security.
Today, compliance violations can often have long-tail repercussions, especially if an organization experiences a data breach. To improve your compliance and security posture, your DNS security should be a priority, especially when you need to maintain continued business operations to mitigate financial risks.
1. Create block lists.
To control traffic, you should implement block lists to deny known malicious connections or traffic. Block lists may be based on:
- Fully qualified domain name (FQDN)
- Domain
- IP address
- CIDR network block
Block lists enable to mitigate phishing risk by blocking risky connections that attackers use for:
- Delivering malware and ransomware
- Using a C2 server
- DNS tunneling
- Botnets
For example, if a user types in www.example.com, the DNS server compares that URL to the information it contains, like IP address. If it finds a match on the block list, it will prevent the connection and forward the user to a different website.
2. Incorporate DNS threat intelligence data.
DNS-focused threat intelligence can help you identify new domains malicious domains based on relationships between indicators, like:
- Executable files
- Links to other files with malicious content
- Phishing sites
If you automate your block list updates, you can use these data points to mitigate risk and prevent users from communicating with attacker infrastructures.
3. Monitor for DDoS attacks.
By monitoring for a potential DDoS attack, you can implement security controls that protect your organization and data. Some examples of mitigations might include designing activity triggers based on bits per second or packets per second thresholds to automate:
- DNS redirections
- Updating Border Gateway Protocol (BGP) service configurations
4. Incorporate DNS Log into security monitoring tools.
As threat actors continue to target DNS, you should incorporate the monitoring into your overarching cybersecurity monitoring tool, like a security information and event management (SIEM) or security orchestration and response (SOAR) solution. This will help you correlate DNS security data with other network and endpoint monitoring data, like firewalls and anti-malware signals.
DNS Security for improved compliance with Vercara.
Vercara’s suite of DNS solutions enables you to build a secure, reliable, and scalable digital infrastructure. Our managed DNS services enable organizations of all sizes to implement enterprise-grade, authoritative DNS and proactive cyber threat detection at the DNS layers. For organizations managing their own DNS infrastructure, our hosted DNS transforms online experiences to provide the security, performance, and availability necessary for achieving mission-critical compliance objectives.
