Updated January 17, 2018
Securing your company's online presence includes DNS security: protecting the domain name system (DNS) servers that answer for your domains and the DNS records that describe them. Understanding how DNS works and what role servers and records play in your security is a great first step to keeping your site and email safe online.
A domain name server, or DNS server, is the first point of contact between web clients and the sites they want to reach: before a browser can connect to a site, it has to ask DNS where that site is. DNS is an Internet protocol whose job is to turn human-readable domain names into the numeric IP addresses that hosts use to reach one another on the network.
Think of DNS as a zipcode or postcode. It lets people get things to and from you without knowing your house's or apartment's exact latitude and longitude.
DNS is a vital part of your website's presence and accessibility. Anyone trying to reach your website over the Internet will be unable to do so if your DNS is not working properly. If DNS fails, visitors never reach your web server at all: instead of a page, or even an HTTP error such as "404 Page Not Found" (which can only come from a web server that was actually reached), their browser reports that the site's address could not be found or that the server's DNS address could not be resolved.
What is the Definition of DNS?
DNS is the domain name system that makes it possible for us to have URLs like https://www.knownhost.com instead of https://22.214.171.124 (IPv4) or https://[2400:cb00:2048:1::6814:2ee] (IPv6; an IPv6 literal in a URL has to be wrapped in square brackets). Imagine trying to remember the IP addresses for Amazon, eBay, Facebook, your company website, and the hundreds of others whose names you know by heart and can easily remember as domain names!
Although DNS is a system, most people immediately think of DNS as a domain name server, because nameservers are the part you often control directly. The domain name system behind the scenes includes the root servers and many other synchronized servers which keep the 'big picture' of the Internet running. That system is how our computers know where to go to check whether a name exists and which server is responsible for mapping that name to a numeric address.
What Types of DNS are There?
The domain name system is designed to cope with infrastructure failures. To limit the effect of a failure of your primary DNS servers, redundant systems can be put in place. The three most common ways of making sure DNS keeps working for you are a secondary DNS server, a failover system and separate external (and internal) DNS.
Secondary DNS is just what the name suggests: a second, independent authoritative server, usually on a separate network from your primary DNS, set up to provide redundancy for your primary nameserver. It holds a copy of your zone, normally obtained from the primary through zone transfers (AXFR for a full copy, IXFR for incremental changes), so if something goes wrong with the primary, the secondary can still answer every query for your domain. Servers that act as primary for some domains are often secondary for others, and they are usually placed in different geographical locations. One check worth doing: zone transfers should be allowed only to your own secondaries (by address and, better, with a TSIG key), because an open AXFR hands anyone a complete listing of your zone.
DNS failover is a service in which the DNS host runs independent monitoring nodes that periodically check whether the servers your records point to (and the nameservers themselves) are responding. If a server is found to be unresponsive, it is removed from the set of addresses that the records return, and the updated records are published. Two details make this work in practice: the records involved must carry a short TTL, since a failover only takes effect once resolvers' cached copies of the old answer expire, and the monitoring is carried out from multiple nodes in diverse geographical locations so that local network trouble at a single monitoring point does not trigger a false failover.
While not strictly a method of ensuring permanent DNS availability, running separate external and internal DNS servers (often called split-horizon DNS) is an important aspect of DNS security. DNS servers can reveal a great deal about your network (internal hostnames, private addresses, the naming of database and management hosts), which is extremely helpful to your own systems staff. For security reasons that information should not be available to outsiders. The usual design is a dual-server implementation: internal DNS servers answer queries from inside the network with the full zone, while separate external DNS servers offer a reduced version of the zone, containing only public names and public addresses, to the outside world. When designing such a system, remember that internal and external clients take different paths when resolving a name. A client inside the network asks the internal servers and is answered locally; a remote client's resolver follows the public delegation chain from the root servers down to your external nameservers, and sees only what those external servers publish. The external servers should be authoritative only, not open recursive resolvers, since an open resolver can be abused for amplification attacks and cache poisoning.
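The failover logic described above, as an added example that is not part of the original post: several monitoring nodes probe each origin host behind a record, a host is dropped from the published answer only when a majority of vantage points agree it is down, and the records are built with a short TTL. Hostnames, addresses and probe results are constructed for illustration; a real monitor would fill ProbeResult from HTTP or TCP checks run on each node.

```python
"""Added example, not from the original post: the decision logic of a
multi-vantage DNS failover monitor. Hostnames, addresses and probe results are
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeResult:
    vantage: str    # monitoring node that ran the check, e.g. "fra", "nyc"
    host_ip: str    # origin host behind the record that was probed
    healthy: bool   # True if the check (e.g. HTTP 200 within the timeout) passed


def healthy_hosts(results, min_vantages=3):
    """Return the host IPs that a majority of vantage points consider up.

    A host is dropped only when more than half of the probes against it failed,
    so a single monitoring node with local network trouble cannot trigger a
    failover by itself. Refuses to decide at all if too few vantage points
    reported, since a verdict from one or two observers is not trustworthy.
    """
    vantages = {r.vantage for r in results}
    if len(vantages) < min_vantages:
        raise ValueError(
            f"only {len(vantages)} vantage point(s) reported; need {min_vantages}")
    votes = {}  # host_ip -> (ok_count, total_count)
    for r in results:
        ok, total = votes.get(r.host_ip, (0, 0))
        votes[r.host_ip] = (ok + int(r.healthy), total + 1)
    return {ip for ip, (ok, total) in votes.items() if ok * 2 > total}


def build_a_records(name, all_hosts, up_hosts, ttl=60):
    """Build the A records to publish after a monitoring round.

    The TTL is deliberately short: a failover only takes effect once resolvers'
    cached copies of the old answer expire. If every host looks down, the full
    set is kept rather than publishing an empty answer, because a monitoring
    outage is the likelier explanation and an empty answer guarantees an outage.
    """
    chosen = sorted(up_hosts) if up_hosts else sorted(all_hosts)
    return [(name, ttl, "A", ip) for ip in chosen]


# Constructed sample round: host .20 is unreachable from two of three nodes.
HOSTS = ["203.0.113.10", "203.0.113.20"]
SAMPLE_ROUND = [
    ProbeResult("fra", "203.0.113.10", True),  ProbeResult("fra", "203.0.113.20", True),
    ProbeResult("nyc", "203.0.113.10", True),  ProbeResult("nyc", "203.0.113.20", False),
    ProbeResult("sgp", "203.0.113.10", True),  ProbeResult("sgp", "203.0.113.20", False),
]


def failover_round(results=SAMPLE_ROUND, name="www.example.com"):
    """Run one monitoring round and return the records that should be published."""
    return build_a_records(name, HOSTS, healthy_hosts(results))


if __name__ == "__main__":
    for rr in failover_round():
        print(*rr)
```

The majority rule and the minimum number of vantage points are the two knobs that decide how quickly a dead host is pulled versus how easily a monitoring glitch causes a false failover; a real service tunes both, and typically requires several consecutive failed rounds before acting.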
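The split-horizon design described above, as an added example that is not part of the original post: a minimal two-view authoritative lookup in pure Python. Production nameservers do this with views and ACLs (BIND views, or physically separate internal and external server pairs); the logic is the same: choose the zone data by the client's source network, and audit that the external copy never hands out internal addresses. Zone names and addresses are constructed for illustration.

```python
"""Added example, not from the original post: the core of a split-horizon
("two view") authoritative lookup. Names and addresses are constructed."""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Internal view: the full picture, including private addresses and hosts that
# have no public face at all.
INTERNAL_ZONE = {
    "www.example.com.":      ("A", "10.0.5.10"),
    "mail.example.com.":     ("A", "10.0.5.25"),
    "db1.example.com.":      ("A", "10.0.5.20"),
    "intranet.example.com.": ("A", "10.0.5.30"),
}
# External view: only the names outsiders need, only public addresses.
EXTERNAL_ZONE = {
    "www.example.com.":  ("A", "203.0.113.10"),
    "mail.example.com.": ("A", "203.0.113.25"),
}


def view_for(client_ip):
    """'internal' if the query came from one of our networks, else 'external'."""
    ip = ipaddress.ip_address(client_ip)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def resolve(qname, client_ip):
    """Answer a query the way the matching view would: (view, rcode, rdata)."""
    qname = qname.lower().rstrip(".") + "."   # canonical, fully qualified
    view = view_for(client_ip)
    zone = INTERNAL_ZONE if view == "internal" else EXTERNAL_ZONE
    rr = zone.get(qname)
    if rr is None:
        return (view, "NXDOMAIN", None)     # the name does not exist in this view
    return (view, "NOERROR", rr)


def leaked_records(external_zone=EXTERNAL_ZONE):
    """Audit check to run before publishing: external A records whose address
    belongs to an internal network would reveal private addressing to the world."""
    leaks = []
    for name, (rtype, rdata) in external_zone.items():
        addr = ipaddress.ip_address(rdata) if rtype == "A" else None
        if addr is not None and any(addr in net for net in INTERNAL_NETS):
            leaks.append(name)
    return leaks


if __name__ == "__main__":
    print(resolve("db1.example.com", "10.0.1.5"))       # internal: answered
    print(resolve("db1.example.com", "198.51.100.7"))   # external: NXDOMAIN
    print("leaks in external view:", leaked_records())
```

The deciding input is the client's source address as seen by the server, so the "internal" networks must be ones that cannot be spoofed from outside (RFC 1918 ranges with ingress filtering at the edge); if the external servers also accept queries from internal hosts, those hosts simply get the public answer, which is harmless, whereas the reverse (an outsider reaching the internal view) is the leak this design exists to prevent.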
What is DNSSEC and Why is it Important?
Forging DNS answers, whether by poisoning a resolver's cache, hijacking a nameserver or tampering with the records held at the registrar, is one of the more popular ways attackers compromise otherwise secure systems, because traffic then flows to a server they control. It would be no different from someone hijacking your local post office and swapping the zipcode directory around: suddenly important mail would be misdirected, and that new big-screen television you bought online would be delivered to someone a thousand miles away!
Realizing that DNS was a critical link in the chain, the Internet community developed DNSSEC, short for DNS Security Extensions, as an IETF standard, and the Internet Corporation for Assigned Names and Numbers, or ICANN (a nonprofit organization responsible for coordinating the maintenance and procedures of several databases related to the Internet's namespaces), coordinated the signing of the root zone in 2010 so that a chain of trust could extend from the root down to individual domain names.
To quote ICANN, “DNSSEC is a technology that was developed to, among other things, protect against such attacks by digitally ‘signing’ data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup from root zone to final domain name (e.g., www.icann.org). Signing the root (deploying DNSSEC on the root zone) is a necessary step in this overall process. Importantly it does not encrypt data. It just attests to the validity of the address of the site you visit.”
They continue to explain, “Full deployment of DNSSEC will ensure the end user is connecting to the actual web site or other service corresponding to a particular domain name. Although this will not solve all the security problems of the Internet, it does protect a critical piece of it – the directory lookup…”.
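The "each step in the lookup from root zone to final domain name" that ICANN describes is a chain of delegations, and the link between any parent and child is the DS record. As an added example that is not part of the original post or of any DNSSEC implementation, the block below computes a DS record and its key tag the way RFC 4034 specifies (section 5 and Appendix B), and shows a validator rejecting a DNSKEY that does not match the parent's DS. The key bytes are a constructed stand-in, not a real key, no real DS value appears, and RRSIG signature checking, the other half of validation, is not implemented.

```python
"""Added example, not from the original post: the parent-to-child link in the
DNSSEC chain of trust. The parent publishes a DS record containing a hash of the
child's key-signing DNSKEY; a validator walking down from the root checks at each
delegation that the DS it trusts matches the DNSKEY it finds in the child.
Key material below is a constructed stand-in, not a real key."""
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label. DS digests are computed over this form, so
    Example.COM and example.com yield the same digest."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = zone key + SEP), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag. It is a checksum, not a hash: two keys can
    share a tag, so it only helps a validator pick which keys to try."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex), the DS the parent publishes.
    Digest type 2 is SHA-256 over the owner name in wire form followed by the DNSKEY RDATA."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def delegation_matches(parent_ds, owner, flags, protocol, algorithm, public_key):
    """Validator's check at a delegation: recompute the DS from the DNSKEY served
    by the child and compare it with what the parent published. Any change to the
    key, flags or algorithm changes the digest and breaks the chain."""
    return ds_record(owner, flags, protocol, algorithm, public_key, parent_ds[2]) == parent_ds


# Constructed 64-byte stand-in for an ECDSA P-256 public key (algorithm 13).
GENUINE_KEY = bytes(range(64))
FORGED_KEY = bytes(range(1, 65))   # what a hijacked child zone might serve instead


def demo(owner="example.com."):
    """Parent computes DS from the genuine KSK; the validator accepts the genuine
    key and rejects the forged one. Returns (ds, genuine_ok, forged_ok)."""
    ds = ds_record(owner, 257, 3, 13, GENUINE_KEY)
    return (ds,
            delegation_matches(ds, owner, 257, 3, 13, GENUINE_KEY),
            delegation_matches(ds, owner, 257, 3, 13, FORGED_KEY))


if __name__ == "__main__":
    ds, ok, forged = demo()
    print(f"example.com. IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    print("genuine key accepted:", ok, "| forged key accepted:", forged)
```

This is why an attacker who hijacks a zone's nameservers cannot simply substitute their own signing key: the DS in the parent zone, signed in turn by the parent's key up to the root, pins the child's key. It is also the step most often broken by operators themselves, since rolling the KSK without updating the DS at the registrar leaves a mismatch that validating resolvers treat as a failure (SERVFAIL) for the whole zone.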
You can see how this can be implemented via instructions on the Internet Society page.
If you’d like to read more DNSSEC explanations and details, Wikipedia actually has a very informative and thoroughly detailed page on DNSSEC.
If you’d like a hand with implementing this or have a question or concern, and are a KnownHost client – please remember all our plans are fully managed and we’d be glad to assist you – just contact our support team and we’ll be happy to help!