<\/p>\n
Securing your company presence online includes DNS security<\/strong> (securing the domain name system (DNS) servers serving you and DNS records about you).\u00a0 Understanding how DNS works and what role servers and records<\/strong> play in your security is a great first step to keeping your site and email safe online<\/strong>.<\/p>\n <\/p>\n A domain name server, or DNS server, is the first point of contact between potential web clients and the sites they connect to, in order to find specific services. DNS is an Internet protocol whose job is to turn alphanumeric domain names into numeric IP addresses<\/strong> that are used by servers to identify each other on the network.<\/p>\n <\/p>\n Think of DNS as a zipcode or postcode.\u00a0 It enables people to get things to and from you, without actually knowing your house or apartment exact latitude and longitude.<\/p>\n <\/p>\n DNS is a vital point of your website’s presence and accessibility. Anyone trying to reach your website over the Internet will not be able to do so if your DNS is not working properly.\u00a0 If DNS fails<\/strong>, people trying to reach you will receive the dreaded, “404 Page Not Found<\/strong>” message.<\/p>\n <\/p>\n <\/p>\n <\/p>\n DNS is the domain name system<\/strong> that makes it possible for us to have URL’s<\/strong> like knownhost.com<\/a><\/strong>\u00a0 instead of https:\/\/67.222.0.5 (IPV4) or https:\/\/2400:cb00:2048:1::6814:2ee (IPV6).\u00a0 Imagine trying to remember the IP addresses for Amazon, eBay, Facebook, your company website, and the hundreds of others whose names you know by heart and can easily remember as domain names!<\/p>\n <\/p>\n Although DNS is a system, most people immediately think of DNS as a domain name server<\/strong> – because nameservers are the things you often control directly yourself<\/strong>.\u00a0 The domain name system behind the scenes includes root servers and numerous other synchronized servers which keep the ‘big picture’ of the internet running well.\u00a0 That system is how our computers know where to go to see if an address is valid or which server is responsible for remembering our numeric address to domain name mapping<\/strong>.<\/p>\n <\/p>\n <\/p>\n <\/p>\n The domain name system is designed in a way that will be able to cope with infrastructure failures.\u00a0 In order to mitigate the effects of possible failure of the primary DNS system, multiple redundant systems can be installed. The three<\/strong> most popular methods of ensuring DNS is working<\/strong> for you properly are the use of secondary DNS server, failover system and external DNS<\/strong>.<\/p>\n <\/p>\n Secondary DNS<\/b> is just what the name suggests; it\u2019s a secondary, independent server, usually located on a separate network than your primary DNS. It is setup to provide the redundancy<\/strong> for your primary nameservers. If something goes wrong with your primary nameserver, the secondary nameserver should be able to answer all the requests for your website. Servers that serve as primary nameservers for some domains are at the same time secondary for others, and are usually located in different geographical locations.<\/p>\n <\/p>\n DNS failover<\/b> is a method in which the DNS hosting company implements a system that supervises the servers in a way that independent nodes periodically check nameserver responsiveness<\/strong>. If during such monitoring process a server is found to be non-responsive, it is removed from the set of servers, and new DNS records are propagated throughout the system. \u00a0To ensure that local network conditions do not influence the monitoring process, it is usually carried out by multiple nodes in diverse geographical locations.<\/p>\n <\/p>\n While not to be seen strictly as a method of ensuring permanent DNS accessibility, use of separate external and internal DNS<\/b> servers is a very important aspect of DNS security. DNS servers can provide a wealth of information about your network, which is extraordinarily helpful to the internal systems management personnel. For security reasons, that information should not be made accessible to any outsiders. The best way to do that is to design a dual server implementation, with internal DNS<\/strong> clients serving the requests from within the system, while offering a limited version of the information to the outside world through the separate, external DNS servers. When designing such system, the most important thing to remember is that internal and external DNS clients take different paths in resolving DNS queries. If the client is local, the requests will be resolved locally<\/strong>; if the client is remote, the requests will be resolved according to the root name servers.<\/p>\n <\/p>\n <\/p>\n <\/p>\n Hijacking DNS servers<\/strong> is one of the more popular ways hackers can compromise secure systems.\u00a0 It would be no different than someone hijacking your local post office and swapping the zipcode directory around.\u00a0 Suddenly, important mail would be misdirected to the wrong address which would mean that new big screen television you bought online would be delivered to someone a thousand miles away<\/strong>!<\/p>\n <\/p>\n Realizing that DNS servers were a critical link in the chain,\u00a0the Internet Corporation for Assigned Names and Numbers, or ICANN<\/a> (a nonprofit organization responsible for coordinating the maintenance and procedures of several databases related to the namespaces) implemented DNSSEC – short for DNS Security Extensions<\/strong>.<\/p>\n <\/p>\n To quote ICANN, “DNSSEC<\/abbr>\u00a0is a technology that was developed to, among other things, protect against such attacks by digitally ‘signing’ data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup from root zone to final domain name (e.g., www.icann.org). Signing the root (deploying\u00a0DNSSEC<\/abbr>\u00a0on the root zone) is a necessary step in this overall processii<\/a><\/sup><\/a>. Importantly it does not encrypt data. It just attests to the validity of the address of the site you visit.”<\/p>\n <\/p>\n They continue to explain, “Full deployment of\u00a0DNSSEC<\/abbr>\u00a0will ensure the end user is connecting to the actual web site or other service corresponding to a particular domain name. Although this will not solve all the security problems of the Internet, it does protect a critical piece of it – the directory lookup<\/strong>…”.<\/p>\n <\/p>\n You can see how this can be implemented via instructions on the Internet Society page<\/a>.<\/p>\n <\/p>\n If you’d like to read more DNSSEC explanations and details<\/strong>, Wikipedia actually has a very informative and thoroughly detailed page on DNSSEC<\/a>.<\/p>\n <\/p>\n<\/h2>\n
What is the Definition of DNS?<\/h2>\n
What Types of DNS are There?<\/h2>\n
What is DNSSEC and Why is it Important?<\/h2>\n