Since the Mirai botnet distributed denial of service (DDoS) attack in 2016, the DynDNS service has undergone a series of dramatic shifts. Later in 2016, Oracle acquired Dyn and vastly changed the landscape of enterprise-class domain name system (DNS) providers. Since the acquisition, Dyn has issued three end-of-life notices, as well as announcements that it will no longer support key DNS services as of May 31, 2023, including:
- DNS security extensions (DNSSEC)
- External nameservers
- Secondary DNS status notifications
- Zone publish notifications
- Advanced services notification for monitoring agent changes
What does this mean?
This means companies will have to take action: first, choose a new DNS provider, and second, migrate to its infrastructure. To understand the risk and impact of changing DNS services, companies must first understand the threats at the Authoritative DNS hosting level.
Perhaps the most disruptive and prevalent threat to modern-day DNS is the DDoS attack. DDoS attacks target websites and servers by disrupting network services in an attempt to exhaust an application’s resources. The perpetrators behind these attacks flood a site with errant traffic, which degrades website function or knocks the site offline altogether. With the proliferation of unsecured “Internet of Things” (IoT) devices, bad actors can raise an army of botnets for their offensive.
DDoS motivations include extortion, smokescreens to hide intrusion attempts, state-sponsored attacks, anticompetitive business practices, and hacktivists protesting a business’s activities. Sometimes the attacks are self-induced through accidental misconfiguration. There’s no predicting where or when they’ll occur. DDoS attacks often target databases, applications, and infrastructure simultaneously to increase their chances of success.
DNS cache poisoning
Also known as DNS spoofing, DNS cache poisoning is when false information is entered into a DNS cache so that DNS queries return an incorrect response and users are directed to the wrong websites. DNS resolvers are often referred to as the phone book of the internet. When resolvers work correctly, they resolve human-readable names into IP addresses and store the results in a local cache to reduce the frequency of DNS queries.
DNS poisoning motivations include phishing, delivery of malicious content such as computer worms or viruses, and gathering of personal information such as credentials or bank card details. DNSSEC secures DNS against this: it uses cryptographic digital signatures, signed with a trusted public key certificate, to determine the authenticity of data, and can counter cache poisoning attacks.
How to protect enterprise organizations from DNS threats
Mitigating DNS security threats begins with a layered approach, using multiple protection strategies in tandem. A fortified DNS infrastructure should be able to withstand super-sized DDoS attacks without dropping customer connectivity. Understanding the bandwidth ingestion rate of your DNS provider can help increase resilience and lower risks associated with network events. Geographic dispersion of nodes also helps, because it provides higher geographic and transit redundancy.
Having a dedicated 24x7x365 SOC infrastructure is also critical for monitoring and scrubbing anomalous traffic, which can be performed at local levels most of the time. Once detected using advanced data analysis techniques such as telemetry, anomalous traffic should be automatically isolated and redirected away from the target servers via countermeasures, most commonly Border Gateway Protocol (BGP) redirect. If attack traffic is trending towards exceeding local mitigation capacity, the target segment(s) should be shifted across global nodes. Having a separate and dedicated DDoS infrastructure allows customers to keep their business-critical infrastructure online while SOC specialists work to return DNS services to normalcy with minimal to no disruption. These networks should be independently audited and provide customers with public announcements to confirm they’re indeed separate in accordance with attestation standards established by the American Institute of Certified Public Accountants in SSAE No. 18.
Keeping with the theme of separate DNS infrastructure, a secondary DNS often allows one or more DNS providers to provide Authoritative DNS resolution services and better mitigate against the threat of DDoS. Maintaining advanced Authoritative DNS function across providers has proven to be a challenge to enterprise customers in the past, yet CSC’s Ultimate DNS was designed to meet the growing needs of businesses. It combines all the features an organization needs in DNS management, coupled with seamless integration of their DNS and domain portfolio, CNAME flattening (Alias records), and options for DNSSEC, geolocation, weighted load balancing, and failover. Ultimate DNS also has the added redundancy of a second global DNS anycast network via one user interface in active-active configuration, on a world-class infrastructure with the best uptime records in the industry.
What should you be looking for in a DNS provider?
Too often, cloud providers simply provide self-service tools and limit the ability to provide a separate secondary DNS infrastructure, thus exposing customers to the associated risks and threats. Based on the above explanations of the threats and the means to mitigate them, corporations should look to contract with an enterprise-class DNS infrastructure provider with:
- A proven track record of 100% uptime
- The ability to mitigate the growing threat from DDoS
- A secondary enterprise-class infrastructure alongside the primary
- Advanced features on both the primary and secondary infrastructures
- A proven track record of migrating DNS for the biggest brands in the world
How to safely migrate or transition DNS providers
A successful migration means no downtime for your organization. Having a well-defined project plan and team in place dramatically decreases the risk of downtime or associated outages on the DNS level.
Therefore, it’s essential to assemble the right internal team and to select a DNS partner that can support your migration.
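Both running Authoritative DNS across two providers and migrating between providers depend on the record sets being identical on each side. The following is an added example, not code from this article or from any provider's tooling: a pre-cutover parity check that assumes each provider's zone can be exported as one `name ttl IN type rdata` record per line. The function names and the sample zones are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample exports (not real data): current provider vs. new provider.
OLD_ZONE = """\
example.com.        3600 IN A     192.0.2.10
_dmarc.example.com. 3600 IN TXT   "v=DMARC1; p=reject"
www.example.com.    300  IN CNAME example.com.
api.example.com.    300  IN A     192.0.2.20
api.example.com.    300  IN A     192.0.2.21
"""
NEW_ZONE = """\
EXAMPLE.com.        3600 IN A     192.0.2.10
www.example.com.    3600 IN CNAME example.com.
api.example.com.    300  IN A     192.0.2.21
"""

def parse_zone(text):
    """Return {(owner, type): (ttl, frozenset(rdata))} from 'name ttl IN type rdata' lines."""
    ttls, rdata = {}, defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blank and comment lines
            continue
        name, ttl, _cls, rtype, value = line.split(None, 4)
        # Owner names are case-insensitive; normalise to lower-case FQDN.
        key = (name.lower().rstrip(".") + ".", rtype.upper())
        ttls[key] = int(ttl)
        rdata[key].add(" ".join(value.split()))
    return {k: (ttls[k], frozenset(v)) for k, v in rdata.items()}

def diff_zones(old_text, new_text):
    """List differences that should be resolved before cutover, in stable order."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    findings = []
    for key in sorted(old.keys() | new.keys()):
        label = f"{key[0]} {key[1]}"
        if key not in new:
            findings.append(f"MISSING at new provider: {label}")
        elif key not in old:
            findings.append(f"EXTRA at new provider: {label}")
        else:
            (old_ttl, old_rr), (new_ttl, new_rr) = old[key], new[key]
            if old_rr != new_rr:
                findings.append(f"DATA differs: {label} lost={sorted(old_rr - new_rr)} added={sorted(new_rr - old_rr)}")
            if old_ttl != new_ttl:
                findings.append(f"TTL differs: {label} {old_ttl} -> {new_ttl}")
    return findings

if __name__ == "__main__":
    print("\n".join(diff_zones(OLD_ZONE, NEW_ZONE)) or "zones match")
```

Records are compared as whole record sets, so ordering differences between exports are ignored while a dropped address or a silently removed TXT policy record is reported.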
Don’t wait until the last minute. As the DynDNS end of life approaches on May 31, 2023, provider resources to assist companies will become increasingly stretched. Although there are several DNS providers that companies could migrate to, few meet the enterprise-class criteria listed above, so research should start immediately.