RECORDED WEBINAR:
The Dos and Don'ts of Domain Name System Services
In this webinar, Bobby Huff, CSC product sales engineer, will review the dos and don’ts of the domain name system (DNS), including the CSC difference, CSC DNS services, our online portal and access to application programming interfaces (APIs), and more.
WEBINAR TRANSCRIPT
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo.
Christy: Hello, everyone, and welcome to today's webinar, "The Dos and Don'ts of Domain Name System Services." My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us today is Bobby Huff. Bobby is CSC's product sales engineer for Security Services. Bobby is responsible for product demonstrations and advising enterprise organizations in North America on digital risk and the preventative measures to secure digital assets outside the firewall. And with that, let's welcome Bobby.
Bobby: For today's webinar, the agenda that we will cover includes: what is a domain name system or DNS; why DNS is essential to any business; the dos, which includes dual infrastructure, why it matters, and future proofing; the don'ts, which include ignoring threat areas and neglecting NIS2; and finally, we'll end with some takeaways regarding DNS administration and management.
DNS stands for domain name system, and it is a protocol for global routing involving different sets of servers to resolve requests or queries. To better understand DNS, let us imagine you want to visit a website, like www.example.com. Well, instead of remembering and typing in a long series of numbers, known as an IP address, to reach that website, like 192.0.2.1, you use something called DNS, which is like a phone book for the internet. So when you type in your browser www.example.com, the DNS quickly translates that human-readable address into an actual IP address that your computer needs to connect to the website. It helps your computer find and connect to the right place on the internet without you needing to remember or type in complicated numbers every time.
Why is DNS essential? Well, regarding the authoritative hosting DNS, it is essential for businesses and organizations because it ensures that customers can easily access online resources and services by translating human readable domain names into IP addresses. This enables seamless navigation to websites, email servers, and other online platforms, enhancing user experience, brand visibility, and enabling business success. Additionally, authoritative DNS hosting plays a critical role in security by enabling global network services, such as apps and email, voice over IP and messaging, APIs, cloud integrations, and authorization and identity control mechanisms.
For this next section, we will talk about the dos of corporate DNS. For corporate DNS, choosing an enterprise-grade provider is essential if your entire business relies on DNS, and it does. From websites and email to Office 365 authentication codes to email DMARC policies, we use DNS for an awful lot of things today. It should be considered critical infrastructure. And if you're outsourcing, you need to be satisfied that your partner shares the same values as your organization. Security should be top of that list. Consolidation is clearly a major benefit, not just from a cost perspective, but also ease of management.
For over 20 years, we've muddled our way through this worldwide web thing. We've learned. We've changed from internal data centers to external to cloud. We've seen many changes, and that comes with a lot of noise. We've neglected housekeeping or basic cyber hygiene during this time, and now we are paying the price. We must start to document things moving forward. Too many times we look at records and think, "I don't know what that is or who owns it. Let's be safe and leave it alone." Cyber criminals love this. They prey on our poor cyber hygiene and exploit it as far as possible with techniques like subdomain takeover or hijacking.
Employees come and go. It is super important to regularly review who has access to what. Best practice says every month, not just for what they may do if they leave, but we must limit the exposure of a compromised user should they ever fall foul. Don't give cyber criminals the keys to the kingdom should they get a hold of someone's credentials. In addition, the days of username and password are behind us. Any data worth protecting must use multifactor authentication to ensure, if the user is compromised, the cyber criminal will be blocked with challenge tokens.
Policy is essential to the continued protection of DNS, especially where dangling DNS records are concerned. Rather than to seek permission to delete things, the future should be of one policy issuance and the business having a clear understanding of that. For example, any subdomain on a 404 status for more than two days will be purged. It's time that DNS administrators own the space, not the business.
Future proofing is also a very important aspect of choosing a partner to provide DNS service. Be it additional features like alias records that are mandatory when using a cloud provider or supporting RFC changes, you need a provider that will keep up with the latest and greatest, giving you maximum flexibility for wherever your business needs to go. With this too, and we'll cover this a little bit later, dual infrastructure is going to play a vital role in the future. DNS for a long time has been a single point of failure for many businesses. There simply is no plan B. It can take up to 72 hours to make changes at the registry, where attacks can last 4 to 8 hours. By the time you change partners, the attack will most likely be done.
In conclusion, any business that cares about business continuity and disaster recovery planning, that's everyone, really needs to elevate the position of DNS within their organization. This is no longer some tech thing for websites. It really is critical to the operation of your business.
Let's talk for a moment about how DNS infrastructure can positively impact disaster recovery and business continuity planning. A common analogy that we use, when discussing dual infrastructure, is Noah's ark because you need two of everything. Having two infrastructures simply means that if one goes down, the other one can stand up and keep business moving. CSC's dual infrastructure DNS is an active-active network configuration to ensure optimum availability while also allowing customers to maintain more efficient routing mechanisms, such as failover and global server load balancing at the DNS level, thus providing an effective safety net to better help your organization plan for disaster recovery and maintain business continuity when considering risk at the DNS level.
By having a globally dispersed authoritative DNS hosting infrastructure of up to 48 nodes, this ensures that your customers' requests are routed efficiently and your critical domains and services stay online. Using the infographic below, you can see how having one or two of these purpose-built DNS infrastructures can help your organization maintain business critical uptime. CSC DNS customers have the option of using Advanced DNS or Ultimate DNS, which possess separate resources but can also overlap as well to maintain speed, another critical component of maintaining your organization's online presence.
Future proofing your organization's DNS refers to using technology advancements in DNS to optimize and secure your critical or vital domains. As you can see on the slide, there have been several advancements over the years to provide more efficient, smarter, and secure ways to resolve DNS queries. One of those advancements that we frequently receive requests from customers is alias records. Customers are typically having problems with static IPs or root domain traffic. So to solve this challenge, alias records provide CNAME-like behavior on the core apex domain, which automatically resolves a root domain to one or more A records.
For this next section, we will cover the don'ts of DNS management. Don't ignore threats to DNS. Some of these threats include, but are not limited to, DNS spoofing or cache poisoning, which refers to the manipulation of DNS responses to redirect users to malicious websites or servers. DNS spoofing involves providing false DNS information to clients, while cache poisoning involves injecting malicious data into DNS caches to redirect legitimate traffic to malicious destinations.
DNS hijacking is when attackers may compromise the authoritative DNS servers or domain registrar accounts to hijack domain names, redirecting traffic to malicious websites controlled by the attackers. This can result in financial losses, reputational damages, and data breaches for affected businesses.
Distributed denial-of-service, otherwise known as DDoS, attacks involve DNS servers, which are vulnerable to DDoS attacks, where attackers flood DNS servers with a large volume of requests, thus overwhelming their capacity and causing service disruptions. DDoS attacks can disrupt online services, leading to revenue loss, customer dissatisfaction, and causing reputational harm.
DNS tunneling uses covert techniques to bypass network security controls and exfiltrate sensitive data or establish covert communication channels with malicious servers. DNS tunneling attacks can be difficult to detect and can facilitate data theft, espionage, or malware propagation within the corporate network.
Domain hijacking and typo squatting involve the registration of domain names like legitimate business domains or the hijacking of expired or abandoned domains to impersonate trusted brands. This can lead to phishing attacks, malware distribution, and brand damage as unsuspecting users may visit malicious websites or disclose sensitive information.
DNS infrastructure abuse occurs when attackers may exploit vulnerabilities in DNS servers or protocols to launch reconnaissance attacks, DNS amplification attacks, or protocol level exploits targeting DNS software implementations. These attacks can compromise the integrity, confidentiality, and availability of DNS infrastructure, impacting business operations and service delivery.
We'll talk about subdomain hijacking in a later slide.
Don't ignore legislation. A prime example was GDPR, and we believe NIS2 will follow suit in the tech world. On October 17, 2024, this becomes law. The EU Initiative and UK will follow suit. This is important because NIS2 also applies to U.S.-based companies doing business in these global regions.
The impact of NIS2 on DNS primarily revolves around enhancing security and resilience of DNS infrastructure to mitigate cyber threats and ensure the continuity of critical services. Some key aspects of NIS2's impact on DNS include improved security measures. NIS2 may require organizations operating DNS infrastructure to implement enhanced security measures to protect against DNS-related cyber threats, such as DNS hijacking, cache poisoning, and DDoS attacks. This can involve implementing DNSSEC to cryptographically sign DNS records, thereby ensuring the authenticity and integrity of DNS data.
Enhanced resilience and availability. NIS2 may encourage organizations to implement measures to enhance the resilience and availability of DNS services, ensuring continuous access to critical online resources. This could involve implementing redundant DNS servers, load balancing, and failover mechanisms to mitigate the impact of DNS outages or disruptions.
Redundant DNS is having standalone resources globally in the event of an outage or a security incident.
Regulatory compliance requirements. NIS2 may introduce regulatory compliance requirements for DNS service providers, mandating certain security standards, practices, and reporting obligations to ensure the security and stability of DNS infrastructure. Compliance with these requests may necessitate regular audits, risk assessments, and security incident reporting.
Collaboration and information sharing. NIS2 may promote collaboration and information sharing among DNS stakeholders, including DNS service providers, government agencies, and cybersecurity organizations, to address emerging threats and vulnerabilities affecting DNS infrastructure. This can involve sharing threat intelligence, best practices, and mitigation strategies to improve the overall security posture of DNS ecosystems.
Overall NIS2's impact on DNS is aimed at strengthening the security, resilience, and regulatory compliance of DNS infrastructure to mitigate cyber threats and ensure the continuity of critical online resources within the European Union.
Going back to term number seven on threats to business, you do not want to ignore the importance of subdomain management and the new threat of subdomain hijacking. Subdomain hijacking occurs when an attacker gains control of a legitimate subdomain hostname from a third party or a cloud provider that is no longer in use by the brand. Your defunct subdomain can then be used to direct users to criminals' content. CSC's research has found that one in five DNS records points to content that does not resolve, leaving them potentially vulnerable to subdomain hijacking. So it is critical for disaster recovery and business continuity planning to work with a DNS provider or a partner that can provide daily monitoring and alerts around subdomains to reduce the associated risk of subdomain hijacking.
Finally, we will cover takeaways from today's presentation. From what we've covered in today's presentation, there is an inherent risk for your network resources outside the firewall. For that reason, it is imperative to assess your enterprise DNS policy and security posture to assist in disaster recovery and business continuity planning.
When partnering with an enterprise-class DNS provider, you want to consider high performance, using BGP and anycast routing to resolve billions of global authoritative DNS queries a day. Availability, keeping your website and business critical assets online and available, backed by industry-leading service level agreements or SLAs, that include availability, change propagation, query latency, and customer support. Security, protect your domains and vital DNS using multifactor authentication, SAML-based single sign-on, access control list, and advanced role-based security, as well as the option of using DNSSEC for query validation. DDoS protection, the frequency of these attacks continues to grow, highlighting the importance of having a built-in DNS distributed denial-of-service protection, which includes local mitigation services as well as appliances and bandwidth to be able to withstand supersized attacks. And last but not least is a comprehensive SLA, that again should cover query resolution, query latency, packet loss, secondary DNS services, change propagation, API and portal availability, traffic management, as well as customer support.