
What is DNS Security?

(Image credit: Mopic / Shutterstock)

Have you ever wondered what goes on behind the scenes when you type a website address in your browser’s search bar? The page you’re looking for appears in a matter of seconds more often than not. While it might be more comfortable to take this for granted, knowing how the Internet works will help you better protect your data online in the long run.

A little thing called the DNS is responsible for the inner workings of our daily web browsing, and it was invented almost four decades ago. In the lines below, I will explain what it stands for, how it works, and how you can achieve proper DNS security.

What does DNS stand for?

The acronym DNS stands for Domain Name System, a decentralized structure known as the phonebook of the Internet. Invented by American computer scientist Paul Mockapetris in 1983, it came as a solution for the issues posed by ARPANET, the Internet’s predecessor.

On the ARPANET, hostnames and their numerical address translations were all mapped in a single table named HOSTS.TXT. This turned out to be less than ideal in the long run, which is when Paul Mockapetris stepped in and proposed a more dynamic framework – the DNS.

When the Internet Engineering Task Force (IETF) was put together three years later in 1986, the Domain Name System became one of the very first Internet Standards. Its large-scale implementation made the World Wide Web significantly more user-friendly and easier to navigate.

How does DNS work?

Simply put, what the DNS does is convert a domain name (www.example.com) into a machine-readable numerical IP (192.168.1.1). Just like you would need a street address to find someone’s house, you will also need a particular Internet Protocol address to find a certain device on the Internet.

Therefore, when you want to load a website, a translation between what you type into the address bar of your browser and the corresponding computer-friendly address needs to occur. While you put in www.example.com, the page’s host reads the numerical 192.168.1.1 and fetches back the desired result.

Other than placing the initial request, your personal computer plays no other part in the DNS retrieval process. The task is then passed along through four distinct servers:

  • DNS recursor, which receives your queries and makes additional requests to fulfill them
  • Root nameserver, the first step in interpreting the human-readable domain name
  • TLD nameserver, the next step in the translation process. It holds the last portion of the hostname, namely the dotcom
  • Authoritative nameserver, the last step needed for retrieval. If it has the IP on record, it will send it to the recursor, which in turn will display the corresponding website for the user
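The four-server walk described above, as an added example that is not part of the original article: a toy recursor follows the referrals from root to TLD to authoritative server and caches the result. All server names, zones and addresses are constructed for illustration (the address comes from the RFC 5737 documentation range).

```python
# Constructed delegation data; none of these servers or records are real.
ROOT = {"com.": "tld-com"}                                   # root: who handles each TLD
TLD = {"tld-com": {"example.com.": "auth-example"}}          # TLD: who is authoritative per domain
AUTH = {"auth-example": {"www.example.com.": "192.0.2.10"}}  # authoritative: the A records


class Recursor:
    """Toy recursive resolver: walks root -> TLD -> authoritative, then caches."""

    def __init__(self):
        self.cache = {}   # name -> IP, or None for a cached "no such name"
        self.trace = []   # which servers were asked, in order

    def resolve(self, name):
        name = name.lower().rstrip(".") + "."
        if name in self.cache:
            # Answered locally; this cache is what spoofing (cache poisoning) targets.
            self.trace.append("cache")
            return self.cache[name]
        labels = name.rstrip(".").split(".")
        answer = None
        self.trace.append("root")
        tld_server = ROOT.get(labels[-1] + ".")
        if tld_server and len(labels) >= 2:
            self.trace.append(tld_server)
            zone = ".".join(labels[-2:]) + "."
            auth_server = TLD[tld_server].get(zone)
            if auth_server:
                self.trace.append(auth_server)
                answer = AUTH[auth_server].get(name)
        self.cache[name] = answer   # None means the name does not exist (NXDOMAIN)
        return answer


if __name__ == "__main__":
    r = Recursor()
    print(r.resolve("www.example.com"), r.trace)
    print(r.resolve("www.example.com"), r.trace)
```
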

Is DNS secure?

The short answer here is no, but allow me to elaborate on the reasons behind this. First and foremost, it is important to keep in mind that, when the DNS was developed almost four decades ago, cybersecurity threats were not a thing. The Internet was far smaller, and thus a lot more secure by default, which left the system with some design limitations.

In addition to this, you should also consider the fact that the infrastructure of the Domain Name System was fiddled with throughout the years. Multiple additions were made to this framework, and some of them might not have been the most fortunate. Needless to say, this led to quite a few vulnerabilities.

Here are some of the most common ways in which hackers can exploit the DNS:

  • DNS spoofing, where phony data infiltrate the cache of a DNS resolver. For this reason, it is also known as cache poisoning
  • DNS tunneling, where attackers use HTTP, SSH, or TCP protocols to smuggle malware into the system undetected
  • DNS hijacking, where hackers redirect user queries to a malicious domain name server, targeting the DNS record of the website rather than the cache
  • Man-in-the-middle, where malicious third parties eavesdrop and intrude on the communication between two parties, impersonating both to some extent
  • NXDOMAIN attack, where domains are inundated with requests for nonexistent records, thus causing a denial of service
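From the defender's side, two of the patterns listed above leave visible traces in resolver query logs. The following added example (not from the original article) flags clients whose queries are almost all NXDOMAIN and clients that send several names with unusually long labels, a common heuristic for tunneling. The log format, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict


def build_sample():
    """Constructed log lines; assumed format: time client qname qtype rcode."""
    lines = ["10:00:01 198.51.100.7 www.example.com A NOERROR",
             "10:00:02 198.51.100.7 mail.example.com A NOERROR",
             "10:00:03 198.51.100.7 typo.example.com A NXDOMAIN"]
    # One client asking for 20 random names that do not exist.
    lines += [f"10:00:{i:02d} 203.0.113.9 r{i}q.example.com A NXDOMAIN" for i in range(4, 24)]
    # One client sending 41-character labels under a single parent domain.
    lines += [f"10:01:{i:02d} 198.51.100.8 {'k3j9x0q7' * 5}{i}.t.example.net TXT NOERROR"
              for i in range(3)]
    return lines


def analyze(lines, nx_min=10, nx_ratio=0.8, long_label=40, long_min=3):
    total, nx = Counter(), Counter()
    long_names = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing
        _, client, qname, _, rcode = parts
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
        labels = qname.rstrip(".").split(".")
        if max(len(label) for label in labels) >= long_label:
            long_names[client].add(qname)
    alerts = {}
    for client in total:
        reasons = []
        # Many failed lookups AND a high failure ratio: one typo is not a flood.
        if nx[client] >= nx_min and nx[client] / total[client] >= nx_ratio:
            reasons.append("nxdomain-flood")
        if len(long_names[client]) >= long_min:
            reasons.append("possible-tunneling")
        if reasons:
            alerts[client] = reasons
    return alerts


if __name__ == "__main__":
    print(analyze(build_sample()))
```
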

Simply put, the DNS is not secure unless you take some extra precautions to make it so. But how can you do that? Let’s find out.

Secure DNS - How can I get it?

DNSSEC (DNS Security Extensions) is the cornerstone of achieving DNS security. First released by the IETF in 1997, the extensions came as supplementary specifications that help secure the Domain Name System. DNSSEC ensures the confidentiality of your data online, which is something that the DNS did not previously handle on its own.

DNS Security Extensions digitally sign data, which guarantees its authenticity. This happens at every step in the domain name translation process to ensure proper security. So, when you type in www.example.com for instance, the root server authenticates the dotcom domain with its signature, while the TLD nameserver similarly validates the authoritative nameserver.

In addition to relying on DNSSEC, network administrators can go the extra mile by implementing procedures like over-provisioning infrastructure and anycast routing. The former implies purchasing additional server space to allow for the handling of traffic spikes, while the latter allows for multiple servers to share an IP.

One final add-on that can help improve your network’s DNS security is the DNS firewall. The firewall is a layer of protection situated between the recursive resolver, the first step in the translation process, and the authoritative nameserver, the final step. Its rate-limiting features shut down denial of service attacks, while its immediate downtime response is to fetch DNS responses from the cache. This keeps your systems up and running despite hacking attempts.
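The two firewall behaviours described above, sketched as an added example that is not from the original article or any product: a per-client token bucket for rate limiting, and a fallback to the last cached answer when the upstream nameserver is unreachable. Class and function names, status strings and limits are hypothetical.

```python
class DnsFirewall:
    """Toy DNS firewall sitting between a recursor and its upstream nameserver."""

    def __init__(self, upstream, rate=5, per=1.0):
        self.upstream = upstream   # callable(name) -> IP; raises ConnectionError on outage
        self.rate, self.per = rate, per
        self.buckets = {}          # client -> (tokens left, time of last query)
        self.cache = {}            # name -> last good answer

    def _allow(self, client, now):
        tokens, last = self.buckets.get(client, (self.rate, now))
        # Refill in proportion to elapsed time, never above the bucket size.
        tokens = min(self.rate, tokens + (now - last) * self.rate / self.per)
        if tokens < 1:
            self.buckets[client] = (tokens, now)
            return False
        self.buckets[client] = (tokens - 1, now)
        return True

    def query(self, client, name, now):
        if not self._allow(client, now):
            return ("REFUSED", None)          # over the limit: drop before it reaches upstream
        try:
            ip = self.upstream(name)
            self.cache[name] = ip
            return ("OK", ip)
        except ConnectionError:
            if name in self.cache:
                return ("STALE", self.cache[name])   # upstream down: answer from cache
            return ("SERVFAIL", None)


def make_upstream(state):
    """Constructed upstream: answers while state['up'] is True, else simulates an outage."""
    def upstream(name):
        if not state["up"]:
            raise ConnectionError("upstream unreachable")
        return "192.0.2.10"        # documentation-range address, constructed
    return upstream


if __name__ == "__main__":
    state = {"up": True}
    fw = DnsFirewall(make_upstream(state), rate=3)
    print([fw.query("c1", "www.example.com", 0.0)[0] for _ in range(5)])
    state["up"] = False
    print(fw.query("c2", "www.example.com", 1.0))
```
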

Wrapping up…

The DNS is an essential piece of infrastructure for the Internet as we know it today. Due to how involved it is in our day-to-day activity, knowing how to protect yourself against attacks that target it is vital in the modern cyber-landscape. Applying the necessary DNSSEC protocols and enforcing additional measures to safeguard your data is up to you.

Alina-Georgiana Petcu, Communications and PR Officer, Heimdal Security