Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.
The Domain Name System (DNS) is a foundational component of the internet. DNS translates human-readable domain names like www.example.com into machine-readable Internet Protocol (IP) addresses like 168.192.123.145. DNS lets users access websites using familiar names rather than long strings of numbers.
Despite its criticality, DNS infrastructure was not initially designed to withstand the many types of cyberthreats that hackers use to gain access to IT systems or disrupt IT operations. DNS security is the task of implementing security measures and protocols to mitigate the vulnerabilities in the Domain Name System.
The basics of the Domain Name System
The DNS protocol is often referred to as the “phone book of the internet” because it matches the name of a website (the domain name) with a string of numbers (the IP address), allowing computers to quickly find the right address of the website.
The name and IP address of every website is held by an authoritative nameserver somewhere in the world. To speed connectivity and prevent congestion at authoritative servers, the DNS system also uses recursive DNS servers, or DNS resolvers, which are typically provided by internet service providers (ISPs). When a user types the name of the website into a browser, the user’s device first contacts a nearby recursive DNS server to request the IP address for the website.
Because recursive DNS servers keep a cache of IP addresses for many frequently used websites, they can often respond to DNS queries by providing the right address instantly. If the recursive server doesn’t have a current address, it will contact other recursive DNS servers or ultimately contact the authoritative nameserver for an accurate DNS record. This process typically happens very quickly, so most users are unaware of the DNS process.
However, DNS is susceptible to many cyberthreats that can interrupt DNS responses and cause servers to crash or slow down, resulting in slow page load times or inability to access the sites on the internet.
Leading threats to DNS security
Common DNS security threats include:
- DDoS attacks and flood attacks: Distributed denial-of-service (DDoS) attacks cause DNS servers to slow down or crash by taxing them with an overwhelming volume of requests for DNS records. DDoS DNS attacks typically use a botnet — a network of malware-infected machines that can be controlled by attackers who direct massive amounts of traffic to DNS servers.
- NXDOMAIN DDoS attacks: This approach overwhelms DNS servers by requesting nonexistent or invalid records, overloading the system and causing DNS servers and supporting infrastructure to slow down or crash.
- DNS tunneling: Because DNS is a trusted communications protocol, many IT environments allow DNS traffic to enter and leave their network freely. Threat actors take advantage of this trust by using DNS as a covert communication channel to evade detection by firewalls. DNS tunneling allows cybercriminals to exfiltrate sensitive data from an IT environment or to communicate with and control a compromised device within an IT system.
- DNS spoofing or DNS cache poisoning: This type of DNS security threat introduces forged DNS data into the cache of a DNS resolver, causing the DNS server to return an incorrect IP address for a domain. This technique is typically used to distribute malware and ransomware or to steal login credentials.
- DNS hijacking: This technique enables cybercriminals to use a compromised or malicious DNS server to send users to a fake, malicious domain rather than the address they’re looking for.
- Domain lockup: Threat actors can “lock up” a DNS resolver by establishing a TCP-based connection with the server and consuming all its bandwidth by continuously sending junk or random packets. This prevents the server from responding to legitimate requests.
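Two of the threats above, DNS tunneling and NXDOMAIN floods, leave distinctive traces in resolver query logs. The following is an added example (not Akamai's code) that scores a constructed log for both; the log format, the thresholds, and the last-two-labels approximation of the registered domain are all assumptions to be tuned against real traffic.

```python
import math
from collections import Counter, defaultdict
# Constructed sample resolver log (made-up format): "<client_ip> <qname> <qtype> <rcode>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 mail.example.com MX NOERROR
10.0.0.7 4a6f686e2d446f65.x1.tunnel.example.net TXT NOERROR
10.0.0.7 5061737377307264.x2.tunnel.example.net TXT NOERROR
10.0.0.7 53656372657444617461.x3.tunnel.example.net TXT NOERROR
10.0.0.9 qkdjf1.example.org A NXDOMAIN
10.0.0.9 zpq9w2.example.org A NXDOMAIN
10.0.0.9 mvc7t3.example.org A NXDOMAIN
10.0.0.9 www.example.org A NOERROR
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score higher than real hostnames."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def registered_domain(qname):
    # Assumption: the last two labels are the registered domain (no public-suffix list used).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text):
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def tunneling_suspects(records, max_label=16, min_entropy=3.5, min_hits=3):
    """Registered domains with >= min_hits distinct qnames that look like encoded payloads
    or use TXT/NULL records. Thresholds are illustrative assumptions; baseline them locally."""
    hits = defaultdict(set)
    for _ip, qname, qtype, _rcode in records:
        first = qname.split(".")[0]
        encoded = len(first) >= max_label or shannon_entropy(first) >= min_entropy
        if encoded or qtype.upper() in ("TXT", "NULL"):
            hits[registered_domain(qname)].add(qname)
    return {dom: len(names) for dom, names in hits.items() if len(names) >= min_hits}

def nxdomain_flooders(records, min_queries=3, min_ratio=0.5):
    """Clients whose share of NXDOMAIN answers is high: the signature of a random-subdomain flood."""
    total, nx = defaultdict(int), defaultdict(int)
    for ip, _qname, _qtype, rcode in records:
        total[ip] += 1
        nx[ip] += rcode == "NXDOMAIN"
    return {ip: nx[ip] / total[ip] for ip in total
            if total[ip] >= min_queries and nx[ip] / total[ip] >= min_ratio}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(tunneling_suspects(recs), nxdomain_flooders(recs))
```

On the constructed log this flags example.net (three long hex labels queried as TXT) and client 10.0.0.9 (three of four answers NXDOMAIN); on real traffic, compare the scores against a per-domain and per-client baseline before alerting.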
Why DNS security is essential
DNS security is a critical part of a comprehensive cybersecurity program. Because DNS is integral to the internet, failure to provide DNS security can lead to a broad array of cyberattacks — everything from data breaches to many types of ransomware to massive DDoS attacks that disrupt business and threaten profitability. As IT environments become more distributed and as millions of IoT devices expand the attack surface beyond the traditional network perimeter, DNS security has become more important than ever. Superior DNS security enables organizations to protect against loss of data, threats to privacy, and disruption to business.
How DNS security works
DNS security solutions provide several lines of defense to protect DNS operations. Advanced DNS security solutions leverage machine learning, AI, and enhanced security protocols to detect and mitigate threats in real time. Superior DNS security technology relies on advanced threat intelligence that automatically detects anomalies in DNS traffic, automates incident response, and integrates with other network security systems.
Best practices for DNS security
To enhance DNS security, organizations and IT teams can adopt several key practices.
- DNS Security Extensions (DNSSEC): This security protocol adds a layer of security to the DNS system by allowing responses to be verified for authenticity. The Domain Name System Security Extensions protocol prevents attackers from tampering with or poisoning DNS data by using digital signatures to ensure that DNS records returned in a lookup are accurate and have not been maliciously modified.
- DNS filtering: This technology screens and blocks DNS requests for unwanted or malicious websites to reduce the risk of malware infections and data exfiltration.
- DNS firewalls: DNS firewalls can block requests to domains that are known to be malicious and provide rate limiting capabilities that shut down DDoS or amplification attacks.
- Secure DNS servers: DNS servers that support DNS over TLS (DoT) or DNS over HTTPS (DoH) enable DNS traffic to be encrypted, preventing attackers from manipulating or eavesdropping on DNS traffic.
- Regular updates: Regularly updating DNS servers and applying security patches can help to protect against known vulnerabilities and threats to DNS security.
- Security awareness: Training end users about the types of threats they may encounter — especially phishing messages — can significantly reduce the incidence of successful attacks.
- Increased capacity: To overcome DDoS DNS attacks, organizations can add additional capacity, establishing multiple redundant DNS servers that can handle requests when one server experiences an attack.
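DNS filtering and DNS-firewall rate limiting, two of the practices above, reduce to a policy check a resolver runs before it recurses. Here is an added example of that check (not Akamai's code and not any product's configuration) with a constructed blocklist; the blocklist contents, the token-bucket parameters and the decision names are assumptions.

```python
import time

# Constructed blocklist (not a real threat feed): a query for a listed domain or any
# subdomain of it is refused, matched label by label to avoid substring false positives.
BLOCKLIST = {"malicious.example", "tracker.example.org"}

def is_blocked(qname, blocklist=BLOCKLIST):
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

class TokenBucket:
    """Per-client limit: `rate` queries/second sustained, bursts of up to `burst`."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class DnsPolicy:
    """Front-end policy a resolver applies to each query before doing any recursion."""
    def __init__(self, rate=5.0, burst=10):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def decide(self, client_ip, qname, now=None):
        """'REFUSED' for blocklisted names, 'DROP' when the client is over its rate
        (dropping rather than answering denies an amplifier a response), else 'RESOLVE'."""
        now = time.monotonic() if now is None else now
        if is_blocked(qname):
            return "REFUSED"
        bucket = self.buckets.setdefault(client_ip, TokenBucket(self.rate, self.burst, now))
        return "RESOLVE" if bucket.allow(now) else "DROP"

if __name__ == "__main__":
    policy = DnsPolicy(rate=2.0, burst=3)
    for t in (0.0, 0.0, 0.0, 0.0, 1.0):
        print(t, policy.decide("10.0.0.7", "www.example.com", now=t))
    print(policy.decide("10.0.0.7", "cdn.malicious.example", now=2.0))
```

In production the blocklist would be fed from threat intelligence and the rate limit applied per source network rather than per address, since a spoofed-source flood spreads across many addresses.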
FAQs
Most DNS threats fall into one of four attack vectors. Volumetric attacks flood DNS servers with a large number of requests, causing them to slow down or crash. Protocol abuse attacks use DNS in unintended ways to exfiltrate data or conduct phishing campaigns. Stealth or slow drip DNS attacks degrade or interrupt service by sending a steady drip of specific requests that exhaust the capacity of the DNS server. Exploits leverage flaws or vulnerabilities in DNS services, protocols, or operating systems.
DNS data exfiltration is a technique that allows hackers to steal data from an IT system by embedding it within DNS packets. Because DNS communications are generally trusted and unfiltered by security services and firewalls, data hidden inside DNS traffic is unlikely to trigger security alerts.