The Domain Name System (DNS) is at the heart of an organization’s IT infrastructure. It guides users to their respective application locations and translates URLs into their IP addresses. Because DNS is such a critical component of an organization’s infrastructure, many organizations prefer to control it themselves in their own data centers. Also, DNS changes often go through a strict change control process, access to which is given to very few people.
An organization’s reputation is affected by the availability of its applications and websites. And this is where attackers can cause severe damage–by affecting DNS services and preventing users from reaching apps and sites. This damage, in turn, leads to the evolution of new DNS management trends and practices to prevent further attacks.
However, DNS threats aren’t restricted to the organizational level. Hackers also have committed mass DNS hijackings, affecting dozens of companies and government agencies, and redirecting user traffic to scammed web applications. Clearly, robust DNS security is vital.
DNS Management Strategies
As part of their DNS management activities, most organizations lease their domain names from a registrar: a company accredited by the Internet Corporation for Assigned Names and Numbers (ICANN) for providing domain name registrations to the general public. Once an organization leases a name, it can maintain a public, authoritative server to handle public DNS queries. Or it can choose to leverage the services of a registrar or web-hosting provider to manage its DNS records.
This can work well in a traditional data center environment. However, there are certain limitations, such as the lack of flexibility to perform dynamic changes and the overhead required to manage additional resources. At the same time, the limited security controls expose an organization to a higher level of risk.
With the adoption of cloud-native architecture, the growing focus on service-oriented architecture, and better security controls, organizations today have another option: cloud DNS management strategies. Each public cloud provider has its own service to manage domains and DNS records. These cloud management services provide a low-latency, high-availability, secure, and cost-effective solution for users to host their applications and services.
In this article, we will discuss some challenges faced by organizations using traditional DNS management and how cloud DNS management can help.
Why Traditional DNS Management Doesn’t Work
There are a number of reasons why traditional DNS management no longer meets the demands of organizations today. Let’s review some of these shortcomings.
Lack of Ability to Handle DDoS and DRDoS Attacks
Most DNS servers cannot withstand Distributed Denial of Service (DDoS) attacks. The hackers overload the servers by sending a massive flood of DNS resolution requests. Eventually, the servers are brought down, and users are not able to access the domain’s applications.
The more sophisticated version of DDoS is the Distributed Reflection Denial of Service (DRDoS) attack. This involves sending a large number of requests to DNS servers around the world. The requests are spoofed with the target’s IP address, so that the target is overwhelmed with incoming “replies” from the DNS servers.
DNS Spoofing or Cache Poisoning
These attacks are quite common. Hackers inject malicious data into a DNS resolver cache, which causes web users to be sent to a malicious page instead of the actual page that they requested. The malicious page masquerades as the legitimate page, and it usually attempts to capture user data such as login credentials.
The sole purpose of an NXDOMAIN attack is to block DNS servers from handling legitimate requests. An NXDOMAIN attack sends a large number of invalid queries to authoritative servers. This leads to a slowdown of DNS servers, which in turn causes legitimate queries to either be delayed or unfulfilled.
Lack of Support for Native Cloud Architectures
Traditional DNS management systems don’t support cloud-native architectures, which include dynamic updates, blue and green deployments, automatic registration and de-registration, automated DNS validation for certificates, and more. For an organization on its cloud journey, traditional DNS management can cause serious obstacles. For example, if you map AWS Application Load Balancer to a record of the root domain as an alias, you’ll find that (as of this writing) none of the traditional DNS registrars support this.
A DNS hijacking involves the exploitation of vulnerabilities in a registrar’s system and taking control of an organization’s DNS record. Once done, the attacker has the ability to redirect traffic from that organization to any desired page or system. Usually, the redirect sends visitors to fake login or payment pages, or other pages that attempt to steal user data.
How Can Cloud DNS Help?
Traditional DNS management systems have both security and technical limitations. These limitations have led to the evolution of new cloud DNS management solutions that allow organizations to secure their DNS as well as achieve flexibility and autoscaling.
Here are some of the key strategies being used today.
Internal Threat-Defense Systems for DDoS and DRDoS Attacks
Top-tier cloud providers usually include built-in defenses for certain types of attacks. For example, Amazon Web Services protects its customers via AWS Shield, and Google Cloud Platform offers similar support with Cloud Armor. These services safeguard cloud providers’ infrastructure, services, and customer applications from DDoS and DRDoS attacks.
Low Latency, Global Presence & Automated Scaling
Cloud providers such as AWS, GCP, and Azure have built resilient platforms, which provide low latency, a global presence, and automated scaling capabilities. These services can handle any amount of requests and can scale on demand, which improves the availability of their services and helps their customers achieve better uptime.
Support From DNSSEC
Whether it’s Amazon Route 53 or Cloud DNS, support from Domain Name System Security Extensions, or DNSSEC, is available in some form. (For Azure, it’s still in the works and yet to be released.) DNSSEC helps to eliminate middleman attacks and DNS hijacking and spoofing by authenticating responses to domain name lookups. DNSSEC adds cryptographic signatures to existing DNS records. For every query, the associated signatures are validated to ensure that it wasn’t altered.
Improved Security of DNS Servers
Under the shared responsibility model, cloud providers assume the management of the underlying resources used to deliver their services. Thus, it is their responsibility to patch their environments as needed. Essentially, cloud providers take away the overhead of management and operations responsibility from the users.
Availability of APIs
The DNS management services of all major cloud providers include APIs to manage the resources and DNS records. This helps an organization to better adopt cloud-native development principles and to perform dynamic updates to DNS records after the deployment of the infrastructure and application.
With the evolution of cloud and cloud design principles, organizations today are looking to build resilient architectures, including the DNS layer. Organizations rely upon the DNS management capabilities and services offered by cloud providers to meet their necessary security and technical controls. In addition, adopting cloud DNS management will help future security concerns as more sophisticated threat vectors arise.
Reblaze provide a full DNS service, running on Google Cloud DNS and AWS Route 53 (depending on your choice of cloud and configuration). It has low latency, high availability, and is a turn-key, cost-effective way to make your applications and services available to your users.
You can easily publish and manage millions of DNS zones and records using our simple user interface, command-line interface, or API. Your users will have reliable, low-latency access to Reblaze’s DNS infrastructure from anywhere in the world using a network of Anycast name servers.
For more information about this, or about other parts of the Reblaze web security platform, contact us.