Pragmatic Cybersecurity Tools for Canadian SMEs
How damaging is a cyberattack on Domain Name System (DNS) Security? Let us consider the following cyber-incident scenario. A cyber-attacker malevolently gains access to a DNS server and alters the DNS records. That malignant actor changes the official IP address linked with a legitimate domain (e.g., yourbank.com) to the IP address of a malicious server under the manipulative control of that mischievous actor. In good faith, a user tries to visit the legitimate website by typing “yourbank.com” into his browser. The altered DNS server responds with the IP address of the malicious server instead of that of the legitimate domain. The browser of the user is redirected to the malicious server. The malicious server hosts a fake website that looks identical to the legitimate banking website. Suspecting nothing wrong and believing it is the legitimate banking website, the user honestly logs into the fake website by entering his confidential login credentials. The innocent user’s confidential login credentials are then secretly captured by the cyber-attacker. That cyber-attacker now has access to the user’s confidential banking credentials. Disastrous consequences: that cyber-attacker can now use this confidential banking information to perform unauthorized transactions resulting in hurtful financial losses for the defrauded user.
Unfortunately, if DNS Security is not properly demarcated, understood, implemented, monitored and improved, the above-described DNS Security attack scenario does have the negative potential of badly harming and even ruining many people, including Information Technology Entrepreneurs who are honestly and courageously conducting their daily business operations within their Small and Medium Enterprises (SMEs). Consequently, how could our Information Technology Entrepreneurs protect themselves and defend their respective SMEs from more and more sophisticated DNS Security cyber-attacks? To proactively answer such a down-to-earth question, this September 2024 Newsletter is meticulously and professionally written to help our hardworking Information Technology Entrepreneurs by providing them with an assortment of pragmatic cybersecurity tools that can help protect their DNS users, esteemed clients, valuable organizations[1] and precious financial assets.
[1] For the purposes of this newsletter, “organizations” is an umbrella term comprising “companies” & “SMEs” as delineated within the Canada Labour Code (R.S.C., 1985, c. L-2) and the Québec Labour Code and Regulation Respecting Labour Standards, CQLR c N-1.1, r 3.
DNS is essentially the Internet phone directory system that converts domain names into IP addresses
Domain Name System (DNS): A Synopsized Conceptual Definition
As one of the industry-standard suites of protocols that comprise TCP/IP, and as a fundamental component of Internet functionality since 1985, the Domain Name System (DNS) is simultaneously a hierarchical and distributed name service which delivers a naming system for all computers, IT services and other resources via the Internet or other Internet Protocol (IP) networks. Associating a variety of information with domain names (identification strings) assigned to several interconnected entities, the DNS translates readily memorized domain names into the numerical IP addresses needed for locating and identifying computers, services and devices with the underlying network protocols. Often referred to as the phone directory of the Internet, the Domain Name System (DNS) translates human-friendly domain names (like www.example.com) into IP addresses (like 167.37.63.16) that computers use to identify each other across the Internet. Concisely articulated, the DNS is essentially the Internet phone directory system that converts website domain names (hostnames) into numerical values (IP addresses) so that they can be found and loaded into a web browser[1].
[1] Joshu M. Kuo and Ross Gibson J.D. The Hidden Potential of DNS in Security: Combatting Malware, Data Exfiltration, and More Concepts – The Security Guide for Professionals. Paperback Edition of July 2023, Infoblox Education, Santa Clara, California, USA, 166 pages. https://www.goodreads.com/book/show/195658769-the-hidden-potential-of-dns-in-security
How Does the Domain Name System (DNS) Function?
When you type a web address into your browser, DNS performs the following steps[1] to locate the corresponding IP address:
- DNS Query: Your computer sends a query to a DNS resolver, which is usually provided by your Internet Service Provider (ISP).
- Recursive Lookup: The resolver checks its cache for the IP address. If it is not found, the resolver queries other DNS servers in a hierarchical manner summarized as follows:
  - Root Nameserver: The Root Nameserver directs the query to the appropriate Top-Level Domain (TLD) server (for example: .com, .ca, .us, .org, etc.).
  - TLD Nameserver: The TLD Nameserver points to the authoritative nameserver for the specific domain.
  - Authoritative Nameserver: The Authoritative Nameserver provides the final IP address for the domain.
- Response: The resolver returns the IP address to your computer, which then connects to the web server in order to load the appropriate webpage.
[1] John Bogna. What is DNS? Everything You Need to Know About the Web’s Phone Book. PC MAG, the 5th of July 2022. https://www.pcmag.com/how-to/what-is-dns-how-it-works-domain-name-system
Why Is It Imperative to Use a Secure DNS Server?
Security is crucial for DNS servers because they play a paramount role in the functioning of the Internet. Summarized hereafter are some decisive reasons[1] underlying the importance of securing DNS servers:
1. Prevention of Cyber Attacks
- DNS Spoofing and Cache Poisoning: Unscrupulous hackers can redirect users to malicious sites by tampering with DNS data. This can lead to phishing, vishing and smishing attacks, malware distribution, data breaches and data theft.
- DDoS Attacks: DNS servers are often targets of Distributed Denial of Service (DDoS) attacks, which can overwhelm the server and disrupt access to websites and online services.
2. Maintenance of Internet Availability
- Service Continuity: DNS servers are critical for converting domain names into IP addresses. If DNS servers are compromised, millions of users will not be able to access websites, email connections, and other online services, thereby leading to significant disruptions.
3. Protection of Sensitive Information
- Data Integrity: Ensuring that DNS data is accurate and has not been tampered with is vital for maintaining trust in online communications and digital transactions.
- Privacy: Secure DNS protocols such as DNS over HTTPS (DoH) and DNS over TLS (DoT) help protect user privacy by encrypting DNS queries, thereby preventing eavesdropping and man-in-the-middle cyber attacks.
4. Support for Secure Applications
- Foundation for Other Cybersecurity Protocols: DNS server security is foundational for other cybersecurity mechanisms, such as DNSSEC, which helps verify the authenticity of DNS responses, and DNS-based Authentication of Named Entities (DANE), which in turn helps secure email communications, including the transmission of attached documents.
5. Prevention of Unauthorized Access
- Access Control: Properly securing DNS servers helps prevent unauthorized changes to DNS records, which could lead to domain hijacking and other malicious activities.
6. Fortitude of Business Stability
- Reputation and Trust: A compromised DNS server can damage an organization’s reputation and erode its customers’ trust. Ensuring DNS Security helps maintain altogether the reliability, stability, continuity and credibility of online services.
7. Compliance and Legal Requirements
- Regulatory Compliance: To protect against cyber threats and ensure data privacy, many industries have rules and regulations that require robust security measures for DNS infrastructure.
To further understand DNS Security and its practicality for Internet users and domain name owners, let us now briefly outline several types of DNS Server usages.
[1] Michael Dooley and Timothy Rooney. Domain Name System (DNS) Security Management – Part of IEEE Press Series on Networks and Service Management. 1st Hardcover Edition of August 2017, John Wiley & Sons Inc. and IEEE Press, Hoboken, New Jersey, USA, 324 pages. https://www.wiley.com/en-us/DNS+Security+Management-p-9781119331407
Various Types of DNS Server Usages
As an Internet user, you often use DNS services provided by your Internet Service Provider (ISP). Sometimes, it might be advantageous to change your default DNS in order to generate the following beneficial outcomes[1]:
- Improved Speed and Performance: Some third-party DNS servers are optimized for faster domain name resolution.
- Enhanced Security: Many public DNS services offer additional security features, such as blocking access to malicious websites and adult content, and protecting against phishing attacks. These services often have memorable IP addresses. Examples of such services: Quad9 (9.9.9.9), Cloudflare (1.1.1.1), CIRA, Google Public DNS (8.8.8.8).
- Better Privacy: Using a third-party DNS can help protect your privacy by preventing your ISP from tracking your browsing history. Some DNS providers – like Cloudflare, Quad9 and CIRA – emphasize privacy and do not keep logs of your DNS queries.
When you are using public DNS services, it is advisable to operate DNS over HTTPS (DoH) or DNS over TLS (DoT) to greatly enhance security and privacy. These features encrypt DNS queries, making it challenging for third parties to intercept or tamper with the data.
As a domain name owner, you have the option to either use third-party DNS services or implement your own DNS infrastructure. Each approach has its own set of advantages and considerations:
- Using Third-Party DNS Services: Opting for third-party DNS providers, such as Cloudflare, Google Public DNS, or OpenDNS, offers several benefits. These services are typically easy to set up and manage, providing robust security features like DDoS protection, DNS filtering, DNSSEC and encryption through DoH and DoT.
- Implementing Your Own DNS Infrastructure: Setting up your own DNS servers gives you full control over your DNS settings and infrastructure. This allows for customization to meet specific needs. Nevertheless, this approach requires significant expertise and resources to maintain and secure the DNS servers effectively.
Ultimately, the choice between using third-party DNS services and implementing your own DNS infrastructure depends on your specific needs, objectives, resources, and priorities. If you value ease of use, scalability, and advanced security features, third-party DNS services might be the best option. If you require full control and customization, and you do have the necessary resources, setting up your own DNS infrastructure could be more suitable.
[1] Neil J. Rubenking. How (and Why) to Change Your DNS Server. PC MAG. 7th of July 2023. https://www.pcmag.com/how-to/how-and-why-to-change-your-dns-server
How Can Organizations Safeguard their DNS Servers?
Safeguarding your DNS servers against cyber threats and cyber-attacks is vital to maintain and preserve the integrity and availability of your networks. Abridged below are some major cybersecurity tools[1] and strategies to help protect the DNS servers of Canadian organizations:
1. Implement DNSSEC
- DNSSEC (Domain Name System Security Extensions): DNSSEC adds a layer of security by enabling DNS responses to be verified for authenticity. The implementation of DNSSEC helps prevent DNS spoofing and cache poisoning.
2. Operate Secure DNS Protocols
- DNS over HTTPS (DoH) and DNS over TLS (DoT): These protocols encrypt DNS queries to protect against wiretapping and man-in-the-middle (MITM) cyberattacks.
3. Restrict DNS Resolver Access
- Private DNS Resolvers: Ensure that your DNS resolver is only accessible to users within your network. This blocks external actors from exploiting your DNS resolver.
4. Regularly Update Your DNS Software
- Keep DNS Software Updated: Regularly update your DNS software to patch vulnerabilities. Using the latest versions of DNS software like BIND can help mitigate cyber risks.
5. Monitor and Log DNS Traffic
- DNS Logging: Set up and apply rigorous logging to monitor DNS queries and responses. This helps in detecting and responding to suspicious online activities.
6. Make Use of Anti-Malware and Firewalls
- Anti-Malware: Defend and shield your DNS servers with robust anti-malware solutions to avoid infections that could lead to DNS hijacking.
- Firewalls: Configure firewalls to block unauthorized access to your DNS servers.
7. Execute Rate Limiting
- Rate Limiting: Limit the number of queries per second to your DNS server in order to alleviate the impact of DDoS attacks.
8. Handle DNS Settings with Domain Registry Lock
- Domain Registry Lock: Use and apply a registry lock service to obstruct unauthorized changes to your DNS server settings.
9. Deploy Redundant DNS Servers
- Redundancy: Deploy multiple DNS servers in different locations to ensure continuous availability even if one server is compromised.
10. Conduct Systematic Cybersecurity Audits and Penetration Testing
- Cybersecurity Audits & Penetration Testing: Organize and perform systematic cybersecurity audits and penetration testing to identify and address vulnerabilities in your DNS infrastructure.
Whether you are using a third-party DNS server or managing your own, it is crucial to ensure that the above-mentioned measures are duly implemented.
[1] Cricket Liu and Paul Albitz. DNS and BIND: Help for System Administrators. 5th Edition of June 2016, O’Reilly Media American Educational Publisher, Sebastopol, California, USA, 642 pages. https://www.oreilly.com/library/view/dns-and-bind/0596100574/
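As an illustration of measures 3, 5 and 7 above, the following added example (written for this page, not taken from the newsletter or from any DNS product) reviews a query log for clients outside the organization's own networks and for clients exceeding a per-second query limit. The log layout, the addresses, the function names and the limit are all assumptions made for the example; a real server's log format will need its own parsing.

```python
import ipaddress
from collections import Counter

# Constructed sample in a simplified layout (an assumption, not a real
# server's log format): "<epoch-seconds> <client-ip> <query-name> <type>"
SAMPLE_LOG = """\
1725200000 192.168.10.21 www.example.ca A
1725200000 192.168.10.22 mail.example.ca MX
1725200001 192.168.10.21 www.example.ca AAAA
1725200002 203.0.113.50 example.ca A
1725200002 203.0.113.50 example.ca A
1725200002 203.0.113.50 example.ca A
1725200002 203.0.113.50 example.ca A
1725200002 203.0.113.50 example.ca A
1725200003 198.51.100.7 www.example.ca A
this line is truncated
"""

def parse_line(line):
    """Return (timestamp, client, qname, qtype), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    try:
        return (int(ts), ipaddress.ip_address(client),
                qname.lower().rstrip("."), qtype.upper())
    except ValueError:
        return None

def audit_queries(log_text, internal_nets, max_qps):
    """Flag clients outside internal_nets and clients whose peak rate exceeds max_qps."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    per_second = Counter()   # (client, second) -> number of queries
    external = set()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            skipped += 1     # count unparseable lines instead of hiding them
            continue
        ts, client, _qname, _qtype = record
        if not any(client in net for net in nets):
            external.add(str(client))
        per_second[(str(client), ts)] += 1
    peaks = {}
    for (client, _second), count in per_second.items():
        peaks[client] = max(peaks.get(client, 0), count)
    over_limit = {c: n for c, n in peaks.items() if n > max_qps}
    return {"external_clients": sorted(external),
            "over_limit": over_limit,
            "skipped": skipped}

if __name__ == "__main__":
    report = audit_queries(SAMPLE_LOG, ["192.168.10.0/24"], max_qps=3)
    for key, value in report.items():
        print(f"{key}: {value}")
```

An external client in the report means the resolver is reachable from outside the network (measure 3), and an entry under over_limit shows which client a rate limit (measure 7) would have throttled.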
What is DNSSEC and How Does It Operate?
DNSSEC (Domain Name System Security Extensions) is a collection of extensions to DNS that adds an additional layer of cybersecurity. More precisely, the Domain Name System Security Extensions (DNSSEC) are an all-inclusive compilation of extension specifications delineated by the Internet Engineering Task Force (IETF)[1] for safeguarding data exchanged inside the Domain Name System (DNS) via Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
The condensed summary hereunder explains how DNSSEC basically operates and why it is significant for the protection of DNS servers[2].
- Digital Signatures: DNSSEC uses public key cryptography to sign DNS data. Each DNS zone has a pair of cryptographic keys: a private key used to sign the data and a public key used to verify the digital signatures.
- Chain of Trust: DNSSEC establishes a Chain of Trust from the root DNS servers down to individual domain names. Each level in the DNS hierarchy signs the level below it, ensuring that the sensitive data has not been tampered with.
- Resource Records: DNSSEC introduces new types of DNS resource records, such as:
  - RRSIG (Resource Record Signature): RRSIG contains the digital signature for a set of DNS records.
  - DNSKEY: It comprises the public key that resolvers use to verify the RRSIG.
  - DS ([Parental] Delegation Signer): DS links a child zone to a parent zone, helping to establish the Chain of Trust.
  - NSEC/NSEC3: This is used to prove the non-existence of a DNS record, preventing certain types of cyber-attacks like DNS spoofing.
[1] INTERNET ENGINEERING TASK FORCE (IETF) – Standards Organization for the Internet, and Technical Standards for the Internet Protocol Suite (TCP/IP). Headquarters located in Wilmington, Delaware, USA. https://www.ietf.org/technologies/
[2] Anestis Karasaridis. DNS Security: In-Depth Vulnerability Analysis and Mitigation Solutions. Independently published in 2012 via Amazon Publishing, Seattle, Washington, USA, 334 pages. https://www.amazon.ca/DNS-Security-depth-Vulnerability-Mitigation-ebook/dp/B007ZW50WE/
What Are the Substantial Benefits of DNSSEC?
- Data Integrity: DNSSEC ensures that the data received from a DNS query has not been altered or infected in transit.
- Authentication: DNSSEC verifies that the data comes from the correct source, preventing cyber-attacks like DNS spoofing and cache poisoning.
- Enhanced Security: By securing the DNS infrastructure, DNSSEC helps protect against a variety of cyber threats, making the Internet more secure on the whole spectrum of the digital space.
Challenges and Considerations for Implementing DNSSEC
- Complexity: Implementing DNSSEC can be complex because it necessitates careful management of cryptographic keys.
- Performance: DNSSEC can introduce additional latency due to the extra steps involved in verifying signatures.
- Adoption: While DNSSEC provides significant security benefits, its adoption by organizations has been slow. Both DNS servers and clients need to support DNSSEC for it to be effective.
Implementation Steps of DNSSEC If You Are Managing Your Own DNS Server
- Sign Your Zone: Generate a key pair and use the private key to sign your DNS zone.
- Publish DNSKEY Records: Publish the public key in your DNS zone so that resolvers can verify your signatures.
- Update Parent Zone: Ensure that your parent zone (e.g., through your domain registrar) has the DS record pointing to your DNSKEY.
- Monitor and Maintain: Regularly monitor your DNSSEC implementation and rotate keys as needed to maintain digital security.
In a nutshell, DNSSEC is a powerful tool for enhancing DNS servers’ overall security but it does require careful implementation planning and IT management.
How Can You Set Up DNSSEC Within a Third Party Hosted DNS Server Environment?
Setting up DNSSEC for your DNS Server involves a number of operational steps[1], and the exact process can vary depending on your domain registrar and DNS hosting provider. Concisely elaborated below are some general guidelines to help you get started:
Operational Steps to Set Up DNSSEC
- Check DNSSEC Support:
  - Ensure your domain registrar and DNS hosting provider support DNSSEC. Most major online service providers like GoDaddy, Cloudflare, and Google Domains do.
- Generate DNSSEC Keys:
  - Zone-Signing Key (ZSK): This key is used to sign the DNS records in your zone.
  - Key-Signing Key (KSK): This key is used to sign the DNSKEY records.
- Sign Your Zone:
  - Use your DNS hosting provider’s tools to sign your DNS zone with the ZSK. This process will generate RRSIG records for your DNS data.
- Publish DNSKEY Records:
  - Publish the DNSKEY records in your DNS zone. These records contain the public keys that resolvers will use to verify the signatures.
- Create and Publish Delegation Signer (DS) Records:
  - Generate DS (Delegation Signer) records from your KSK and publish them at your domain registrar. This step establishes the Chain of Trust from the parent zone to your domain.
- Enable DNSSEC at Your Domain Registrar:
  - Log in to your domain registrar’s control panel and enable DNSSEC. You will need to enter the DS records that you have generated.
[1] Kevin Fall and W. Richard Stevens. TCP/IP Illustrated, Volume 1: The Protocols. 2nd Edition of November 2011, Addison-Wesley Professional Computing – https://www.oreilly.com/publisher/addison-wesley-professional/ and O’Reilly Media American Educational Publisher, Sebastopol, California, USA, 1056 pages. https://www.oreilly.com/library/view/tcpip-illustrated-volume/9780132808200/
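The DS step is where a copy-and-paste mistake at the registrar breaks the Chain of Trust, so it is worth checking the DS value against the KSK before enabling DNSSEC. The following added example (written for this page, not taken from the newsletter or from any provider's tooling) derives a SHA-256 DS record from a DNSKEY as specified in RFC 4034 and RFC 4509, and reports any mismatch. The zone name example.ca, the keys and all function names are constructed for illustration; the keys are not real key material.

```python
import base64
import hashlib

def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [label for label in owner.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(dnskey_text: str) -> bytes:
    """RDATA bytes from the presentation form 'flags protocol algorithm base64'."""
    flags, protocol, algorithm, *b64 = dnskey_text.split()
    key = base64.b64decode("".join(b64))
    return int(flags).to_bytes(2, "big") + bytes([int(protocol), int(algorithm)]) + key

def key_tag(rdata: bytes) -> int:
    """Key tag checksum as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, dnskey_text: str) -> str:
    """DS record data (digest type 2 = SHA-256) for the given DNSKEY."""
    rdata = dnskey_rdata(dnskey_text)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"

def check_ds(owner: str, ds_text: str, dnskey_text: str) -> list:
    """Return a list of problems; an empty list means the DS matches the DNSKEY."""
    tag, algorithm, digest_type, *hex_parts = ds_text.split()
    if int(digest_type) != 2:
        return [f"digest type {digest_type} is not handled here (only 2 = SHA-256)"]
    rdata = dnskey_rdata(dnskey_text)
    flags = int.from_bytes(rdata[:2], "big")
    problems = []
    if not flags & 0x0100:
        problems.append("DNSKEY does not have the Zone Key flag set")
    if not flags & 0x0001:
        problems.append("DNSKEY lacks the SEP flag, so it is not marked as a KSK")
    if int(tag) != key_tag(rdata):
        problems.append(f"key tag {tag} differs from computed {key_tag(rdata)}")
    if int(algorithm) != rdata[3]:
        problems.append(f"algorithm {algorithm} differs from DNSKEY's {rdata[3]}")
    expected = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    if "".join(hex_parts).lower() != expected:
        problems.append("digest does not match this DNSKEY and owner name")
    return problems

# Constructed sample values: algorithm 13 (ECDSA P-256) uses a 64-byte public
# key, filled here with counting bytes rather than a real key.
SAMPLE_OWNER = "example.ca."
SAMPLE_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
SAMPLE_ZSK = "256 3 13 " + base64.b64encode(bytes(range(64, 128))).decode()

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_KSK)
    print("DS to publish:", ds)
    print("DS vs KSK:", check_ds(SAMPLE_OWNER, ds, SAMPLE_KSK) or "match")
    print("DS vs ZSK:", check_ds(SAMPLE_OWNER, ds, SAMPLE_ZSK))
```

The two text inputs use the same field order as DNSKEY and DS records in a zone file, so the values shown by a DNS hosting provider and a registrar can be pasted in directly.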
Conclusion
For what reasons is the Domain Name System (DNS) Security of utmost importance for the protection, betterment and progress of Information Technology Entrepreneurs doing business operations within the framework of their SMEs? Hereafter are 5 substantial reasons why our Canadian IT Entrepreneurs should consider implementing DNS Security for the safeguard of their valuable organizations, esteemed customers and precious assets.
Reason 1: As a pivotal component of the Internet infrastructure, DNS Security is a protective armor blocking cyber attacks. Nevertheless, the DNS itself was not originally designed with cyber threats, cyber risks and cybersecurity in mind, thereby making it vulnerable to diverse cyber attacks such as DNS spoofing, cache poisoning, and DNS hijacking.
Reason 2: DNS Security is useful for protecting sensitive information and data. Cyber attackers can exploit DNS vulnerabilities to redirect unsuspecting users to malicious websites where they can steal personal information, violate confidential data, distribute malware, launch DNS tunnelling falsification, perpetrate social engineering attacks, and conduct phishing assaults. By securing DNS, you can prevent such types of cybersecurity breaches.
Reason 3: DNS Security ensures the availability, continuity and stability of IT services. DNS cyber attacks, such as Denial of Service (DoS) attacks, can overwhelm DNS servers – making websites and online services unavailable to millions of users. Effective DNS Security helps maintain the availability and reliability of Internet services.
Reason 4: DNS Security is beneficial to the general Internet experience of millions of users navigating daily across the networks of the worldwide web. Safe DNS servers can offer faster lookup times and enhanced connection speeds, which in turn improve the overall user experience and productivity.
Reason 5: DNS Security undeniably helps to support business operations across the board. For SMEs, DNS Security is indispensable to protect their online presence and guarantee that thousands of customers can reliably and trustfully access their online services. DNS Security does unquestionably help in building trust and maintaining credibility with users in our fast-changing digital age.
By carefully implementing the multiple pragmatic cybersecurity tools highlighted in this September 2024 Newsletter, thousands of Canadian organizations can proactively safeguard their DNS servers for the ultimate satisfaction of their invaluable customers.
Resources and Bibliographical References
Joshu M. Kuo and Ross Gibson J.D. The Hidden Potential of DNS in Security: Combatting Malware, Data Exfiltration, and More Concepts – The Security Guide for Professionals. Paperback Edition of July 2023, Infoblox Education, Santa Clara, California, USA, 166 pages. https://www.goodreads.com/book/show/195658769-the-hidden-potential-of-dns-in-security
John Bogna. What is DNS? Everything You Need to Know About the Web’s Phone Book. PC MAG, the 5th of July 2022. https://www.pcmag.com/how-to/what-is-dns-how-it-works-domain-name-system
Michael Dooley and Timothy Rooney. Domain Name System (DNS) Security Management – Part of IEEE Press Series on Networks and Service Management. 1st Hardcover Edition of August 2017, John Wiley & Sons Inc. and IEEE Press, Hoboken, New Jersey, USA, 324 pages. https://www.wiley.com/en-us/DNS+Security+Management-p-9781119331407
Neil J. Rubenking. How (and Why) to Change Your DNS Server. PC MAG, the 7th of July 2023. https://www.pcmag.com/how-to/how-and-why-to-change-your-dns-server
Cricket Liu and Paul Albitz. DNS and BIND: Help for System Administrators. 5th Edition of June 2016, O’Reilly Media American Educational Publisher, Sebastopol, California, USA, 642 pages. https://www.oreilly.com/library/view/dns-and-bind/0596100574/
INTERNET ENGINEERING TASK FORCE (IETF) – Standards Organization for the Internet, and Technical Standards for the Internet Protocol Suite (TCP/IP). Headquarters located in Wilmington, Delaware, USA. https://www.ietf.org/technologies/
Anestis Karasaridis. DNS Security: In-Depth Vulnerability Analysis and Mitigation Solutions. Independently published in 2012 via Amazon Publishing, Seattle, Washington, USA, 334 pages. https://www.amazon.ca/DNS-Security-depth-Vulnerability-Mitigation-ebook/dp/B007ZW50WE/
Kevin Fall and W. Richard Stevens. TCP/IP Illustrated, Volume 1: The Protocols. 2nd Edition of November 2011, Addison-Wesley Professional Computing – https://www.oreilly.com/publisher/addison-wesley-professional/ and O’Reilly Media American Educational Publisher, Sebastopol, California, USA, 1056 pages. https://www.oreilly.com/library/view/tcpip-illustrated-volume/9780132808200/
Cloudflare Docs. Domain Resolution – Enable DNSSEC – Cloudflare DNSSEC Guide. Cloudflare Inc., San Francisco, California, USA. https://developers.cloudflare.com/learning-paths/get-started/domain-resolution/enable-dnssec/ Cloudflare Universal DNS for Free. https://www.cloudflare.com/dns/dnssec/universal-dnssec/
Digital Ocean Holdings Inc. How To Set Up DNSSEC on an Authoritative BIND DNS Server. Digital Ocean Holdings Inc., New York City, USA. https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
Contributions
Special thanks for the financial support of the National Research Council Canada and its Industrial Research Assistance Program (IRAP).
Executive Editor: Alan Bernardi
Professional Writer & Certified Translator-Reviser: Ravi Jay Gunnoo (C.P.T. ISO 17100)