DNS MythBusters - Straightening Out Common Misconceptions
Tuesday February 16, 2016
Over the last couple of years, the networking industry has grown aware of the various security issues that could potentially have a huge impact on their operations. One of the topics that has raised in appeal is DNS security.
Considering that much of the publicity around DNS is made by vendors trying to differentiate their solutions, there are many misconceptions out there that guide people into making poor investment in their infrastructure.
Here is a list of three DNS myths in need of busting:
Myth 1: The more queries your DNS server can serve out, the better it is.
The theoretical queries-per-second performance of your DNS server is not an indication of how secure it is, nor does it protect you against DNS downtime. The unfortunate reality is that when someone is able to remotely generate hundreds of thousands or millions of queries targeted at your DNS server, they are able to saturate your bitpipe regardless of how many queries your servers are able to serve out.
Getting to these levels of queries remotely is not easy. And if is someone is able to do it, they will be able to carry our a proper Denial-of-Service against you, regardless of how much traffic your DNS servers will be able to withstand.
In reality, even large service providers rarely get much more than 50,000 queries-per-second loads on their DNS servers in a properly distributed DNS environment. This is something that even a virtualized DNS server (vDNS) can easily do, so it isn't as if it makes sense to buy expensive accelerated hardware to do millions of queries.
Myth 2: The higher-performing DNS server I have, the higher the QoS.
A much better strategy is to scatter around a larger number of (virtualized) DNS servers, because it brings the servers closer to your customers. This reduces latency and increases redundancy, which ultimately are much more important considerations as far as your DNS service quality is concerned.
In the event that someone launches a regular attack on your distributed DNS platform, you are better off having embedded proactive Intrusion Prevention or rate-limiters that block the malicious traffic before it hits the actual DNS server processes. This allows you to respond to the attack locally before all those bad packets hit their target, which is much easier on your DNS server than trying to answer any and all queries that come in.
Myth 3: DNS can be used to secure my IT environment and to detect threats.
In reality, DNS can only be used to detect threats and protect your IT environment against activities that use DNS. As soon as the blackhats figure out that your DNS server is blacklisting them, an easy way around this is to use IP addresses to connect. This approach entirely bypasses DNS, which means that there are all kinds of malicious activities that could be going on in your network without you even realizing it.
This of course is not to say that one shouldn't protect her DNS. Rather, although running a secure DNS is important, one should use proper technologies such as Unified Threat Management (UTM) and proxy-level filtering to carry out security activities and to monitor and to block malicious traffic.
At best, DNS is only a partial solution to these issues, because it can easily be bypassed. Simply do a forward lookup to enter an IP address into your browser, and you will not be bogged down by DNS. The same applies to malicious code — simply use IP addresses as opposed to domain names, and you'll be home free.
Quality of service and security are important considerations when planning your DNS environment. That said, when planning the environment, it is wise to ignore the marketing messages and rather focus on the following:
1) Make sure that your DNS platform is properly distributed for high redundancy and low latency. To do this inexpensively, you might like to consider virtualizing most of your DNS server instances.
2) Make sure that your DNS servers have built-in security through hardening, secure configurations and proactive security measures such as Intrusion Prevention with configurable firewalls, rate-limiting, and so forth. Monitoring capabilities are also a nice touch, because they allow you to detect anomalies in the query patterns.
3) Make sure that your DNS servers are regularly updated. Often enough, automating the updates is the way to go — and when coupled with a security advisory service, you have your bases covered.
I have personally seen hundreds of DNS deployments that have never suffered DNS downtime simply by adhering to these simple principles. You do not need accelerated hardware or expensive threat streaming subscriptions to accomplish that either.
Just remember that although securing DNS is important, there are simple ways to accomplish that. Just be smart when designing the architecture, make sure that the DNS servers themselves are well protected, and don't mistake secure DNS for Unified Threat Management.