Less than 31% of organizations are fully confident in the security of their DNS infrastructure, finds EMA. Credit: Imaginima / Getty Images Attacks related to Domain Name System infrastructure – such as DNS hijacking, DNS tunneling and DNS amplification attacks – are on the rise, and many IT organizations are questioning the security of their DNS infrastructure. Most IT organizations maintain a variety of DNS infrastructure for public services (websites and internet-accessible services) and private services (Active Directory, file sharing, email). Securing both internal and external DNS infrastructure is critical due to a growing number of threats and vulnerabilities that malicious actors use to target them. Unfortunately, very few organizations are confident in their DNS security. Enterprise Management Associates (EMA) recently examined the issue of DNS security in its newly published research report, “DDI Directions: DNS, DHCP and IP Address Management Strategies for the Multi-Cloud Era.” Based on a survey of 333 IT professionals responsible for DNS, DHCP and IP address management (DDI), the research found that only 31% of DDI managers are fully confident in the security of their DNS infrastructure. Top DNS security concerns EMA asked research participants to identify the DNS security challenges that cause them the most pain. The top response (28% of all respondents) is DNS hijacking. Also known as DNS redirection, this process involves intercepting DNS queries from client devices so that connection attempts go to the wrong IP address. Hackers often achieve this buy infecting clients with malware so that queries go to a rogue DNS server, or they hack a legitimate DNS server and hijacks queries as more massive scale. The latter method can have a large blast radius, making it critical for enterprises to protect DNS infrastructure from hackers. The second most concerning DNS security issue is DNS tunneling and exfiltration (20%). Hackers typically exploit this issue once they have already penetrated a network. DNS tunneling is used to evade detection while extracting data from a compromised. Hackers hide extracted data in outgoing DNS queries. Thus, it’s important for security monitoring tools to closely watch DNS traffic for anomalies, like abnormally large packet sizes. The third most pressing security concern is a DNS amplification attack (20%). This is a kind of distributed denial of service (DDoS) attack, whereby a hacker tricks third-party, publicly addressable DNS servers into flooding a target DNS server with unwanted, spoofed query responses, overwhelming that server’s ability to respond to legitimate queries. This attack can make websites unreachable because end user’s DNS queries to the site cannot be resolved. How to improve DNS security DNS firewalls IT organizations can reduce DNS security risk by installing a DNS firewall. Nearly 47% of DDI experts told EMA that they have deployed a DNS firewall to protect their infrastructure, and these organizations revealed to us that they were much more confident in their overall DNS security. DNS firewalls are specialized network security devices that focus entirely on inspecting DNS queries and blocking connections based on threat intelligence and security policies. They have much more granular visibility into and intelligence about DNS traffic than a standard firewall. DNSSEC Another important measure is the use of DNS Security Extensions (DNSSEC), a suite of specifications created by the Internet Engineering Task Force (ETF). DNSSEC involves configuring DNS servers to digitally sign DNS records using public-key cryptography. This allows other DNS servers to verify the authenticity of a DNS record and it protects against forged and manipulated data. More than 47% of the organizations in EMA’s research use DNSSEC extensively. Those who do so told us that they are much more confident in their overall DNS security posture. However, DNSSEC does pose some challenges. DDI managers told EMA that it can lead to increased infrastructure overhead and increased management complexity. Some also perceived flaws in the overall security model of DNSSEC. Priority security policies for DNS Nearly 38% of organizations are setting automatic security policies that prioritize DNS security threats. For instance, they configure an intrusion prevention system to block DNS queries associated with known malicious IP addresses. Organizations that use this technique told EM that they were more confident in DNS security. Cloud collaboration Any DNS security strategy must also include the public cloud. Many DDI managers have traditionally owned DDI services for on-premises networks. Cloud teams often adopt their own solutions for DNS, DHCP and IP address management in public cloud infrastructure. In recent years, DDI teams have asserted themselves in the cloud to ensure cloud networks are secure and stable. “We try to work together with the cloud team,” said a DDI engineer with a Fortune 500 consulting company. “Five years ago, that wasn’t happening. There was a lot of risk. It’s easy to do things int the cloud without collaborating with network engineering and security. It can create problems. EMA’s research found that nearly 59% of DDI teams now have sufficient influence over their company’s cloud strategies. DDI professionals who had such cloud influence were much more confident in their overfall DNS security posture. DNS visibility Finally, DDI teams need to see what’s happening with DNS infrastructure. Many enterprises typically export DNS logs to security information and event management (SIEM) platforms, where cybersecurity teams can look for anomalous activity. Moreover, centralized monitoring of all DNS infrastructure is very important. Nearly 47% of DDI managers can monitor all DNS servers from a central console. These individuals were much more confident in their DNS security. To learn more about EMA’s DDI market research, check out the firm’s free research highlights webinar. Related content how-to Compressing files using the zip command on Linux The zip command lets you compress files to preserve them or back them up, and you can require a password to extract the contents of a zip file. By Sandra Henry-Stocker May 13, 2024 4 mins Linux news High-bandwidth memory nearly sold out until 2026 While it might be tempting to blame Nvidia for the shortage of HBM, it’s not alone in driving high-performance computing and demand for the memory HPC requires. By Andy Patrizio May 13, 2024 3 mins CPUs and Processors High-Performance Computing Data Center opinion NSA, FBI warn of email spoofing threat Email spoofing is acknowledged by experts as a very credible threat. By Sandra Henry-Stocker May 13, 2024 3 mins Linux how-to Download our SASE and SSE enterprise buyer’s guide From the editors of Network World, this enterprise buyer’s guide helps network and security IT staff understand what Secure Access Service Edge (SASE) and Secure Service Edge) SSE can do for their organizations and how to choose the right solut By Neal Weinberg May 13, 2024 1 min SASE Remote Access Security Network Security PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe