Mitigating common DNS Server attacks

Posted by Brew City on September 23, 2016


The DNS protocol is one of the oldest and most widely used networking protocols, yet it remains the source of a remarkable number of network security issues. DNS has some inherent limitations, but there is no reason for it to be the weakest link in your business's security.

Although the constantly changing nature of DNS attacks makes it nearly impossible to stop them outright, there are several things that can be done to reduce them significantly:

Hybrid DNS strategy

A hybrid DNS strategy runs more than one DNS server implementation (different code bases, not just different versions of the same product) across your DNS engines. When a security advisory is issued for one implementation, you can temporarily shift traffic to another engine, and that engine can stay in place while your DNS administrators test and validate the patched version of the first one. Running several implementations also means an attacker cannot assume that a single vulnerability applies to your whole DNS estate, and it makes guessing the server software from packet characteristics less reliable. One caveat: implementations can still be fingerprinted from their protocol behaviour, so the real value of diversity lies in containing the impact of any one vulnerability rather than in hiding which software you run.

Leveraging on high-performing DNS

In reflection and amplification DoS attacks, attackers send queries with a forged source address to DNS servers that allow recursion from anyone (open resolvers), so that the large responses land on the victim; a direct flood against your own server aims to exhaust it, and may be combined with attempts to poison its cache so that some queries go unanswered or are answered wrongly. Some operators react by filtering DNS queries wholesale at the network edge, but that is a poor trade-off: blanket filtering breaks legitimate resolution, and an attacker can vary query names and types to slip past it. Instead, make sure your DNS infrastructure has enough capacity to answer every legitimate query under load, and that your servers provide recursion only to the clients that actually need it.
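As an added example (not from the original post), here is a BIND 9 named.conf fragment that shows the weak setting, an open recursive resolver, beside a hardened one that restricts recursion to known clients and enables response rate limiting. The client address ranges and the directory path are placeholders.

```conf
// WEAK: open recursive resolver. Anyone on the Internet can send it
// recursive queries, so it can be used as a reflector/amplifier against
// third parties and its cache is exposed to every source address.
options {
    directory "/var/cache/bind";   // placeholder path
    recursion yes;
    allow-query { any; };
};

// HARDENED: recursion only for our own clients (placeholder ranges),
// response rate limiting to blunt reflection, no version banner.
acl "our-clients" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;        // placeholder: replace with your client networks
    2001:db8::/32;       // placeholder
};

options {
    directory "/var/cache/bind";   // placeholder path
    recursion yes;
    allow-query       { our-clients; };   // a pure resolver serves nobody else
    allow-recursion   { our-clients; };
    allow-query-cache { our-clients; };   // keeps cached data private too
    rate-limit {
        responses-per-second 10;   // per client /24 (IPv4) or /56 (IPv6) by default
        window 5;
        log-only no;               // set to yes first to measure before enforcing
    };
    minimal-responses yes;         // smaller answers, less amplification
    version "not disclosed";       // hides the banner from "dig version.bind CH TXT"
};
```

Validate the file with named-checkconf before reloading, and confirm the effect from an address outside the ACL: a recursive query for a name you are not authoritative for should come back REFUSED instead of being answered. Run rate limiting in log-only mode for a while first, so a busy legitimate client behind a single /24 is not throttled by accident.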

Appropriate DNS Architecture for redundancy and security

Selecting an appropriate DNS architecture for your business is crucial. Deployment strategies should include high availability (several authoritative servers placed in different networks, ideally with different providers) and built-in procedures for quick recovery in the event of an attack or a comparable disaster. Keeping the authoritative and recursive roles on separate servers also limits the damage when one of them is targeted.
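As an added example (not from the original post), the BIND 9 configuration below sketches such an architecture: an authoritative primary for example.com with recursion switched off, replicating over TSIG-authenticated zone transfers to two secondaries that sit in different networks. All addresses are documentation ranges used as placeholders, and the TSIG secret is a dummy value to be replaced with one generated by BIND's tsig-keygen.

```conf
// --- On the primary (192.0.2.53, placeholder) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==";   // placeholder, not a real secret
};

acl "secondaries" { 198.51.100.53; 203.0.113.53; };      // placeholder addresses

options {
    directory "/var/named";            // placeholder path
    recursion no;                      // authoritative only: never an open resolver
    allow-query { any; };              // public zone data must be answerable by anyone
    allow-transfer { none; };          // transfers only where a zone explicitly allows them
    notify explicit;                   // NOTIFY goes only to the also-notify list
    also-notify { 198.51.100.53; 203.0.113.53; };
    rate-limit { responses-per-second 10; window 5; };
};

zone "example.com" {
    type master;                       // newer BIND also accepts "primary"
    file "zones/db.example.com";
    allow-transfer { key "xfer-key"; };    // TSIG-authenticated secondaries only
};

// --- On each secondary (separate host, separate network) ---
// key "xfer-key" { algorithm hmac-sha256; secret "<same secret>"; };
// server 192.0.2.53 { keys { "xfer-key"; }; };   // sign transfer requests to the primary
// zone "example.com" {
//     type slave;                     // newer BIND also accepts "secondary"
//     masters { 192.0.2.53; };
//     file "zones/db.example.com.saved";
// };
```

The zone's NS records should list the secondaries (and the primary only if it is meant to be reachable), so that resolvers can fall back to whichever servers survive an attack on one network; the saved zone file on each secondary also lets it keep answering for the zone's expiry period if the primary is down.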

Use the latest DNS software

The Internet Systems Consortium (ISC) regularly issues updates and patches for BIND, the most widely used DNS server. BIND is considered to strike an outstanding balance between security, speed, robustness, ease of administration and universal applicability, but it is also the most attacked DNS server. Accordingly, you need to run a current, supported version to protect yourself from known security flaws. Subscribe to ISC's security advisories, and bear in mind that distribution packages often backport fixes without changing the upstream version number, so check the package changelog rather than judging by the output of named -v alone.

Bottom Line

With the growth of cloud services, mobile and other internet-connected devices, DNS attacks will not only remain prevalent and grow more complex, they will also continue to hit core business operations directly. Now is the time to apply the strategies above, and others like them, to stay ahead of attackers, minimize the impact of DNS attacks on your systems, and make sure your business networks are up to the challenge.