DNS Security
Repeated incidents in the recent past that have compromised DNS security are forcing corporate IT teams to rethink their strategy for protecting this crucial component of their business. In the case of many commercial establishments, DNS security depends on registrars and ISPs as it runs on infrastructure that is publicly available.
DNS Security Risks
Attackers can intercept or redirect DNS queries in the following ways:
- Use malware to bypass the DNS configuration on the user’s endpoint device.
- Seize control of a public Wi-Fi session.
- Compromise DNS credentials to take control of specific accounts and route traffic to a site that the attacker controls, or modify multiple records after taking control of DNS registrars.
These attacks can be driven by different motives. Users could be directed to suspicious sites that compromise their credentials or download malware. Hackers can also compromise DNS security to smuggle data out of SaaS applications such as a CRM program. DNS attacks can also be directed at a specific company to gain access to sensitive corporate data.
DNS Security Solution
Averting DNS security incidents depends on the organization, its priorities and specific security objectives.
A DNS security solution essentially does the following to avoid suspicious domains:
- Verify DNS legitimacy
- Deny access to bad domains
- Use proxy access to suspicious domains
- For laptops beyond the LAN, use an endpoint agent along with the endpoint protection platform
- To ensure application security:
  - Use reliable DNS registration services such as Cloudflare or NS1 as they include DNSSEC – a security standard extension that validates DNS records through cryptographic signatures. It must be noted that this is not a comprehensive DNS security solution and systems can still be vulnerable to some risks.
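The first three actions in the list above can be expressed as one resolver-side policy decision. The sketch below is an added example, not code from any product named on this page: the domain lists are constructed sample data, the function and parameter names are hypothetical, and it assumes "verify DNS legitimacy" means a DNSSEC validation result supplied by a validating resolver.

```python
# Added example: deny / proxy / allow decision for a queried name.
# All domains and list contents are constructed sample data.
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    DENY = "deny"      # known-bad domain: refuse to resolve
    PROXY = "proxy"    # suspicious domain: send through an inspecting proxy

BAD = {"malware-c2.example", "phish.example.net"}               # constructed
SUSPICIOUS = {"newly-registered.example", "paste.example.org"}  # constructed

def normalize(name: str) -> str:
    """Lower-case, drop the root dot, convert Unicode labels to ASCII."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")

def matches(name: str, listed: set) -> bool:
    """True if name is a listed domain or a subdomain of one.
    Comparing whole labels keeps 'notphish.example.net' from matching
    'phish.example.net', which a plain endswith() check gets wrong."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))

def decide(qname: str, signed_zone: bool = False,
           validated: bool = True) -> Action:
    """signed_zone / validated are hypothetical inputs: whether the zone
    is DNSSEC-signed and whether the resolver's signature check passed."""
    try:
        name = normalize(qname)
    except UnicodeError:
        return Action.DENY        # malformed name: fail closed
    if matches(name, BAD):
        return Action.DENY
    if signed_zone and not validated:
        return Action.DENY        # signed zone whose signatures did not verify
    if matches(name, SUSPICIOUS):
        return Action.PROXY
    return Action.ALLOW

if __name__ == "__main__":
    for q in ("CDN.Malware-C2.example.", "notphish.example.net",
              "x.paste.example.org", "www.example.com"):
        print(q, "->", decide(q).value)
```
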
Conventional VPN
Given the risks to which DNS security is exposed nowadays, many organizations are debating the feasibility of exposing private applications to the internet. Cutting down on VPN access for internally used applications can drastically bring down their risk exposure. Many companies adopt this method when access is predominantly on the local LAN with functional remote access requirements.
Enterprise applications’ internet exposure has become more prevalent these days due to a rise in remote workers and cloud migration. Both employees and IT professionals have their reasons for being skeptical about using a VPN. But there are way too many hazards to deal with – DNS security, protecting applications from DDoS, API, client-side and other attacks that the internet is replete with.
Managed VPN
It is possible to cordon off enterprise applications from the internet and simultaneously handle the security and operational hazards of traditional VPN networks. Highly available VPN-as-a-service can be provided through software-defined perimeters (SDPs). The solution is secure and easy to manage, with cloud-based access that is segmented at a granular level and with web security.
SDPs directly link users to applications, servers or other specific resources. All the other components aren’t visible to the user and hence immune to endpoint risks. This way, enterprise applications don’t interact with the internet while at the same time, their network attack surface is drastically reduced.
State-of-the-art SDP solutions come with continuous security. So, regardless of the individual’s location, a connection is first established and then access to enterprise applications and the internet is provided. This way, all three DNS security risks are addressed:
- Hackers can’t take control of sessions and route them to a suspicious DNS server
- Public DNS records can’t be compromised as access to enterprise applications is limited to the SDP
- A secure DNS server controls internet access, and a DNS reputation service validates legitimate domains while blocking suspicious ones. Secure web gateway and web isolation services can also be made available, if required.
Conclusion
While implementing DNS security, IT teams often have to strike a balance between ensuring protection and investing in the resources required to make that happen. SDP solutions are packaged as a service with built-in DNS security. The always available VPN network ensures that users – no matter where they are located – have continuous access to enterprise applications and the internet.