Designing, implementing, and managing a thriving digital infrastructure requires investment in a wide range of assets. One aspect that’s easy to overlook—but important to overall security—is your Domain Name System (DNS). These systems are responsible for taking domain names, matching them up against specific IP addresses, and taking users to the right websites and online resources.
For instance, if you type solarwindsmsp.com into your browser, your computer won’t necessarily know where that website is or what its underlying protocols are. Instead, it’ll tap a DNS to compare that URL against a digital Rolodex of machine-readable IP addresses that are verifiably associated with that URL. Only then will your computer do the work necessary to guide you to a particular website.
While this may seem like a relatively innocuous function when it comes to cybersecurity, there are actually a number of ways that cybercriminals can leverage DNS workflows to attack your networks and systems. From DDoS to man-in-the-middle attacks, improper DNS implementation and insecure platforms can wreak havoc if left unaccounted for. To combat these issues, as a managed services provider (MSP) you need to ensure your customers invest in secure DNS services that close common vulnerabilities and deny bad actors the chance to access your IT infrastructure.
With experts projecting that cybercrime may cost companies as much as $5.2 trillion over the next five years, you and your customers need to be sure that you’ve considered every possible attack vector bad actors may attempt. Traditional technology such as firewalls are an essential part of any defensive posture, but modern cybersecurity strategies need end-to-end protection—and that means prioritizing security at every level of your organization.
What is a secure DNS?
To fully appreciate what a secure DNS does, it first helps to understand in greater detail how DNS services work. Essentially, DNS services handle two types of requests: those from inside their domain and those from outside their domain. If an external request comes in asking for validation of enterprise IP addresses—in other words, someone wants to access that company’s website—then that DNS will give the answer. If an internal request comes in asking for validation of a different enterprise’s IP addresses—someone inside a company is trying to go out on the internet—that DNS will communicate with other servers to find the right address.
There are a number of capabilities that DNS services offer organizations and individual users. As described above, if a request comes in—either internally or externally—a DNS will match a given URL with a specific set of IP addresses and underlying protocols. This allows whoever generated that request to actually get to a website or online resource rather than just being taken to a random, useless page. If, for example, a number of users are asking for the same URL, DNS services will often have cached answers to URL queries. In this way, it’s possible to cut down on the time necessary to search out the proper website location.
When the internet first came to scale and DNS was designed to match URLs with IP addresses, the online environment was a much smaller and much more secure space. Since then, the internet has changed in unpredictable ways and the growth of cybercrime has made it more dangerous to conduct business, make purchases, and share personal information while logged on. Accordingly, it’s become necessary to augment traditional functions such as DNS services to make them less vulnerable to cybercrime. Now, enterprises can rely on secure DNS services—that is, DNS platforms that are designed from the ground up with security in mind.
Secure DNS servers can take a number of forms. For organizations with considerable resources, it may be possible to create a DNS of their own. This involves investment in internal servers, the configuration of necessary protocols, and ongoing management of DNS efficacy. Businesses can also outsource DNS services to their internet service provider (ISP) or work with a third-party entity to access off-site DNS services.
With secure DNS services, the interactions described above between incoming and outgoing requests are stringently analyzed. While nonsecure options—that is, DNS services that are not designed with cybersecurity in mind—might fulfill requests without paying too much attention to where those requests are coming from, secure alternatives scrutinize the nature of queries to ensure that networks and systems are protected from bad actors. This kind of zero trust mentality makes it more difficult for cybercriminals, whether sophisticated or novices, to gain access to your DNS and plague it with DDoS attacks, for instance—effectively blocking others from getting responses from your domain.
Are DNS requests encrypted?
If you consider DNS functions from a cybersecurity perspective, there’s a lot to get anxious about. Basically, every online interaction begins with some kind of DNS request—to access a website, to access your email, and to access online resources. If you’re not careful, it’s possible for bad actors or nosy corporations to eavesdrop on your DNS requests, effectively seeing where you’re going and deduce what you’re doing. DNS services that encrypt requests can help prevent this from happening—or at least make it more difficult to carry out successfully. However, not all DNS requests are encrypted.
At some level, it makes sense that not all DNS requests are encrypted. For example, if a company wants to block employees from browsing some websites during work hours, identifying certain DNS requests and blocking or rerouting them somewhere else can be necessary. However, this can become an issue in other cases. When a user makes a DNS request, they’re effectively accessing public resources that contain pairings of human-readable URLs with machine-friendly IP addresses. While that information is public, you don’t necessarily want the way you or your employees use it to be readily viewable—whether by other businesses or bad actors. Unfortunately, unencrypted DNS requests make this possible.
For example, if a user accesses DNS services provided by their ISP, it’s very possible the ISP is collecting information on what websites that the user is viewing, how long they’re on those websites, and what kind of data is being transferred in the process. Alternatively, bad actors can get in the middle of unencrypted DNS requests and wreak havoc. For instance, it’s possible for cybercriminals to interrupt routine DNS interactions and reroute certain requests. If this happens and a request is hijacked, users might be taken somewhere they didn’t intend and inadvertently download malware or reveal sensitive personal or enterprise information. These vulnerabilities underscore the importance of using secure DNS services.
What is the best DNS to use?
For enterprises across a range of industries, deciding which DNS to use can take some time to figure out. While there are plenty of options out there, from in-house servers to ISP-provided DNS services, to third-party entities, the right choice will differ from one team to the next. Ultimately, however, the most secure DNS server to use will be the one that fits each business’s unique needs while contributing toward a comprehensive cybersecurity strategy.
If you don’t set up any alternatives, you’re most likely going to be using the DNS services provided by your ISP. Most ISPs do have some level of cybersecurity capabilities built into their DNS services, but there are also drawbacks. As described above, relying on your ISP for all of your DNS requests can put you at the mercy of their own privacy protocols. It’s up to you and your clients to evaluate provider practices to determine whether that’s a viable option.
Another possibility is investing in DNS servers of your own. Organizations with ample resources might opt for this choice as it provides a level of control over what can be a confusing and messy process. However, it’s worth noting that setting up and managing your own DNS can be resource-intensive and time-consuming. What’s more, IT teams will need to be vigilant about DNS security, ensuring the latest patches are implemented to account for vulnerabilities and safeguards are in place in the event of DDoS attacks.
An increasingly popular option involves outsourcing some or all DNS services to a third party. In this model, enterprises can avoid being subject to the whims of their ISP while offloading some of the responsibilities that come with managing completely in-house solutions. With public DNS services such as OpenDNS, DynDNS, and Google Public DNS Server, enterprises have a range of options at their disposal. What’s more, these third-party services often entail stronger cybersecurity protocols than regular ISPs, thus going further to protect sensitive information and online activity.
Is Google Public DNS secure?
Since being announced in 2009, Google Public DNS has become a leading public DNS service in the world. While the service is separate from Google Cloud DNS, a DNS hosting service, Google Public DNS offers enterprises and individual users reliable access to DNS resolution services without over-reliance on ISPs or costly on-site solutions. Through a number of key capabilities, Google Public DNS is a safer, more secure way of making DNS requests.
As explained earlier, not all DNS requests are encrypted and that provides vulnerabilities bad actors can exploit and ISPs can leverage for financial benefit. However, Google Public DNS does take steps to encrypt requests and make it more difficult for cybercriminals to see what you’re doing. For example, Google provides DNS-over-TLS and DNS-over-HTTPS functionalities that encrypt requests to prevent eavesdropping and spoofing.
Additionally, Google takes steps to make DDoS and phishing attacks harder to carry out through DNS services. While there is a set of industry-standard DNS security protocols known as DNSSEC, there hasn’t been widespread adoption of these across the internet, thus leaving many users vulnerable. With the moves Google has made independently with its Public DNS, users can enjoy an improved level of protection while making DNS requests.