Every enterprise runs or depends on one or more Domain Name System (DNS) servers and, whether users are aware of it or not, every one of them queries DNS many times a day to reach internal and external information resources. For those not familiar with DNS, it is the universal directory that translates resource names, such as a familiar www.website.com address, into the Internet Protocol (IP) addresses that routers and switches actually use to carry traffic between the user's computer and the information host; the name itself means nothing to the network equipment.
Conceptually, think of DNS as a pyramid. If your local DNS server cannot answer a query from its own zones or its cache, it starts at the top and works down: it asks a root server, which refers it to the servers for the top-level domain (for example .com), which in turn refer it to the servers authoritative for the domain itself, and those return the answer. There is a single root zone, served by 13 root server identities that are in practice a network of hundreds of servers in many countries around the world.
DNS is a critical component of our connected world. At some point, every transaction, every website access, every download interacts with DNS. You may host your own DNS, you may use DNS provided by an Internet Service Provider (ISP), or, as is typical for medium and larger healthcare organizations, you may use a hybrid of both. Your local DNS supports access to internal resources, while the DNS provided by an ISP supports externally facing resources, such as websites, patient portals, etc.
As with all connected technology, DNS can be attacked and poses security risks; some security researchers consider it one of the most vulnerable components. Why is this, and what can be done about it? It is worth noting that the original DNS specification had no security capabilities: nothing in the protocol authenticates the server or the answer. Consequently, millions of DNS servers still run with those original, unauthenticated defaults, resulting in a system that is vulnerable to:
- Spoofing: anyone who can stand up a rogue DNS server that clients are pointed at, or answer a query before the genuine server does, can mask and replace the original DNS records
- Cache poisoning: corruption of a resolver's cached data by feeding it forged responses that it accepts as genuine, so that every user of that resolver receives the attacker's records until they expire
- Denial of service: protocol-based attacks that exploit how a DNS server processes data to slow it down or, in extreme cases, crash it, and flooding from many sources that simply overwhelms it, a Distributed Denial of Service (DDoS) attack
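The referral chain described above, together with the checks a resolver applies against spoofed and poisoned replies, as an added example written for this page (it is not code from the original article). It builds a constructed in-memory hierarchy (a root, a test. top-level domain, and the zones bank.test. and attacker.test. on documentation-range addresses) and a toy iterative resolver that follows referrals and glue from the root down, validates the transaction ID and question of every reply, and discards any record that lies outside the bailiwick of the server it asked. The two demo functions simulate, respectively, an attacker's own authoritative server trying to plant a record for another zone in the additional section, and a forged reply racing the genuine one.

```python
# Added example (not from the original article); names, IPs and records are constructed.
import random
from dataclasses import dataclass, field

@dataclass
class Response:
    txid: int
    qname: str
    qtype: str
    answer: list = field(default_factory=list)      # (name, type, rdata)
    authority: list = field(default_factory=list)   # (zone, "NS", nsname): a referral
    additional: list = field(default_factory=list)  # (nsname, "A", ip): glue

def in_bailiwick(name, zone):  # is name inside zone? ("." covers everything)
    return zone == "." or name == zone or name.endswith("." + zone)

class AuthServer:
    """Authoritative for one zone; refers queries for delegated child zones."""
    def __init__(self, zone, records, delegations):
        self.zone, self.records, self.delegations = zone, records, delegations

    def query(self, txid, qname, qtype):
        resp = Response(txid, qname, qtype)
        if (qname, qtype) in self.records:
            resp.answer.append((qname, qtype, self.records[(qname, qtype)]))
        else:  # refer to the longest delegated zone containing qname, with glue
            for child in sorted(self.delegations, key=len, reverse=True):
                if qname == child or qname.endswith("." + child):
                    resp.authority += [(child, "NS", ns) for ns, _ in self.delegations[child]]
                    resp.additional += [(ns, "A", ip) for ns, ip in self.delegations[child]]
                    break
        return resp  # all sections empty: the name does not exist here

class Resolver:
    def __init__(self, servers, root_hints):
        self.servers, self.root_hints, self.cache = servers, root_hints, {}  # cache: (name, type) -> rdata

    def accept(self, txid, qname, qtype, zone, resp):
        """Reply checks before caching: ID and question must match; out-of-zone records are dropped."""
        if resp.txid != txid or (resp.qname, resp.qtype) != (qname, qtype):
            return None
        for section in ("answer", "authority", "additional"):
            setattr(resp, section, [r for r in getattr(resp, section) if in_bailiwick(r[0], zone)])
        return resp

    def resolve(self, qname, qtype="A", send=None):
        """Walk root -> TLD -> authoritative server, following referrals and glue."""
        send = send or (lambda ip, *q: self.servers[ip].query(*q))  # stands in for a UDP exchange
        if (qname, qtype) in self.cache:
            return self.cache[(qname, qtype)]
        zone, targets = ".", list(self.root_hints)
        for _ in range(8):  # bound the referral chain
            txid = random.randrange(1 << 16)  # 16-bit transaction ID, as in the real protocol
            resp = self.accept(txid, qname, qtype, zone, send(targets[0], txid, qname, qtype))
            if resp is None:
                raise RuntimeError("reply from %s rejected" % targets[0])
            for name, rtype, rdata in resp.additional:  # glue, already bailiwick-checked
                self.cache[(name, rtype)] = rdata
            if resp.answer:
                return self.cache.setdefault((qname, qtype), resp.answer[0][2])
            if not resp.authority:
                return None  # neither answer nor referral: the name does not exist
            zone = resp.authority[0][0]
            targets = [ip for (_, t, ip) in resp.additional if t == "A"]  # a real resolver would look up glueless NS names
        raise RuntimeError("referral chain too long")

def build_resolver():
    """Constructed hierarchy: root (.) -> test. -> bank.test. and attacker.test."""
    servers = {
        "192.0.2.1": AuthServer(".", {}, {"test.": [("a.nic.test.", "192.0.2.2")]}),
        "192.0.2.2": AuthServer("test.", {}, {"bank.test.": [("ns1.bank.test.", "192.0.2.3")],
                                              "attacker.test.": [("ns1.attacker.test.", "192.0.2.4")]}),
        "192.0.2.3": AuthServer("bank.test.", {("www.bank.test.", "A"): "198.51.100.10"}, {}),
        "192.0.2.4": AuthServer("attacker.test.", {("www.attacker.test.", "A"): "203.0.113.5"}, {}),
    }
    return Resolver(servers, ["192.0.2.1"])

def demo_glue_injection():
    """attacker.test.'s server answers its own name but slips in a bogus www.bank.test. record."""
    r = build_resolver()
    def inject(ip, txid, qname, qtype):
        resp = r.servers[ip].query(txid, qname, qtype)
        if ip == "192.0.2.4":
            resp.additional.append(("www.bank.test.", "A", "198.51.100.66"))
        return resp
    r.resolve("www.attacker.test.", send=inject)
    return r.cache.get(("www.bank.test.", "A")), r.resolve("www.bank.test.")  # (None, "198.51.100.10")

def demo_forged_reply(attacker_knows_txid):
    """A forged reply beating the real server is accepted only if its transaction ID matches."""
    r = build_resolver()
    def spoof(ip, txid, qname, qtype):  # off-path: the attacker has to guess the ID
        guess = txid if attacker_knows_txid else txid ^ 1
        return Response(guess, qname, qtype, answer=[(qname, "A", "198.51.100.66")])
    try:
        return r.resolve("www.bank.test.", send=spoof)  # "198.51.100.66" or None
    except RuntimeError:
        return None
```

Call demo_glue_injection() and demo_forged_reply(False) / demo_forged_reply(True) to see the two cases. The out-of-bailiwick record is dropped, so the later lookup of www.bank.test. still walks the hierarchy and gets the genuine address; a forged reply that carries the correct transaction ID, however, is accepted and cached. On a real network a 16-bit ID is far too little entropy on its own, which is why resolvers also randomise the source port of every query, and why only DNSSEC signatures give a cryptographic check on the answer itself.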
There are also risks created by how DNS is deployed:
Does your organization have a single ISP that presents your DNS records to the outside world? What happens if that ISP is attacked or goes down? Engage a second ISP or DNS service provider so that your external DNS is served from more than one place.
Do you have only one DNS server? Create a second DNS instance to remove the single point of failure, and run it on a different operating system or DNS software so that one vulnerability cannot take both down.
Are all of your internal DNS servers on the same network, and do they also provide resolution for services such as patient portals? Create a second subnet and move one of the DNS servers onto it, so that a flood against one segment does not take all resolution with it, and use a different type of DNS server as the secondary to mitigate operating system and software vulnerabilities.
In addition, there are several other tactics that can be used to secure the DNS environment:
- Implement a DNS firewall on your resolvers to block or redirect lookups of known-malicious domains before clients can reach them
- Ensure the DNS software and the server operating system are kept patched and up to date
- Architect for resiliency and security
DNS is the hidden, critical component behind every Internet service; if it performs poorly or is unavailable to your users, those services degrade or disappear.