As the Mirai botnet attack on 21 October 2016 proved, the DNS (Domain Name System) is not immune to cyber-attacks. If there is one key lesson to take from it, it’s that organisations relying on online assets for their day-to-day activities simply cannot afford to lose a service like DNS.
The importance of DNS to your overall web presence cannot be overstated. If your DNS were compromised or taken offline, it would take down your website, email, apps and potentially other services, leading to lost revenue and poor brand perception. DNS is the lifeline of your digital existence.
Many organisations still take a piecemeal approach to improving their DNS setup. Employing a “set it and forget it” approach to DNS is like closing the door of a vault without checking that it is actually locked. And as cyber criminals continue to find new ways to attack and threaten businesses, a vulnerable DNS is low-hanging fruit.
A DNS environment can change rapidly, which makes a professional DNS audit crucial. DNS is like the oil in a car engine: it needs to be checked regularly so that issues such as server overload from negative caching or low TTLs can be found and fixed early, before they turn nasty. The following tips will help you make the most of your DNS audit:
Configure your SPF to stop email spoofing
The Sender Policy Framework (SPF) helps prevent email spoofing. If it is not configured properly, however, emails can still be spoofed, damaging your brand’s reputation, because your audience can receive emails in your name that you never sent. It is therefore crucial to make sure configuration errors such as invalid syntax or the incorrect use of multiple strings are fixed before they create issues.
Check your negative caching
Negative caching lets a DNS server hold on to a negative response. When someone requests a name that does not exist and the server has already looked it up, it remembers the result and can answer directly for a set period without looking the name up again. A negative caching time set too low can overload the server and cause downtime, because it repeatedly retrieves the same information and uses too much bandwidth.
Make sure your TTL is configured properly
Time to live (TTL) sets how long recursive servers wait before refreshing a record in their DNS cache. A TTL that is too small can overload the server with excessive queries. On the other hand, a TTL that is too high makes records slow to change when a configuration change is needed. Understanding how DNS is used as part of your wider IT infrastructure is critical to setting a TTL that reduces query load while providing adequate flexibility.
Zone delegation issues
One of the most common problems found during a DNS audit is zone delegation, which can break your DNS if not configured properly. Zones need to be delegated correctly so that DNS queries are referred to the right servers. Reviewing name servers and checking that names point to the proper location is a necessary part of an audit to ensure zones are correctly set up.
Remove internal IP addresses from external zones
In theory, you should not find any internal IP addresses in external DNS zones. In practice, this is fairly common, and such errors can expose information about your internal infrastructure. This is why part of your audit should be checking that internal and external DNS are kept separate and that no internal addresses appear in an external zone.
Clean up your inactive domains
You need to keep track of which domains are active and which are inactive (e.g. a .biz domain you registered but never fully set up) and periodically clean up the inactive ones. Errors here can be caused by typos, a server name change, or out-of-date information.
Test your PTR records
PTR records (pointer records) map an IP address, written with its octets in reverse order, back to a host name. They are commonly known as reverse lookup records because you can use an IP address to find the host name. Normally PTR records live in the reverse zone, but they are sometimes found, in error, in the forward zone. During an audit, you should test PTR record lookups to make sure the octets of the address are reversed correctly.
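To make the SPF, negative caching, TTL, internal address and PTR checks from the sections above repeatable, here is an added example (not code from the original article or from Neustar) of a small offline audit script in Python. The zone data is a constructed, hypothetical record set for example.com, and the thresholds, field names and internal ranges are assumptions.

```python
import ipaddress
import re

# Constructed sample data for a hypothetical example.com external zone (not a real zone).
SAMPLE_ZONE = {
    "soa_minimum": 60,  # negative-caching TTL, taken from the SOA MINIMUM field (RFC 2308)
    "records": [
        # SPF split over two TXT strings with no space at the join; a second SPF record follows with a typo
        {"name": "example.com", "type": "TXT", "ttl": 3600, "data": ["v=spf1 include:_spf.example.net", "-all"]},
        {"name": "example.com", "type": "TXT", "ttl": 3600, "data": ["v=spf1 includes:_spf.example.org -all"]},
        {"name": "www.example.com", "type": "A", "ttl": 30, "data": "203.0.113.10"},
        {"name": "intranet.example.com", "type": "A", "ttl": 3600, "data": "10.0.5.12"},
        {"name": "mail.example.com", "type": "PTR", "ttl": 3600, "data": "mail.example.com."},  # PTR in forward zone
    ],
}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7")]
SPF_TERM = re.compile(r"^([+~?-]?(all|include:\S+|a(:\S+)?|mx(:\S+)?|ip4:\S+|ip6:\S+|exists:\S+|ptr(:\S+)?)|(redirect|exp)=\S+)$")

def reverse_name(ip):
    return ipaddress.ip_address(ip).reverse_pointer  # 203.0.113.10 -> 10.113.0.203.in-addr.arpa

def audit_spf(strings):
    """Check one SPF record. Resolvers join the TXT strings with no separator (RFC 7208 section 3.3)."""
    findings = []
    for prev, nxt in zip(strings, strings[1:]):
        if not (prev.endswith(" ") or nxt.startswith(" ")):
            findings.append(f"spf: strings join without a space at {prev[-12:]!r}|{nxt[:12]!r}")
    joined = "".join(strings)
    if not re.match(r"v=spf1(\s|$)", joined):
        findings.append("spf: record does not start with v=spf1")
    findings += [f"spf: invalid term {t!r}" for t in joined.split()[1:] if not SPF_TERM.match(t)]
    return findings

def audit_zone(zone, min_ttl=300, min_neg_ttl=300):
    """Run the checks described in the article over a parsed external zone and return a list of findings."""
    findings, spf_count = [], {}
    if zone["soa_minimum"] < min_neg_ttl:
        findings.append(f"negative caching TTL {zone['soa_minimum']}s is low; repeated NXDOMAIN lookups hit the server")
    for r in zone["records"]:
        if r["ttl"] < min_ttl:
            findings.append(f"{r['name']}: TTL {r['ttl']}s is low and raises query load")
        if r["type"] == "TXT" and "".join(r["data"]).startswith("v=spf1"):
            spf_count[r["name"]] = spf_count.get(r["name"], 0) + 1
            findings += audit_spf(r["data"])
        if r["type"] in ("A", "AAAA") and any(ipaddress.ip_address(r["data"]) in n for n in INTERNAL_NETS):
            findings.append(f"{r['name']}: internal address {r['data']} exposed in external zone")
        if r["type"] == "PTR" and not r["name"].endswith((".in-addr.arpa", ".ip6.arpa")):
            findings.append(f"{r['name']}: PTR record in the forward zone")
    findings += [f"{n}: {c} SPF records, must be exactly one" for n, c in spf_count.items() if c > 1]
    return findings
```

Running audit_zone(SAMPLE_ZONE) on the constructed zone reports seven findings, one for each of the planted problems; in practice the record set would come from a zone transfer or an export from your DNS provider.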
Consider increasing redundancy
Along with conducting a DNS audit, you should also look at the level of redundancy you have and determine whether a secondary (or failover) DNS service is required, especially for areas where an outage could cause major disruption. Implementing a secondary service greatly reduces your risk of downtime due to DNS-related issues (like those experienced in October 2016) and guarantees redundancy for your most mission-critical systems.
Robin Schmitt is general manager, Australia, at Neustar