The Top 4 DNS Security Best Practices

What Is DNS & How Is It Vulnerable to Attacks?

The internet's domain name system (DNS) acts as a directory for the entire web. It allows users to access web pages—everything from sports and news sites to search engines and university systems—by translating site names into a string of digits a computer recognizes called an IP address.

DNS is a convenient tool that makes the web more usable for all of us. But it's not without vulnerabilities. Because internet service providers (ISPs) do not take it upon themselves to verify the accuracy of domain-name-to-IP translations, and because this process is largely invisible to the user, DNS requests are susceptible to attacks including:

• Denial-of-service (DoS) attacks that disable devices by overwhelming them with bogus requests to the point where legitimate ones cannot be made successfully.

• Distributed-denial-of-service (DDoS) attacks, which share the same end goal as DoS attacks, but use a network made up of many devices so they can’t be turned away by shutting down traffic from a single source.

• Cache poisoning attacks that occur when cybercriminals infect a computer’s temporary storage (the cache) with malicious code, and then the resolver redirects a legitimate DNS to that code for a specific purpose, like installing spyware or another type of malware.

• Registrar hacking, which is a DNS-enabled attack often stemming from a website owner's account credentials being compromised. After hacking a registered domain, cybercriminals can reroute legitimate DNS requests for that site to their intended target site.

4 Reasons Why Taking Control of Your DNS Is a Cybersecurity Best Practice

Businesses without a DNS security tool in place typically rely on their internet service provider (ISP) to resolve their DNS requests for nothing more than their monthly bill. However, the truth is there’s a lot of value in those requests for ISPs and other larger internet companies. They tell the story of how we use the internet and can be very powerful when paired with machine learning technology.

But rather than blindly donating this data, DNS security tools allow users to resolve requests on their own terms. In addition to added privacy, this presents several overall productivity and security benefits. General cybersecurity best practices are strengthened by strong DNS security.

Here's how:

1. Blocking risky DNS requests. ISPs tend to take a hands-off approach to resolving DNS requests. They’re not interested in whether you’re headed for a legitimate site, or one known to host malware. They’re just there to get you on your way. DNS security tools (at least the ones backed by quality threat intelligence) can see that a user on a network is trying to land on a known malicious site, and instantaneously block that visit from happening. Webroot data has found that 88% of malware can be stopped from ever entering a network by using this strategy.

2. Foiling cryptojacking scripts. Cryptojacking is the practice of using website scripts to steal visitor’s computing power without their knowledge to mine cryptocurrencies. All it takes is a few lines of JavaScript, triggered when a user lands on a site, to initiate the process. But because those snippets of code need to make a DNS request in order to begin, they can easily be blocked by using a DNS security tool. Without one, it can be very difficult to detect these malicious operations unfolding in the background since they are specifically designed to use just enough CPU to still evade detection.

3. Locking down your guest WiFi Network. There are portions of the internet which are inappropriate to access at any business. If you don’t want an angry phone call from your ISP for illegally downloading copyrighted material, or you don’t want your bandwidth sapped by a patron using file sharing sites on your network, you can prevent that by denying DNS requests to peer-to-peer torrenting or streaming sites. In addition to being a bandwidth drain, torrent sites are hotbeds for malware.

4. Boosting workplace productivity. Social media, fantasy sports, streaming video—there are a lot of distractions on the web. But just as ISPs do, examining your business’s DNS requests can tell you a lot about how your network is being used, even which devices are employed to access it. DNS security tools are capable of grouping sites into categories like those mentioned above—plus far more like gambling, adult, alcohol & tobacco, shopping, and so on—and blocking DNS requests to such sites from being resolved as needed. They can even shut down obtrusive ads on sites used for legitimate research or other business purposes. Finally, beyond blocking access to certain groups of sites outright, owners could simply create usage reports to monitor how their network is being used with an eye for any trends that may be problematic over the long run.