According to the 2014 Arbor Worldwide Infrastructure Security Report, DNS is the second-most-popular attack vector.
Given the importance of DNS in helping customers, prospects, and partners find your business, blocking DNS queries on the mere suspicion of attack is like closing the door in your customers’ faces.
Most of these attacks manifest themselves as “website not found.” Even the early reports on the New York Times attack in August of 2013 described it as a web-server failure. But the investigation ultimately identified the root cause as the DNS servers not being able to serve queries.
Typically this kind of investigation requires network teams and security teams to cross organizational boundaries. Moreover, a lot of DNS offerings do not have a simple way to monitor the status of the service, which leads to further delay. Surprisingly, according to the Arbor survey:
Approximately 26 percent of respondents indicated that there is no security group within their organizations with formal responsibility for DNS security, up from 19 percent last year. This increase is surprising given the number of high-profile DNS reflection/amplification attacks seen during the survey period.
Responsibility for the DNS infrastructure is sometimes owned by the Windows team or the servers team if customers use built-in Microsoft server features. But as businesses scale and security concerns become evident, they start migrating to the commercial versions. As this happens, responsibility transitions to network teams that are focused on more general methods of ensuring availability. As a side effect, the special security requirements of DNS do not find a home.
With port 53 wide open in the firewalls, these orphaned DNS servers are exposed to all types of attacks and exploits.
Our approach at Infoblox is to address this problem holistically by building security within the DNS application itself. Infoblox Advanced DNS Protection offers self-protecting DNS servers of different capacities to match different deployment sizes. With advanced security techniques for threat detection and mitigation, they continue to perform even under attack by distinguishing attack queries from good traffic and dropping the attack traffic while continuing to serve legitimate queries.
So get smart and get ready for a potential DNS attack by securing DNS from within!