Attacks against the Domain Name System (DNS) are numerous and varied, so organizations must rely on multiple layers of protective measures, such as traffic monitoring, threat intelligence and advanced network firewalls, working together. With the increase in NXDOMAIN attacks, organizations need to strengthen their DNS defenses.
With the Shield NS53 release, Akamai joins a growing list of security vendors offering DNS tools that can defend against NXDOMAIN attacks. The new service extends Akamai’s cloud-based Edge DNS technologies to on-premises deployments.
In an NXDOMAIN attack, also known as a DDoS DNS Water Torture attack, adversaries flood a DNS server with queries for non-existent (hence the NX prefix) or invalid subdomains of a target domain, typically with a random label prepended to each query so that no answer is ever found in a cache. The recursive resolver or DNS proxy in front of the target therefore has to forward every one of these queries to the authoritative DNS server, and it spends most, if not all, of its resources doing so, until neither server has the capacity to handle any requests, legitimate or bogus. Every additional junk query consumes more server CPU, memory and network bandwidth, so legitimate requests take longer to process. When users fail to reach the website because of NXDOMAIN errors, the result is potential loss of customers, loss of revenue and damage to reputation.
NXDOMAIN has been a common attack vector for many years and is becoming an even bigger problem, says Jim Gilbert, director of product management at Akamai. Last year, Akamai observed that 40% of all DNS queries for its top 50 financial services customers returned NXDOMAIN responses.
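The detection side of the attack described above, as an added example that is not code from Akamai or any other vendor named in this article: a Python script that runs over constructed resolver query-log lines (in an assumed, simplified `timestamp client qname qtype rcode` format) and flags a zone when the share of NXDOMAIN answers, the share of never-repeated names (which is what defeats the cache) and the entropy of the leftmost label all point to a random-subdomain flood. The sample log, the log format, the last-two-labels zone heuristic and the thresholds are all assumptions to be adapted to a real resolver and its baseline.

```python
"""Spot a DNS water torture (random-subdomain NXDOMAIN flood) in resolver logs.

Added example; not Akamai's or any vendor's code. Assumed log line format:
    <timestamp> <client_ip> <qname> <qtype> <rcode>
BIND, Unbound and PowerDNS each log differently; adapt parse_log() accordingly.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: ordinary traffic for example.com (one human typo that
# legitimately returns NXDOMAIN) plus a flood of random labels under
# example.net from three clients, which almost all return NXDOMAIN.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A NOERROR
1700000001 10.0.0.5 mail.example.com A NOERROR
1700000002 10.0.0.6 api.example.com A NOERROR
1700000003 10.0.0.6 www.example.com A NOERROR
1700000004 10.0.0.7 wwww.example.com A NXDOMAIN
1700000005 10.0.0.7 www.example.com AAAA NOERROR
1700000006 198.51.100.10 x7k2q9fa.example.net A NXDOMAIN
1700000006 198.51.100.11 p3m8zt1c.example.net A NXDOMAIN
1700000006 203.0.113.9 q9v4lw2h.example.net A NXDOMAIN
1700000007 198.51.100.10 b6n1ry5d.example.net A NXDOMAIN
1700000007 198.51.100.11 k2s7fx9m.example.net A NXDOMAIN
1700000007 203.0.113.9 z4t8cj3e.example.net A NXDOMAIN
1700000008 198.51.100.10 www.example.net A NOERROR
1700000008 198.51.100.11 h5w2ng7r.example.net A NXDOMAIN
"""


@dataclass(frozen=True)
class Query:
    ts: int
    client: str
    qname: str
    qtype: str
    rcode: str


def parse_log(text):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, rcode = parts
        queries.append(Query(int(ts), client, qname.rstrip(".").lower(), qtype, rcode.upper()))
    return queries


def zone_of(qname):
    """Approximate the attacked zone as the last two labels. Simplification:
    production code should use the Public Suffix List so that a name under
    co.uk is not collapsed to 'co.uk'."""
    return ".".join(qname.split(".")[-2:])


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label. Human-chosen
    labels (www, mail, api) score low; random 8-char labels score up to 3.0."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


@dataclass
class ZoneStats:
    total: int
    nxdomain: int
    unique_names: int
    mean_nx_entropy: float  # mean entropy of the leftmost label of NXDOMAIN-answered names

    @property
    def nx_ratio(self):
        return self.nxdomain / self.total if self.total else 0.0

    @property
    def unique_ratio(self):
        return self.unique_names / self.total if self.total else 0.0


def zone_stats(queries):
    """Aggregate per zone the three signals a water torture flood leaves."""
    per_zone = defaultdict(list)
    for q in queries:
        per_zone[zone_of(q.qname)].append(q)
    stats = {}
    for zone, qs in per_zone.items():
        nx = [q for q in qs if q.rcode == "NXDOMAIN"]
        ents = [label_entropy(q.qname.split(".")[0]) for q in nx]
        stats[zone] = ZoneStats(
            total=len(qs),
            nxdomain=len(nx),
            unique_names=len({q.qname for q in qs}),
            mean_nx_entropy=sum(ents) / len(ents) if ents else 0.0,
        )
    return stats


def flag_water_torture(stats, min_queries=5, nx_ratio=0.5, unique_ratio=0.8, entropy=2.5):
    """Zones whose traffic looks like a random-subdomain NXDOMAIN flood. All
    three signals must fire: mostly NXDOMAIN answers, almost no repeated names
    (so the cache cannot absorb them) and high-entropy leftmost labels. The
    thresholds are assumptions; tune them against your own baseline."""
    return sorted(
        z for z, s in stats.items()
        if s.total >= min_queries and s.nx_ratio >= nx_ratio
        and s.unique_ratio >= unique_ratio and s.mean_nx_entropy >= entropy
    )


def top_nxdomain_clients(queries, zone, n=3):
    """Clients sending the most NXDOMAIN-answered queries for a zone: the
    candidates for per-client rate limiting in front of the resolver."""
    c = Counter(q.client for q in queries
                if q.rcode == "NXDOMAIN" and zone_of(q.qname) == zone)
    return c.most_common(n)


if __name__ == "__main__":
    qs = parse_log(SAMPLE_LOG)
    st = zone_stats(qs)
    for zone, s in st.items():
        print(f"{zone}: {s.total} queries, NXDOMAIN ratio {s.nx_ratio:.2f}, "
              f"unique ratio {s.unique_ratio:.2f}, NX label entropy {s.mean_nx_entropy:.2f}")
    for zone in flag_water_torture(st):
        print(f"ALERT water torture against {zone}; top sources {top_nxdomain_clients(qs, zone)}")
```

Run on the sample, only example.net is flagged: its single legitimate typo-free query does not rescue a zone where seven of eight answers are NXDOMAIN for never-repeated, high-entropy names, while example.com's one typo (wwww) stays well under every threshold. The three signals are deliberately combined because any one alone produces false positives: a popular domain with a broken CNAME produces a high NXDOMAIN ratio with low entropy, and CDN or telemetry hostnames produce high-entropy labels that resolve fine.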
Strengthen DNS protection
While it is theoretically possible to defend against DNS attacks by adding more capacity (more resources mean larger and longer attacks are needed to take down servers), it is not a financially feasible or scalable technical approach for most organizations. But they can strengthen DNS protection in other ways.
Enterprise defenders need to ensure they understand their DNS environment. This means documenting where DNS resolvers are currently deployed, how on-premises and cloud resources interact with them, and how they use advanced services, such as Anycast and DNS security protocols.
“There may be good compliance reasons why companies want to keep their original DNS resources on-premise,” says Akamai’s Gilbert, noting that Shield NS53 allows companies to add protective controls while keeping existing DNS infrastructure intact.
DNS protection should also be part of an overall distributed denial of service (DDoS) prevention strategy, as many DDoS attacks begin with DNS exploits. According to Akamai, nearly two-thirds of DDoS attacks last year used some form of DNS exploit.
Before purchasing anything, security managers need to understand both the scope and the limitations of the solution they are evaluating. For example, while Palo Alto Networks’ DNS security service covers a broad collection of DNS exploits beyond NXDOMAIN, customers only get that broad protection if they run the vendor’s next-generation firewall and subscribe to its threat prevention service.
DNS defenses should also integrate with robust threat intelligence so defenders can quickly identify and respond to potential attacks and reduce false positives. Vendors like Akamai, Amazon Web Services, Netscout, Palo Alto, and Infoblox operate large telemetry collection networks that help their DNS and DDoS protection tools spot an attack.
The Cybersecurity and Infrastructure Security Agency (CISA) has put together a series of recommended actions, including adding multi-factor authentication to DNS administrators’ accounts, as well as monitoring Certificate Transparency logs and investigating any discrepancies.