DNS service availability and integrity must become a key priority for any organisation as DNS-targeted attacks rise across all sectors. We have previously written that not all DNS is created equal, and DNS is often the Achilles heel in a business’s digital infrastructure. Ensuring that you have selected the appropriate DNS for your business-critical domain names will stave off attacks and provide greater capacity for your network to deal with spikes in traffic.
Attacks on the Rise
The 2020 Global DNS Threat Report, conducted in collaboration with IDC, shows that organisations across all industries suffered an average of 9.5 attacks this year.
Overall, 83% of service provider organisations experienced a DNS attack, well above the overall average of 79%. A successful attack on telecommunications providers can have especially far-reaching consequences, as outages may affect customers in a wide variety of sectors that rely on 24/7 availability of networks.
Most Common Attacks
The most common attack types used by hackers were:
- phishing attacks (37%),
- DNS-based malware (33%),
- DDoS attacks (27%),
- lock-up domain attacks (22%), which may cause DNS resolvers to exhaust their resources,
- DNS amplification attacks (21%)
Not all DNS Networks are the same
It is critical that organisations select DNS networks that reflect the criticality of their digital assets. There are many different types of DNS services to choose from, ranging from basic open BIND DNS to unicast and large-scale anycast DNS networks.
Domain name providers typically run their DNS on open BIND. This service usually comes free with domain names, and the quality of DNS, security, and redundancy varies from Registrar to Registrar. Free DNS does not come with SLAs, and there are some technical limitations: many Registrars do not offer Dynamic DNS services (DNS records that are updated automatically when a destination’s IP changes), weighted load balancing, APIs and similar features.
Dedicated DNS hosting providers, such as UltraDNS, tend to have faster and much larger DNS Anycast infrastructure, designed from the ground up for hosting DNS query traffic and nothing else.
Summary of the Benefits of Anycast DNS
Improved Reliability – Anycast improves the reliability of DNS through the placement of multiple geographically dispersed servers at the same IP address. The redundancy of these DNS servers makes the service more highly available and reliable.
Improved Performance – Packets destined for Anycast DNS servers will be routed to the “nearest” server in the topology. This helps ensure that DNS clients query their local servers first before using remote servers, based upon routing and topology.
Enhanced Security – Geographically dispersed DNS servers that operate using the same IP address make the DNS service more resilient to DoS and/or DDoS attacks because it’s much tougher to launch attacks on hosts that use duplicated IP address schemes that reside in different parts of the network.
Protection against DDoS attacks – Successfully launched DoS and/or DDoS attacks will typically be localized and only affect a portion of the entire Anycast DNS group.
Increased Availability – A DNS Anycast server that becomes unavailable due to failure or routine maintenance will have very little impact on the name resolution service because its routes are withdrawn from the routing tables. Routing will divert this traffic to the next-best-path servers in the Anycast group.
How to choose a DNS Service?
Domain names can be classified depending on their criticality, whether they are live or not live, value, risk and a range of other metrics.
We recommend that any domain considered a critical business digital asset be put on an Anycast DNS network. Domain names that are parked, forwarded, or don’t serve a critical function can use a domain name registrar’s open BIND DNS service. This is the best approach for balancing risk, availability, and cost.
Selecting the DNS network that reflects the criticality of your digital assets is essential to ensure that your business stays online, all of the time.
Brandsec is a corporate domain name management and brand protection company that looks after many of Australia, New Zealand and Asia’s top publicly listed brands. We provide monitoring and enforcement services, DNS, SSL management, domain name brokerage, dispute management and brand security consultation services.