NIST updates guidelines for securing the DNS
- By William Jackson
- Sep 23, 2013
The Domain Name System provides a global system for translating user-friendly Internet domain names to machine-friendly numeric IP addresses. Securing this service is essential to the integrity of the Internet, as the Syrian Electronic Army’s recent attacks on the New York Times and Twitter have shown. The National Institute of Standards and Technology recently updated its guidance for securing DNS in the government enterprise.
The latest revision of Special Publication 800-81, Secure Domain Name System (DNS) Deployment Guide, updates information on the use of DNS Security Extensions (DNSSEC) for digitally signing zone information so that it can be verified.
Because DNS information is meant to be public, confidentiality is not a security concern. As a result, the primary security goals for the system are data integrity and source authentication. DNSSEC helps ensure the authenticity of a domain name by cryptographically verifying its source.
The DNS infrastructure is a distributed, hierarchical system that provides domain name and IP address translation for Top Level Domains and millions of secondary domains. There currently are more than 300 Top Level Domains, with hundreds more expected to be added over the next several years. Authoritative domain name records for the entire Internet are maintained in 13 root servers. There also are millions of local name servers in the infrastructure, each providing information about a segment of the domain name space. The system depends on the ability of the elements to collaborate reliably, and domain name data provided by DNS is intended to be available to any computer anywhere in the Internet.
Securing DNS is complicated by the fact that it is susceptible not only to the same types of vulnerabilities as other distributed systems but also to unique challenges, including the lack of well-defined geographic or topological system boundaries and the absence of any need for data confidentiality.
Because of these characteristics, conventional network-level attacks against DNS can have different functional effects, such as the ability to launch denial of service attacks against broad sections of the Internet, misdirect traffic to malicious sites and undermine the integrity of the entire DNS system with obsolete or improper information.
NIST recommendations for secure DNS deployment include:
- Implement appropriate system and network controls for securing the DNS hosting environment, including operating system and application patching, process isolation and network fault tolerance.
- Protect DNS transactions within an enterprise’s control using hash-based message authentication codes.
- Protect the DNS query and response transaction by using digital signatures based on asymmetric cryptography as spelled out for DNSSEC.
Agencies are mandated to implement DNSSEC in their enterprises. According to a NIST deployment dashboard, 85 percent of 1,315 .gov domains tested on Sept. 22 had DNSSEC enabled. Industry lags far behind in DNSSEC deployment, with only 1 percent enabled of more than 1,000 domains tested.
Basic steps for DNSSEC deployment in NIST guidance are:
- Install DNSSEC capable name servers.
- Check zone file(s) for integrity errors.
- Generate a key pair for each zone.
- Sign the zone using private keys.
- Load the signed zone onto the server.
- Configure the name server to turn on DNSSEC processing.
Copies of public signing keys also can be sent to a parent zone for secure delegation.
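As an added illustration of that last step (not code from NIST or SP 800-81), the following Python builds the DS record a parent zone publishes from a child zone's public DNSKEY and checks it the way a validating resolver does, following the RFC 4034/4509 wire formats; the owner name and the 64-byte key pattern are constructed placeholders, not a real key.

```python
"""Build a DS record from a zone's DNSKEY and verify it as a parent or resolver would.
Illustrative helper code (RFC 4034 / RFC 4509 wire formats); not from SP 800-81."""
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name such as 'example.gov.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_rdata(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS RDATA: key tag(2) | algorithm(1) | digest type(1) | SHA-256(owner wire | DNSKEY RDATA).
    This is what the child sends to the parent for secure delegation (digest type 2 = SHA-256)."""
    algorithm = rdata[3]
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return struct.pack("!HBB", key_tag(rdata), algorithm, digest_type) + digest

def ds_matches_dnskey(ds: bytes, owner: str, rdata: bytes) -> bool:
    """Resolver-side check: recompute the digest from the child's DNSKEY and compare with the DS."""
    tag, alg, dtype = struct.unpack("!HBB", ds[:4])
    if dtype != 2 or alg != rdata[3] or tag != key_tag(rdata):
        return False
    return ds[4:] == hashlib.sha256(name_to_wire(owner) + rdata).digest()

# Constructed sample: a key-signing key (flags 257 = ZONE | SEP) for algorithm 13
# (ECDSAP256SHA256); the 64-byte "public key" is a placeholder pattern, not a real key.
SAMPLE_OWNER = "example.gov."
SAMPLE_KSK = dnskey_rdata(257, 13, bytes(range(64)))
SAMPLE_DS = ds_rdata(SAMPLE_OWNER, SAMPLE_KSK)

if __name__ == "__main__":
    print(f"{SAMPLE_OWNER} IN DS {key_tag(SAMPLE_KSK)} 13 2 {SAMPLE_DS[4:].hex()}")
    print("parent DS matches child DNSKEY:", ds_matches_dnskey(SAMPLE_DS, SAMPLE_OWNER, SAMPLE_KSK))
```

If the child rolls its KSK, the DS in the parent no longer matches and the check returns False, which is why a key rollover must republish the DS before the old key is retired.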