DNS security is essential for any organization. We need to protect it as much as we can so the company’s regular work is not affected in any way. Here is a list of DNS best practices to do that.

Make available only what is necessary. Not everything should be available to the public. You can keep private domain names internal, and you should limit access to them.

Make all internal DNS servers authoritative only. You don’t need to allow recursive queries on your DNS network; they waste the resources of those servers.

Guarantee availability. Having just a single authoritative nameserver is not enough. You need to think about redundancy. There are different methods to achieve it with multiple DNS servers. Think about where you need the DNS servers. The closer you put DNS servers to the clients, the faster the DNS resolution will be. More is better here.

Hide the primary servers. The primary server (or servers) is where you keep the master DNS zone with all the DNS records. This server should be hidden, so nobody knows about it and tries to attack it. Only those who administer it should know about it and have access.

Have local DNS servers. At each office, you can have a different set of nameservers. That way, you won’t rely on a single DNS server at the headquarters of the company. Your organization could also use them to create load balancers.

Protect the zone transfers. You don’t want man-in-the-middle attacks where a hacker updates the DNS records with forged information. Limit access to zone transfers and use TSIG (transaction signatures).
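The following is an added illustration of what TSIG brings to a zone transfer; it is not code from the original post and not a full RFC 8945 implementation. It reproduces the core idea in Python: an HMAC-SHA256 over the message plus the key name, the signing time and a "fudge" window, verified in constant time, with the three rejection reasons TSIG defines (BADKEY, BADSIG, BADTIME). The wire-format TSIG record itself and its 48-bit time field are left out; the key name, secret and AXFR request bytes are constructed sample values.

```python
"""Simplified TSIG-style authentication of zone transfer messages.

Added illustration, not code from the original post. It mirrors the core of
RFC 8945 TSIG: an HMAC-SHA256 over the DNS message plus the key name, the
signing time and a "fudge" window, verified with a constant-time comparison.
The real wire-format TSIG record (appended to the additional section) and
its 48-bit time field are not reproduced; key name and secret are
constructed sample values.
"""
import hashlib
import hmac
import struct
import time

KEY_NAME = "xfer-key.example.com."   # constructed; a real one comes from tsig-keygen
KEY_SECRET = b"constructed-shared-secret-do-not-reuse"
DEFAULT_FUDGE = 300                   # seconds of clock skew tolerated


def _mac_input(message, key_name, time_signed, fudge):
    # Bind the MAC to the message, the key name and the time window so a
    # captured signature cannot be replayed later or reused under another key.
    return message + key_name.lower().encode("ascii") + struct.pack("!QH", time_signed, fudge)


def sign(message, secret, key_name, now=None, fudge=DEFAULT_FUDGE):
    """Produce the fields a TSIG record would carry for this message."""
    time_signed = int(time.time()) if now is None else now
    mac = hmac.new(secret, _mac_input(message, key_name, time_signed, fudge), hashlib.sha256).digest()
    return {"key_name": key_name, "time_signed": time_signed, "fudge": fudge, "mac": mac}


def verify(message, sig, keyring, now=None):
    """Return 'ok' or the RFC 8945 error name: BADKEY, BADSIG or BADTIME.

    The check order (key, then MAC, then time) follows the RFC: a time check
    on a message whose MAC has not been verified would mean nothing."""
    now = int(time.time()) if now is None else now
    secret = keyring.get(sig["key_name"].lower())
    if secret is None:
        return "BADKEY"
    expected = hmac.new(secret, _mac_input(message, sig["key_name"], sig["time_signed"], sig["fudge"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig["mac"]):
        return "BADSIG"
    if abs(now - sig["time_signed"]) > sig["fudge"]:
        return "BADTIME"
    return "ok"


def demo():
    # Constructed AXFR request as the primary would see it from a secondary.
    request = b"AXFR example.com. IN"
    keyring = {KEY_NAME: KEY_SECRET}
    sig = sign(request, KEY_SECRET, KEY_NAME, now=1_700_000_000)
    return {
        "valid": verify(request, sig, keyring, now=1_700_000_060),
        "tampered": verify(request + b" evil", sig, keyring, now=1_700_000_060),
        "replayed_later": verify(request, sig, keyring, now=1_700_000_000 + 3600),
        "unknown_key": verify(request, sig, {"other-key.": KEY_SECRET}, now=1_700_000_060),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The primary only honours an AXFR whose signature verifies under a key it knows; limiting who may transfer (the `allow-transfer` list in BIND terms) still belongs alongside TSIG, because the signature proves who sent the request but does not by itself restrict which hosts may ask.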

Protect the integrity of the data. There is a security extension called DNSSEC (Domain Name System Security Extensions) that can encrypt DNS communication. It creates a chain of trust that stops bad actors from changing the DNS data in transit by validating each step of the DNS resolution.

Include DDoS protection. Many DNS providers offer plans that include DDoS protection able to withstand high-volume traffic attacks. Such a service will include a network of several DNS servers for load balancing and special DDoS-protected servers that can absorb the attack.

Monitor your DNS traffic. It is not enough to simply set up your DNS and forget about it. You need to constantly monitor the network performance and spot potential threats. You can manually ping the servers to see if they are online, but it is better to use more advanced software for rich statistics on the situation.

Failover. Create failover triggers that will activate automatically when a problem occurs. If one server is down and stops responding, you can get a notification and redirect the traffic. When it comes back, it can automatically signal that it is functional again and continue its work.

Having a secure network is a heavy task, but it is a must in today’s dangerous interconnected environment. Use these DNS best practices and bullet-proof your DNS as much as you can. Don’t let any DNS error lead to downtime, loss of information, or phishing attacks.

Cloud DNS services are getting popular. More and more companies are benefiting from the cloud infrastructure and advanced technology that DNS providers can offer. To be able to make a choice, you first need to understand what a Cloud DNS service is.

What is DNS?

DNS is an international system for domain resolution. It is responsible for linking domain names to their IP addresses. When a person types a domain name in their browser, or requests it through an application, their device needs to find where the domain name is. It starts a search in which DNS recursive servers ask, and authoritative DNS servers answer for the zone they are responsible for by providing an IP address in the case of A or AAAA records.

Why DNS in the cloud?

When you have a website or an application, you want this domain resolution to happen as fast as possible. A great way to achieve it is by shortening the distance between the person who needs the answer and the DNS servers that can provide it.

When we talk about the cloud, we mean multiple DNS servers inside multiple data centers. Having more than one server provides answers closer to people, because each DNS server can answer the DNS query.

Cloud DNS beats a single authoritative DNS server because it can cover a bigger territory and shorten the DNS query path and response time.

Cloud DNS service

A Cloud DNS service is a cloud service, usually SaaS, that users use to manage their domain names. They can create DNS zones and DNS records, and set up multiple points of presence (PoPs), load balancers, and CDNs.

A Cloud DNS service has an easy-to-use interface or API that makes it effortless to administer domain names and use advanced DNS services like GeoDNS, Dynamic DNS, Forwarding, etc.

What makes it especially good is that users don’t have to bother with hardware support or connectivity. The infrastructure and the software are 100% the responsibility of the provider, which must guarantee them and the normal functioning of the service it offers.

There are multiple Cloud DNS service providers like ClouDNS.net, Cloudflare.com, DNSimple.com, and big cloud providers like Amazon, Google, Microsoft, and many more.

Usually, choosing a smaller provider offers better performance and more features per dollar than the big providers, while the big ones can often offer a larger DNS network.

It is very important to check the DNS network, that is, the available DNS servers, of the provider you want. See if it covers the right region for you.

Benefits of Cloud DNS

Speed. A shorter travel distance of the DNS query will mean faster DNS resolution and a better experience for the users who want to access the domain name. 

Redundancy. It will provide additional DNS servers and remove the single point of failure. Now even if one of your DNS servers is down, your domain could still be accessible. 

Scalability. An important aspect of cloud services is that upgrading or downgrading is usually easy. It only takes a few clicks and selecting the right plan for you. 

Additional features. DDoS protection is a good benefit that some DNS providers offer. It adds a layer of protection that stops many DDoS attacks. GeoDNS is another interesting feature: it understands where the traffic comes from and gives clients IP-specific answers that lead them to the closest DNS server. There are many more great features.

Conclusion

A Cloud DNS service is an easy and cost-effective way to speed up your domain resolution. It can add better performance to your site, whether it is a small blog or a massive e-commerce site.

What is DNS poisoning (DNS spoofing)?

DNS poisoning (DNS spoofing) is a technique that hackers use to imitate another device, user, or client. It acts as a cover, which makes it easier to disrupt the regular flow of traffic or reach protected information.

The attackers turn legitimate Domain Name System (DNS) data into spoofed data. So, when a client wants to visit a website, they are directed to a completely different site rather than the legitimate destination they requested. Users usually don’t even realize they have reached a fake site, because it is designed to look the same as the original site without any major differences.

After the attack is initiated, the traffic is directed to the non-legitimate server. Therefore hackers are capable of performing malicious actions, such as man-in-the-middle attacks and stealing sensitive information. Another scenario is installing a virus on the victim’s computer and causing a lot of damage. Even further, they can place a worm to expand the harm to more devices.

Why is DNS poisoning so dangerous?

DNS poisoning poses risks to organizations and also to individuals. Maybe the biggest risk is that once a device has become a victim of DNS poisoning, it is very challenging to fix. This is because the poisoned device will keep going back to the forged site. Besides, a DNS poisoning attack is very hard for a user to detect. The attackers direct the traffic to a very similar website, so the visitor does not notice that something is wrong. The user inputs their sensitive information as usual and doesn’t realize that they have exposed themselves to severe risk.

Here are some of the severe dangers that this type of attack includes:

  • Robbery

With DNS poisoning, it is easy for attackers to steal sensitive information, for example logins for protected sites (banks, organizational systems) or property ownership information. Personally identifiable information is also valuable, like social security numbers or payment details.

  • Malware and viruses

After a visitor is led to a forged website, the attackers can access the user’s device and install a host of viruses and malware on it. That includes viruses designed to harm the device and also the other devices it interacts with. Malware, on the other hand, gives the attackers continuous access to the device and the information inside it.

  • Security blockers

With DNS poisoning, malicious actors can cause critical damage over a long period. They do this by redirecting traffic away from security providers, which blocks devices from getting the essential updates and patches that keep their security strong. In this way, the devices become more defenseless over time, and the door is opened for various other kinds of attack, such as Trojans.

What are appropriate protective measures against it?

There are ways to protect DNS name resolution from being tampered with. For example, implementing DNS cookies protects the integrity and authenticity of DNS queries between clients and servers, and of the information transferred between them. Implementing DNSSEC also helps protect against DNS spoofing.

To make DNS tampering even more difficult, it is essential to use well-maintained and up-to-date software on routers, name servers, and all kinds of devices. A patched system has far fewer weak points for attackers and malware to exploit.
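As an added example of the resolver-side checks that make poisoning hard (this is not code from the original post), the Python below builds and parses minimal DNS messages offline and then applies the sanity checks a recursive resolver performs before caching a reply: the reply must come from the server that was queried, carry the random transaction ID of the outstanding query, echo the question, and contain only records inside the zone that server is responsible for (the "bailiwick" rule). The names, addresses and transaction IDs are constructed; the helper functions `build_query`, `build_response`, `parse_message` and `validate_response` are this example's own.

```python
"""Resolver-side checks that reject spoofed DNS responses.

Added example, not code from the original post. A small DNS wire-format
builder/parser is included so the checks run on constructed messages offline;
the names, addresses and transaction IDs are made up.
"""
import secrets
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    # "www.example.com." -> b"\x03www\x07example\x03com\x00"
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off, hops=0):
    """Read a name at off, following RFC 1035 compression pointers with a hop
    limit so a crafted pointer loop cannot hang the parser. Returns (name, next_off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:
            if hops > 8:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                 # resume after the pointer, not the target
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (off if end is None else end)


def build_query(txid, name, qtype=TYPE_A):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)          # RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(txid, name, qtype, answers):
    """answers: list of (owner, rtype, ttl, rdata_bytes)."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR, RD, RA
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    for owner, rtype, ttl, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return msg


def parse_message(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, question, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        question.append((qname,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "flags": flags, "question": question, "answers": answers}


def in_bailiwick(owner, zone):
    return zone == "." or owner == zone or owner.endswith("." + zone)


def validate_response(pending, raw, source):
    """pending: what we sent and to whom; raw: bytes received; source: (ip, port).
    Returns (accepted, reason); every rejection is worth logging as a spoofing signal."""
    if source != pending["server"]:
        return False, "source address/port is not the server we queried"
    try:
        resp = parse_message(raw)
    except (ValueError, IndexError, struct.error):
        return False, "malformed message"
    if resp["id"] != pending["id"]:
        return False, "transaction ID mismatch"
    if not resp["flags"] & 0x8000:
        return False, "QR bit not set: not a response"
    if resp["question"] != [(pending["name"], pending["qtype"], CLASS_IN)]:
        return False, "question section does not echo our query"
    for owner, *_ in resp["answers"]:
        if not in_bailiwick(owner, pending["bailiwick"]):
            return False, f"record for {owner} is outside {pending['bailiwick']}"
    return True, "accepted"


def demo():
    # Constructed scenario: we asked ns1.example.com (203.0.113.53:53) for www.example.com A.
    pending = {"id": secrets.randbelow(65536), "name": "www.example.com.", "qtype": TYPE_A,
               "server": ("203.0.113.53", 53), "bailiwick": "example.com."}
    legit = [("www.example.com.", TYPE_A, 300, bytes([203, 0, 113, 10]))]
    planted = legit + [("login.bank.example.net.", TYPE_A, 86400, bytes([198, 51, 100, 66]))]
    good = build_response(pending["id"], pending["name"], TYPE_A, legit)
    wrong_id = build_response((pending["id"] + 1) % 65536, pending["name"], TYPE_A, legit)
    poison = build_response(pending["id"], pending["name"], TYPE_A, planted)
    return {
        "good": validate_response(pending, good, pending["server"]),
        "wrong_id": validate_response(pending, wrong_id, pending["server"]),
        "wrong_source": validate_response(pending, good, ("198.51.100.9", 53)),
        "out_of_bailiwick": validate_response(pending, poison, pending["server"]),
    }
```

Run `demo()` to see one accepted reply and three rejections. The bailiwick check is the one that blocks the classic poisoning trick of tucking an unrelated record into an otherwise valid answer; the random transaction ID (and, in a real resolver, a random source port) is what makes a blind guess of the reply expensive. DNSSEC validation, mentioned above, sits on top of these checks rather than replacing them.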

We could not skip one of the essentials, the DNS CNAME record, when expanding on Domain Name System records. So let’s dive in and explain a bit more about it.

DNS CNAME record explained

The DNS CNAME record is also known as the canonical name record. It has a very specific role: to define that one domain name is just a different way to reach the primary hostname. This hostname is also known as the canonical name. You can use the CNAME record for different results and many purposes, but the appropriate way to apply it is for subdomains.

Simply directing your subdomains to your primary domain is the perfect case of using the CNAME record. 

There is one thing you should remember about the DNS CNAME record. If you already have such a record for one hostname, you cannot add any other DNS records for that specific hostname. If you want similar behaviour, directing one hostname to another but also adding more records, such as MX records, you can use the ALIAS record, which will help you achieve this goal.

Structure

The DNS CNAME record is a simple text entry with several elements inside it:

  • Host – The current hostname. Here it can be a subdomain or a service that you want to direct to the actual host.
  • Type – CNAME. This is the type of DNS record that you want to apply.
  • Points to – Here, set the actual canonical name. You can create several CNAME records, from several subdomains, pointing to the same canonical name.
  • TTL – The time period that shows how long the record will be cached on recursive DNS servers.

Example of the DNS CNAME record 

  • Host: www.example.com
  • Type: CNAME
  • Points to: example.com
  • TTL: 1 Hour.

You can use DNS CNAME for:

  • Guide regular subdomains, and those used for services like FTP or email, to the primary host.
  • Content Delivery Networks (CDN) can benefit from DNS CNAME records to better coordinate the traffic. A query for the origin server can be guided to a CNAME record that is part of the CDN, which will return the result that fits the user best.
  • When one company owns many websites, the DNS CNAME record can be used to point all of them to a single one.

CNAME record VS ALIAS record

The DNS CNAME record points one name to another hostname. It must only be used when there are no other records for that hostname. The ALIAS record also leads a name to another hostname. The difference is that the ALIAS record can coexist with other records on that hostname, and it can also be added for the root domain.
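To make the CNAME and ALIAS rules above concrete, here is an added Python checker (not code from the original post or from any DNS provider) that lints a zone before it is published. It flags a CNAME that shares its name with other records, a CNAME at the zone apex (which always carries SOA and NS, so a CNAME can never live there), and alias chains that loop, while letting an ALIAS coexist with other apex records. The simple "name TTL type data" listing format, the two sample zones and the record values are constructed; ALIAS is a provider-specific record type, so its name is taken from the text rather than from an RFC.

```python
"""Check CNAME and ALIAS placement in a zone before publishing it.

Added example, not code from the original post. It enforces the rules the
text describes: a CNAME must be the only record at its name (so it cannot
sit at the zone apex, which always carries SOA and NS), while an ALIAS may
coexist with other records and may be used at the apex. It also follows
CNAME/ALIAS chains to the canonical name and refuses loops. The zone listing
format and the sample records are constructed.
"""
from collections import defaultdict

ORIGIN = "example.com."

# Constructed sample zones: "name TTL type data"; "@" stands for the origin.
GOOD_ZONE = """
@     3600  SOA    ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
@     3600  NS     ns1.example.com.
@     3600  MX     10 mail.example.com.
@     300   ALIAS  web.example.net.   ; ALIAS may share the apex with SOA/NS/MX
www   300   CNAME  example.com.
ftp   300   CNAME  example.com.
mail  300   A      203.0.113.25
"""

BAD_ZONE = """
@     3600  SOA    ns1.example.com. hostmaster.example.com. 2024010102 7200 3600 1209600 300
@     3600  NS     ns1.example.com.
@     300   CNAME  web.example.net.   ; CNAME at the apex: not allowed
www   300   CNAME  example.com.
www   300   A      203.0.113.80       ; CNAME plus A at the same name: not allowed
a     300   CNAME  b.example.com.
b     300   CNAME  a.example.com.     ; loop
"""


def parse_zone(text, origin):
    """Parse the listing into (name, ttl, type, data) tuples with fully qualified names."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, ttl, rtype, data = line.split(None, 3)
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"
        records.append((name.lower(), int(ttl), rtype.upper(), data.strip()))
    return records


def check_cnames(records, origin):
    """Return a list of problems; an empty list means the CNAME rules hold."""
    types_at = defaultdict(list)
    for name, _, rtype, _ in records:
        types_at[name].append(rtype)
    problems = []
    for name, types in types_at.items():
        if "CNAME" not in types:
            continue
        if types.count("CNAME") > 1:
            problems.append(f"{name}: more than one CNAME record")
        others = sorted(set(types) - {"CNAME"})
        if others:
            problems.append(f"{name}: CNAME cannot coexist with {', '.join(others)}")
        if name == origin:
            problems.append(f"{name}: CNAME at the zone apex is not allowed (use ALIAS instead)")
    return problems


def canonical_name(records, name, limit=8):
    """Follow CNAME/ALIAS targets until a name with no alias is reached."""
    targets = {n: d.lower() for n, _, t, d in records if t in ("CNAME", "ALIAS")}
    seen = []
    name = name.lower()
    while name in targets:
        if name in seen or len(seen) >= limit:
            raise ValueError("alias loop or chain too long: " + " -> ".join(seen + [name]))
        seen.append(name)
        name = targets[name]
    return name


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_cnames(parse_zone(zone, ORIGIN), ORIGIN) or "no problems")
    print("www.example.com. ->", canonical_name(parse_zone(GOOD_ZONE, ORIGIN), "www.example.com."))
```

In the good zone `www.example.com.` resolves through the apex ALIAS to `web.example.net.`, which is exactly the "point a subdomain at the primary name, and the primary name at something else" setup the text recommends ALIAS for. Authoritative servers such as BIND refuse to load a zone that breaks the CNAME rules, but a lint step like this catches the mistake before it reaches a hosted provider's API, where the error may surface only as a failed query.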

Conclusion.

The DNS CNAME record is really beneficial. Just make sure you use it the right way.

Nslookup explained.

Nslookup is a very practical network administration command-line tool. It is very useful, and it has a simple interface. Its name breaks down into “ns” for nameserver and “lookup” for querying it. It is primarily used to find the IP address that corresponds to a host, and also for a process called “Reverse DNS Lookup,” which finds the domain name that matches an IP address. You can use it from the terminal to check domains, devices/IP addresses, or DNS records. It is available on the traditional computer operating systems: Linux, macOS, and also Windows.

For most Linux distros, it comes pre-installed, so you don’t have to install it yourself. Network admins enjoy it because it also has extra options to adjust the query by picking a port, a timeout period, and more. The command gives a clean and simple answer.

You will receive the IP address when you check a domain.

Or you will receive the domain name for a reverse lookup.

The command will also tell you whether the answer comes from an authoritative or a non-authoritative server.

For what is it used?

Nslookup is appropriate in different situations. The command-line program is an essential tool when resolving DNS problems. 

  • A data query helps detect the cause of the issue.
  • Check if all involved servers resolve properly in the domain name system.
  • When several subdomains are involved, you can check for connection problems.
  • Search for the mail servers (SMTP, POP, IMAP) of the domain. Nslookup shows the servers based on the MX records that belong to the email provider’s domain. These records contain the IP addresses and names of the provider’s servers.

Nslookup guide

Try the nslookup command with these examples of general use cases:

  • The A record of a domain (shows IP address)

nslookup example.com

You will see the address of the domain. 

  • The NS records of a domain (the authoritative nameserver)

nslookup -type=ns example.com

You will see the authoritative nameservers of the domain, and whether the answer itself came from an authoritative or a non-authoritative (cached) source.

  • The SOA record of a domain (start of authority)

nslookup -type=soa example.com

This record gives you the start of authority and general technical information about the zone.

  • The MX record, information about the email exchange

nslookup -query=mx example.com

View the MX records of the mail servers. 

  • See all DNS records of the domain.

nslookup -type=any example.com

You can also make a more general query, and you will see all available DNS records. 

  • Check a specific name server.

nslookup example.com ns1.nsexample.com

You can also perform a query against a particular name server and see its data. You will see the domain name and its IPv4 and IPv6 addresses.

  • Reverse DNS lookup

nslookup 11.22.33.44

Make sure that an IP address matches the domain. Do a reverse DNS lookup and verify it.

  • Check a domain through a specific port.

nslookup -port=51 example.com

The same query, but done through port 51. You can replace the number with the port you like.

  • Check a domain with a specific reply timeout interval.

nslookup -timeout=20 example.com

You can change the reply timeout interval. Here it is set to 20 seconds, but you can extend or shorten it. If you increase it, you give the name servers more time to respond.

  • Activate the debug mode

nslookup -debug example.com

The debug mode provides a lot more information. Further data is given both for the question and for the answer to the query.
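The reverse lookup item above (`nslookup 11.22.33.44`) hides two things worth seeing once: how the `in-addr.arpa` (and, for IPv6, `ip6.arpa`) name is formed, and what "make sure the IP address matches the domain" actually requires, namely that the PTR name resolves forward to the same address. The Python below is an added example, not code from the original post; it builds the reverse names by hand and runs that forward-confirmed check. The lookups are passed in as callables so the demo runs offline against constructed tables; swap in real queries (for example with dnspython) to use it against live DNS. The addresses and hostnames are constructed.

```python
"""Build reverse-lookup names and run a forward-confirmed reverse DNS check.

Added example, not code from the original post. Lookups are injected as
callables so the demo runs offline against constructed tables.
"""
import ipaddress


def reverse_name(ip):
    """Owner name of the PTR record for ip: octets reversed for IPv4,
    32 hex nibbles reversed for IPv6 (RFC 1035 / RFC 3596)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")     # keeps leading zeros, 32 chars
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def forward_confirmed(ip, lookup_ptr, lookup_addr):
    """Return (confirmed, detail). confirmed is True only when at least one PTR
    name for ip resolves back to ip (the FCrDNS rule many mail filters apply)."""
    names = lookup_ptr(reverse_name(ip))
    if not names:
        return False, "no PTR record"
    wanted = ipaddress.ip_address(ip)
    for name in names:
        if wanted in {ipaddress.ip_address(a) for a in lookup_addr(name)}:
            return True, f"{ip} <-> {name}"
    return False, "PTR names do not resolve back to the address: " + ", ".join(names)


# Constructed sample data standing in for real DNS answers.
PTR_TABLE = {
    "44.33.22.11.in-addr.arpa.": ["host.example.com."],
    "7.100.51.198.in-addr.arpa.": ["mail.example.org."],   # claims to be example.org
    reverse_name("2001:db8::1"): ["v6.example.com."],
}
ADDR_TABLE = {
    "host.example.com.": ["11.22.33.44"],
    "mail.example.org.": ["203.0.113.25"],                 # does not match 198.51.100.7
    "v6.example.com.": ["2001:db8::1"],
}


def demo():
    ptr = lambda name: PTR_TABLE.get(name, [])
    addr = lambda name: ADDR_TABLE.get(name, [])
    return {ip: forward_confirmed(ip, ptr, addr)
            for ip in ("11.22.33.44", "198.51.100.7", "2001:db8::1", "192.0.2.9")}


if __name__ == "__main__":
    for ip, (ok, detail) in demo().items():
        print("CONFIRMED" if ok else "MISMATCH", ip, detail)
```

A PTR record alone proves little, since whoever controls the reverse zone for an address block can put any name in it; the forward step is what ties the name back to the address, which is why the text says to verify rather than just look up.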

Using Dynamic DNS can be very beneficial for many people. Simply put, this DNS service is an automatic method for refreshing a host’s IP address when it changes. A static IP address can be very pricey. So let’s explain a bit more about Dynamic DNS and the benefits of using it.

Dynamic DNS explained.

Dynamic Domain Name System is also called DDNS or Dynamic DNS.

The standard DNS links domain names to IP addresses through A or AAAA DNS records. The advantage of Dynamic DNS is that it automatically updates the host’s IP address when it changes, so visitors can still reach the host.

Dynamic DNS is a simple-to-use service. It lets you reach your hosted services easily even when your ISP changes your IP address. For example, with DDNS you can run a web hosting server, mail server, or database server, or use your home network for CCTV cameras.

Why would the ISP change your IP address? The truth is that it is easier to administer the network that way. IP addresses are leased to the clients for a particular amount of time. This task is assigned to a DHCP server, on which the ISP typically relies. So when that limited time ends, customers receive a new IP address.

Dynamic DNS is an easy-to-use and easy-to-set-up solution. It is usually free and serves nearly every scenario.

How does Dynamic DNS work?

If you want to implement DDNS, you have to sign up with a Dynamic DNS provider. After that, you install their software on the host computer, that is, the exact computer that acts as the server, like a web server or a file server.

The software watches the dynamic IP address for changes. When it detects a change in the address, it contacts the DDNS service to update your account with the new IP address.

The DDNS software has to be running constantly and able to identify a change in the IP address. Thus the DDNS name associated with your account will keep directing clients to the host server, even though the IP could change many times.

If you have files that you want to be able to access no matter where you are, a Dynamic DNS service becomes a requirement. Other cases are hosting your website from home, managing your home computer network remotely, remoting into your computer when you are away, or any other similar reason.

A Dynamic DNS service is unnecessary for networks with static IP addresses. Once the IP address has been set the first time, the domain name does not need to be updated again. The reason is simple: static IP addresses don’t change.
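The update loop described in the last few paragraphs is small enough to show in full. The Python below is an added example, not code from the original post or from any provider's client: it learns the current public address, validates that it really is an address, and only when it differs from the last one pushed sends an authenticated update, so a provider is never hammered with redundant requests. The update request follows the widely used dyndns2-style `GET /nic/update?hostname=...&myip=...` over HTTPS with HTTP basic auth; that protocol shape, the endpoint, the hostname `home.example.net` and the address sequence in `demo()` are assumptions and constructed values.

```python
"""Minimal Dynamic DNS client loop: detect an address change, then update.

Added example, not code from the original post or from any provider's client.
The dyndns2-style request shape, the endpoint, the hostname and the observed
addresses are assumptions/constructed values.
"""
import base64
import ipaddress
import urllib.parse
import urllib.request


class DdnsClient:
    def __init__(self, hostname, fetch_ip, send_update, state=None):
        self.hostname = hostname
        self.fetch_ip = fetch_ip          # () -> str: current public address
        self.send_update = send_update    # (hostname, ip) -> provider reply text
        self.state = state if state is not None else {}   # persist across restarts
        self.log = []

    def run_once(self):
        """One poll. Returns 'skipped', 'unchanged', 'updated' or 'failed'."""
        try:
            # Validate before sending: an error page from the IP-detection
            # service must never end up in DNS as if it were an address.
            current = str(ipaddress.ip_address(self.fetch_ip().strip()))
        except ValueError as exc:
            self.log.append(f"skipped: could not determine public IP ({exc})")
            return "skipped"
        if current == self.state.get("last_ip"):
            return "unchanged"            # no request: avoids provider abuse blocks
        reply = self.send_update(self.hostname, current)
        status = reply.split()[0] if reply.strip() else ""
        if status in ("good", "nochg"):   # dyndns2 success codes (assumed protocol)
            self.state["last_ip"] = current
            self.log.append(f"updated {self.hostname} -> {current} ({status})")
            return "updated"
        self.log.append(f"update rejected for {self.hostname}: {reply!r}")
        return "failed"


def dyndns2_sender(endpoint, username, password):
    """Build a send_update callable for a dyndns2-style provider (assumed API shape)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def send(hostname, ip):
        query = urllib.parse.urlencode({"hostname": hostname, "myip": ip})
        req = urllib.request.Request(f"{endpoint}?{query}", headers={
            "Authorization": "Basic " + token, "User-Agent": "ddns-example/1.0"})
        # The endpoint must be https://...: the credentials travel in the header.
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("utf-8", "replace")
    return send


def demo():
    # Constructed sequence of addresses the ISP hands out over successive polls,
    # including one bad reading, plus a fake provider so the run is offline.
    observed = iter(["203.0.113.10", "203.0.113.10", "<html>error</html>",
                     "198.51.100.7", "198.51.100.7"])
    sent = []

    def fake_send(hostname, ip):
        sent.append((hostname, ip))
        return f"good {ip}"

    client = DdnsClient("home.example.net", lambda: next(observed), fake_send)
    results = [client.run_once() for _ in range(5)]
    return results, sent, client.log


if __name__ == "__main__":
    results, sent, log = demo()
    print(results)
    print(sent)
    print("\n".join(log))
```

For real use, schedule `run_once()` every few minutes, keep `state` on disk so a restart does not trigger a needless update, and pass `dyndns2_sender("https://<provider-update-url>", user, password)` as `send_update`, with the credentials read from the environment or a secrets file rather than written into the script.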

Benefits from using it

Keeps you online. It decreases downtime by auto-updating the IP addresses, so the devices or services stay available through the net.

Easy to use. You need to set it up only once. For example, for IP cameras used for monitoring, you set up your router by going to its settings and entering the username and password for your Dynamic DNS service.

More affordable than static IPs. It is much cheaper to pay for just one DDNS service if you have several devices. Paying for every static IP address could be pricey.