How to secure your domain name services

Hello, everyone. This is Susan Bradley, for CSOOnline. Today, I’m going to talk about two different aspects of domain name services, or DNS. One is for the admin and the other is on the workstation side.

First, on the admin side. It happened the other day that I was making some changes to some DNS settings for a site that I manage. And I realized in logging in that I hadn’t changed the password for that site in years. And I stopped to think, hmm, how easy it would be for attackers to guess that password and get into the system. It’s pretty easy to look up who’s hosting DNS in your environment and then guess at the username and password. It is honestly not the first time that attackers have gone after DNS as a basic way to attack us: log in to a DNS hoster, make changes to the records, and off you go. So just as I obviously say a lot about two-factor authentication for such things as Office 365, I want you to think about two-factor authentication for anything in your environment, especially things like DNS, because if an attacker can log in and make changes, that’s not a good thing.

Microsoft is making several changes in the way of DNS. Are you aware that in Azure you can create DNS zones and even private DNS zones? Go into your Azure portal and go into Create a resource. From here, it may be just as easy to do a search.

Click on DNS zone, then Create. We’re going to start with a free account, set up a test DNS zone, and pick a location.

And from here, it starts to look like any traditional DNS hoster, where you can put in the records you need. And obviously Azure supports two-factor authentication.

Microsoft has also recently rolled out private DNS, where you can use your own custom domain names rather than Azure-provided names. But there’s another side of domain name services I want you to think about, and that’s when the workstations in your environment go out to the Internet to do lookups and ask for responses back. So any time you go to a website and say, hey, I want to go to, let’s say, CNN or Facebook or wherever, there’s a transmission that goes out from your network to a DNS provider saying, hey, I want to look that up. I’m looking at a Wireshark capture here, and you can see that the transmission is going out on port 53 and that it’s pretty much in plain text. So you can see what your workstations are going out and searching for, and some of that information can be quite revealing. Microsoft recently announced that they’re planning to move to DNS over HTTPS, or encrypted DNS traffic.

Now note this is not the same as DNSSEC. DNSSEC, or DNS Security Extensions, is a security protocol that digitally signs DNS data to help ensure its validity. With DNSSEC, in order to ensure a secure lookup, the signing must happen at every level in the DNS lookup process. DNSSEC has been around for many, many years and can be set up on server platforms as old as 2012, but it’s not supported right now in Azure.

DNS over HTTPS, by contrast, is intended to protect your searches and traffic. It’s a newer technology that encrypts your DNS queries so that only the intended recipient can decrypt and read them. Firefox, in fact, has already come out supporting DNS over HTTPS. If you go into Preferences, Network Settings, Connection Settings, down at the bottom you can tick the box Enable DNS over HTTPS and choose their default provider, Cloudflare. Cloudflare and Firefox have made a deal where Cloudflare has agreed to log less data about Firefox users. Basically, Firefox has mandated exactly what will be tracked and what won’t. Or you can choose a custom DNS provider of your choice.
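As an added example, not code from the original video or from Microsoft, Mozilla or Cloudflare, the Python below illustrates the two points above: it builds a standard DNS query, extracts the queried name exactly as a passive observer of plaintext port-53 traffic can, and then wraps the same wire message in the RFC 8484 DNS-over-HTTPS GET form, where the name travels only inside the TLS-protected HTTP request. The resolver URL `https://dns.example/dns-query`, the transaction id, the queried name and the 192.0.2.1 answer are constructed placeholders.

```python
from __future__ import annotations

import base64
import struct

# Added illustration, not code from the article. Message layout follows RFC 1035;
# the DoH GET form follows RFC 8484. All names and addresses below are constructed.


def build_query(name: str, txn_id: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard recursive DNS query: 12-byte header, then QNAME/QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at `offset`, following compression pointers; returns (name, next_offset)."""
    labels: list[str] = []
    end = offset
    jumped = False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def queried_names(payload: bytes) -> list[str]:
    """What anyone watching UDP/53 sees: every question name, in the clear."""
    _txn_id, _flags, qdcount = struct.unpack("!HHH", payload[:6])
    names, offset = [], 12
    for _ in range(qdcount):
        name, offset = read_name(payload, offset)
        names.append(name)
        offset += 4  # skip QTYPE + QCLASS
    return names


def doh_get_url(query: bytes, resolver: str = "https://dns.example/dns-query") -> str:
    """RFC 8484 GET form: the same wire message, base64url without padding, in ?dns=.
    The resolver URL is a placeholder. On the wire only the TLS session to the
    resolver's host is visible, not this URL or the name being looked up."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}"


def build_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed resolver reply: echoes the question and adds one A record whose
    owner name is a compression pointer (0xC00C) back to the question at offset 12."""
    txn_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def parse_a_answers(msg: bytes) -> list[tuple[str, str]]:
    """Return (owner name, IPv4) for each A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((owner, ".".join(str(b) for b in rdata)))
    return answers


if __name__ == "__main__":
    query = build_query("www.example.com")
    print("plaintext port-53 payload exposes:", queried_names(query))
    print("same query as a DoH GET:", doh_get_url(query))
    print("parsed answers:", parse_a_answers(build_response(query, "192.0.2.1")))
```

Running the script prints the name recovered from the raw UDP payload, which is what a Wireshark capture on port 53 shows, alongside the DoH URL carrying the identical message; the point is that DoH changes only the transport, so the same parser applies once the HTTPS layer is removed, which is why the protection depends entirely on who operates the resolver.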

There are several providers in that list, along with what they provide and what they support.

Chrome will also support DNS over HTTPS, but it’s not quite as easy to set up. To enable it, you have to go into the properties of Chrome, append a very nasty string to the end of the target, and save it.

Click OK, relaunch Chrome, and it will now be providing HTTPS over DNS. Or rather, I should say, DNS over HTTPS. There’s also DNS over TLS, which is another option, but at this time not many browsers support it. So think of ways that you can protect your domain name services from attacks, as well as the browsing and searching on your network.

Big data is a big problem these days. Think about ways to protect more of the information coming into and going out of your environment.

Domain name services are such a foundational function in Windows that we too often take them for granted. Think of ways to increase their protection, both in terms of your firm’s needed protections and in terms of protecting your workstations from snooping. And as always, don’t forget to sign up for Tech Talk from IDG, the new YouTube channel for the tech news of the day. Until next time, this is Susan Bradley for CSO Online. Thanks again.