Hybrid DNS Technology: A Way to Protect Against Crippling Cyber Attacks

By TMCnet Special Guest David Williamson, CEO of EfficientIP | May 12, 2014

Traditional security approaches aren’t sufficient to mitigate attacks on DNS servers, which are at an all-time high. With distributed denial of service (DDoS), DoS and cache poisoning attacks becoming more frequent and disruptive, many companies, along with early adopters such as telcos, ISPs and managed services providers, are turning to a new approach – hybrid DNS technology – to help them outmaneuver cyber attackers. Hybrid DNS eliminates the code vulnerabilities of standard DNS engines, making it virtually impossible to compromise DNS servers.

In the last quarter of 2013 alone, the total number of DDoS attacks increased 26 percent from the same period the year before. The average attack lasted 23 hours, with many consuming over 100 Gbps of bandwidth. For Internet-dependent businesses, DNS attacks can be crippling, resulting in significant revenue loss and damage to customer relationships and brand equity.

Why are DNS servers so vulnerable? They play a central role in managing user access to websites, e-mail and other web apps, translating between domain names and IP addresses. And because they are public by design, hackers are very familiar with the security holes and vulnerabilities of DNS servers and their software.

Traditional endpoint security solutions can’t protect against DNS attacks. That’s because tools such as antivirus, antispyware, firewalls and host intrusion prevention systems are geared to protecting the devices that access the network, by ensuring they comply with corporate security policies, but they don’t protect the DNS servers themselves. This leaves cyber criminals free to manipulate DNS server software so that it serves bogus or fraudulent IP addresses. If the hack is successful, the targeted name server responds to client requests with these phony IP addresses. The misdirected client then communicates with the wrong servers, which may be owned and controlled by the hackers themselves.

Hybrid DNS technology takes a different approach. Most DNS servers run a single DNS engine, such as Berkeley Internet Name Domain (BIND), whose key authoritative and recursive functions are contained within the same code. Hybrid DNS instead runs multiple DNS engines in the same server appliance, each an independently written implementation, which makes its security footprint baffling to hackers. By incorporating a second DNS engine in the same appliance, with separate authoritative and recursive functions, the security and reliability of critical DNS services are significantly improved.

An alternative engine built from two different name server products, such as Unbound and NSD, also performs significantly better than BIND alone. Unbound is a validating, recursive and caching DNS resolver designed for high performance, while NSD is an authoritative-only, high-performance name server. Such high performance is particularly important for telcos, ISPs and other managed service providers, whose businesses depend on delivering fast and reliable Internet connectivity. At any moment, one DNS engine is active and the other is on standby, waiting to be activated to restore the service when needed.

Hybrid DNS technology provides the highest level of security for name servers and delivers several crucial benefits. When a new security alert is issued, a network owner can quickly and temporarily switch to the other engine. The alternative engine can remain in place while DNS programmers patch, test and validate a security upgrade for the first engine. Moreover, with multiple DNS engines in place, hackers can never be sure which name server software is running, which makes analyzing DNS network packet footprints to discover vulnerabilities complex and nearly impossible.
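A concrete form of the active/standby switchover described in the two paragraphs above, as an added example that is not EfficientIP's product code: a POSIX shell script that validates the standby engine's configuration, retires the active engine stack (BIND, or Unbound for recursion plus NSD for authoritative data), starts the standby and confirms that it answers before logging the change. The engine labels "bind" and "nlnet", the service unit names named, unbound and nsd, and the use of systemctl, dig and logger are assumptions made for this example; setting DRY_RUN=1 rehearses the plan without touching any service.

```shell
#!/bin/sh
# Hybrid-DNS engine switchover: added illustration, not EfficientIP code.
# Assumptions (constructed for this example): the appliance runs two engine
# stacks as systemd units, "bind" (named: authoritative + recursive in one
# process) and "nlnet" (unbound for recursion, nsd for authoritative data),
# and exactly one stack is live at any time.
set -e

# Service units that make up each engine stack.
units_for() {
  case "$1" in
    bind)  echo "named" ;;
    nlnet) echo "unbound nsd" ;;
    *)     echo "unknown engine: $1" >&2; return 1 ;;
  esac
}

# Engine that takes over when the named one is retired.
standby_for() {
  case "$1" in
    bind)  echo "nlnet" ;;
    nlnet) echo "bind" ;;
    *)     echo "unknown engine: $1" >&2; return 1 ;;
  esac
}

# Run a command, or with DRY_RUN=1 only log the plan to stderr (rehearsal).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*" >&2; else "$@"; fi
}

# Validate the standby's own configuration before the live engine is touched,
# so a broken standby config aborts the switch while service is still up.
check_config() {
  case "$1" in
    bind)  run named-checkconf ;;
    nlnet) run unbound-checkconf && run nsd-checkconf ;;
  esac
}

# Retire the active engine and bring up its standby.
# Usage: switch_engine ACTIVE [REASON]; prints the new active engine.
switch_engine() {
  active=$1
  reason=${2:-unspecified}
  standby=$(standby_for "$active")
  check_config "$standby"
  for u in $(units_for "$active");  do run systemctl stop  "$u"; done
  for u in $(units_for "$standby"); do run systemctl start "$u"; done
  # Prove the new engine answers on the loopback before declaring success.
  run dig +time=2 +tries=1 @127.0.0.1 example.com A >/dev/null
  run logger -t hybrid-dns "switched $active -> $standby ($reason)"
  echo "$standby"
}

# Example: rehearse a switch away from BIND while an advisory is unpatched.
DRY_RUN=1 switch_engine bind "vendor advisory, patch pending" >/dev/null
```

Because the configuration check runs first and the stop/start steps are ordered, a failure at any step leaves the operator with either the old engine still serving or a clear point of failure in the log; the final dig is what distinguishes "units started" from "service restored".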

By using hybrid DNS technology, businesses can move from reactive mode – where their main focus is on analyzing the severity of attacks after they have occurred and the damage has been done – to proactive mode, preventing DDoS, DoS and other DNS attacks from happening in the first place.

David Williamson is CEO of EfficientIP (www.efficientip.com).        

Edited by Maurice Nagle