Review: DNS Security


About the authors

Allan Liska is a Consulting Systems Engineer at FireEye, and Geoffrey Stowe is an Engineering Lead at Palantir Technologies.

Inside DNS Security: Defending the Domain Name System

DNS security is a topic that rarely comes up, and when it does, it’s usually after an attack or breach disruptive enough to merit a mention in the news.

Last year’s DDoS attack against US-based DNS provider Dyn was one of those, but it isn’t included in this tome as it was released a few months before the attack. Nevertheless, the attack sparked an increase of interest in DNS security, and the world at large finally really understood the Internet’s and, therefore, their dependency on this system.

As could be expected, the authors first explain what DNS (Domain Name System) is, provide a short history of its creation and development, and a concise overview of how it’s used and what needs to be secured.

Next, they offer a brief history of DNS security breaches (both successful and unsuccessful) and a summary of common DNS security problems that someone attempting to secure a DNS infrastructure in an enterprise can be faced with. DNS security events can be the result of both external attacks and internal mistakes, and the authors provide some very good advice on how to keep on top of things, as well as instructions on how to develop a solid DNS security plan for one’s company. The next two chapters deal with common DNS configuration errors and external DNS exploits.

But many companies don’t have an expert in-house to deal with the DNS infrastructure, and often outsource DNS tasks. Chapter 9 addresses the things that companies have to think about and decide on when going for that option (this includes thinking about how much to outsource, and DDoS protection). The authors provide good pointers on the questions companies need to ask prospective domain registrars, and tips on how to work securely with a DNS provider.

The book contains information about DNS reconnaissance strategies employed by attackers (and how to thwart their efforts), DNS network security, Windows DNS security, and the security of BIND, the most widely used DNS software package on the Internet.

Readers will also learn enough about the DNSSEC protocol to implement it (on Window, Linux) and operate it, and to make an informed decision on whether to use it at all. And, finally, they will also get a peek at some real-world examples of complex DNS configurations.

A lot of material can be found and read online about DNS and DNS security, but if you want to take a systematic approach and not miss anything, this book is a good place to start.

Even if you’re not tasked with DNS security in your day-to-day job, you should pick it up, as it’s an easy, enjoyable read and – I would argue – it’s a good idea to know something about technologies that our daily lives are dependent on.