How to defend against relentless DNS attacks

The Domain Name System (DNS) is essential for the security of infrastructure and enables all digital services of an organization. However, with just one Distributed Denial of Service (DDoS) attack, cybercriminals can make DNS unreliable, slow, or even inaccessible, negatively affecting the digital service experience for both clients and employees. These attacks drain the time and energy of IT staff, security administrators, and leaders who are trying to maintain an exceptional customer experience.

Common Cases Consuming Time and Energy
According to Akamai’s 2023 State of the Internet (SOTI) report, “Attack Autobahn: A Deep Dive into Malicious DNS Traffic,” DNS attacks driven by malicious entities using sophisticated and distributed bots and botnets are a growing concern for nearly all industries.

One of the major issues is the increase in size, frequency, and sustained duration of malicious NXDOMAIN attacks. A 2023 report from the U.S. Health Sector Cybersecurity Coordination Center (HC3) illustrates how cybercriminals are using NXDOMAIN attacks to target critical public infrastructures like healthcare.

Enhance Your DNS against NXDOMAIN Attacks
To prevent NXDOMAIN attacks, your network needs enough capacity to handle large volumes of traffic. This can be a challenge as it is often difficult to predict the size and duration of a sudden surge. One way to boost capacity sufficiently is by using elastic services with large amounts of scalable capacity, such as an external DNS service.

Another key to success is ensuring that a DNS system handling traffic floods applies policies such as prioritizing queries from allowed sources. This matters because blunt approaches such as DNS response rate limiting can block legitimate requests and disrupt services.
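The allowed-source policy described above, as an added example that is not part of the original post: a small Python check over a constructed query log (the log format, addresses and thresholds are assumptions) that flags NXDOMAIN-heavy sources but keeps allowlisted resolvers on a prioritized path rather than dropping them.

```python
# Added example (not code from the Akamai post): find NXDOMAIN-flood sources in a
# constructed query log, while keeping allowlisted resolvers on a "prioritize" path
# instead of dropping them, the caveat the text raises about blunt rate limiting.
from collections import defaultdict

# Constructed sample log, one "<client ip> <qname> <rcode>" per line (hypothetical format).
SAMPLE_LOG = """\
198.51.100.10 www.example.com NOERROR
198.51.100.10 x7q1v.example.com NXDOMAIN
198.51.100.10 p02kd.example.com NXDOMAIN
198.51.100.10 zz91m.example.com NXDOMAIN
198.51.100.10 h4r8t.example.com NXDOMAIN
203.0.113.5 mail.example.com NOERROR
203.0.113.5 b1c2d.example.com NXDOMAIN
203.0.113.5 e3f4g.example.com NXDOMAIN
203.0.113.5 h5i6j.example.com NXDOMAIN
203.0.113.5 k7l8m.example.com NXDOMAIN
192.0.2.7 www.example.com NOERROR
192.0.2.7 typo.example.com NXDOMAIN
192.0.2.7 api.example.com NOERROR
"""

# Constructed allowlist: ISP recursive resolvers whose users must keep getting answers.
ALLOWLIST = {"203.0.113.5"}


def nxdomain_stats(log_text):
    """Return {client: (total_queries, nxdomain_count)} parsed from the log."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        client, _qname, rcode = line.split()
        stats[client][0] += 1
        if rcode == "NXDOMAIN":
            stats[client][1] += 1
    return {c: (t, n) for c, (t, n) in stats.items()}


def classify_sources(log_text, allowlist, min_queries=5, nxd_ratio=0.8):
    """Map each client to 'rate-limit', 'prioritize' or 'allow'.

    Flood-like means >= min_queries queries with >= nxd_ratio of them NXDOMAIN;
    allowlisted flood-like sources are still served, since real users sit behind them.
    """
    verdicts = {}
    for client, (total, nxd) in nxdomain_stats(log_text).items():
        if total >= min_queries and nxd / total >= nxd_ratio:
            verdicts[client] = "prioritize" if client in allowlist else "rate-limit"
        else:
            verdicts[client] = "allow"
    return verdicts
```

On the sample data the unlisted flood source is marked for rate limiting, the allowlisted ISP resolver carrying the same pattern is prioritized, and the low-volume client with one typo is left alone.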

Establish DNS Diversity
To achieve DNS diversity, deployment networks should use Akamai’s IP Anycast technique combined with globally diverse locations of physical name servers. External DNS services need redundant network links, colocation with ISPs worldwide, and robust interconnection agreements. Other ways to create DNS diversity include:

– Use of large multi-homed DNS data centers: Network diversity can be as important as capacity. Large DNS DDoS attacks can overwhelm upstream ISPs and other networks before reaching a data center, causing congestion and service outages even if the data center remains intact.
– Placement of DNS name servers within ISPs: In many cases, DNS name server clusters should be directly within individual ISP networks. These name servers often deliver their IP Anycast traffic only within those networks and resolve DNS queries only for end-users of those ISPs.
– Intelligent client deployment throughout the global platform: Assign clients to diverse cloud environments, some with specific ISP server locations, and others with a variety of connected machines. This architecture ensures that a client’s recursive name servers always connect to a fast DNS edge.

Use Unique Network Routes
The number and design of DNS delegations and name server addresses also affect diversity. For example, two delegation servers offer two network routes to authoritative responses, while six delegation servers offer six. Each name server address should have its own routing path from a separate geographic location. For IPv4, this means each name server address must sit in its own /24 prefix, the smallest block that is routed independently.
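The one-route-per-/24 rule, as an added example that is not taken from the post: a Python check over constructed delegation data (the host names and addresses are made up, and treating /48 as the IPv6 equivalent is this example's assumption, not the post's) that counts distinct routing prefixes and reports name servers that share one.

```python
# Added example (not code from the Akamai post): check that a zone's delegation
# gives distinct network routes, i.e. every IPv4 name server address sits in its
# own /24 prefix, as the text requires. /48 for IPv6 is this example's assumption.
import ipaddress

# Constructed delegation data: name server -> addresses (hypothetical hosts and IPs).
DELEGATION = {
    "ns1.example.net": ["192.0.2.53"],
    "ns2.example.net": ["198.51.100.53"],
    "ns3.example.net": ["198.51.100.54"],   # same /24 as ns2: not a separate route
    "ns4.example.net": ["203.0.113.53", "2001:db8:1::53"],
}


def routing_prefix(addr):
    """Smallest independently routed prefix containing addr: /24 for IPv4, /48 for IPv6."""
    ip = ipaddress.ip_address(addr)
    length = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{length}", strict=False)


def route_diversity(delegation):
    """Return (distinct_route_count, {shared_prefix: [name servers]})."""
    by_prefix = {}
    for ns, addrs in delegation.items():
        for addr in addrs:
            by_prefix.setdefault(routing_prefix(addr), []).append(ns)
    # Any prefix hosting more than one name server is one route, not several.
    shared = {str(p): sorted(set(n)) for p, n in by_prefix.items() if len(set(n)) > 1}
    return len(by_prefix), shared
```

For the sample delegation the check reports four distinct routes for five addresses and names ns2 and ns3 as sharing 198.51.100.0/24.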

Diverse Deployment Implementation
Diversifying your DNS delegation deployments is another way to help prevent DNS attacks. For example, one delegation address can use a DNS proxy server to protect source name servers, another can use a secondary authoritative DNS service to host zone information that an origin name server transfers, and a third can use network-level policy enforcement to forward only clean and valid DNS traffic to the client origin.

Get DNS Protection from Akamai
If you’re concerned about resilience against DNS attacks and lack strong and reliable defense strategies, try deploying protection services like a DNS proxy to protect source name servers or a secondary DNS service. By doing so, you’ll expand your current DNS workflow with an additional set of authoritative servers that provide enduring responses over your zones while hiding your source name servers from malicious attackers.

Benefits of Akamai’s DNS Defense Approach
– Improved customer service
– More time to focus on projects that were neglected while staff dealt with ongoing DNS protection efforts
– Better employee morale, as there are fewer repetitive incidents consuming personal time and causing burnout

Akamai Shield NS53, part of the Akamai Edge DNS suite, helps protect organizations, their customers, and employees from hostile types of DNS attacks. This DNS infrastructure and DDoS protection solution offers comprehensive security and unparalleled performance to make it quick and easy to find and remedy DNS vulnerabilities on the world’s most distributed edge platform.

Strengthening DNS infrastructure is crucial to protecting digital services and avoiding IT team burnout. Implementing DNS diversity and using elastic external services can provide the capacity and resilience needed to counter relentless attacks like NXDOMAIN. With Akamai’s solutions, organizations can enhance their DNS security position from start to finish.

About the Authors: Steve Winterfeld is the CISO Advisor at Akamai. Prior to joining Akamai, he was the Cybersecurity Director for Nordstrom and CISO of Nordstrom Bank. Jim Gilbert is the Director of Product Management at Akamai with over ten years of experience in DNS services and technology.

Source and more information: [Akamai](https://www.akamai.com/blog/security/battling-dns-fatigue-defend-against-relentless-attacks)
