DNS Protection: The Need to Step-Up Security

Posted by B. Hale

Using the Internet would be far less enjoyable if you had to recall an IP address every time you wanted to find content on the Net. If you remember a person's name but not their telephone number, it is easy to look it up in a phone book; DNS is the Internet's phone book. DNS does, however, come with one major problem: its protection and security.

Why Have DNS Protection

It is a good idea to think of DNS as the Internet's Achilles' heel. Everything is wonderful while your DNS is working as it ought to, but DNS is very susceptible to network and power outages, and whenever it fails, your website, web apps, email and web services all go down with it.

DNSSEC Protection

DNS cache poisoning, also known as DNS spoofing, is the most widespread attack: incoming traffic is blindly diverted to another IP address, which will typically download malicious content onto your computers.

The recently introduced Domain Name System Security Extensions (DNSSEC) help prevent attacks coming through your IP. DNSSEC is a set of security specifications that helps prevent DNS spoofing at the client level. This is achieved by authenticating the name servers that sit between the registry level and a zone file, using a public and private key pair.

DNSSEC protects your DNS data by digitally signing records using public key cryptography. Domain owners can work with their domain registrar to set DNSSEC public keys at the domain registry root zone.

DNS Cache Locking

This is a security feature that lets the operator control when the information held in the DNS cache can be overwritten. Whenever a recursive DNS server answers an incoming query, it caches the result so that it can respond quickly if another query asks for the same information.

DNS Socket Pool

The DNS socket pool lets a DNS server use source port randomization whenever it issues DNS queries. When the DNS service starts, the server selects source ports for its queries from a pool of available sockets. Rather than using a predictable source port, the DNS server picks a random port number from the pool.

Cache-tampering attacks become more difficult with the DNS socket pool, because an attacker must correctly guess both the random transaction ID and the DNS query's source port for a forged response to be accepted.
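To show how the two defenses above (cache locking and the socket pool) work together inside a recursive resolver, here is an added toy model; it is example code written for this post, not code from any DNS server. It assumes a resolver accepts a response only if transaction ID, query source port and question all match an outstanding query, counts mismatches as a poisoning indicator, and models cache locking as "an entry may not be overwritten until a percentage of its TTL has elapsed". The pool size of 2500 and the 100% lock value are constructed defaults for the example.

```python
import random
import time

TXID_SPACE = 1 << 16        # DNS transaction IDs are 16-bit
SOCKET_POOL_SIZE = 2500     # constructed default for this example
CACHE_LOCKING_PERCENT = 100 # fraction of TTL during which an entry is locked


class MiniResolver:
    """Toy resolver front-end: outstanding-query table, response check, locked cache."""

    def __init__(self, pool_size=SOCKET_POOL_SIZE, lock_percent=CACHE_LOCKING_PERCENT, clock=time.time):
        # Socket pool: a random subset of the ephemeral port range, chosen at start-up.
        self.ports = random.sample(range(49152, 65536), pool_size)
        self.lock_percent = lock_percent
        self.clock = clock
        self.pending = {}   # (txid, source port) -> qname awaiting an answer
        self.cache = {}     # qname -> (answer, stored_at, ttl)
        self.rejected = 0   # responses matching no outstanding query (poisoning signal)

    def send_query(self, qname):
        """Issue a query with a random TXID and a random source port from the pool."""
        txid = random.randrange(TXID_SPACE)
        port = random.choice(self.ports)
        self.pending[(txid, port)] = qname
        return txid, port

    def receive(self, txid, port, qname, answer, ttl):
        """Accept a response only if TXID, port and question match; otherwise count it."""
        if self.pending.get((txid, port)) != qname:
            self.rejected += 1
            return False
        del self.pending[(txid, port)]   # a second copy of the same answer is refused
        return self._store(qname, answer, ttl)

    def _store(self, qname, answer, ttl):
        """Cache locking: refuse to overwrite an entry before lock_percent of its TTL passed."""
        now = self.clock()
        if qname in self.cache:
            _, stored_at, old_ttl = self.cache[qname]
            if now < stored_at + old_ttl * self.lock_percent / 100:
                return False
        self.cache[qname] = (answer, now, ttl)
        return True


def spoof_success_probability(pool_size):
    """Chance a single forged response matches both the random TXID and the source port."""
    return 1 / (TXID_SPACE * pool_size)
```

A rising `rejected` count on a real resolver is the kind of signal worth alerting on, since legitimate responses almost never fail all three checks.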


DNS is often the forgotten component of most cyber security strategies, even though DNS security solutions are today easy to deploy and exceptionally affordable. As cyber-attacks become more common, organizations need to step up their DNS protection. A redundant, properly configured DNS forms the first line of defence towards a more secure Canadian Internet.