How safe is your DNS?

Organisations put a lot of time, effort and money into protecting their back office systems but they often forget about external factors that could put them at risk - one of the most important factors being the security of their DNS provider.

The Problem

Most organisations depend on DNS providers in some capacity, be it for their SPF records, their website, online portals or their Exchange, for example. What organisations probably don't put enough thought into is how secure their DNS providers really are and what effect this has on their operations. You can lock down your internal back office systems, but it is relatively easy for a hacker to disrupt your services if you depend on an external DNS provider and their security measures aren't up to scratch.

Hackers could change, wipe or redirect your DNS, which could affect mail-flow, your website, marketing, or your provision of services or portals. You could even get locked out of the control panel you use to manage your DNS records if a hacker changes your password. A lot of DNS providers just use shared passwords with no Two Factor Authentication (2FA) to verify the user is legitimate – and we don't need to tell you how risky shared passwords can be. All it would take is for someone with the password to log on, redirect your domain to a malicious site containing malware, and then change your password so that you are locked out of the account and unable to resolve the issue.

Most organisations don't have plans in place for dealing with a scenario like that, despite how potentially devastating it would be.

The Solution

To alleviate some of the risk, you need to choose your supplier carefully. We recommend looking for security features like Two Factor Authentication. As the name suggests, 2FA is a two-part process, which usually includes a password and a separate code sent to a pre-verified device such as a mobile phone (that only the user could access). This is far more difficult for hackers to break without getting their hands on the pre-verified device, which means it is fast becoming an essential security feature for a lot of online services.

It's also incredibly important to keep accurate DNS records, which is something not enough organisations do. It can take up to 24 hours for DNS records to update, so a hacker could make changes to your DNS and you might not even notice until the following day if you weren't properly tracking your changes. Accurate auditing allows you to see what the DNS record was before and what it has been changed to, so you can easily revert to your original if an unauthorised change has been made. Most DNS providers will log the changes made, but the logs aren't always visible to the customer and may need to be requested via a support request, which takes time.

There are alerting tools available to help with this. These are tools that alert your IT team as soon as unauthorised changes are made to DNS records so you can react almost instantly. These are of course completely optional, and they do come at a cost. They may only save you a few hours but they could be crucial hours.
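The before-and-after audit and the change alerting described above both come down to comparing what your zone returns now against a record set you have approved. The Python below is an added example, not code from this article or from any provider; the record names, addresses and the (name, type, value) snapshot format are constructed assumptions, and the snapshot itself would come from your provider's zone export or a resolver query.

```python
# Added example: compare a DNS snapshot against an approved baseline.
# All names and addresses below are constructed sample data.

def normalise(records):
    """Map (name, type) -> set of values, ignoring case, trailing dots and TXT quotes."""
    out = {}
    for name, rtype, value in records:
        key = (name.lower().rstrip("."), rtype.upper())
        val = value.strip().strip('"')
        if key[1] != "TXT":  # TXT payloads are case-sensitive; hostnames are not
            val = val.lower().rstrip(".")
        out.setdefault(key, set()).add(val)
    return out

def diff_records(baseline, observed):
    """Return a sorted list of changes, each showing the before and after values."""
    base, seen = normalise(baseline), normalise(observed)
    changes = []
    for key in sorted(set(base) | set(seen)):
        before, after = base.get(key, set()), seen.get(key, set())
        if before == after:
            continue
        kind = "added" if not before else "removed" if not after else "changed"
        changes.append({"name": key[0], "type": key[1], "change": kind,
                        "before": sorted(before), "after": sorted(after)})
    return changes

BASELINE = [  # approved records (constructed)
    ("example.org.", "A", "192.0.2.10"),
    ("example.org.", "MX", "10 mail.example.org."),
    ("example.org.", "TXT", '"v=spf1 mx -all"'),
    ("portal.example.org.", "CNAME", "app.example.org."),
]
OBSERVED = [  # what the zone returns now (constructed)
    ("EXAMPLE.org", "A", "203.0.113.66"),                       # website repointed
    ("example.org", "MX", "10 MAIL.example.org"),               # same record, different formatting
    ("example.org", "TXT", "v=spf1 mx ip4:203.0.113.66 -all"),  # SPF widened
    ("portal.example.org", "CNAME", "app.example.org"),
    ("login.example.org", "A", "203.0.113.66"),                 # record nobody approved
]

if __name__ == "__main__":
    for c in diff_records(BASELINE, OBSERVED):
        print(f'{c["change"].upper():8} {c["name"]} {c["type"]}: {c["before"]} -> {c["after"]}')
```

Run on a schedule, any non-empty result is the alert, and the "before" values are what you restore at the provider.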

There isn't a failsafe way to protect your DNS – essentially it's down to your provider to do that, which means it all comes down to trust. By working with providers who can prove they take security seriously, you can limit your risks and have the peace of mind that you're in safe hands.