The Domain Name System (DNS) is a very important part of how the Internet functions, and is relied on by software and end users when initiating almost everything online.
Because DNS is so important to how the Internet functions, DNS security is also an extremely important part the overall security and reliability of the Internet. Without the many things in place to help with DNS security, the Internet as we know it would not be able to function.
DNS security vulnerabilities can lead to things such as redirecting a website's traffic to an unauthorized copy used to steal personal information (such as passwords or credit card details), overloading DNS servers resulting in sites not loading at all, or potentially losing total control over a domain name.
When the Internet first came about, the Domain Name System was not designed with security in mind which lead to many of today's problems. As Internet technology progressed, the underling DNS system for the most part remained unchanged, this opened the door for malicious actors to take advantage of these limitations.
DNS Security Extensions (DNSSEC) is a new security protocol released in order to fix many of these shortcomings. DNSSEC helps to solve these issues by digitally signing responses while also maintaining backwards compatibility with the existing DNS implementation.
DNSSEC signs and protects all response types including IP addresses, TXT records and MX records. Each layer of the DNS lookup process is signed, this includes responses from the root nameserver to TLD nameservers, and TLD name servers to authoritative nameservers.
While DNSSEC provides many benefits it is unfortunately not yet widely adopted leaving many vulnerable to various different types of DNS attacks.
There are many different types of DNS attacks that can occur, some of these affect website owners and network providers while others affect end users or online customers.
DNSSEC provides the means to ensure the authenticity of data transmitted, the data itself is not encrypted and does not directly protect against some DoS attacks however in many cases can help.
DNSSEC alone often isn't enough to be fully protected against various DNS attacks and further measures can be taken in order to ensure the smooth operation of DNS servers.
A simple method is to over-provision servers responsible for handling DNS requests, however this may not be viable for many due to cost restraints. Using on-demand scaling of services may be a good compromise for price vs performance if this approach is to be taken.
Multiple servers combined with anycast routing is also a method that many providers use as this allows multiple servers to share a single IP address. This means that if any single server is to be overloaded then there are still more available to serve requests resulting in minimal disruption.
DNS firewalls are also an option that is available to help with DNS security and protection. DNS firewalls can offer simple rate limiting or provide advanced heuristics to determine if traffic is legitimate or part of a DNS attack.
DNS firewalls often also provide indirect security features like advanced caching options which can help with performance of serving results while at the same time lowering the requirements of the DNS servers that they are protecting.
DNS recursive resolvers used by end users can additionally provide security benefits by implementing content filtering rules to block certain website categories, or sites that are known to be distributing malware or spam. They may also help with limiting botnets from being able to communicate with their master servers.