A Records, CNAME, NS, what the heck do these mean and why is DNS monitoring important? Let’s find out.
The Domain Name System (DNS) database converts domain names (the user-friendly web address you type into your browser) into internet protocol (IP) addresses. With an IP address, the browser is able to locate the server providing the requested content. Together, the domain name and IP address create a namespace.
The DNS database is an important part of the internet browsing experience. As a result, DNS servers manage a huge amount of traffic. Most of the time, the servers handle this traffic without issues, but occasionally, vulnerabilities are exposed.
To protect your organization from DNS vulnerabilities, a strong DNS monitoring protocol is recommended. DNS monitoring protects against both cache poisoning (inserting false information into the DNS server cache) and other cyber attacks against the server.
The DNS database is a vast, distributed, hierarchical system, but when people refer to “DNS,” what they most often mean is the DNS record or zone file for a single domain, which is stored on the authoritative nameservers.
There are 40 different DNS record types, all of which include multiple fields that specify information about the domain. The following are some of the most commonly used DNS record types.
The A record maps a hostname to its IPv4 address. IPv4, which has long been the standard version for IP addresses, is a 32-bit format.
Because IPv4 addresses have become harder to obtain due to high demand, sites have begun a movement toward IPv6 128-bit addresses. If your site supports the IPv6 version, the AAAA record will store that address.
The canonical name, or CNAME, record answers a request with an alias: it points one hostname at the canonical hostname that the resolver should look up instead on the authoritative nameserver. This is useful for redirecting requests if your organization changes its hostname.
The mail exchange (MX) record routes mail for the domain using Simple Mail Transfer Protocol (SMTP).
The nameserver (NS) record indicates the primary nameserver for the domain to the resolver. It also indicates backup nameservers with the domain’s information. This provides redundancy in case the primary server fails — as long as the servers are hosted separately.
The “start of authority” (SOA) record provides domain-level information. This record houses the serial number, which increases by increments of one each time a DNS record is updated. Monitoring this value allows you to identify whether anyone has made changes to your records.
The service (SRV) record provides the host and port for a service like instant messaging.
The text (TXT) record is a plain text entry used for notes. Mail servers sometimes use TXT records for Sender Policy Framework (SPF) codes that enable the receiving server to verify an email source.
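The SOA serial check described above, as an added example that is not part of the original post or the WatchTowerHQ product: the script parses SOA answers in the text form `dig +short SOA` prints (the nameserver hostnames, serials and baseline are constructed for the example), reports a serial that has moved from the recorded baseline, and, going one step beyond the text, also reports when the authoritative nameservers disagree with each other, which is what a failed zone transfer looks like.

```python
import re

# Constructed SOA answers in the form `dig +short SOA <zone>` prints, one per
# authoritative nameserver. Hostnames and serials are hypothetical.
SOA_ANSWERS = {
    "ns1.example.net.": "ns1.example.net. hostmaster.example.com. 2024031502 7200 900 1209600 3600",
    "ns2.example.net.": "ns1.example.net. hostmaster.example.com. 2024031501 7200 900 1209600 3600",
}
BASELINE_SERIAL = 2024031501  # serial recorded after the last approved change

SOA_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_soa(rdata):
    """Split SOA RDATA into its seven fields (MNAME, RNAME, SERIAL, REFRESH, RETRY, EXPIRE, MINIMUM)."""
    m = SOA_RE.match(rdata.strip())
    if not m:
        raise ValueError("not an SOA RDATA string: %r" % rdata)
    keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
    vals = m.groups()
    return dict(zip(keys, vals[:2] + tuple(int(v) for v in vals[2:])))

def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True if serial a is newer than b, allowing 32-bit wraparound."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def check_zone(answers, baseline):
    """Return alert strings: a serial that moved from the baseline, or nameservers that disagree."""
    alerts = []
    serials = {ns: parse_soa(rdata)["serial"] for ns, rdata in answers.items()}
    for ns, serial in serials.items():
        if serial_newer(serial, baseline):
            alerts.append("%s: serial %d is newer than baseline %d, zone was changed" % (ns, serial, baseline))
        elif serial != baseline:
            alerts.append("%s: serial %d is older than baseline %d, stale or rolled back" % (ns, serial, baseline))
    if len(set(serials.values())) > 1:
        alerts.append("nameservers disagree on serial: " + ", ".join(
            "%s=%d" % (ns, s) for ns, s in sorted(serials.items())))
    return alerts

if __name__ == "__main__":
    for alert in check_zone(SOA_ANSWERS, BASELINE_SERIAL):
        print(alert)
```

In a real deployment the answers would come from querying each NS record's host directly rather than your local resolver, so that a stale cache does not hide a change.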
DNS servers run in the background of your organization’s operations, so it is easy to take their simple functionality for granted. But without a monitoring mechanism, attackers can take advantage of any vulnerabilities in DNS communications before you realize it.
Since the consequences of a DNS error or breach can be far-reaching, DNS monitoring can help you catch issues before they become major problems.
DNS monitoring allows you to identify and address several different DNS errors and breach types. Many are the result of malicious activity and could pose a substantial threat to your organization’s data security. Others are communications flow interruptions that compromise the functionality of your domain request resolution and slow down traffic to your sites.
If the NS record lists any of the IP addresses incorrectly, client machines waste time trying to access a nonexistent server and leave one of the actual servers unused. And if a local server fails, the result will appear as a loss of service to users launching domain queries. Monitoring can catch these errors right away and ensure that any outage is as brief as possible by identifying its source quickly.
The less time your website is down, the less your business traffic flow is interrupted. With increased uptime, any users trying to reach your site will be able to find their way to you without any interruptions.
DNS servers temporarily cache hostname information rather than repeating the resolution process every time the same name is requested. This helps them run more efficiently, but it also leads to vulnerabilities.
Cache poisoning occurs when invalid IP addresses are inserted into the DNS cache. This is usually due to viruses and malware trying to direct requests to a phishing site. Unsuspecting users may then enter their passwords into the site they’ve been redirected to, compromising their personal data and opening themselves to additional attacks.
Spoofing also involves the redirection of an IP address, but it has to do with subverting an authoritative name server or impersonating a legitimate one. This is also usually the result of malware.
Organizations and governments may block certain domains due to policy restrictions. Blocking a domain at the DNS layer acts as a firewall, preventing users from accessing the sites hosted on that server.
Blocking can also be a security measure preventing users from accessing malicious domains. This practice, also known as “blackholing,” can backfire and block necessary traffic to sites, which a monitoring infrastructure would detect.
Regularly monitoring traffic to all sites within your domain will detect any errors in blocking to ensure that requests are returned as intended and that your users can visit your sites without any obstacles.
Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks occur when one or more computers begin hitting the DNS server rapidly to try to bring down the site’s supporting infrastructure. This cripples the sites that store their name records on the server, and attackers can then use that information to start attacking other sites.
The earlier the attack is caught, the more quickly it can be addressed before the name records on the server become weaponized by the attackers.
Because DNS servers manage a huge amount of traffic, most security software won’t be equipped to monitor the data packets that are exchanged. By monitoring traffic on the server to detect bursts of traffic to a previously unused name server or a large number of long requests and responses, DNS monitoring can catch tunneling and help to prevent any additional information from being exchanged. This is an important addition to your organization’s current security protocols, which attackers are likely able to tunnel right past if DNS traffic is not being watched.
A high rate of failed DNS lookups can indicate malicious activity. Malware often uses a list or algorithm of possible domains to locate a command-and-control server, and the attackers register only a series of those domains, so most of the malware’s lookups fail. Monitoring will detect an abnormally high failed lookup rate to protect the server.
Consequences of a DNS Breach
The consequences of DNS errors and breaches range from inconvenient to catastrophic.
A configuration error can prevent users from accessing your site and make it appear as if their internet is not functioning properly. This can drive traffic away from your domain and interfere with your business.
If the DNS cache becomes poisoned or spoofed, you also put your users at risk of phishing schemes. Compromising user data can seriously affect your brand loyalty and hurt your bottom line. Even more serious are DDoS, DoS, and tunneling attacks that allow attackers to weaponize name records and leak encoded data from the server.
Once a breach has been committed, it’s nearly impossible to restore the privacy and security of that data, so it’s a far better strategy to protect your DNS servers and prevent serious breaches from happening at all. A comprehensive monitoring tool can help you detect threats early so you can address them swiftly and prevent them from becoming larger.
Since 2011, WhatArmy has been helping clients maintain, monitor, secure, and improve their websites. To better serve customers, WhatArmy developed a proprietary DNS monitoring tool, WatchTowerHQ, which allows users to identify site issues quickly and easily using one dashboard.
There’s no need to visit several different sites to gather information. You can monitor site speed and uptime through actionable insights and an intuitive, visual interface. With WatchTowerHQ, you reduce bounce rates, improve user experience, and tighten your DNS security.
DNS servers provide an essential function to your business, helping its website run effectively and efficiently — but they also need to be monitored for vulnerabilities that attackers can leverage. Without adequate monitoring, you compromise your own data security and that of your customers.
Fortunately, this doesn’t have to slow your organization down. With dashboard monitoring through WatchTowerHQ, you have all the information you need to detect any DNS errors or breaches at your fingertips. Keeping an eye on key metrics like site speed, uptime, and domain request volume and timing can ensure the integrity of your servers and ensure that everything continues running smoothly.