DNS in the cloud: Building a secure DNS architecture

As with most security challenges, the solutions for DNS in the cloud are incomplete and rely on a combination of people, process and technology. The cloud presents challenges on all fronts since most organizations are essentially outsourcing various aspects of all three of the aforementioned items by moving applications to the cloud. The technologies reside at the cloud provider and the cloud customer relies on the provider’s processes in order to ensure and secure both their information and their infrastructure. Therefore, the customer must consider this loss of physical control and provide very specific guidance to the provider on the management and processing of DNS data.

Part one: To read part one of this two-part series, see DNS attacks: Compromising DNS in the cloud.

In this article, the second of a two-part series examining DNS in the cloud and DNS attack vectors in the cloud, we’ll look at mitigation measures and provide guidance for cloud customers on what they should demand from cloud providers to ensure a secure DNS architecture.

Insisting on DNS Security Extensions (DNSSEC) signed zones is an important first step since DNSSEC provides data integrity for your zone files, and DNSSEC-aware clients offer assurance that the DNSSEC zones are signed. Trusting the zone signer is a different issue, but this is still a good start.

However, DNSSEC is only one component in creating a secure DNS architecture in the cloud. Equally important to running DNSSEC are the procedures that ensure DNSSEC keys are properly managed and servers properly secured. DNSSEC only provides data integrity; it does not guarantee proper configuration, nor does it prevent zone operators from inserting bogus records (as long as they hold the keys to sign them). It also does not prevent common attacks against the server software itself, such as buffer overruns, race conditions and DoS attacks. Furthermore, managing DNSSEC zones requires a significant effort by the zone operators.

A major issue facing the adoption of DNSSEC in the cloud is that many security experts are unfamiliar with DNSSEC and lack the understanding required to implement it successfully. Last year, Uncompiled.com published a study that found half of IT personnel in charge of Internet security at the world's largest organizations either haven't heard of DNSSEC or have limited familiarity with it. This does not bode well for widespread adoption of DNSSEC by cloud service providers (CSPs). Still, cloud customers should require DNSSEC zone signing.

In addition to DNSSEC zone signing, CSPs must also turn on DNSSEC validation in the recursive resolvers that clients use for name resolution. Expecting individual applications to perform DNSSEC validation themselves is unrealistic, so signing and validation will need to occur in the cloud, especially for providers that offer IaaS solutions. DoS attacks can, in many cases, be mitigated through the use of anycast, and most CSPs offering DNS management should already be using anycast. Nonetheless, the customer should verify this. Anycast traffic balancing, much like DNSSEC, is one more component of the overall strategy for secure DNS.

One possible solution to the DNS-in-the-cloud problem may lie in shadowing and monitoring DNS zones in the IaaS cloud. This solution would involve maintaining a dual set of servers for each instance and placing monitoring software in stealth mode on the line. When a zone posts an update, the monitor could check the changed zone data to determine whether the changes are legitimate. For example, an update to a zone record that moves an IP address to a different network might raise an alarm to the operator. With proper enactment of the monitoring solution, these zones could become highly reliable servers within the IaaS cloud.
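The following is an added example, not code from the article, of the kind of check such a stealth monitor could run when a shadowed zone posts an update: it diffs two zone snapshots and raises an alert when an A/AAAA record moves to a network the zone owner has not declared as its own, or when a record disappears. The zone contents and the list of known networks are constructed sample data.

```python
import ipaddress

# Constructed sample snapshots of a shadowed zone, before and after an update.
ZONE_BEFORE = """\
www.example.com. 300 IN A 203.0.113.10
api.example.com. 300 IN A 203.0.113.20
mail.example.com. 300 IN A 203.0.113.30
"""
ZONE_AFTER = """\
www.example.com. 300 IN A 203.0.113.11
api.example.com. 300 IN A 198.51.100.7
mail.example.com. 300 IN A 203.0.113.30
"""
# Networks the zone owner has declared legitimate for its hosts (assumption).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_zone(text):
    """Return {owner: set(ip)} for A/AAAA records in presentation-format zone text."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[3] in ("A", "AAAA"):
            records.setdefault(fields[0], set()).add(ipaddress.ip_address(fields[4]))
    return records


def in_known_network(ip):
    return any(ip in net for net in KNOWN_NETWORKS)


def zone_alerts(before, after):
    """Compare two snapshots and return (owner, address, reason) alerts.

    A change that stays inside a known network (e.g. a host renumbered within
    the same /24) is treated as routine; a move to an unknown network or the
    removal of a record is reported for operator review.
    """
    old, new = parse_zone(before), parse_zone(after)
    alerts = []
    for owner, ips in new.items():
        for ip in ips - old.get(owner, set()):
            if not in_known_network(ip):
                alerts.append((owner, str(ip), "address moved to unknown network"))
    for owner in old.keys() - new.keys():
        alerts.append((owner, None, "record removed"))
    return alerts


if __name__ == "__main__":
    for alert in zone_alerts(ZONE_BEFORE, ZONE_AFTER):
        print(alert)
```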

Successfully navigating the cloud infrastructure will take time and considerable effort by both IT and legal groups within an organization and the CSP. One way to think of a cloud migration is to consider it the purchase of an ongoing relationship. Trust issues with providers will require that both the customer and CSP maintain an open relationship. Presently, the best practices that govern the security industry are not guaranteed to perform as well in the cloud. This means that in many cases the customer and the CSP will be working through new issues, new thoughts and new concerns together in a collaborative effort. For this reason, the relationship must be built on mutual trust and understanding in order to ensure the acquisition and sharing of knowledge in this new frontier.

About the author:
Char Sample has close to 20 years of experience in Internet security, and she has been involved with integrating various security technologies in both the public and private sectors. She is a doctoral candidate at Capitol College, where her dissertation topic deals with the use of cultural markers in attack attribution.

This was first published in July 2012
