As with most security challenges, the solutions for DNS in the cloud are incomplete and rely on a combination of
people, process and technology. The cloud presents challenges on all fronts since most organizations are essentially outsourcing various aspects of all three of the aforementioned items by moving applications to the cloud. The technologies reside at the cloud provider and the cloud customer relies on the provider’s processes in order to ensure and secure both their information and their infrastructure. Therefore, the customer must consider this loss of physical control and provide very specific guidance to the provider on the management and processing of DNS data.
To read part one of this two-part series, DNS attacks: Compromising DNS in the cloud, click here.
In this article, the second of a two-part series examining DNS in the cloud and DNS attack vectors in the cloud, we’ll look at mitigation measures and provide guidance for cloud customers on what they should demand from cloud providers to ensure a secure DNS architecture.
Insisting on DNS Security Extensions (DNSSEC) signed zones is an important first step since DNSSEC provides data integrity for your zone files, and DNSSEC-aware clients offer assurance that the DNSSEC zones are signed. Trusting the zone signer is a different issue, but this is still a good start.
However, DNSSEC is only one component in creating a secure DNS architecture in the cloud. Equally important to running DNSSEC are the procedures to ensure DNSSEC keys are properly managed and servers properly secured. DNSSEC only works to ensure data integrity; it does not guarantee proper configuration nor does it prevent zone operators from inserting bogus records (as long as they have the keys to sign the records). It also does not prevent common attacks like buffer overruns, race conditions and DoS attacks. Furthermore, managing DNNSEC zones requires a significant effort by the zone operators.
A major issue facing the adoption of DNSSEC in the cloud lies in the fact that many security experts are unfamiliar with DNSSEC and lack the required understanding in order to ensure successful implementation of the service feature. Last year, Uncompiled.com published a study that found half of IT personnel in charge of Internet security at the world’s largest organizations either haven’t heard of DNSSEC or have limited familiarity with it. This does not bode well for widespread adoption of DNSSEC by cloud service providers (CSPs). Still, cloud customers should require DNSSEC zone signing.
In addition to DNSSEC zone signing, CSPs must also turn on DNSSEC awareness in the recursive resolvers that clients use for name resolution. Expecting individual applications to perform DNSSEC checking is nearly impossible. DNSSEC and DNSSEC checking will need to occur in the cloud, especially for those providers that offer IaaS solutions. DoS attacks can, in many cases, be mitigated through the use of anycast, and most CSPs offering DNS management should already be using anycast. Nonetheless, the customer should verify this. Anycast traffic balancing, much like DNSSEC, is an additional component to the overall strategy for secure DNS.
One possible solution to the DNS in the cloud problem may lie in shadowing and monitoring DNS zones in the IaaS cloud. This solution would involve maintaining a dual set of servers for each instance and placing monitoring software in stealth mode on the line. When a zone posts an update, the monitor could check the zone information in order to determine if the changes are legitimate or not. For example, an update to a zone record that shows the IP address changing networks might set off an alarm to the operator. With proper enactment of the monitoring solution, these zones could possibly become highly reliable servers within the IaaS cloud.
Successfully navigating the cloud infrastructure will take time and considerable effort by both IT and legal groups within an organization and the CSP. One way to think of a cloud migration is to consider it the purchase of an ongoing relationship. Trust issues with providers will require that both the customer and CSP maintain an open relationship. Presently, the best practices that govern the security industry are not guaranteed to perform as well in the cloud. This means that in many cases the customer and the CSP will be working through new issues, new thoughts and new concerns together in a collaborative effort. For this reason, the relationship must be built on mutual trust and understanding in order to ensure the acquisition and sharing of knowledge in this new frontier.
About the author:
Char Sample has close to 20 years of experience in Internet security, and she has been involved with integrating various security technologies in both the public and private sectors. She is a doctoral candidate at Capitol College, where her dissertation topic deals with the use of cultural markers in attack attribution.