A New Secure DNS Guidance From NIST: Important Information For Operators
Let's face it: most people use the web every day without ever thinking about how it works. You type a web address into your browser, press Enter, and suddenly you have cat videos, news and shopping.
Behind the scenes, however, an extensive and complicated system makes sure you reach the site you actually asked for. It is known as the Domain Name System (DNS), and it is effectively the master phone book of the Internet.
But what happens if someone tampers with that phone book? Say you want to call your bank, but somebody has quietly replaced your bank's number in the book with a scammer's. You would end up on the phone with the scammer, and you might not notice. That is the kind of situation that keeps cybersecurity professionals up at night.
To prevent exactly that, the National Institute of Standards and Technology (NIST) publishes guidance so that internet users can depend on the integrity and security of that phone book. NIST recently released an updated version of its Secure DNS Deployment Guidance.
Whether you are a network provider, an IT specialist or simply someone who manages web-facing systems, this update covers a lot that you will care about.
No need to panic. Government technical documents are dense, and it is normal not to follow every detail. Below is a plain-English summary of what you need to know and what it means for you.
What is DNS, and why does it need protecting? Let's take a closer look at how the system works.
Your computer does not understand a name such as www.google.com or www.amazon.com. What it understands is an IP (Internet Protocol) address, a numeric address such as 192.168.0.1. Humans are bad at remembering numbers and much better at remembering names. DNS bridges that gap.
When you type a web address into your browser, your computer asks a DNS server (a resolver) for the IP address of that name. The resolver answers from its cache if it can; otherwise it works its way through the DNS hierarchy (the root, the top-level domain, then the domain's own authoritative servers) and returns the answer to you.
The problem is that DNS was designed decades ago, when the Internet was small and everyone on it was assumed to be honest. Security was not part of the original design. Protections such as DNSSEC, TSIG and encrypted transports were bolted on much later as extensions, and they only help where operators actually deploy them.
Because of this, attackers have found ways to hijack these lookups. With DNS cache poisoning (also called DNS spoofing), an attacker tricks a resolver into caching a forged answer, so everyone who uses that resolver is handed the attacker's IP address instead of the real one. Imagine typing your bank's address and landing on an attacker's copy of the site instead.
NIST Enters the Picture: The Standards Body for Technology
For those not familiar with it, NIST (the National Institute of Standards and Technology) is a non-regulatory agency within the U.S. Department of Commerce, tasked with supporting innovation and industrial competitiveness. In technology, its cybersecurity guidelines are widely treated as the gold standard. When NIST speaks, the IT community listens.
NIST's Secure Domain Name System (DNS) Deployment Guide, Special Publication (SP) 800-81, has been the definitive reference for securing DNS infrastructure for many years. But technology moves fast. What was deemed safe five years ago may now be full of holes: attackers get cleverer, computers get faster and new weaknesses are discovered constantly.
That is why NIST updated the guide: to make sure network operators use current, proven methods to protect their piece of the Internet.
DNSSEC Is the Highlight of the NIST Guide
You can't discuss the NIST guide without mentioning DNSSEC (Domain Name System Security Extensions). If DNS is the phone directory, then DNSSEC is a notary public who stamps and certifies every number in that directory.
DNSSEC adds cryptographic signatures (RRSIG records) to DNS data so that its integrity and origin can be checked. When a resolver asks an authoritative server for the IP address of a name in a DNSSEC-signed zone, the server returns the signature along with the answer. The validating resolver checks that signature against the zone's public key (its DNSKEY record), checks that key in turn against a DS record held in the parent zone, and follows the chain all the way up to the root trust anchor. If any link in the chain fails, the answer is rejected rather than handed to the user. Be clear about what DNSSEC does and does not do: it proves the answer is authentic and unmodified, but it does not encrypt the query or the answer.
The new guide takes a firmer stance on DNSSEC than merely suggesting it: it recommends that all organizations deploy DNSSEC as one of the key components of their network infrastructure.
What has changed with cryptography?
Digital signatures are mathematics, and mathematics does not stand still. As processors get faster and cryptanalysis improves, key sizes and hash functions that were adequate when DNSSEC was first rolled out become practical for a well-resourced attacker to break. The updated NIST publication therefore refreshes its list of recommended cryptographic algorithms.
Moving away from old algorithms: NIST calls for deprecating and eventually replacing weak or undersized choices such as 1024-bit RSA keys and anything built on SHA-1 (in DNSSEC terms, the RSASHA1 and RSASHA1-NSEC3-SHA1 signing algorithms). If you are still signing with these, you are locking your front door with a piece of string.
Moving to new algorithms: The guide favours elliptic-curve signatures: ECDSA (Elliptic Curve Digital Signature Algorithm, ECDSAP256SHA256 in DNSSEC) and EdDSA (Ed25519). They offer security at least equivalent to RSA-2048 with far smaller keys and signatures; a P-256 or Ed25519 signature is 64 bytes, against 256 bytes for RSA-2048. Signing is faster, zones are smaller and, most importantly for DNS, responses stay small enough to fit in a single UDP packet instead of fragmenting or falling back to TCP. One caveat a practitioner should know: verifying an ECDSA signature costs somewhat more CPU than verifying an RSA one, but on current hardware that cost is not measurable in practice, and the smaller responses matter far more.
The Operator’s Playbook: Actions To Take
Now let's get practical. If you are an operator sitting at your desk wondering what you should actually do, this is for you. Below is a checklist of the things the new NIST guide asks of you.
1. Audit Your Existing Setup
You can't fix what you don't understand. Before changing anything, take a close look at your current DNS infrastructure: which software and versions you run, where the servers sit, which zones they serve and which clients they answer. The guide is emphatic about server health: every DNS host should run a patched, current operating system with unnecessary services disabled, and administrative access should be limited to the people who actually need it.
2. Upgrade To Current Algorithms
If you already run DNSSEC, congratulations, but you are not finished. Are the algorithms you sign your zones with still current? If you are using legacy RSA variants (RSASHA1 in particular) or RSA keys shorter than 2048 bits, plan a migration to ECDSA P-256 or Ed25519. Note that changing algorithm is not an ordinary key rollover: the zone must carry signatures from both the old and the new algorithm before the parent's DS record is switched, or validating resolvers will treat your zone as bogus. The NIST guide describes how to make the transition without taking your domain offline.
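As an added example that serves both the algorithm discussion above and this audit step (it is not code from the NIST guide or from this article): the Python script below scans DNSKEY records in zone-file text, maps each algorithm number to its signing status as tabulated in RFC 8624, and for RSA keys decodes the RFC 3110 public-key wire format to recover the modulus size. The sample zone and the key blobs are constructed for the example (filler bytes shaped like real keys, not real key material), the 2048-bit threshold is this example's own policy, and the status table is my transcription of RFC 8624, not a list taken from the NIST document.

```python
import base64
import struct
from dataclasses import dataclass
from typing import List, Optional

# DNSSEC algorithm numbers and their signing-side status per RFC 8624
# (assumption: transcribed from that RFC; the NIST guide's own table is not reproduced here).
ALGORITHMS = {
    1: ("RSAMD5", "MUST NOT"),
    3: ("DSA", "MUST NOT"),
    5: ("RSASHA1", "NOT RECOMMENDED"),
    6: ("DSA-NSEC3-SHA1", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED"),
    8: ("RSASHA256", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED"),
    12: ("ECC-GOST", "MUST NOT"),
    13: ("ECDSAP256SHA256", "MUST"),
    14: ("ECDSAP384SHA384", "MAY"),
    15: ("ED25519", "RECOMMENDED"),
    16: ("ED448", "MAY"),
}
RSA_ALGORITHMS = {1, 5, 7, 8, 10}
MIN_RSA_BITS = 2048          # policy threshold used by this example


@dataclass
class Finding:
    owner: str
    role: str                # "KSK" (SEP flag set) or "ZSK"
    algorithm: str
    key_bits: Optional[int]  # RSA modulus size; None for non-RSA keys
    verdict: str             # "ok" or the reason the key was flagged


def rsa_modulus_bits(public_key: bytes) -> int:
    """Modulus size of an RSA DNSKEY public key in RFC 3110 wire format:
    1-byte exponent length (0 means a 2-byte length follows), exponent, modulus."""
    exp_len, offset = public_key[0], 1
    if exp_len == 0:
        exp_len, offset = struct.unpack("!H", public_key[1:3])[0], 3
    modulus = public_key[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def audit_dnskey_records(zone_text: str) -> List[Finding]:
    """Flag DNSKEY records that use deprecated algorithms or undersized RSA keys."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")                  # tolerate omitted TTL/class columns
        flags, algorithm = int(fields[i + 1]), int(fields[i + 3])
        public_key = base64.b64decode("".join(fields[i + 4:]))
        role = "KSK" if flags & 0x0001 else "ZSK"   # the SEP flag (value 1) marks the KSK
        name, status = ALGORITHMS.get(algorithm, (f"unknown({algorithm})", "MUST NOT"))
        bits = rsa_modulus_bits(public_key) if algorithm in RSA_ALGORITHMS else None
        if status in ("MUST NOT", "NOT RECOMMENDED"):
            verdict = f"{status} for signing per RFC 8624: migrate"
        elif bits is not None and bits < MIN_RSA_BITS:
            verdict = f"RSA modulus only {bits} bits (< {MIN_RSA_BITS})"
        else:
            verdict = "ok"
        findings.append(Finding(fields[0], role, name, bits, verdict))
    return findings


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed key blobs shaped like real DNSKEY public keys (filler bytes, not real keys).
RSA_1024 = bytes([3, 0x01, 0x00, 0x01]) + b"\x80" + b"\x5a" * 127   # e=65537, 128-byte modulus
RSA_2048 = bytes([3, 0x01, 0x00, 0x01]) + b"\x80" + b"\x5a" * 255   # e=65537, 256-byte modulus
P256_KEY = b"\x42" * 64                                              # ECDSA P-256: x || y
ED25519_KEY = b"\x42" * 32                                           # Ed25519 public key

# Constructed sample zone data (not taken from any real zone).
SAMPLE_ZONE = f"""\
legacy.example.  3600 IN DNSKEY 257 3 5  {_b64(RSA_1024)}
legacy.example.  3600 IN DNSKEY 256 3 5  {_b64(RSA_1024)}
small.example.   3600 IN DNSKEY 256 3 8  {_b64(RSA_1024)}
rsa.example.     3600 IN DNSKEY 257 3 8  {_b64(RSA_2048)}
modern.example.  3600 IN DNSKEY 257 3 13 {_b64(P256_KEY)}
modern.example.  3600 IN DNSKEY 256 3 15 {_b64(ED25519_KEY)}
"""

if __name__ == "__main__":
    for f in audit_dnskey_records(SAMPLE_ZONE):
        print(f"{f.owner:16} {f.role} {f.algorithm:20} {str(f.key_bits or '-'):>5}  {f.verdict}")
```

To run it against your own zones, feed the script the output of a DNSKEY query or the DNSKEY lines of your signed zone file; anything not reported as "ok" is a migration item for step 2.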
3. Automate Your Key Rollover
Your cryptographic keys are like the passwords for your servers, and just as you shouldn't keep one password for ten years, you shouldn't keep signing with the same key indefinitely. The practice of regularly replacing these keys is known as key rollover.
In the past, a key rollover was a nerve-racking manual procedure. Get the timing wrong, by removing an old key while caches still hold signatures made with it, and your domain fails validation and disappears for every validating resolver until you fix it. The revised NIST guide urges operators to automate the process. Most current DNS software can perform rollovers on its own schedule; turn that automation on. Automating rollover removes the human error from the timing and keeps your keys fresh without anyone having to remember.
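As an added example (not from the NIST guide or from this article) of the timing that rollover automation has to get right: the Python code below computes the earliest safe time for each step of a pre-publication ZSK rollover from the zone's TTLs and propagation delays, using the timing model and symbol names of RFC 7583, and tells an automation job which step is due at a given moment. The TTL and delay values are assumptions chosen for the example, not figures from the guide.

```python
from datetime import datetime, timedelta, timezone

# Timing inputs in RFC 7583 terms. Values are assumptions for the example only.
DNSKEY_TTL = timedelta(hours=1)        # TTLkey: TTL of the DNSKEY RRset
MAX_RRSIG_TTL = timedelta(days=1)      # TTLsig: largest TTL of any RRset the ZSK signs
PROPAGATION = timedelta(minutes=30)    # Dprp: time for a zone change to reach all secondaries
SIGN_DELAY = timedelta(hours=2)        # Dsgn: time to re-sign the whole zone with the new key


def prepublish_zsk_schedule(publish_at, dnskey_ttl=DNSKEY_TTL, max_rrsig_ttl=MAX_RRSIG_TTL,
                            propagation=PROPAGATION, sign_delay=SIGN_DELAY):
    """Earliest safe times for each step of a pre-publication ZSK rollover.

    Ipub = Dprp + TTLkey: after the new DNSKEY is published it must reach every
    secondary, and every cached copy of the old DNSKEY RRset must expire, before
    any validator can be handed a signature made with the new key.
    Iret = Dsgn + Dprp + TTLsig: after the old key stops signing, the zone must be
    fully re-signed, that must propagate, and every cached signature made with the
    old key must expire before the old DNSKEY may be withdrawn.
    """
    i_pub = propagation + dnskey_ttl
    i_ret = sign_delay + propagation + max_rrsig_ttl
    activate = publish_at + i_pub
    return {
        "publish_new": publish_at,        # add the new DNSKEY, keep signing with the old key
        "activate_new": activate,         # start signing with the new key ...
        "retire_old": activate,           # ... and stop signing with the old one
        "remove_old": activate + i_ret,   # the old DNSKEY may now be deleted from the zone
    }


def next_action(schedule, now):
    """Which rollover step an automation job should be performing at `now`."""
    if now < schedule["publish_new"]:
        return "wait"
    if now < schedule["activate_new"]:
        return "publish new ZSK"
    if now < schedule["remove_old"]:
        return "sign with new ZSK, keep old DNSKEY published"
    return "remove old DNSKEY"


def safe_to_remove_old_key(schedule, now):
    """True only once no cache can still hold a signature made with the old key."""
    return now >= schedule["remove_old"]


if __name__ == "__main__":
    start = datetime(2025, 1, 1, tzinfo=timezone.utc)   # assumed start time for the demo
    for step, when in prepublish_zsk_schedule(start).items():
        print(f"{step:13} {when:%Y-%m-%d %H:%M} UTC")
```

The part operators most often get wrong is the last interval: the old key has to stay published for the whole of Iret, which is dominated by the largest TTL in the zone, not by the DNSKEY TTL. Any automation, yours or your DNS software's, should be checked against these intervals with your real TTLs plugged in.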
4. Securely Implement Split-Horizon DNS
"Split-Horizon DNS" is a common practice in businesses. In simple terms, you keep one "internal" directory of names and addresses for employees on the private network, and a separate "external" directory that is published to the Internet.
The new guidelines spell out how to handle these two directories. NIST's position is that the internal and external services should run on separate servers, not merely as two views on the same machine, so that an intruder who compromises your public-facing DNS server cannot pivot from it to read internal hostnames (which amount to a map of your network) or to answer your internal clients' queries. A quick check is to query your public servers from an outside address for a few internal-only names, and to request a zone transfer from them: both should fail.
5. Protecting Day To Day Operations
The goal of this step is to protect not only the final answer but also the conversations that produce it. If your primary DNS server sends zone data to a secondary (through a zone transfer), that exchange needs protecting too. NIST recommends TSIG (Transaction Signatures) or DNS over TLS (DoT) for this server-to-server traffic. Be precise about what each gives you: TSIG attaches an HMAC, computed with a shared secret, to each message, so the secondary can verify that the transfer came from the real primary and was not altered in transit, but TSIG does not encrypt anything; an eavesdropper can still read the zone going past. DoT wraps the whole connection in TLS and adds confidentiality on top. Whichever you use, also restrict which addresses may request a transfer at all, and treat a TSIG secret like any other credential: generate it randomly, distribute it out of band and rotate it.
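As an added example, not from the NIST guide or from this article, the Python code below shows what TSIG actually does to a zone-transfer request. It builds a minimal AXFR query in DNS wire format, computes the TSIG MAC over the message plus the TSIG variables in the order RFC 8945 lays out (key name, class ANY, TTL 0, algorithm name, 48-bit time signed, fudge, error, other data), and verifies it with a replay window and a constant-time comparison. It deliberately stops short of a full implementation: it does not encode the TSIG resource record into the message or handle a response's request-MAC beyond the hook shown, and the key name and shared secret are constructed for the example (real secrets must be random). The point to notice is that the query bytes are never hidden; only forgery and replay are detected.

```python
import hashlib
import hmac
import struct

KEY_NAME = "xfer-key.example."      # constructed TSIG key name
ALGORITHM = "hmac-sha256."          # TSIG algorithm name as registered with IANA
SECRET = bytes(range(1, 33))        # constructed 256-bit secret; use random bytes in real deployments
DEFAULT_FUDGE = 300                 # seconds of clock skew tolerated either side (the usual default)


def wire_name(name: str) -> bytes:
    """Uncompressed, lower-cased wire-format domain name (the form RFC 8945 digests)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_axfr_query(msg_id: int, zone: str) -> bytes:
    """Minimal DNS query: 12-byte header (QDCOUNT=1) plus one question for <zone> AXFR IN."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)   # QTYPE 252 = AXFR, QCLASS IN


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields that are digested together with the message (RFC 8945 4.3.3)."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0)            # CLASS ANY, TTL 0
            + wire_name(algorithm) + time_signed.to_bytes(6, "big")     # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_mac(secret, message, key_name, time_signed, fudge=DEFAULT_FUDGE, request_mac=b""):
    """HMAC over [request MAC] + message (without its TSIG RR) + TSIG variables."""
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += message + tsig_variables(key_name, ALGORITHM, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def verify_tsig(secret, message, key_name, time_signed, fudge, mac, now, request_mac=b""):
    """Reject replays outside the fudge window (BADTIME) and forgeries (BADSIG)."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(secret, message, key_name, time_signed, fudge, request_mac)
    return hmac.compare_digest(expected, mac)   # constant-time comparison


if __name__ == "__main__":
    query = build_axfr_query(0x1234, "example.com.")
    when = 1_700_000_000                        # assumed Unix time of signing
    mac = tsig_mac(SECRET, query, KEY_NAME, when)
    print("zone name still readable in the signed query:", b"example" in query)
    print("valid:", verify_tsig(SECRET, query, KEY_NAME, when, DEFAULT_FUDGE, mac, now=when + 5))
    forged = query[:-1] + bytes([query[-1] ^ 0x01])
    print("tampered:", verify_tsig(SECRET, forged, KEY_NAME, when, DEFAULT_FUDGE, mac, now=when))
    print("replayed an hour later:",
          verify_tsig(SECRET, query, KEY_NAME, when, DEFAULT_FUDGE, mac, now=when + 3600))
```

Two design points carry over to production: the time check happens before the MAC check so that the cheap rejection comes first, and the comparison is constant-time so that an attacker cannot learn the MAC byte by byte from response timing. Note also that the fudge window only limits replay; it does not stop an attacker who holds the shared secret, which is why the secret must be protected like a password and rotated.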
Obstacles That Prevent Operators from Moving Forward
All of this sounds good in theory, but in practice many IT teams are under-resourced and budgets are tight. Let's look at the objections that most often hold operators back.
"This is Too Involved!"
DNSSEC and cryptography can look daunting, but the tooling has improved enormously. Ten years ago, configuring DNSSEC meant hand-running command-line tools and keeping your own key schedules; today most DNS software, registrars and control panels offer signing as a single setting, with key generation and rollover handled for you. The one step that is still easy to forget is publishing the DS record in your parent zone (usually through your registrar): until that is done your signatures exist but nobody validates them, so check it after you enable signing.
"This Will Slow Down My Network"
This was a legitimate concern in the past: adding signatures makes DNS responses larger, and large responses fragment or fall back to TCP, which slows things down. With the move to elliptic-curve algorithms such as ECDSA and Ed25519, signatures are a fraction of the size of RSA signatures and responses typically fit in a single packet again, so the impact on modern systems is negligible. If you measure anything at all, it will be the small extra CPU spent validating signatures on your resolvers.
"Don't Fix It unless It is Broken."
This is the deadliest mindset in cybersecurity. Not having noticed an incident does not mean your DNS is safe. Cache poisoning in particular leaves no trace on your own servers, because the forged answers live in someone else's resolver cache; your users are misdirected while your logs look perfectly normal.
The Effects on the Internet at Large
Why is NIST concerned about this? Because without a secure Domain Name System there is no trusted Internet.
Think of the "ripple effect". If a hacker manages to poison a critical DNS cache, they don't just create inconvenience for a handful of people; they can redirect millions of individuals accessing portals for government agencies, health care providers and large financial institutions. They could also intercept email messages, steal login information from users on a vast scale and distribute malware faster than we can respond to it.
By updating this document, NIST is trying to build a kind of "herd immunity" for the Internet. When the majority of network operators implement these up-to-date security standards, widespread attacks become much harder to carry out. Protecting your own organisation also protects the overall integrity of the digital ecosystem.
To sum it up
The National Institute of Standards and Technology (NIST) has done the research needed to determine the best methods for protecting the domain name system (DNS). The most recent version of NIST's Secure DNS Deployment Guide provides an easy-to-follow action plan for securing DNS implementations going forward.
For network operators, the message is that yesterday's security measures may no longer be adequate. Inventory your systems, sign with current algorithms, automate key rollover wherever you can, and make sure that everyone who types your domain name ends up at the right destination.