How to secure DNS in the cloud

Transparency about how cloud services are architected and operated is one of the essential factors in earning customers' trust, and the way a provider runs DNS is a visible part of that.


The Domain Name System (DNS) maps domain names to IP addresses (and to other data, such as mail server and name server records). Every website is reached through a domain name that resolves to one or more IP addresses. In practice, DNS is a collection of hardware and software that performs this resolution, together with the DNS protocol itself (message format, transport over UDP and TCP port 53, and so on) that clients use to talk to DNS servers and that DNS servers use to talk to each other.

Because DNS combines hardware, software and a protocol that was designed in the 1980s without any authentication, each of these layers has had vulnerabilities that attackers can exploit to take control of name resolution and, through it, affect users.


Some common DNS attack scenarios include:

- DNS cache poisoning

Forged DNS responses: an attack that plants false records in the cache of a recursive DNS server, so that wrong IP addresses (usually ones controlled by the attacker) are returned for domain queries and users are redirected. The attacker exploits the lack of authentication in classic DNS: a resolver accepts the first reply whose transaction ID, ports and question section match its outstanding query, so an attacker who can guess or observe those values, or who sits on the network path, can answer before the legitimate server does. The incorrect records are then cached and served to every other client of that resolver until they expire. Resolvers that randomize the source port and transaction ID make blind guessing far harder, and a DNSSEC-validating resolver rejects forged records outright.

Rogue DNS servers: this is how some adware and malware operate. The attacker runs DNS servers that behave like normal resolvers but whose records the attacker can add, remove or modify at will, and then changes the victim's resolver settings (on the host or on the home router) to point at them. Users are redirected to incorrect IP addresses in order to inject advertising, install malicious code, replace search results and so on.

- DNS amplification attack

This is a form of distributed denial of service (DDoS). The attacker sends small queries to open DNS servers (servers that answer queries from any IP address) with the victim's address forged as the source, so that the servers' responses are delivered to the victim and saturate its bandwidth. Two elements make the attack work: the attacker's own address is hidden because the traffic reaches the victim through a third party (reflection), and the responses are far larger than the queries that triggered them, tens of times larger for queries such as ANY or for DNSSEC-signed zones (amplification).
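The checks that separate a poisonable resolver from a resistant one can be shown concretely. The following Python is an added example written for this article, not code from any resolver: it builds DNS messages with the standard library and then applies to an incoming reply the tests a resolver must pass before caching anything (source address and port, transaction ID, question section, and the bailiwick rule that discards records for names the answering server is not authoritative for). The outstanding query, the addresses, the port and the replies are all constructed for the demonstration.

```python
import struct

# Constructed example state: the resolver has this query outstanding.  The names,
# addresses, port and transaction id are made up for the example.
PENDING = {
    "txid": 0x1A2B,
    "sport": 43621,                 # randomized UDP source port of the query
    "server": "192.0.2.10",         # authoritative server the query went to
    "qname": "www.example.com.",
    "qtype": 1,                     # A
    "bailiwick": "example.com.",    # zone that server is authoritative for
}

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (lower-cased name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                      # bound the walk so pointer loops cannot hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    else:
        raise ValueError("name too long or compression loop")
    return ".".join(labels) + ".", (end if jumped else off)

def build_response(txid, qname, qtype, answers, additional=()):
    """Construct a response; records are (name, type, ttl, rdata).  A record whose name
    equals qname is written as a compression pointer to the question (offset 12)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, len(additional))
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in list(answers) + list(additional):
        body += b"\xC0\x0C" if name == qname else encode_name(name)
        body += struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + body

def parse_response(msg):
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "records": records}

def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)

def accept_response(pending, src_ip, dst_port, raw):
    """The checks a resolver makes before caching anything from a reply.  Returns
    (records to cache, reason).  A resolver that skips the port/id/question
    comparison, or caches out-of-bailiwick records, is what cache poisoning exploits."""
    if src_ip != pending["server"] or dst_port != pending["sport"]:
        return [], "wrong source address or destination port"
    resp = parse_response(raw)
    if resp["txid"] != pending["txid"]:
        return [], "transaction id mismatch"
    if not resp["flags"] & 0x8000:
        return [], "not a response"
    if (resp["qname"], resp["qtype"]) != (pending["qname"].lower(), pending["qtype"]):
        return [], "question section does not match the query"
    # Bailiwick rule: keep only records for names under the zone the answering
    # server is authoritative for.  An unsolicited "glue" record for another
    # domain, the classic poisoning payload, is discarded here.
    kept = [r for r in resp["records"] if in_bailiwick(r[1], pending["bailiwick"])]
    return kept, ("ok" if kept else "no in-bailiwick records")
```

With a 16-bit transaction ID alone an attacker needs on average a few tens of thousands of forged packets to hit a match; combining it with a randomized source port multiplies that by the port range, which is why the port check is not optional. The bailiwick filter is what stops a correctly guessed reply for one name from smuggling in a record for an unrelated domain.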


Like most security challenges, DNS security in the cloud has no single technical fix; it rests on a combination of people, processes and technology. Besides general protections for the whole system such as IDS, IPS, firewalls and load balancing, customers using cloud services should also look at the measures applied specifically to DNS in order to choose a suitable provider.
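One DNS-specific measure against the amplification attack described above is Response Rate Limiting (RRL), which authoritative servers such as BIND, NSD and Knot implement. The Python below is an added illustration written for this article, not the code of any of those servers: it computes the amplification factor from constructed query and response sizes and simulates an RRL token bucket per (client /24, query name, type) over a constructed spoofed query stream. The sizes, addresses and rate limits are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sizes in bytes of UDP payload.  A 64-byte ANY query for a signed zone
# drawing a response around 3 KB is a realistic ratio; the numbers are illustrative.
QUERY_BYTES = 64
RESPONSE_BYTES = 3200
TRUNCATED_BYTES = 64       # a TC=1 reply carries only the question, about query-sized

def amplification_factor(query_bytes, response_bytes):
    return response_bytes / query_bytes

def client_net(ip):
    """Bucket key: the client /24, since a spoofing attacker may vary the low bits."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

class ResponseRateLimiter:
    """Response Rate Limiting as found in authoritative servers: identical responses
    towards one client /24 are capped by a token bucket; of the excess, every
    `slip`-th query gets a truncated reply (a genuine client then retries over TCP,
    which cannot be spoofed) and the rest are silently dropped.  Times are integer
    milliseconds and tokens are kept in thousandths so the arithmetic is exact."""
    def __init__(self, responses_per_second=5, slip=2):
        self.rate = responses_per_second
        self.capacity = responses_per_second * 1000
        self.slip = slip
        self.buckets = {}                 # key -> [milli-tokens, time of last refill]
        self.excess = defaultdict(int)

    def decide(self, now_ms, client_ip, qname, qtype):
        key = (client_net(client_ip), qname.lower(), qtype)
        bucket = self.buckets.setdefault(key, [self.capacity, now_ms])
        bucket[0] = min(self.capacity, bucket[0] + (now_ms - bucket[1]) * self.rate)
        bucket[1] = now_ms
        if bucket[0] >= 1000:
            bucket[0] -= 1000
            return "answer"
        self.excess[key] += 1
        return "truncate" if self.excess[key] % self.slip == 0 else "drop"

def simulate(limiter, queries):
    """queries: iterable of (t_ms, source_ip, qname, qtype).  Returns the count of each
    decision and the bytes delivered to each source /24 (i.e. to the reflection victim)."""
    outcomes = defaultdict(int)
    delivered = defaultdict(int)
    cost = {"answer": RESPONSE_BYTES, "truncate": TRUNCATED_BYTES, "drop": 0}
    for t, ip, qname, qtype in queries:
        decision = limiter.decide(t, ip, qname, qtype)
        outcomes[decision] += 1
        delivered[client_net(ip)] += cost[decision]
    return dict(outcomes), dict(delivered)

# Constructed attack: 100 ANY queries in one second, all carrying the victim's
# address 203.0.113.5 as the forged source.
ATTACK = [(10 * i, "203.0.113.5", "example.com.", 255) for i in range(100)]
```

Without RRL the 6,400 bytes of queries above turn into 320,000 bytes aimed at the victim; with a 5-per-second bucket the victim receives about a tenth of that, and a client in a different /24 is answered normally. RRL mitigates an open resolver's usefulness as a reflector but does not replace closing it to the public or deploying source address validation (BCP 38) at the network edge.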


1. DNSSEC (Domain Name System Security Extensions)

The original DNS protocol has no way to authenticate the source of the data exchanged between a DNS server and a client, or forwarded from one server to another along the resolution path for a domain. Since DNS data can therefore be forged or altered in transit, DNSSEC was created to solve this problem.

DNSSEC is a set of extensions to DNS that provides origin authentication and data integrity for DNS data. It has three main tasks: authenticating the sender of the data, guaranteeing the integrity of the data, and authenticated denial of existence (proving that a queried name or record type really does not exist, so that an attacker cannot forge a "no such name" answer). It is worth being clear about what DNSSEC does not do: it does not encrypt queries or responses, so it provides no privacy, and it does not protect against denial of service.

To perform these tasks, in addition to the four main elements of DNS (delegation, zone file management, zone file distribution and resolving), DNSSEC adds elements such as zone signing, signature verification, trust anchors, key rollover, DNSSEC-aware resolvers and a key master. For this it introduces four new record types: DNSKEY (DNS Public Key), RRSIG (Resource Record Signature), NSEC (Next Secure) and DS (Delegation Signer). A later extension, NSEC3, replaces NSEC with hashed names so that a zone's contents cannot be enumerated simply by walking the NSEC chain.

DNSSEC deliberately leaves the DNS data transfer process, and the delegation from higher-level to lower-level zones, unchanged; the signatures travel alongside the ordinary records, and it is up to validating resolvers (or clients) to check them. A signed zone therefore contains RRSIG, DNSKEY and NSEC (or NSEC3) records for its own data, while the DS record that authenticates the zone's key is published in the parent zone.

Thus, by adding new record types and a validation procedure that verifies the origin and integrity of the data, DNSSEC extends the DNS with the security features its original design lacked. The chain of trust runs from the root zone's trust anchor through a DS record at each delegation down to the zone being queried, so an answer is only protected when every zone on that path is signed and the resolver actually validates.
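The DS/DNSKEY link and the NSEC denial described above can be worked through with the standard library alone. The Python below is an added example for this article, not code from any DNS implementation: it computes the RFC 4034 key tag and DS digest for a DNSKEY, checks a parent's DS records against a child's keys, and tests whether an NSEC record covers a queried name under the canonical name ordering of RFC 4034. RRSIG signature verification is left out because it needs a cryptographic library; the DNSKEY public key bytes and the zone names are constructed placeholders, not real keys.

```python
import hashlib
import struct

def wire_name(name):
    """Owner name in canonical wire form (lower case, as RFC 4034 section 6.2 requires)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = KSK with SEP bit, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag of RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, fold in the carry."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA); type 2 is SHA-256, type 1 SHA-1."""
    algo = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    return algo(wire_name(owner) + rdata).digest()

def ds_matches(ds, owner, rdata):
    """ds is (key_tag, algorithm, digest_type, digest) as published in the parent zone."""
    tag, alg, dtype, digest = ds
    return tag == key_tag(rdata) and alg == rdata[3] and digest == ds_digest(owner, rdata, dtype)

def authenticated_keys(ds_records, owner, dnskey_rdatas):
    """One link of the chain of trust: the child's DNSKEYs that some parent DS vouches for.
    Only RRSIGs made with these keys (or with keys they in turn sign) may be trusted."""
    return [k for k in dnskey_rdatas if any(ds_matches(ds, owner, k) for ds in ds_records)]

def canonical_key(name):
    """Sort key for canonical DNS name order (RFC 4034 section 6.1): labels are compared
    right to left as lower-case unsigned bytes, and a name sorts before its subdomains."""
    return tuple(reversed([l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]))

def nsec_covers(nsec_owner, nsec_next, zone, qname):
    """True if the NSEC record owner -> next proves that qname does not exist in zone.
    The last NSEC of a zone points back to the apex, so it covers everything after its owner."""
    o, n, q = canonical_key(nsec_owner), canonical_key(nsec_next), canonical_key(qname)
    if n == canonical_key(zone):
        return o < q
    return o < q < n
```

The DS record is what ties a child zone's key to its parent: the parent publishes only a hash of the child's KSK, so a resolver that has validated the parent can recognise the genuine child key and reject any other DNSKEY an attacker might inject. The NSEC check is the mechanical core of authenticated denial: a signed NSEC whose owner and next name bracket the queried name proves nothing exists between them.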

2. Anycast

Anycast is a form of addressing in which the same IP address is announced from several locations at the same time. A client's packets are delivered to whichever instance is nearest to it in the network topology, according to the routing tables. If that instance disappears (its route is withdrawn or its site is cut off), routing converges on the next-nearest instance, so clients keep getting answers after only the brief disruption of route convergence rather than suffering an outage. That failover is not instantaneous or unconditional, however: it is only as fast as the routing update, and a node that is up at the routing level but broken at the DNS level keeps attracting queries it cannot answer until its announcement is withdrawn.

A DNS anycast server works as follows: the DNS software is configured as on any normal DNS server, but the host carries two addresses on separate interfaces. One interface holds the anycast address, on which it receives and answers domain queries; the other holds a unique, real network address used for management (and for health checks that must reach this specific node rather than whichever node is nearest).

On the Internet, anycast is implemented with the global routing protocol BGP, by advertising the same destination prefix simultaneously from different points. Packets whose destination lies in that prefix are then routed to the nearest advertising point according to the path selection algorithm of the routing protocol. All the hosts serving the prefix are configured with the same anycast address.

Some advantages of anycast applied to a DNS system:

- Clients, servers and routers need no special software

- It does not disturb the existing network; it simply uses the routing infrastructure that is already there

- Load balancing across sites

- Increased flexibility: sites can be added or taken out of service by announcing or withdrawing the route

- Reduced latency, because queries are answered close to the client

- Dispersion of attack traffic across many sites, which reduces the impact of a DoS attack on any one of them
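The availability benefit above holds only if a node that stops answering also stops announcing; otherwise the nearest router keeps sending queries into a black hole. The Python below is an added example written for this article, not code from any DNS or BGP software: it shows a health probe sent to the anycast address on the node itself, and the state machine that turns probe results into announce/withdraw decisions with hysteresis. The prefix, the probe name and the ExaBGP-style command text are assumptions made for the example, and the offline demonstration feeds constructed probe results rather than using the network.

```python
import os
import socket
import struct

def udp_probe(server_ip, qname="www.example.com.", timeout=1.0):
    """One health probe against the resolver listening on this node's anycast address:
    send an A query and accept only a reply that carries our transaction id, the
    response bit and RCODE 0.  Needs the network, so the offline demo does not call it."""
    txid = int.from_bytes(os.urandom(2), "big")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split(".")) + b"\x00"
    query = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server_ip, 53))
            reply, _ = sock.recvfrom(512)
        except OSError:                      # timeout, ICMP unreachable, ...
            return False
    if len(reply) < 12:
        return False
    reply_id, flags = struct.unpack("!HH", reply[:4])
    return reply_id == txid and bool(flags & 0x8000) and (flags & 0x000F) == 0

class AnycastAnnouncer:
    """Decides whether this node should keep announcing the anycast DNS prefix.
    A node whose BGP session is up but whose resolver is broken attracts queries
    and answers none of them, so the announcement must follow the health of the
    DNS service.  Hysteresis (withdraw after `fail_after` consecutive failures,
    re-announce only after `recover_after` consecutive successes) keeps a flapping
    resolver from flapping the route."""
    def __init__(self, prefix, fail_after=3, recover_after=5):
        self.prefix = prefix
        self.fail_after = fail_after
        self.recover_after = recover_after
        self.announced = True
        self.ok_streak = 0
        self.bad_streak = 0
        self.commands = []   # (tick, ExaBGP-style API line this node would emit); syntax assumed

    def observe(self, t, probe_ok):
        if probe_ok:
            self.ok_streak, self.bad_streak = self.ok_streak + 1, 0
        else:
            self.bad_streak, self.ok_streak = self.bad_streak + 1, 0
        if self.announced and self.bad_streak >= self.fail_after:
            self.announced = False
            self.commands.append((t, f"withdraw route {self.prefix} next-hop self"))
        elif not self.announced and self.ok_streak >= self.recover_after:
            self.announced = True
            self.commands.append((t, f"announce route {self.prefix} next-hop self"))
        return self.announced

def run(prefix, probe_results, fail_after=3, recover_after=5):
    """Feed one probe result per tick and return the route transitions that resulted."""
    node = AnycastAnnouncer(prefix, fail_after, recover_after)
    for t, ok in enumerate(probe_results):
        node.observe(t, ok)
    return node.commands
```

In production the loop would call udp_probe against the node's own anycast address on a timer and pipe the resulting commands into the BGP daemon; probing through the management address would not work, because the management interface does not carry the anycast service.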

3. DNS Monitor

DNS monitoring helps system administrators quickly notice suspicious behaviour and act on it. A monitoring setup should:

- Check the working state of each DNS server: the monitor alerts when a DNS server stops answering correctly. It does so by sending its own DNS queries to every monitored server and inspecting the responses, which does not affect other machines.

- Analyse the quality of the responses from the monitored servers: the monitor logs and displays every field of every response (response time, answer records, TTLs), so that operators can decide whether a server needs tuning, and so that a change in the answer for a well-known name (the outward sign of cache poisoning or hijacking) is noticed.

- Provide detail for troubleshooting: by comparing the success or failure of the same query against several servers, the monitor can point at the likely cause quickly. For a failure it reports causes such as timeout, format error (FORMERR), server failure (SERVFAIL), name error (NXDOMAIN), not implemented (NOTIMP), request refused (REFUSED), failure to send the request, or an incomplete reply. For a success it shows the detail of each response section: question, answer, authority and additional.
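The failure classification and the cross-server comparison described above can be scripted. The Python below is an added example for this article rather than the output of any particular monitoring product: it evaluates a constructed log of probe results (server, query name, RCODE, latency, answers), maps RCODEs to the causes listed above, raises an alert after a run of consecutive failures, flags a server whose answers differ from the expected set (the symptom of poisoning or hijacking), and checks latency against a threshold. All servers, names, answers and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import median

# DNS response codes (RFC 1035) and the causes the text lists for a failed query.
RCODES = {0: "NOERROR", 1: "FORMERR (format error)", 2: "SERVFAIL (server failure)",
          3: "NXDOMAIN (name error)", 4: "NOTIMP (not implemented)",
          5: "REFUSED (request refused)"}

# Constructed probe log: (t, server, qname, rcode, latency_ms, answers).
# rcode None means no reply arrived before the timeout.  Addresses come from the
# documentation ranges and the whole log is made up for the example.
PROBES = [
    (1, "192.0.2.10", "www.example.com.", 0, 12, ["192.0.2.80"]),
    (1, "192.0.2.11", "www.example.com.", 2, 40, []),
    (1, "192.0.2.12", "www.example.com.", None, 2000, []),
    (2, "192.0.2.10", "www.example.com.", 0, 15, ["192.0.2.80"]),
    (2, "192.0.2.11", "www.example.com.", 2, 38, []),
    (2, "192.0.2.12", "www.example.com.", 0, 350, ["192.0.2.80"]),
    (3, "192.0.2.10", "www.example.com.", 0, 14, ["198.51.100.9"]),  # answer changed
    (3, "192.0.2.11", "www.example.com.", 2, 41, []),
    (3, "192.0.2.12", "www.example.com.", 0, 420, ["192.0.2.80"]),
]
# Known-good answers the monitor compares against (assumed for the example).
EXPECTED = {"www.example.com.": {"192.0.2.80"}}

def failure_cause(rcode):
    """None for a successful reply, otherwise the cause to report."""
    if rcode is None:
        return "timeout"
    if rcode == 0:
        return None
    return RCODES.get(rcode, f"unknown rcode {rcode}")

def evaluate(probes, expected, fail_after=3, latency_slo_ms=100):
    """Return per-server status, alerts and latency statistics for a probe log."""
    state = defaultdict(lambda: {"streak": 0, "latencies": [], "alerts": []})
    for t, server, qname, rcode, latency, answers in sorted(probes, key=lambda p: (p[0], p[1])):
        s = state[server]
        cause = failure_cause(rcode)
        if cause:
            s["streak"] += 1
            if s["streak"] == fail_after:        # alert once, when the run reaches the threshold
                s["alerts"].append(f"t={t}: down after {fail_after} consecutive failures, last cause {cause}")
            continue
        s["streak"] = 0
        s["latencies"].append(latency)
        if qname in expected and set(answers) != expected[qname]:
            s["alerts"].append(f"t={t}: unexpected answer for {qname}: {answers} (possible poisoning or hijack)")
    for server, s in state.items():
        s["status"] = "down" if s["streak"] >= fail_after else "up"
        if s["latencies"]:
            s["median_ms"] = median(s["latencies"])
            if s["median_ms"] > latency_slo_ms:
                s["alerts"].append(f"median latency {s['median_ms']} ms exceeds {latency_slo_ms} ms")
    return dict(state)
```

Running the three servers side by side is what makes the diagnosis quick: the name resolves fine on two of them, so a SERVFAIL run on the third is a server problem rather than a zone problem, while a server that is up and fast but returns a different address for a known name deserves the most urgent attention of all.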


By: Mabel Dawson