DNS in cloud services: Building Secure DNS schemas
Source: Internet
Author: User
Keywords: Security, Cloud services
In terms of security, the DNS solution in cloud computing is incomplete and relies heavily on the combination of people, processes, and technology. The vast majority of businesses that have migrated applications to the cloud have effectively outsourced all three of those areas. All the key technology sits with the cloud vendor, and cloud customers rely entirely on the provider to secure their information and infrastructure. Cloud customers must therefore take their lack of physical control into account and give providers very specific guidance on how DNS is to be managed and operated.
This article is the next in a series of reports on DNS and DNS attacks in cloud computing. It discusses the relevant countermeasures and offers guidance to cloud customers on what to require of their cloud providers in order to ensure a secure DNS architecture.
Signing zones with the DNS Security Extensions (DNSSEC) is an important first step, because DNSSEC provides data integrity for your zone files and allows DNSSEC-validating clients to confirm that the zone data is signed. Whether the zone signer can be trusted is another topic, but this is still a good start.
However, DNSSEC is only one component of a secure DNS architecture in the cloud. An equally important step is operating DNSSEC properly, which means that DNSSEC keys are managed correctly and the servers are adequately protected. Running DNSSEC only provides data integrity; it does not guarantee correct configuration, nor does it prevent zone operators from inserting false records (they can sign any record as long as they hold the key). It also does not stop common attacks such as buffer overflows, race conditions, and DoS attacks. In addition, managing DNSSEC-signed zones requires significant effort from the zone operators.
One of the major pitfalls of applying DNSSEC in cloud computing is that many security professionals are unfamiliar with DNSSEC and lack the knowledge needed to implement it successfully. Last year, Uncompiled.com published a study stating that more than half of the IT staff responsible for Internet security at the world's largest corporations had either not heard of DNSSEC or had only limited familiarity with it. This is not good news for cloud service providers (CSPs), which face widespread requirements for DNSSEC. Cloud customers should nevertheless still require DNSSEC zone signing.
In addition to DNSSEC zone signing, cloud service providers must also enable DNSSEC validation on the recursive resolvers that customers use for name resolution. It is unrealistic to expect individual applications to perform DNSSEC validation themselves. Both DNSSEC signing and DNSSEC validation need to be performed in the cloud environment, especially by providers offering IaaS solutions. In many cases the impact of DoS attacks can be mitigated to some extent by using anycast, and anycast is already used in the DNS services offered by most cloud providers; customers should nevertheless verify this for themselves. Like DNSSEC, anycast load distribution is one add-on component of an overall DNS security policy.
One possible solution to DNS problems in the cloud is to track and monitor the DNS zones hosted in IaaS cloud computing. This requires setting up a pair of servers for each instance and running the monitoring software on a hidden (stealth) server. Whenever a zone is updated, the monitoring software should examine the zone data so that it is easier to determine whether the change is legitimate. For example, a zone record whose IP address has changed should trigger an alert to the operator. With appropriate monitoring in place, these zones can be hosted on highly trustworthy servers in IaaS cloud computing.
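As an added illustration of the zone-monitoring approach described above (example code written for this page, not from the article or any product), the script below diffs two constructed snapshots of a zone and raises an alert for every record set that changed, appeared or disappeared. The "high" rating for A/AAAA changes is an assumed policy, and fetching the snapshots (for example by zone transfer) is left to the deployment.

```python
"""Zone-change monitor for an IaaS-hosted zone (added example, not from the article)."""
from collections import defaultdict

# Constructed snapshots of example.com. taken before and after a zone update.
ZONE_BEFORE = """\
www.example.com.   300 IN A  192.0.2.10
api.example.com.   300 IN A  192.0.2.20
mail.example.com.  300 IN MX 10 mx1.example.com.
mx1.example.com.   300 IN A  192.0.2.30
"""
ZONE_AFTER = """\
www.example.com.   300 IN A  198.51.100.7      ; address changed
api.example.com.   300 IN A  192.0.2.20
mail.example.com.  300 IN MX 10 mx1.example.com.
login.example.com. 300 IN A  203.0.113.9       ; new name appeared
"""
ADDRESS_TYPES = {"A", "AAAA"}  # assumed policy: address changes are rated high

def parse_zone(text):
    """Map (owner, type) -> set of rdata strings; comments after ';' are ignored."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records[(owner, rtype.upper())].add(" ".join(rdata))
    return records

def diff_zone(before, after):
    """Return one alert per record set that changed, appeared or vanished.
    Address (A/AAAA) changes are rated high because they redirect traffic."""
    alerts = []
    for owner, rtype in sorted(set(before) | set(after)):
        old, new = before.get((owner, rtype), set()), after.get((owner, rtype), set())
        if old == new:
            continue
        kind = "changed" if old and new else ("added" if new else "removed")
        alerts.append({"owner": owner, "type": rtype, "change": kind,
                       "old": sorted(old), "new": sorted(new),
                       "severity": "high" if rtype in ADDRESS_TYPES else "medium"})
    return alerts

def monitor(before_text=ZONE_BEFORE, after_text=ZONE_AFTER):
    """Compare two zone snapshots; a real monitor would pull them via AXFR or an API."""
    return diff_zone(parse_zone(before_text), parse_zone(after_text))

if __name__ == "__main__":
    for a in monitor():
        print(f"[{a['severity']}] {a['owner']} {a['type']} {a['change']}: {a['old']} -> {a['new']}")
```

In practice an allow list of expected edits (for example changes that match a ticket) would suppress known-good alerts so that only unexplained changes reach the operator.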
A successful cloud computing infrastructure requires a lot of time and effort from the IT and forensic teams of both the enterprise and the cloud service provider. One way to think about a cloud migration is as entering into a long-term partnership. The trust issues with vendors also call for an open relationship between customers and CSPs. Today's best practices in security management do not by themselves ensure that the same measures are implemented in the cloud. This means that, in most cases, customers and cloud service providers must work together to resolve new issues, understand new ideas, and accept new concepts. For this reason, the relationship between the two sides must be based on mutual trust and understanding, so that knowledge is shared on this new frontier.