Google Cloud DNS

DNS Security Disabled

Risk Level: High

Description

This plugin ensures that DNS Security (DNSSEC) is enabled on all managed zones.

DNS Security is a feature that authenticates all responses to domain name lookups. This prevents attackers from committing DNS hijacking or man-in-the-middle attacks.

About the Service

Google Cloud DNS:

The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but it prevents attackers from manipulating or poisoning the responses to DNS requests. For full DNSSEC protection, you must use a DNS resolver that validates signatures for DNSSEC-signed domains. You can enable validation for individual systems or for your local caching resolvers if you administer your network's DNS services.

Impact

DNS stands for Domain Name System. Although DNS is not directly related to your Internet speed, it can influence how quickly an individual web page appears on your computer. Once a connection has been established, however, it should not affect download speeds. Changing your router's DNS servers can nonetheless help improve your overall speed. This plugin is meant to ensure that DNS Security is enabled on all managed zones. DNS Security is a feature that authenticates all responses to domain name lookups. This prevents attackers from committing DNS hijacking or man-in-the-middle attacks. The recommended action is to ensure DNSSEC is enabled for all managed zones in the Cloud DNS service.

Steps to Reproduce

Using GCP Console:

To determine whether Domain Name System (DNS) Security is enabled on all managed zones, follow the steps below:

  1. Sign in to the Google Cloud Platform Console with an administrator account.
  2. From the top navigation bar, select the GCP Project you want to investigate.
  3. In the Navigation Menu on the left, locate the Networking section.
  4. Click on the Network Services subsection under Networking.
  5. In the Network Services navigation panel, locate Cloud DNS.
  6. Click on the Cloud DNS navigation link. The Cloud DNS page will appear.
  7. On the Cloud DNS page, click on the Zones tab at the top of the page to list all the zones in Google Cloud DNS for your GCP Project.
  8. The list of all the DNS managed zones will be displayed. Choose the “zone name” of the zone you want to examine.
  9. Check the DNSSEC column in the zone table.
  10. If the value of the DNSSEC attribute is set to OFF, DNS security is not enabled for that zone in your current GCP project.
  11. Repeat steps 8-10 for the other zones in your GCP Project.
  12. Repeat the steps above for the other GCP projects/folders in your organization.

Steps for Remediation

Using GCP Console:

To enable Domain Name System (DNS) Security on all managed zones in your Google Cloud Platform (GCP) project, follow the steps below:

  1. Sign in to the Google Cloud Platform Console with an administrator account.
  2. From the top navigation bar, select the GCP Project you want to investigate.
  3. In the Navigation Menu on the left, locate the Networking section.
  4. Click on the Network Services subsection under Networking.
  5. In the Network Services navigation panel, locate Cloud DNS.
  6. Click on the Cloud DNS navigation link. The Cloud DNS page will appear.
  7. On the Cloud DNS page, click on the Zones link at the top of the page to list all the zones in Google Cloud DNS for your GCP Project.
  8. The list of all the zones will be displayed. Choose the “zone name” of the zone you want to examine.
  9. Check the DNSSEC column in the zone table.
  10. If the value of the DNSSEC attribute is set to OFF, DNS security is not enabled for that zone in your current GCP project.
  11. To enable DNS security for that zone, click on the zone name. A new page with all the details of that zone will be displayed.
  12. Click on the Edit option in the top navigation bar. A new Edit page will open.
  13. On the Edit page, find the DNSSEC box at the bottom and click on it.
  14. Choose the ON option from the three choices given. This will enable the DNS security services.
  15. Click on the SAVE button to update the configuration and go back to the previous page.
  16. Repeat steps 8-15 for the other zones in your GCP Project.
  17. Repeat the steps above for the other GCP projects/folders in your organization.
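
The console check and remediation steps above can also be scripted. The following is an added example, not part of the original page: it reads the JSON produced by `gcloud dns managed-zones list --format=json`, classifies every zone by its DNSSEC state, and prints the `gcloud` command that switches DNSSEC on for each failing zone. The zone names, domains and the project ID `my-project` are constructed for illustration.

```python
import json
import shlex

# Constructed sample of `gcloud dns managed-zones list --format=json` output.
# Zone names, domains and the project ID below are made up for illustration.
SAMPLE_ZONES_JSON = """[
 {"name": "corp-public", "dnsName": "example.com.", "visibility": "public",
  "dnssecConfig": {"state": "on"}},
 {"name": "legacy-public", "dnsName": "example.org.", "visibility": "public",
  "dnssecConfig": {"state": "off"}},
 {"name": "never-configured", "dnsName": "example.net.", "visibility": "public"},
 {"name": "migrating", "dnsName": "example.edu.", "visibility": "public",
  "dnssecConfig": {"state": "transfer"}},
 {"name": "internal", "dnsName": "corp.example.", "visibility": "private"}
]"""


def audit_zones(zones_json, project):
    """Return one finding per zone: PASS, FAIL (with fix command), REVIEW or SKIP."""
    findings = []
    for zone in json.loads(zones_json):
        name, fix = zone["name"], None
        # dnssecConfig may be missing or null on zones that were never configured.
        state = ((zone.get("dnssecConfig") or {}).get("state") or "off").lower()
        if zone.get("visibility", "public") == "private":
            status = "SKIP"      # Cloud DNS DNSSEC applies to public zones only
        elif state == "on":
            status = "PASS"
        elif state == "transfer":
            status = "REVIEW"    # signed, but in the mode meant for migrations
        else:
            status = "FAIL"      # "off", or no DNSSEC configuration at all
            fix = "gcloud dns managed-zones update {} --project={} --dnssec-state=on".format(
                shlex.quote(name), shlex.quote(project))
        findings.append({"zone": name, "state": state, "status": status, "fix": fix})
    return findings


def failing_zones(findings):
    """Names of the zones that still need DNSSEC switched on."""
    return [f["zone"] for f in findings if f["status"] == "FAIL"]


if __name__ == "__main__":
    results = audit_zones(SAMPLE_ZONES_JSON, "my-project")  # hypothetical project ID
    for f in results:
        print("{:<6} {:<18} dnssec={}".format(f["status"], f["zone"], f["state"]))
        if f["fix"]:
            print("       fix: " + f["fix"])
    raise SystemExit(1 if failing_zones(results) else 0)
```

The script exits non-zero when any public zone fails, so it can gate a scheduled job or CI check across projects.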