What is DNS Protection?
DNS Protection is the concept of protecting the DNS service as a whole, sometimes with an emphasis on security. DNS protection can be split into roughly two (2) categories: protection of the DNS service itself, and protection of the security posture overall. DNS Protection is not an industry standard term; depending on the context, it may mean different things to different people.
Protect DNS Service
In this context, DNS Protection refers to protecting the integrity and availability of the DNS service itself, making it highly available to end users. This could include employing technologies such as anycast, load balancing, and other high availability and redundancy techniques to achieve and maintain the availability of the DNS service.
Part of the protection involves making configuration and design changes to protect your own DNS service, such as following the Best Practices by creating separate DNS views, maintain an online backup, run authoritative DNS servers in DMZ, disable or limit recursion, etc. Configurations such as disabling open recursion and enable Response Rate Limiting (RRL) help protect not only your own DNS services but other people’s as well, by reducing the effectiveness of amplification and reflection attacks.
DNS is a target to many types of probing attacks. Attackers and researchers alike routinely send crafted packets to DNS servers, hoping to discover additional vulnerabilities or to exploit existing ones. This comes down to the specific implementation of DNS by the vendor, and how well the administrators kept up with software and system updates. Some vendors, such as Infoblox, provide hardened appliance models that are designed to withstand probes, protocol anomalies, and volumetric attacks. Guarding against these attacks may involve coordination of firewall, network, and DNS devices to work together.
After the announcement by Department of Homeland Security (DHS) on DNS infrastructure tampering1, some people are now expanding the definition of DNS Protection to include not only the availability of the DNS service itself but also the correctness of the dataset housed in DNS.
Protect Security Posture
In this context, DNS Protection refers to the protection of other resources through the means of DNS. One of the most basic examples is the use of Response Policy Zones (RPZ) in recursive name servers. RPZ alters the behavior of recursive name servers, to stop answering queries for known “bad” domain names: perhaps it is associated with ransomware, or it is operating a known phishing scheme, or just has a bad online reputation. This does not protect the DNS service itself, but it protects the end clients who use DNS.
As more and more malware uses DNS as its first step to executing an attack, stopping the first step may prevent the rest of the attack from happening entirely. This was the case for the WannaCry ransomware, where the ransomware relied on making some specific DNS lookups before launching the attack. When researchers registered these domain names and essentially disabled the lookups, it stopped the damage done by the ransomware. Some people also referred to this type of preventative measure as DNS Protection. We probably will not get so lucky again to have such an easy “kill switch” built-in, but it is commonplace today that malware uses DNS as a transport to communicate with the Command-and-Control server(s), to update itself, to propagate to other devices, or to upload stolen information.
The last category is especially difficult to detect and brings corporate espionage to a whole new level. Client devices could house special software that makes outbound DNS connections that appear innocent to the human eye, and only through sophisticated computer algorithms and machine-learning can these patterns be detected. To learn more about DNS data exfiltration, click here.
DNS may aid in identifying security risks, such as a device stealing corporate secrets or that is infected with ransomware. But the stopping and remediation mechanism may sometimes involve integration and automation with other devices, such as a firewall or a security scanner. This integration part is rarely referred to as DNS Protection, it is often referred to as DNS Security Automation.
1 See the 2019 emergency directive here: https://cyber.dhs.gov/ed/19-01/
