{"id":4687,"date":"2010-06-01T12:41:56","date_gmt":"2010-06-01T19:41:56","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=4687"},"modified":"2020-05-06T10:31:46","modified_gmt":"2020-05-06T17:31:46","slug":"dns-as-security-enforcement","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/","title":{"rendered":"DNS As Security Enforcement"},"content":{"rendered":"<p>The Domain Name System was originally used as the Internet&#8217;s naming service; that much isn&#8217;t contentious.\u00a0Over the years, though, clever people have found all sorts of new applications for DNS.\u00a0DNS&#8217;s ubiquity, distributed management and (relatively) easy extensibility made it an obvious target for new uses, including blacklists of various types, storage of email authentication and authorization data, and more.\u00a0Much more.<\/p>\n<p>One of these novel applications of DNS is its use to enhance client security.\u00a0David Ulevitch and his gang at\u00a0<a href=\"http:\/\/www.opendns.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">OpenDNS<\/a>\u00a0are pioneers in this area:\u00a0Their service can restrict access to content by domain name, so that if one of your employees or students tries to visit\u00a0<a href=\"http:\/\/www.hotmamas.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.hotmamas.com\/<\/a>, they&#8217;re directed to a page that says, in effect, tsk, tsk, no you don&#8217;t.\u00a0(Note to Infoblox IT:\u00a0I loaded that URL solely to make sure I wasn&#8217;t leading users somewhere unsavory, please don&#8217;t have me fired.)\u00a0Or if malware on your computer tries to surreptitiously resolve the domain name of its command-and-control channel to an IP address to ask SMERSH headquarters for orders, OpenDNS can prevent it and alert you or the administrator of your network that your computer has been infected.\u00a0Very handy.<\/p>\n<p>Some DNS purists, however, argue that this is a 
perversion of DNS&#8217;s mission.\u00a0DNS, they argue, is a naming system, and the wrong place to implement policy.\u00a0Leave it to firewalls and proxies and such to make those decisions. Besides, they&#8217;d say, using DNS to enforce security policies doesn&#8217;t provide the necessary granularity of control.\u00a0You can only say yea or nay to an entire domain name, no matter how many web pages are offered by the server with that domain name.<\/p>\n<p>Honestly, I can see their point:\u00a0In an ideal world, some piece of security infrastructure would be responsible for implementing security policy (duh) and the naming service would be left to return information without regard to policy.\u00a0But the pragmatist in me knows how many organizations can&#8217;t afford that expensive security infrastructure and wouldn&#8217;t have the manpower or expertise to administer it even if they could.\u00a0It&#8217;s no good to simply leave those folks to the wolves while those of us who work for organizations that can afford commercial security products sleep soundly inside our gated Internet subdivision.\u00a0DNS, it turns out, can be a cheap, effective place to enforce security policy and, like it or not, folks are going to use it to do that.<\/p>\n<p>I&#8217;m interested in hearing your opinion, too.\u00a0Do you think we ought to leave DNS alone, or is it okay to adapt it to add capabilities that the founding fathers might never have envisioned?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Domain Name System was originally used as the Internet&#8217;s naming service; that much isn&#8217;t contentious.\u00a0Over the years, though, clever people have found all sorts of new applications for DNS.\u00a0DNS&#8217;s ubiquity, distributed management and (relatively) easy extensibility made it an obvious target for new uses, including blacklists of various types, storage of email authentication and authorization 
[&hellip;]<\/p>\n","protected":false},"author":178,"featured_media":2565,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[2],"tags":[30,230,16,15],"class_list":{"0":"post-4687","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security","8":"tag-dns","9":"tag-domains","10":"tag-infoblox","11":"tag-security","12":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>DNS As Security Enforcement<\/title>\n<meta name=\"description\" content=\"The Domain Name System was originally used as the Internet&#039;s naming service that much isn&#039;t contentious.\u00a0\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DNS As Security Enforcement\" \/>\n<meta property=\"og:description\" content=\"The Domain Name System was originally used as the Internet&#039;s naming service that much isn&#039;t contentious.\u00a0\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2010-06-01T19:41:56+00:00\" \/>\n<meta 
property=\"article:modified_time\" content=\"2020-05-06T17:31:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/march-31-2.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"660\" \/>\n\t<meta property=\"og:image:height\" content=\"454\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Cricket Liu\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Cricket Liu\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-as-security-enforcement\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-as-security-enforcement\\\/\"},\"author\":{\"name\":\"Cricket Liu\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/bb6b62b1b99a7cbcd7c528d5763778d5\"},\"headline\":\"DNS As Security 
Enforcement\",\"datePublished\":\"2010-06-01T19:41:56+00:00\",\"dateModified\":\"2020-05-06T17:31:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-as-security-enforcement\\\/\"},\"wordCount\":457,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-as-security-enforcement\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/march-31-2.jpg\",\"keywords\":[\"DNS\",\"Domains\",\"Infoblox\",\"Security\"],\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-as-security-enforcement\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-as-security-enforcement\\\/\",\"name\":\"DNS As Security Enforcement\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-as-security-enforcement\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-as-security-enforcement\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/march-31-2.jpg\",\"datePublished\":\"2010-06-01T19:41:56+00:00\",\"dateModified\":\"2020-05-06T17:31:46+00:00\",\"description\":\"The Domain Name System was originally used as the Internet's naming service that much isn't 
contentious.\u00a0\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-as-security-enforcement\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-as-security-enforcement\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-as-security-enforcement\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/march-31-2.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/march-31-2.jpg\",\"width\":660,\"height\":454,\"caption\":\"IPv6 Security Vulnerability Scanning\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/dns-as-security-enforcement\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"DNS As Security 
Enforcement\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/bb6b62b1b99a7cbcd7c528d5763778d5\",\"name\":\"Cricket Liu\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/cricket-new-96x96.jpg\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/cricket-new-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/cricket-new-96x96.jpg\",\"caption\":\"Cricket Liu\"},\"description\":\"Cricket is one of the world\u2019s leading experts on the Domain Name System (DNS) and serves as the liaison between Infoblox and the DNS 
community. Before joining Infoblox, he founded an internet consulting and training company, Acme Byte &amp; Wire, after running the hp.com domain at Hewlett-Packard. Cricket is a prolific speaker and author, having written a number of books including \u201cDNS and BIND,\u201d one of the most widely used references in the field, now in its fifth edition.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/cricket-liu\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"DNS As Security Enforcement","description":"The Domain Name System was originally used as the Internet's naming service that much isn't contentious.\u00a0","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/","og_locale":"en_US","og_type":"article","og_title":"DNS As Security Enforcement","og_description":"The Domain Name System was originally used as the Internet's naming service that much isn't contentious.\u00a0","og_url":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/","og_site_name":"Infoblox Blog","article_published_time":"2010-06-01T19:41:56+00:00","article_modified_time":"2020-05-06T17:31:46+00:00","og_image":[{"width":660,"height":454,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/march-31-2.jpg","type":"image\/jpeg"}],"author":"Cricket Liu","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Cricket Liu","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/"},"author":{"name":"Cricket Liu","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/bb6b62b1b99a7cbcd7c528d5763778d5"},"headline":"DNS As Security Enforcement","datePublished":"2010-06-01T19:41:56+00:00","dateModified":"2020-05-06T17:31:46+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/"},"wordCount":457,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/march-31-2.jpg","keywords":["DNS","Domains","Infoblox","Security"],"articleSection":["Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/","url":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/","name":"DNS As Security Enforcement","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/march-31-2.jpg","datePublished":"2010-06-01T19:41:56+00:00","dateModified":"2020-05-06T17:31:46+00:00","description":"The Domain Name System was originally used as the Internet's naming service that much isn't 
contentious.\u00a0","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/march-31-2.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/march-31-2.jpg","width":660,"height":454,"caption":"IPv6 Security Vulnerability Scanning"},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/security\/dns-as-security-enforcement\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/www.infoblox.com\/blog\/category\/security\/"},{"@type":"ListItem","position":3,"name":"DNS As Security 
Enforcement"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/bb6b62b1b99a7cbcd7c528d5763778d5","name":"Cricket Liu","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/cricket-new-96x96.jpg","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/cricket-new-96x96.jpg","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/cricket-new-96x96.jpg","caption":"Cricket Liu"},"description":"Cricket is one of the world\u2019s leading experts on the Domain Name System (DNS) and serves as the liaison between Infoblox and the DNS community. Before joining Infoblox, he founded an internet consulting and training company, Acme Byte &amp; Wire, after running the hp.com domain at Hewlett-Packard. 
Cricket is a prolific speaker and author, having written a number of books including \u201cDNS and BIND,\u201d one of the most widely used references in the field, now in its fifth edition.","url":"https:\/\/www.infoblox.com\/blog\/author\/cricket-liu\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/4687","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/178"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=4687"}],"version-history":[{"count":1,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/4687\/revisions"}],"predecessor-version":[{"id":4688,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/4687\/revisions\/4688"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/2565"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=4687"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=4687"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=4687"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}