DNS is the Rodney Dangerfield of network security. DNS is typically viewed as a fine method for a post-incident investigation, but that\u2019s about all. In truth, given the reality of the threat environment, DNS can save money, accelerate blocking attacks and defend against a wide range of DNS-specific attacks that can\u2019t be blocked any other way.<\/p>\n
Let\u2019s start with cost reduction. Deployed properly, a DNS defense will block attacks at the DNS level, long before other areas of the enterprise environment are touched. That means fewer attacks for the firewall and other traditional defenses to fight. When the volume drops low enough, we have seen IT teams be able to repurpose some of their hardware firewalls as replacement units. In other words, by taking the load off of devices and applications, depending on how those systems charge, the ROI and cost-savings are quite real.<\/p>\n
Anthony James, a VP for product marketing at Infoblox, said that he sees that kind of load reduction often.<\/p>\n
\u201cI get a DNS query going to a DNS server. If the DNS server says, \u2018You know what? Where you\u2019re going is bad. I\u2019m not going to give you the address to contact.\u2019 That means my firewall never saw it. My cloud security platform never saw it. \u201d James said during a recent podcast. \u201cI\u2019ve now saved a bunch of cycles by eliminating problematic network traffic\u201d. In addition, I may be able to avoid overage charges from my cloud security platform. \u201cI\u2019ve also reduced my firewall (load) because it reduced the burden of having to send traffic.\u201d<\/p>\n
Bob Hansmann, an Infoblox senior product marketing manager who was on that same podcast, said the nature of those other networking security mechanisms is what fuels this cost-savings.<\/p>\n
\u201cWhen they start doing more and more on that box, now it\u2019s going to be built for maximum I\/O. It\u2019s going to be built for maximum CPU analysis, maximum amount of RAM to cache things to be analyzed. They get very expensive,\u201d Hansmann said. \u201cI recall a company that had a rack of firewalls when they started blocking at the DNS level. Their load was so low, they said \u2018Hey, guess what? We got a couple of brand-new cold spares.\u2019 There was hardly any malware to analyze anymore.\u201d<\/p>\n
James agreed. <\/p>\n
\u201cWe all know that with firewalls, the size is based on how much traffic it can handle. If we say that the top 5 percent (of the traffic) is malicious, a firewall has to do more work to process that because it\u2019s inspecting the traffic. But let\u2019s say I took that 5 percent and the DNS said \u2018You know what? I\u2019m not even going to send it to the firewall.\u2019 Now my processing is down,\u201d James said. \u201cThe more you can process at the DNS layer, that saves a firewall from having to accept the request in the first place. You\u2019ve just saved resources on the firewall. I don\u2019t have to upgrade it later. Or I can decommission a firewall because I\u2019ve saved so much traffic and use it as a spare.\u201d<\/p>\n
The sad truth is that attackers tend to be better financed than defenders (CISO teams), have more patience than defenders and are often better at watching their opponents than CISO teams are.<\/p>\n
Case in point: the DNS space still has elements of the Wild West, with hardly anyone truly watching what is going on. As James has said, \u201cNo one really inspects the content of a DNS query. They just assume that it\u2019s a valid query.\u201d<\/p>\n
Once the bad guys figured that out, they started launching a wide range of attacks in the DNS space, disguising their attacks as innocuous queries. <\/p>\n
Many years ago, when the Internet was in its infancy, it may have been possible to access services via static IP addresses, but that is no longer feasible. \u201cWe have all these other fancy tools that do load balancing and things like that. And there are services that rely heavily on a domain name versus a static IP address,\u201d James said. \u201cAttackers are leveraging DNS as this kind of open communication channel, because no one checks it. Firewalls, proxies, advanced malware detection tools, CASBs look at DNS as just a way to translate something from a good name that we can remember to an IP address. But the attackers have realized that they can start sending command and control communications through the DNS channel because no one cares. It\u2019s become this open channel of misuse that needs to be protected.\u201d<\/p>\n
And that situation can get a lot worse.<\/p>\n
\u201cIf I\u2019m an attacker, I\u2019ve now got this open channel of communication to my endpoints that I\u2019m controlling. So, I can either send commands or I can take data out and I can do whatever I need to do. Using DNS is like a party line. For an attacker, this is fantastic. I can get in. I can do what I want,\u201d James argued. \u201cNow as an enterprise, if you want to protect yourself, well, let\u2019s start doing some stuff on DNS. Now we\u2019ve compounded the issue because the standards bodies have said, you know what, DNS should be protected because if you see a DNS query on the open, you can kind of assume where people are traveling and that creates some privacy issues. So, let\u2019s implement DNS over TLS or DNS over HTTPS. So now that channel is not only open to the attackers, it is now encrypted from inside the network. So, the endpoint that got infected is now using DNS over HTTPS on TCP port 443. So the traffic is encrypted all the way out to wherever the attacker wants it to go and you as an enterprise are now blind to the fact that this channel is open.\u201d James went on to point out that just using a static list of known bad domains is no longer sufficient. What is required to keep up with attackers is to have visibility into this communication channel and to apply AI and machine learning. Attackers continue to increase the sophistication of their attacks, trying to spread traffic across multiple different domain names or other \u201csophisticated DNS manipulation to get around threat intel.\u201d<\/p>\n
A fact of modern-day cybersecurity is that when an enterprise is under an active attack, speed is essential. You only have X minutes to learn everything you can about the attack, decide what to do and try and do it before the attackers can complete their evil plan.<\/p>\n
The beauty of a DNS defense is that, due to the very nature of DNS, it is the earliest point where an attack can be detected and blocked. That buys the SOC valuable minutes to do what they have to do.<\/p>\n
\u201cEvery device on the network, if it has to communicate to an outside entity, requires DNS, and this is the absolute pure value of DNS as a security control because it\u2019s a giant blanket over everything. We always talk about computers, servers, laptops, smart devices, phones and iPads, and so forth. They all use DNS as they browse different types of outside locations.\u201d \u201cThink about an IoT device: a thermostat, an ATM going to a management platform uses IP communications and DNS, OT technology even though the OT might be a particular protocol like SCADA, the management platform is probably IP and is going to [use] DNS. What do you do for this particular type of unique infrastructure?\u201d James said. \u201cThey\u2019re all going to use a centralized DNS infrastructure.\u201d \u201cIt\u2019s such an easy process where you can say \u2018Well, I already have DNS configured.\u2019\u201d \u201cYou just add some additional intelligence on that, or you have that redirect to another DNS server that has the intelligence, you\u2019re done for everything on your network.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"
DNS is the Rodney Dangerfield of network security. DNS is typically viewed as a fine method for a post-incident investigation, but that\u2019s about all. In truth, given the reality of the threat environment, DNS can save money, accelerate blocking attacks and defend against a wide range of DNS-specific attacks that can\u2019t be blocked any other […]<\/p>\n","protected":false},"author":332,"featured_media":7110,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[2],"tags":[30,360,16,201,32,413,252,407,754],"class_list":{"0":"post-7969","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security","8":"tag-dns","9":"tag-dns-security","10":"tag-infoblox","11":"tag-firewall","12":"tag-malware","13":"tag-dot","14":"tag-doh","15":"tag-soc","16":"tag-port-53","17":"entry"},"acf":[],"yoast_head":"\n