DNS is mandatory to access the Internet as it is the link between networks and applications. DNS is also the veins of your organization, so it’s a popular place to focus on getting information out, as it’s open in a lot of organizations, and frankly, often ignored. Hackers have well understood this: now over 90% of malware uses DNS in the cyber kill chain.*
On the other hand, it has been common for organizations in the banking and defense sectors to have isolated DNS to provide some “security by obscurity”. In other words, all potential DNS queries are answered by internal DNS servers because the organization has configured its own DNS to act like the whole Internet.
It means that an internal query for www.infoblox.com would get a Non-Existent domain (NXDOMAIN) reply and the same for APT or malware call homes like malwarec2c.info.
Over the years, some organizations have had to create thousands of records in this root zone to deal with exceptions for some financial, news or security solutions. Maintenance of these exceptions can be very time consuming and is reactive.
But, over the last two years, a clear trend has appeared: a rising number of these organizations have removed their internal root zone and opened DNS recursion to use Internet DNS for external queries.
The reason for that? SaaS & Cloud initiatives.
A couple of examples clearly illustrate this:
Office 365
Microsoft recommends not using a web proxy with Office 365**. The implication of this is that end hosts should be able to resolve DNS names associated with Office 365 resources using recursion querying Internet DNS.
Amazon AWS
When using Amazon Elastic Load Balancing, a load balanced IP address changes approximately every day***. When you rely on internet DNS resolution it is unnoticeable, but if you have an internal root, some organizations had to change the IP for all the records associated with an Amazon ELB each day.
So, removing this internal root zone opens the network to successfully communicating with SaaS & Cloud services, but the change needs to be carefully prepared:
1) Regarding the recursion flow. It is important to make sure that central internal DNS systems have the authority or conditional forwarding for all the internal zones. If not, these requests will flow to the Internet resulting in inaccurate replies and consequently impacting applications. This can also be a security issue since these requests reveal information about internal infrastructures and applications.
2) Regarding security. To address the risks of malware and APT DNS call home, DNS infiltration and tunneling, Fastflux & DGA that were the reason for implementing an internal root, it is critical to secure your DNS with reputation, signature and behavioral based security.
- Reputation to block known malware that uses DNS (more than 90%) for communication such as call home.
- Signature to drop known tunneling solutions.
- Behavioral analysis to detect and mitigate 0-day threats, infiltration/exfiltration, tunneling, FastFlux & DGA (more info here: https://www.facebook.com/Infobloxinc/videos/1892955797387222).
Infoblox can help you to build a robust DNS architecture as we have done for thousands of our customers, to make sure that your core services support your IT initiatives *securely*. Please contact us if you want to discuss this further.
References
* Source: Cisco 2016 Annual Security Report
***https://stackoverflow.com/questions/3821333/amazon-ec2-elastic-load-balancer-does-its-ip-ever-change
To get more context about the role of DNS in data exfiltration check out the SANS survey
