DNS is the Rodney Dangerfield of network security. DNS is typically viewed as a fine method for a post-incident investigation, but that’s about all. In truth, given today’s threat environment, DNS can save money, speed up the blocking of attacks and defend against a wide range of DNS-specific attacks that can’t be blocked any other way.
Let’s start with cost reduction. Deployed properly, a DNS defense blocks attacks at the DNS level, long before other parts of the enterprise environment are touched. That means fewer attacks for the firewall and other traditional defenses to fight. When the volume drops low enough, we have seen IT teams repurpose some of their hardware firewalls as spare units. In other words, by taking load off devices and applications (and, for cloud services, off whatever usage the provider bills for), the ROI and cost savings are quite real.
Anthony James, a VP for product marketing at Infoblox, said that he sees that kind of load reduction often.
THE MAGIC OF DNS COST-SAVINGS
“I get a DNS query going to a DNS server. If the DNS server says, ‘You know what? Where you’re going is bad. I’m not going to give you the address to contact,’ that means my firewall never saw it. My cloud security platform never saw it,” James said during a recent podcast. “I’ve now saved a bunch of cycles by eliminating problematic network traffic. In addition, I may be able to avoid overage charges from my cloud security platform. I’ve also reduced my firewall (load) because it reduced the burden of having to send traffic.”
Bob Hansmann, an Infoblox senior product marketing manager who was on that same podcast, said the nature of those other networking security mechanisms is what fuels this cost-savings.
“When they start doing more and more on that box, now it’s going to be built for maximum I/O. It’s going to be built for maximum CPU analysis, maximum amount of RAM to cache things to be analyzed. They get very expensive,” Hansmann said. “I recall a company that had a rack of firewalls when they started blocking at the DNS level. Their load was so low, they said ‘Hey, guess what? We got a couple of brand-new cold spares.’ There was hardly any malware to analyze anymore.”
James agreed.
“We all know that with firewalls, the size is based on how much traffic it can handle. If we say that the top 5 percent (of the traffic) is malicious, a firewall has to do more work to process that because it’s inspecting the traffic. But let’s say I took that 5 percent and the DNS said ‘You know what? I’m not even going to send it to the firewall.’ Now my processing is down,” James said. “The more you can process at the DNS layer, that saves a firewall from having to accept the request in the first place. You’ve just saved resources on the firewall. I don’t have to upgrade it later. Or I can decommission a firewall because I’ve saved so much traffic and use it as a spare.”
BAD GUYS TAKE ADVANTAGE OF THE FACT THAT HARDLY ANYONE WATCHES THE DNS SPACE CAREFULLY
The sad truth is that attackers tend to be better financed than defenders (CISO teams), have more patience and are often better at watching their opponents than CISO teams are.
Case in point: the DNS space still has elements of the Wild West, with hardly anyone truly watching what is going on. As James has said, “No one really inspects the content of a DNS query. They just assume that it’s a valid query.”
Once the bad guys figured that out, they started launching a wide range of attacks in the DNS space, disguising them as innocuous queries.
Many years ago, when the Internet was in its infancy, it may have been possible to access services via static IP addresses, but that is no longer feasible. “We have all these other fancy tools that do load balancing and things like that. And there are services that rely heavily on a domain name versus a static IP address,” James said. “Attackers are leveraging DNS as this kind of open communication channel, because no one checks it. Firewalls, proxies, advanced malware detection tools, CASBs look at DNS as just a way to translate something from a good name that we can remember to an IP address. But the attackers have realized that they can start sending command and control communications through the DNS channel because no one cares. It’s become this open channel of misuse that needs to be protected.”
And that situation can get a lot worse.
“If I’m an attacker, I’ve now got this open channel of communication to my endpoints that I’m controlling. So, I can either send commands or I can take data out and I can do whatever I need to do. Using DNS is like a party line. For an attacker, this is fantastic. I can get in. I can do what I want,” James argued. “Now as an enterprise, if you want to protect yourself, well, let’s start doing some stuff on DNS. Now we’ve compounded the issue because the standards bodies have said, you know what, DNS should be protected because if you see a DNS query on the open, you can kind of assume where people are traveling and that creates some privacy issues. So, let’s implement DNS over TLS or DNS over HTTPS. So now that channel is not only open to the attackers, it is now encrypted from inside the network. So, the endpoint that got infected is now using DNS over HTTPS on TCP port 443. So the traffic is encrypted all the way out to wherever the attacker wants it to go and you as an enterprise are now blind to the fact that this channel is open.” James went on to point out that just using a static list of known bad domains is no longer sufficient. What is required to keep up with attackers is to have visibility into this communication channel and to apply AI and machine learning. Attackers continue to increase the sophistication of their attacks, trying to spread traffic across multiple different domain names or other “sophisticated DNS manipulation to get around threat intel.”
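The two ideas above, blocking at the DNS layer before the firewall ever sees the traffic, and looking at the content of queries rather than trusting a static list of bad domains, can be shown together with a small resolver-side policy filter. The following is an added example written for this article, not Infoblox code or any product’s implementation; the blocklist entries, the log format, the threshold values and the sample queries are all constructed for illustration and would be tuned against a real resolver’s baseline.

```python
"""Toy DNS-layer policy filter: a blocklist (standing in for a threat-intel feed)
plus simple heuristics that flag queries that look like data tunnelling.
Added example for this article; not Infoblox code. Domains and log lines are constructed."""
import math
from collections import Counter

# Constructed blocklist standing in for a threat-intel / response-policy feed (hypothetical names).
BLOCKLIST = {"bad-domain.example", "c2.invalid"}

# Heuristic thresholds (assumed values for illustration; tune against your own baseline).
MAX_LABEL_LEN = 40       # a single label longer than this is rare in legitimate names
MAX_LABEL_COUNT = 6      # e.g. a.b.c.d.e.f.example.com
ENTROPY_THRESHOLD = 3.8  # bits per character over the subdomain portion
MIN_ENTROPY_LEN = 20     # only judge entropy on enough characters to be meaningful


def normalize(qname):
    """Lower-case and strip the trailing dot so 'WWW.Example.COM.' == 'www.example.com'."""
    return qname.rstrip(".").lower()


def shannon_entropy(text):
    """Shannon entropy in bits per character; 0.0 for empty input."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def in_blocklist(qname):
    """True if the name or any parent domain is listed (sub.bad-domain.example matches bad-domain.example)."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def classify(qname):
    """Return (verdict, reason): 'block', 'review' or 'allow'."""
    name = normalize(qname)
    labels = name.split(".")
    if in_blocklist(name):
        return "block", "blocklist"
    if max(len(label) for label in labels) > MAX_LABEL_LEN:
        return "review", "long-label"
    if len(labels) > MAX_LABEL_COUNT:
        return "review", "many-labels"
    # Everything left of the last two labels is treated as the caller-controlled subdomain portion,
    # which is where encoded data tends to be carried.
    subdomain = "".join(labels[:-2])
    if len(subdomain) >= MIN_ENTROPY_LEN and shannon_entropy(subdomain) > ENTROPY_THRESHOLD:
        return "review", "high-entropy"
    return "allow", None


def parse_query_log(line):
    """Parse a constructed log line '<timestamp> <client> <qname> <qtype>'; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return {"ts": parts[0], "client": parts[1], "qname": parts[2], "qtype": parts[3]}


def triage(lines):
    """Classify each log line and return per-verdict counts plus the flagged entries."""
    counts = {"block": 0, "review": 0, "allow": 0, "malformed": 0}
    flagged = []
    for line in lines:
        rec = parse_query_log(line)
        if rec is None:
            counts["malformed"] += 1
            continue
        verdict, reason = classify(rec["qname"])
        counts[verdict] += 1
        if verdict != "allow":
            flagged.append((rec["client"], normalize(rec["qname"]), verdict, reason))
    return counts, flagged


# Constructed sample resolver log (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 www.example.com A",
    "2024-05-01T10:00:01Z 10.0.0.5 bad-domain.example A",
    "2024-05-01T10:00:02Z 10.0.0.9 update.c2.invalid. TXT",
    "2024-05-01T10:00:03Z 10.0.0.9 x7k2m9q4w1e8r5t3y6u0i2o5p8a1s4d7f0g3h6j9k2l5z8c1v4b7n0.data.example TXT",
    "garbage line",
]

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG)
    print(counts)
    for entry in flagged:
        print(entry)
```

A "block" verdict is where the resolver would answer with a policy response instead of the real address, so the firewall and cloud proxy never see the connection; a "review" verdict is the kind of query-content signal the article says nobody inspects, and in practice it would feed a SOC queue or a model rather than block outright, since long or random-looking labels also occur in legitimate CDN and telemetry names.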
SPEED IS CRITICAL WHEN DEFENDING AGAINST AN ACTIVE ATTACK, AND DNS WILL SEE THE ATTACK FIRST
A fact of modern-day cybersecurity is that when an enterprise is under an active attack, speed is essential. You only have X minutes to learn everything you can about the attack, decide what to do and try to do it before the attackers can complete their evil plan.
The beauty of a DNS defense is that, due to the very nature of DNS, it is the earliest point where an attack can be detected and blocked. That buys the SOC valuable minutes to do what they have to do.
“Every device on the network, if it has to communicate to an outside entity, requires DNS, and this is the absolute pure value of DNS as a security control because it’s a giant blanket over everything. We always talk about computers, servers, laptops, smart devices, phones and iPads, and so forth. They all use DNS as they browse different types of outside locations,” James said. “Think about an IoT device: a thermostat, an ATM going to a management platform uses IP communications and DNS. OT technology, even though the OT might be a particular protocol like SCADA, the management platform is probably IP and is going to [use] DNS. What do you do for this particular type of unique infrastructure? They’re all going to use a centralized DNS infrastructure. It’s such an easy process where you can say ‘Well, I already have DNS configured.’ You just add some additional intelligence on that, or you have that redirect to another DNS server that has the intelligence, and you’re done for everything on your network.”