DNS is the Rodney Dangerfield of network security: it gets no respect. It is typically viewed as a useful data source for post-incident investigation, but that’s about all. In truth, given today’s threat environment, DNS can save money, block attacks earlier than any other control and defend against a range of DNS-specific attacks that can’t be blocked any other way.
Let’s start with cost reduction. Deployed properly, a DNS defense blocks attacks at the DNS level: a query for a known-malicious domain is answered with a sinkhole address or NXDOMAIN, so the connection is never attempted and the enterprise environment is never touched. That means fewer attacks for the firewall and other traditional defenses to fight. When the volume drops low enough, we have seen IT repurpose some of their hardware firewalls as replacement units. In other words, by taking load off devices and applications, and depending on how those systems are licensed or metered, the ROI and cost savings are quite real.
Anthony James, a VP for product marketing at Infoblox, said he sees that kind of load reduction often.
THE MAGIC OF DNS COST-SAVINGS
“I get a DNS query going to a DNS server. If the DNS server says, ‘You know what? Where you’re going is bad,’ that means my firewall never saw it. My cloud security platform never saw it. My endpoint didn’t even see it,” James said during a recent podcast. “I’ve now saved a bunch of cycles, network traffic, sometimes my cloud security platform charging me for overages. I’ve reduced my firewall (load) because it reduced the burden of having to send traffic.”
Bob Hansmann, an Infoblox senior product marketing manager who was on that same podcast, said the nature of those other networking security mechanisms is what fuels this cost-savings.
“When they start doing more and more on that box, now it’s going to be built for maximum I/O. It’s going to be built for maximum CPU analysis, maximum amount of RAM to cache things to be analyzed. They get very expensive,” Hansmann said. “And I recall a company that had a rack of firewalls when they started blocking at the DNS level. Their load was so low, they said ‘Hey, guess what? We got a couple of brand-new cold spares.’ There was hardly any malware to analyze anymore.”
“We all know that with firewalls, the size is based on how much traffic it can handle. If we say that the top 5 percent (of the traffic) is malicious, a firewall has to do more work to process that because it’s inspecting the traffic. But let’s say I took that 5 percent and the DNS said ‘You know what? I’m not even going to send it to the firewall.’ Now my processing is down,” James said. “The more you can process at the DNS layer, that saves a firewall from having to accept the request in the first place. You’ve just saved resources on the firewall. I don’t have to upgrade it later. Or I can decommission a firewall because I’ve saved so much traffic and use it as a spare.”
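To make the blocking step that James and Hansmann describe concrete, here is an added example of the policy check a protective resolver runs before it forwards a query upstream. It is not Infoblox code or anything from the podcast; it follows the matching rule of DNS Response Policy Zones (RPZ), where a blocklist entry covers the name and everything beneath it. The blocklist entries, the sinkhole address and the `upstream` callable are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed blocklist: the names are placeholders, not real threat intel.
# The value is the category the feed assigns to the entry.
BLOCKLIST: Dict[str, str] = {
    "evil.example": "c2",
    "login-update.example": "phishing",
    "dga-seed.test": "dga",
}

# Assumed sinkhole address (RFC 5737 documentation range); a real deployment
# points this at a sinkhole host that logs whatever connects to it.
SINKHOLE_IP = "198.51.100.1"


@dataclass
class Verdict:
    action: str                    # "allow" or "sinkhole"
    reason: Optional[str] = None   # feed category for a hit
    matched: Optional[str] = None  # blocklist entry that matched


def canonical(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def policy(qname: str) -> Verdict:
    """RPZ-style lookup: walk from the full name up to the TLD so a blocked
    zone covers every name beneath it, without substring matching
    (notevil.example must not match evil.example)."""
    labels = canonical(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return Verdict("sinkhole", BLOCKLIST[candidate], candidate)
    return Verdict("allow")


def resolve(qname: str, upstream: Callable[[str], str]) -> Dict[str, Optional[str]]:
    """Answer a query. `upstream` stands in for the real recursive lookup; it
    is never called for a sinkholed name, so neither the malicious resolution
    nor the connection that would follow it ever leaves the resolver."""
    verdict = policy(qname)
    if verdict.action == "sinkhole":
        return {"qname": qname, "answer": SINKHOLE_IP,
                "policy": verdict.reason, "rule": verdict.matched}
    return {"qname": qname, "answer": upstream(qname), "policy": None, "rule": None}


if __name__ == "__main__":
    seen = []

    def fake_upstream(name: str) -> str:
        seen.append(name)
        return "203.0.113.10"  # constructed upstream answer

    for q in ["www.example.net", "beacon.evil.example.", "EVIL.example",
              "notevil.example", "cdn.dga-seed.test"]:
        print(resolve(q, fake_upstream))
    print("upstream lookups actually made:", seen)
```

The point of the `upstream` callable is to make the load reduction visible: the sinkholed names never reach it, so nothing downstream (recursive resolver, firewall, proxy) ever sees that traffic. The label-by-label walk matters because a naive substring check would either miss `beacon.evil.example` or wrongly block `notevil.example`. A production resolver would also log each hit with the client address, and may answer NXDOMAIN instead of a sinkhole address depending on whether the SOC wants to observe the follow-on connection.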
BAD GUYS TAKE ADVANTAGE OF THE FACT THAT HARDLY ANYONE WATCHES THE DNS SPACE CAREFULLY
The sad truth is that attackers are often better funded than defenders (CISO teams), have more patience and are frequently better at studying their opponents than CISO teams are.
Case in point: the DNS space still has elements of the Wild West, with hardly anyone truly watching what is going on. As James has said, “No one really inspects the content of a DNS query. They just assume that it’s a query.”
Once the bad guys figured that out, they started launching a wide range of attacks in the DNS space, disguising their traffic as innocuous queries: command-and-control messages and exfiltrated data encoded into the labels of names that nobody inspects.
“It’s fascinating to show that IP addresses on the internet as static addresses, that you connect to things, is from the past. Things like mail and other services don’t work. Because we have all these other fancy tools that do load balancing and things like that. And there are services that rely heavily on a domain name versus a static IP address,” James said. “Attackers are leveraging DNS as this kind of open communication channel, because no one checks it. Firewalls, proxies, advanced malware detection tools, CASBs look at DNS as just a way to translate something from a good name that we can remember to an IP address. But the attackers have realized that they can start sending command-and-control communications through the DNS channel because no one cares. It’s become this open channel of misuse that needs to be protected.”
And that situation can get a lot worse.
“If I’m an attacker, I’ve now got this open channel of communication to my endpoints that I’m controlling. So, I can either send commands or I can take data out and I can do whatever I need to do. Using DNS is like a party line. For an attacker, this is fantastic. I can get in. I can do what I want,” James argued. “Now as an enterprise, if you want to protect yourself, well, let’s start doing some stuff on DNS. Looking at DNS inspection. Well, now we’ve compounded the issue because the standards bodies have said, you know what, DNS should be protected because if you see a DNS query on the open, you can kind of assume where people are traveling and that gives you a little bit of privacy issues. So, let’s implement DNS over TLS or DNS over HTTPS. So now that channel is not only open to the attackers, it is now encrypted from inside the network. So, the endpoint that got infected using DNS is HTTPS port 53. Kind of encrypted all the way out to wherever the attacker wants you to go and you as an enterprise are now blind to the fact that this channel is open. I’m not just going to give you a list. I need to see if someone’s got malware that’s kind of bouncing and bouncing consistently. I need to have inspection of the channel and use AI and machine learning. This is not just someone trying to move traffic. It’s someone trying to bounce through these random domains or it’s doing fast flux or it’s doing some other type of a sophisticated DNS manipulation to get around threat intel.”
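The inspection James calls for is, in practice, a matter of looking at query content and patterns rather than domain reputation alone. Below is an added example, not code from the article or from Infoblox, that runs a few such heuristics over a constructed query log: for each registered domain it checks whether the leftmost labels are long, high-entropy and never repeated (the shape of data being encoded into names), and it separately flags clients that look up well-known public DoH resolvers, since that lookup is usually the last thing the enterprise resolver sees before the client’s DNS goes dark. The log format, client addresses, thresholds, the `tun-example.net` domain and the use of the last two labels as the registrable domain are all assumptions for the example; the DoH hostnames are a small illustrative subset, not a complete list.

```python
import math
from collections import Counter, defaultdict
from statistics import mean
from typing import Dict, List, Tuple

# Constructed query log: "<client> <qtype> <qname>". Real resolver logs carry
# more fields; the format here is an assumption for the example.
LOG = """\
10.0.0.5 A www.example.net
10.0.0.5 A cdn.example.net
10.0.0.7 TXT 4a6f686e20446f65.9f8e7d6c5b4a.t.tun-example.net
10.0.0.7 TXT 7365637265742064.1a2b3c4d5e6f.t.tun-example.net
10.0.0.7 TXT 6174612065786669.0f1e2d3c4b5a.t.tun-example.net
10.0.0.7 TXT 6c7472617465642e.aabbccddeeff.t.tun-example.net
10.0.0.9 A mozilla.cloudflare-dns.com
10.0.0.9 A dns.google
"""

# Public DoH resolver hostnames: an illustrative subset, not a complete list.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
             "dns.quad9.net"}


def entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    # Assumption for the example: the last two labels approximate the
    # registrable domain. Production code should use a public-suffix list,
    # otherwise names under "co.uk"-style suffixes collapse to the wrong key.
    return ".".join(qname.split(".")[-2:])


def parse(log: str) -> List[Tuple[str, str, str]]:
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        client, qtype, qname = line.split()
        rows.append((client, qtype.upper(), qname.lower().rstrip(".")))
    return rows


def analyse(log: str, min_queries: int = 3, min_prefix_len: int = 24,
            min_entropy: float = 3.0) -> List[Dict]:
    findings: List[Dict] = []
    per_domain: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)

    for client, qtype, qname in parse(log):
        # A lookup of a DoH resolver is the bypass signal: after this the
        # client's queries travel inside HTTPS and this resolver sees nothing.
        if qname in DOH_HOSTS or any(qname.endswith("." + h) for h in DOH_HOSTS):
            findings.append({"kind": "doh-bypass", "client": client, "qname": qname})
        per_domain[registered_domain(qname)].append((client, qtype, qname))

    for domain, rows in per_domain.items():
        if len(rows) < min_queries:
            continue
        # Everything left of the registered domain is where encoded data goes.
        prefixes = [q[: -(len(domain) + 1)] for _, _, q in rows if q != domain]
        if not prefixes:
            continue
        avg_len = mean(len(p) for p in prefixes)
        avg_ent = mean(entropy(p.replace(".", "")) for p in prefixes)
        all_unique = len(set(prefixes)) == len(prefixes)   # no caching benefit
        bulk_types = sum(1 for _, t, _ in rows if t in ("TXT", "NULL", "CNAME")) / len(rows)
        if all_unique and avg_len >= min_prefix_len and avg_ent >= min_entropy:
            findings.append({"kind": "tunnel-suspect", "domain": domain,
                             "queries": len(rows),
                             "avg_prefix_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2),
                             "bulk_type_fraction": round(bulk_types, 2),
                             "clients": sorted({c for c, _, _ in rows})})
    return findings


if __name__ == "__main__":
    for finding in analyse(LOG):
        print(finding)
```

The thresholds are starting points, not tuned values; CDN hostnames, anti-malware signature lookups and some telemetry also produce long, unique labels, so in practice the entropy and length checks are paired with the TXT/NULL fraction, the per-client query rate and the age and reputation of the registered domain before anything is blocked. The DoH check is deliberately separate: it is not malicious on its own, but an enterprise that relies on resolver-level blocking needs to know which clients have stepped outside it.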
SPEED IS CRITICAL WHEN DEFENDING AGAINST AN ACTIVE ATTACK, AND DNS WILL SEE THE ATTACK FIRST
Another fact of modern-day cybersecurity is that when an enterprise is under active attack, speed is essential. You have only a limited number of minutes to learn everything you can about the attack, decide what to do and do it before the attackers complete their plan.
The beauty of a DNS defense is that, by the very nature of DNS, the name lookup is the first step of almost every outbound connection, so it is the earliest point at which an attack can be detected and blocked. That buys the SOC valuable minutes to do what it has to do. The caveat is that this holds only for traffic that resolves names through the enterprise resolver: malware that connects to hard-coded IP addresses, or that resolves names over DNS over HTTPS to an outside resolver, never passes through that control point, which is why those bypasses need to be blocked or detected in their own right.
“You have IP addresses, and you probably use DHCP. Every device on the network, if it has to communicate to an outside entity, requires DNS, and this is the absolute pure value of DNS as a security control because it’s a giant blanket over everything. We always talk about computers, servers, laptops, smart devices, phones and iPads, and so forth. They all use DNS as they browse different types of outside locations, but anything that has a communication with an outside entity, like think about an IoT device: a thermostat, an ATM going to a management platform uses IP communications and DNS. OT technology, even though the OT might be a particular protocol like SCADA, the management platform is probably IP and is going to do DNS. What do you do for this particular type of unique infrastructure?” James said. “They’re all going to use a centralized DNS infrastructure that is already configured for the entire network devices that attach. So, it’s such an easy process where you can say, ‘Well, I already have DNS configured. I’m just going to redirect this DNS to another DNS solution that has this security capability and built-in support queries. Then go to that secondary or that recursive DNS and that becomes the authority to make decisions to inspect the protocols.’ DNS is already architected to everything, and it goes to a central place. You just add some additional intelligence on that, or you have that redirect to another DNS server that has the intelligence, and you’re done for everything on your network.”