DNS plays a fundamental role in almost all malware campaigns with threat actors exploiting the lack of security visibility and control on DNS within most enterprises. In many ways, this has contributed to the industrialization of malware as actors leverage the inherent scale, reliability and accessibility of DNS to execute their campaigns.
In recent years, the cyber industry has begun to respond by re-imagining DNS as a security visibility and enforcement point. The result is a plethora of new terms which we will de-mystify in this blog.
Protective DNS
The UK government, via the National Cyber Security Centre (NCSC), first coined the phrase Protective DNS service back in 2017. The highly successful service, which continues to run today, enables government departments, the National Health Service (NHS) and soon education institutions to forward their outbound DNS queries to a secure resolver service operated by NCSC. The service uses threat intelligence to identify and block requests to resolve domains deemed to be a threat. This highly scalable service enables the UK to provide a protective shield for a whole range of institutions through a centralized, security-conscious DNS service.
The UK is not alone in providing government Protective DNS services, with similar services operating in the United States (CISA, Department of Defense), Australia (ACSC) and the Philippines (DICT).
While Protective DNS services provide a highly scalable "shield", they do not provide the operational tools and context that protected organizations need to do event correlation or incident response: the service sees the blocked query, but the organization is left with little more than a blocked connection.
DNS Detection and Response (DNS-DR)
The principles of Protective DNS, based on the ability to apply security policies to outbound DNS requests, have been available to enterprise organizations since around 2010. Response Policy Zones (RPZ), a resolver extension that was never formalized as an RFC but is widely implemented in DNS servers, provide the means to block requests to malicious or inappropriate sites: the policy is distributed as an ordinary DNS zone whose records encode the verdict (block, redirect, drop or exempt) for each trigger name. Infoblox, through our Threat Defense solution, provides a suite of DNS-DR capabilities that enables blocking on DNS servers (PDNS functionality) as part of a hybrid architecture: blocking locally on existing on-premises DNS servers whilst simultaneously protecting roaming users or small sites via a SaaS-based cloud platform.
Where DNS Detection and Response goes beyond Protective DNS is in providing the operational tools to support incident response. Like other detection and response platforms such as Endpoint Detection and Response (EDR), Infoblox's DNS-DR solution uses AI-based analytics to automatically correlate the mass of security events generated by DNS-based enforcement and surface the critical-priority incidents among them. With threat intelligence context and asset data attached to each incident, enterprises that have deployed a DNS-DR platform can quickly assess the detected threats and drive towards an actionable response. Through ecosystem integrations, Infoblox Threat Defense can proactively and automatically trigger downstream responses on other security infrastructure, including Next Generation Firewalls (NGFW), vulnerability scanners and many others.
Protective DNS and DNS-DR are by no means mutually exclusive. In fact, DNS-DR can be thought of as a superset of Protective DNS that adds incident response capabilities. As described in the CISA DNS guidance published in 2024 (linked below), the US government actively mandates the deployment of on-premises DNS-based security within the protected agencies. This enables the protected agencies to take operational responsibility for incident and threat response.
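To make the RPZ mechanism concrete, here is an added example (not Infoblox or BIND code) that evaluates query names against a small, constructed policy zone using the standard RPZ action encodings. The zone name rpz.example and every record in it are hypothetical; what the code demonstrates is how the rdata of the matching record selects the verdict, and how an exact-name exemption takes precedence over a wildcard block.

```python
"""RPZ-style QNAME policy evaluation.

Added example, not Infoblox or BIND code. The policy zone "rpz.example." and
all of its records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

RPZ_ZONE = "rpz.example."  # hypothetical policy zone apex; owner names below are relative to it

# RPZ encodes the action in the RR found at the trigger's owner name:
#   CNAME .              -> NXDOMAIN  (block: tell the client the name does not exist)
#   CNAME *.             -> NODATA    (block: name exists but has no records)
#   CNAME rpz-passthru.  -> PASSTHRU  (exempt this name from policy, resolve normally)
#   CNAME rpz-drop.      -> DROP      (discard the query, send no response)
#   CNAME rpz-tcp-only.  -> TCP-ONLY  (force the client to retry over TCP)
#   any other RR         -> LOCALDATA (answer with the record, e.g. a walled-garden IP)
POLICY_RECORDS = {
    "malware-cdn.example":   ("CNAME", "."),
    "*.malware-cdn.example": ("CNAME", "."),
    "*.phish.example":       ("A", "192.0.2.10"),         # sinkhole address in TEST-NET-1
    "ok.phish.example":      ("CNAME", "rpz-passthru."),  # exact-name exemption beats the wildcard
    "beacon.example":        ("CNAME", "rpz-drop."),
    "tracker.example":       ("CNAME", "*."),
}


@dataclass
class Verdict:
    action: str                  # NXDOMAIN, NODATA, PASSTHRU, DROP, TCP-ONLY, LOCALDATA or NONE
    trigger: Optional[str]       # policy owner name that matched, None if no rule applied
    rdata: Optional[str] = None  # answer data, only set for LOCALDATA


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def _action_for(rtype: str, value: str) -> str:
    if rtype == "CNAME":
        return {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}.get(value, "LOCALDATA")
    return "LOCALDATA"


def find_trigger(qname: str, policy=POLICY_RECORDS):
    """Return (owner, (rtype, value)) for the record that governs qname, or None.

    Mirrors ordinary zone lookup: an exact owner name beats any wildcard, and
    among wildcards the closest enclosing one wins. (Real resolvers also apply
    the DNS empty-non-terminal rule for wildcards; it is omitted here for brevity.)
    """
    name = _normalize(qname)
    if name in policy:
        return name, policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):            # *.b.c.example, then *.c.example, ...
        candidate = "*." + ".".join(labels[i:])
        if candidate in policy:
            return candidate, policy[candidate]
    return None


def evaluate(qname: str, policy=POLICY_RECORDS) -> Verdict:
    """Apply the policy zone to one query name and return the resolver's verdict."""
    hit = find_trigger(qname, policy)
    if hit is None:
        return Verdict("NONE", None)
    owner, (rtype, value) = hit
    action = _action_for(rtype, value)
    return Verdict(action, owner, value if action == "LOCALDATA" else None)


if __name__ == "__main__":
    for q in ("www.malware-cdn.example.", "login.phish.example", "ok.phish.example",
              "beacon.example", "tracker.example", "example.com"):
        print(f"{q:28} -> {evaluate(q)}")
```

In a real deployment the same zone is loaded into the resolver's policy list (for BIND, the response-policy option); when several policy zones are configured, they are consulted in configuration order and the first zone with a matching rule wins, so an organization's local allow-list zone is normally placed ahead of any threat-intelligence feed.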
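The correlation step described above, reduced to its essentials, as an added example (not Infoblox code): a handful of constructed DNS enforcement events are grouped by client, enriched with a hypothetical threat-intelligence table and asset inventory, and scored so that a host hitting several distinct blocked domains (including a command-and-control name) rises to the top while a single adware block stays at the bottom. The event line format, threat categories, severities and thresholds are all assumptions for illustration.

```python
"""Correlate DNS enforcement events into prioritised incidents.

Added example, not Infoblox code. The event lines, threat-intel table and
asset inventory below are constructed; real platforms would pull these from
the resolver's RPZ logs, a threat feed and a CMDB respectively.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed events, one per line: "<time> <client-ip> <qname> rpz <trigger> <action>".
# All events are assumed to fall inside one correlation window.
EVENTS = """\
12:00:01 10.0.1.17 www.malware-cdn.example rpz QNAME NXDOMAIN
12:00:02 10.0.1.17 c2.beacon.example rpz QNAME DROP
12:00:04 10.0.1.17 x7f3a9.evil.example rpz QNAME NXDOMAIN
12:00:05 10.0.1.17 k2m8q1.evil.example rpz QNAME NXDOMAIN
12:00:06 10.0.1.17 p9w4e7.evil.example rpz QNAME NXDOMAIN
12:01:30 10.0.2.40 login.phish.example rpz QNAME LOCALDATA
12:03:10 10.0.3.9 ads.tracker.example rpz QNAME NODATA
"""

# Hypothetical threat-intel context: registered domain -> (category, severity 0-100).
THREAT_INTEL = {
    "beacon.example":      ("c2", 90),
    "evil.example":        ("dga", 80),
    "malware-cdn.example": ("malware-distribution", 70),
    "phish.example":       ("phishing", 60),
    "tracker.example":     ("adware", 10),
}
# Hypothetical asset inventory: client IP -> asset name.
ASSETS = {"10.0.1.17": "finance-laptop-042", "10.0.2.40": "hr-desktop-007"}

EVENT_RE = re.compile(
    r"^(?P<time>\S+) (?P<client>\S+) (?P<qname>\S+) rpz (?P<trigger>\S+) (?P<action>\S+)$")


@dataclass
class Incident:
    client: str
    asset: str
    score: int
    priority: str
    categories: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    actions: set = field(default_factory=set)


def parse_events(text: str):
    """Parse enforcement events; lines that do not match the shape are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(qname: str):
    """Walk up the name to find the registered domain known to threat intel."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in THREAT_INTEL:
            return key, THREAT_INTEL[key]
    return None, ("unknown", 20)


def priority_for(score: int) -> str:
    if score >= 85:
        return "critical"
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def correlate(text: str, breadth_threshold: int = 3):
    """Group events per client, enrich them and return incidents, highest score first."""
    per_client = defaultdict(list)
    for ev in parse_events(text):
        per_client[ev["client"]].append(ev)
    incidents = []
    for client, evs in per_client.items():
        cats, domains, actions, score = set(), set(), set(), 0
        for ev in evs:
            domain, (cat, sev) = classify(ev["qname"])
            cats.add(cat)
            domains.add(domain or ev["qname"])
            actions.add(ev["action"])
            score = max(score, sev)          # worst single hit sets the baseline
        if len(domains) >= breadth_threshold:
            score += 15                      # many distinct blocked domains: infection, not one click
        score = min(score, 100)
        incidents.append(Incident(client, ASSETS.get(client, "unknown-asset"),
                                  score, priority_for(score), cats, domains, actions))
    return sorted(incidents, key=lambda inc: inc.score, reverse=True)


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"{inc.priority:8} {inc.asset:20} {inc.client:10} {sorted(inc.categories)}")
```

The point of the breadth bonus is the one a DNS-DR analyst cares about most: a single blocked phishing click and a host cycling through DGA-looking names plus a dropped C2 beacon generate similar-looking event volumes, but only the second is an active infection that warrants a downstream response.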
More details on that guidance are available here:
https://www.cisa.gov/sites/default/files/2024-05/Encrypted%20DNS%20Implementation%20Guidance_508c.pdf
Zero Trust DNS
In April 2024, Microsoft announced their Zero Trust DNS strategy. With support from the US government (CISA), Microsoft is working with industry partners such as Infoblox to evolve the existing encrypted DNS standards to enable client authentication. This brings standards such as DNS over TLS (DoT), DNS over HTTPS (DoH) and DNS over QUIC (DoQ) in line with the core principle of Zero Trust, another key strategy set out by the US government: today these protocols let the client verify the resolver, but the resolver still has no authenticated identity for the client whose queries it is enforcing policy on.
Enhancing the standards in this way aligns DNS firmly with Zero Trust architectures, a long overdue development given that DNS is almost always the first network service touched in any connection. With this development, the baseline for a secure on-premises DNS deployment will be raised, with enterprises and government agencies adding identity and confidentiality to the DNS security stack, matching principles that have been in place for other protocols (HTTPS) for some time.
The Zero Trust DNS market trend will complement existing DNS-DR and Protective DNS deployments: the connection between an enterprise resolver and a central government service can then rely on encryption and client authentication, ensuring a tight bond between central government services and enterprise DNS deployments.
DNS as a Cyber Security foundation
DNS is coming of age as a foundational cyber security platform that allows organizations to leverage the scale, visibility and reliability of what has long been a cornerstone of Internet infrastructure. With these new capabilities and innovations in DNS-based threat intelligence, organizations from governments to enterprises will have the means to apply industrial-scale responses to what has now become an industrial-scale malware problem.
Links
Infoblox Threat Defense
NCSC Protective DNS
Infoblox Threat Intel
CISA Protective DNS Guidance
Microsoft – ZTDNS Announcement
Microsoft – ZTDNS – Private Preview