At some point, most communication that happens on a network requires DNS, typically before the communication actually starts. This is true for legitimate traffic, of course, but also for malicious communication. Malware typically uses DNS for C&C communication, while advanced malware uses DNS to infiltrate malicious code or to exfiltrate data.
This makes DNS a top threat vector; hence, it is critical to set adequate protections in place to efficiently mitigate this threat. And when it comes to DNS – as with other forms of security controls – there are three ways to detect and block varying threats:
- Signature: Many DNS exploits or malicious behavior patterns have known DNS signatures. This includes (D)DoS attacks aimed at the DNS service itself. Being able to detect these signatures and block related traffic is an effective defense against these well-known threats. Signature protection can be viewed as a first-line defense, blocking “high and fast” or known malicious activity.
- Reputation: Security research can identify domain names and IP addresses associated with malicious activity. This is particularly important given that an estimated 50% of newly registered domain names will be blocked within a month and 25% within a day, according to Farsight Security [1]. Malicious domain names can be added to DNS services to block queries or redirect communication (e.g., to a honeypot). This approach has the advantage of blocking a communication before it starts, and by leveraging the scalability of DNS against malware, millions of Indicators of Compromise (IoCs) can be added to DNS.
- Behavioral analysis: As malware becomes more adaptive and, in some cases, targeted at a specific organization, neither signature- nor reputation-based approaches effectively mitigate all threats. Examples of approaches that may evade traditional security measures include Domain Generation Algorithms (DGAs), Fast Flux, and targeted data exfiltration using domain names registered for a specific attack. Behavioral analysis of DNS queries involves techniques such as maintaining state over many individual queries and “scoring” traffic with algorithms that identify “zero day” attacks which cannot be identified by signature or blocked based on reputation.
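The behavioral-analysis approach described in the last bullet, as an added illustration (this is example code written for this page, not code from the original post or from Infoblox): it keeps state per client across many queries and scores two of the evasive behaviors named above, DGA-style names (random-looking registrable labels that mostly resolve to NXDOMAIN) and exfiltration-style tunneling (many unique, long subdomains under one registered domain). The log lines, client addresses, domain names and thresholds are all constructed for the example, and the registered-domain split is simplified to the last two labels.

```python
"""Behavioral scoring of DNS query logs.

Added example, not code from the original post. It keeps state per client
across many queries and scores two evasive behaviours: DGA-style names
(random-looking registrable labels that mostly resolve to NXDOMAIN) and
exfiltration-style tunneling (many unique, long subdomains under one
registered domain). All thresholds, addresses and names are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed log lines in the form: <client_ip> <qname> <rcode>
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 xk3j9q0vz2lm1n.example NXDOMAIN
10.0.0.7 q8w2e7r1t5y0ui.example NXDOMAIN
10.0.0.7 z1x2c3v4b5n6m7.example NXDOMAIN
10.0.0.7 a9s8d7f6g5h4j3.example NXDOMAIN
10.0.0.9 4a6f2e9c0b1d7a3e5f8c.tunnel.example NOERROR
10.0.0.9 9d1c3b5a7e2f4d6c8a0b.tunnel.example NOERROR
10.0.0.9 1f3e5d7c9b2a4e6d8c0f.tunnel.example NOERROR
10.0.0.9 7c9e1a3b5d7f2e4c6a8d.tunnel.example NOERROR
"""

# Constructed thresholds; tune them against a baseline of your own traffic.
MIN_QUERIES = 3        # do not score a client on fewer queries than this
NX_RATIO = 0.5         # share of NXDOMAIN answers typical of DGA probing
MIN_ENTROPY = 3.0      # bits per character; dictionary words sit well below
TUNNEL_UNIQUE = 4      # distinct subdomains under one registered domain
TUNNEL_LABEL_LEN = 16  # average subdomain length suggesting an encoded payload


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score higher."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str) -> tuple[str, str, str]:
    """Return (subdomain prefix, registrable label, registered domain).

    Simplification: the registered domain is taken as the last two labels.
    Production code would consult the Public Suffix List (e.g. for co.uk).
    """
    labels = qname.lower().rstrip(".").split(".")
    registered = ".".join(labels[-2:])
    prefix = ".".join(labels[:-2])
    return prefix, labels[-2], registered


class ClientState:
    """Per-client counters carried across queries (the 'maintaining state')."""

    def __init__(self) -> None:
        self.total = 0
        self.nxdomain = 0
        self.entropies: list[float] = []
        # registered domain -> set of distinct subdomain prefixes seen
        self.prefixes: dict[str, set[str]] = defaultdict(set)

    def observe(self, qname: str, rcode: str) -> None:
        prefix, reg_label, registered = split_name(qname)
        self.total += 1
        self.nxdomain += int(rcode == "NXDOMAIN")
        self.entropies.append(shannon_entropy(reg_label))
        if prefix:
            self.prefixes[registered].add(prefix)

    def findings(self) -> list[str]:
        out: list[str] = []
        if self.total >= MIN_QUERIES:
            nx_ratio = self.nxdomain / self.total
            avg_entropy = sum(self.entropies) / len(self.entropies)
            if nx_ratio >= NX_RATIO and avg_entropy >= MIN_ENTROPY:
                out.append("dga")
        for domain, names in self.prefixes.items():
            avg_len = sum(len(p) for p in names) / len(names)
            if len(names) >= TUNNEL_UNIQUE and avg_len >= TUNNEL_LABEL_LEN:
                out.append(f"tunneling:{domain}")
        return out


def analyze(log_text: str) -> dict[str, list[str]]:
    """Score every client seen in the log; returns client -> list of findings."""
    state: dict[str, ClientState] = defaultdict(ClientState)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, rcode = line.split()
        state[client].observe(qname, rcode)
    return {client: st.findings() for client, st in state.items()}


if __name__ == "__main__":
    for client, found in analyze(SAMPLE_LOG).items():
        print(client, found or "clean")
```

The two indicators are deliberately computed from state rather than from any single query: one random-looking name or one NXDOMAIN answer is normal, while a sustained ratio of them from one client is not, which is what lets this class of detection catch names that no reputation feed has seen yet.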
All these mitigating techniques can be deployed either using an on-premises DNS architecture or via a cloud-based DNS service, and usually for a fraction of the cost of other, non-DNS-based solutions. In terms of risk mitigation strategy, DNS is not only a threat vector that must be covered but also provides more “bang for buck” than many other approaches.
Besides costs, traditional non-DNS-based solutions, such as “next generation” firewalls (NGFW), are limited by scalability challenges. That is not to say these firewalls do not protect an organization, rather that they do not scale when blocking threats based on domain names. For instance, an NGFW might be limited to 250,000 domain names as IoCs to block. By contrast, DNS response policy zones (RPZ) can scale to block millions of IoCs.
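Reputation-based blocking through a response policy zone, as mentioned here and in the reputation bullet above (including the option of redirecting a client to a honeypot instead of answering NXDOMAIN): an added example, not Infoblox or ISC BIND code. It renders a constructed IoC feed as RPZ QNAME-trigger records and shows how a resolver applies them to a query name. The zone name `rpz.local`, the IoC domains and the sinkhole address are constructed placeholders; the RDATA conventions (`CNAME .`, `CNAME *.`, `CNAME rpz-passthru.`, local A data) are the standard RPZ encoding.

```python
"""Reputation blocking in the Response Policy Zone (RPZ) format.

Added example, not Infoblox or ISC BIND code. It renders a constructed IoC
feed as RPZ QNAME-trigger records and shows how a resolver applies them to
a query name: exact owner match first, then the nearest wildcard. The zone
name rpz.local, the IoC domains and the sinkhole address are constructed.
"""
from typing import Optional

RPZ_ZONE = "rpz.local."
SINKHOLE_IP = "192.0.2.10"  # constructed; 192.0.2.0/24 is reserved for documentation

# RPZ encodes the action in the record data under the trigger owner name:
#   CNAME .              -> answer NXDOMAIN
#   CNAME *.             -> answer NODATA (NOERROR with an empty answer)
#   CNAME rpz-passthru.  -> let the real answer through (allow-list)
#   A <address>          -> local data: steer the client to a sinkhole/honeypot
RDATA_FOR_ACTION = {
    "nxdomain": "CNAME .",
    "nodata": "CNAME *.",
    "passthru": "CNAME rpz-passthru.",
    "redirect": f"A {SINKHOLE_IP}",
}

# Constructed IoC feed: (domain, action). A wildcard entry is needed to cover
# subdomains, because "*.x" does not match "x" itself.
IOC_FEED = [
    ("malware-c2.example", "nxdomain"),
    ("*.malware-c2.example", "nxdomain"),
    ("phish-login.example", "redirect"),
    ("*.fastflux.example", "nodata"),
    ("cdn.fastflux.example", "passthru"),  # known-good host under a bad domain
]


def rpz_records(feed) -> list[str]:
    """Render the feed as zone-file lines for the RPZ."""
    return [f"{name}.{RPZ_ZONE} {RDATA_FOR_ACTION[action]}" for name, action in feed]


def build_policy(feed) -> dict[str, str]:
    """Index the feed for lookup; in a real resolver this is the loaded zone."""
    return {name.lower().rstrip("."): action for name, action in feed}


def lookup(policy: dict[str, str], qname: str) -> tuple[str, Optional[str]]:
    """Return (action, matching trigger) for a query name.

    An exact owner name wins over wildcards, and a wildcard closer to the
    query name wins over one further up, mirroring how the zone is searched.
    Simplification: full DNS wildcard rules (closest encloser) and precedence
    between several RPZ zones are not modelled.
    """
    q = qname.lower().rstrip(".")
    if q in policy:
        return policy[q], q
    labels = q.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard], wildcard
    return "allow", None


def client_sees(action: str) -> str:
    """What the querying client observes for each policy action."""
    return {
        "nxdomain": "NXDOMAIN",
        "nodata": "NOERROR, empty answer",
        "passthru": "the real answer",
        "redirect": f"A {SINKHOLE_IP}",
        "allow": "the real answer",
    }[action]


if __name__ == "__main__":
    print("\n".join(rpz_records(IOC_FEED)))
    policy = build_policy(IOC_FEED)
    for name in ("update.malware-c2.example", "cdn.fastflux.example",
                 "node7.fastflux.example", "www.example.org"):
        action, trigger = lookup(policy, name)
        print(f"{name}: {action} via {trigger} -> client sees {client_sees(action)}")
```

Because each IoC is just one resource record in an ordinary zone, the feed grows to millions of entries with the same zone-transfer and in-memory lookup machinery the resolver already has, which is the scaling property the paragraph above contrasts with a firewall's fixed domain-list capacity. The passthru entry shows how a known-good host is carved out of a wildcard block without removing the block.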
Deep Packet Inspection (DPI) solutions can also be costly to implement at scale, and a key limitation in their effectiveness is changing work patterns and the introduction of cloud-based services. Increasingly, points of Internet connectivity are not limited to data centers; branch offices have local Internet access for their cloud services and mobile users may access these services from any network across multiple devices. DNS, however, is a common factor and can provide a key point of visibility and control for these networks and devices.
While it can be difficult to directly compare the costs of traditional security measures, such as firewalling or DPI, with those of security via DNS, a few data points provide a basis for comparison:
- In large part owing to cost and scalability, mobile phone providers are implementing content control through the use of DNS rather than DPI. Blocking access to undesirable content, such as a parent wanting to block access to gambling sites, is much cheaper using DNS than inspecting the contents of individual network packets. This allows mobile providers to offer content control to customers at an acceptable price.
- In an enterprise environment, calculating the cost of processing DNS queries per second vs. DPI is a difficult comparison, and not necessarily “apples to apples”. But one distinct advantage is that DNS coverage is likely to be more comprehensive. The following illustrates how Infoblox provides scalability and improves the ROI of an existing NGFW investment:
  - A medium-sized Infoblox DNS appliance is sized for up to 16 million IoCs at 100% of the maximum supported DNS rate (larger appliances can scale further).
  - An NGFW system of the largest size could scale to 200 thousand IoCs, i.e., 1.25% of the domain names that could be blocked using the DNS service that the client device would query in any case.
  - Estimating how many NGFW devices it would take to block 16 million IoCs suggests a solution that would be significantly more expensive than using a DNS-based approach. Of course, a firewall is doing more than just blocking DNS queries.

What the above illustrates is that DNS scales well for its cost as a means to block malicious traffic. It also shows that a specific approach is necessary for securing DNS, in the same way that many organizations would deploy both a firewall and a web proxy (possibly with its own reputation data). Using a DNS approach also helps maximize investment in expensive NGFW/DPI technologies, essentially pre-filtering potentially malicious traffic before the firewall has to process it (at a higher cost per Gbps).
It should be noted that malicious activity associated with DNS is often not blocked by traditional security measures and even newer approaches, such as NGFWs. This is because the malicious activity is contained within otherwise normal DNS queries, raising the risk that the firewall might view the suspicious activity as legitimate traffic. So, while the comparison between the cost of security measures is valid in a discussion of risk vs. cost, securing DNS is necessary regardless.
One cost benefit that is gained by securing DNS is the reduction in security incidents from other systems. For instance, it is less costly to deal with blocking a link in a phishing email via DNS than in dealing with the consequences of a user being able to follow the link.
In summary, the cost benefit analysis of implementing a DNS security solution shows that it is not only a much less expensive first line of defense against malware, but it also provides protection that other traditional tools do not. Learn more about Infoblox’s DNS security solutions here.
Sources:
- Webinar: “Playing Offense with the Domain Name System: A Conversation with Dr. Paul Mockapetris and Farsight Security CEO Dr. Paul Vixie”; February 28, 2018.