The UK’s National Cyber Security Centre (NCSC) has issued recommendations for private companies and government agencies to use Protective DNS (PDNS) to secure their information technology assets and networks. PDNS provides a key defense against malicious cyber threats and can greatly reduce the effectiveness of ransomware, phishing, botnet, and malware campaigns by blocking access to known malicious domains. PDNS also offers substantial utility to organizations that use DNS query logs as an authoritative data source for incident response and threat hunting. While the NCSC provides its own PDNS service for government organizations and emergency services in the UK, it also recommends that private companies select a PDNS provider with experience in both cybersecurity and DNS.
The NCSC is the UK’s technical authority for cyber threats. The NCSC was formed in 2016 to provide a unified national response to cyber threats. The NCSC monitors incidents, provides early warnings, disseminates information, conducts cyber threat assessments and provides general technical support to competent authorities. The NCSC also acts as a bridge between the UK’s industry and government, providing a unified source of advice, guidance, and support on cybersecurity, including the management of cybersecurity incidents.
NCSC’s role in responding to cyber threats is substantial and often involves coordination with the cybersecurity and intelligence agencies in the United States, New Zealand, Australia, Canada, and many countries within Europe. In Europe, the NCSC remains in close coordination and information sharing with the European Union Agency for Network and Information Security (ENISA), the EU CSIRTs Network, the European Government CERTs (EGC) group, and the TF-CSIRT task force. The NCSC has strong technical expertise and can leverage the brightest and best cyber defense minds within the UK and partner organizations.
During the same time period, the National Security Agency (NSA) and the Cybersecurity & Infrastructure Security Agency (CISA) released a Joint Cybersecurity Information (CSI) brief containing similarly strong guidance on the importance of selecting a Protective Domain Name System (PDNS) service. The NCSC’s most recent guidance is in complete alignment with the NSA/CISA CSI technical recommendations, both of which stress the criticality and urgency of implementing a PDNS solution.
NCSC Guidance—Why Use Protective DNS
Protective DNS was designed to stop the use of DNS by threat actors in support of malware distribution and operation. Protective DNS works by making your networks use a given DNS resolver, or set of resolvers. These resolvers, run by the protective DNS provider, base their responses to queries on a set of policies which determine which queries will be allowed and which will be blocked.
Typically, both the domain name being requested and the IP address returned by a query are checked against a block list, and access is prevented if there is a match. Additionally, some protective DNS providers will attempt to block visits to websites with programmatically generated domain names (DGA domains), which malware uses to circumvent block lists.
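The two checks described above (query name against a domain block list, returned address against an IP block list) plus a heuristic for programmatically generated names can be modelled as a small policy function. The following is an added illustration written for this page; it is not NCSC, Infoblox or any PDNS provider's code. The block list entries, IP ranges, query names and heuristic thresholds are constructed for the demo and are not tuned production values.

```python
"""
Minimal model of a protective DNS policy decision (added illustration, not
vendor code). Policy is applied to the query name before resolution and to
the returned addresses afterwards, as the text describes.
"""
import ipaddress
import math
from collections import Counter
from dataclasses import dataclass

# Constructed block list. A match on the name itself or on any parent domain
# blocks the query, so "login.evil.example" is caught by "evil.example".
BLOCKED_DOMAINS = {"evil.example", "phish-login.example"}

# Constructed malicious hosting range: answers that fall inside it are blocked
# even when the queried name is not on the domain list.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Decision:
    allowed: bool
    reason: str


def _labels(name):
    return name.rstrip(".").lower().split(".")


def domain_blocked(qname):
    """Return the block-list entry matching qname or a parent domain, else None.
    The bare TLD is never tested, so a list entry cannot accidentally be 'com'."""
    labels = _labels(qname)
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def answer_blocked(addresses):
    """Return a description of the first returned address inside a blocked range."""
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        for net in BLOCKED_NETWORKS:
            if ip in net:
                return f"{addr} in {net}"
    return None


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic DGA check on the second-level label: long, high-entropy,
    vowel-poor labels are typical of algorithmically generated names.
    Thresholds are constructed for this demo."""
    labels = _labels(qname)
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio


def resolve_with_policy(qname, upstream_answer):
    """Decide whether a query may proceed. upstream_answer is the list of
    A-record strings the upstream resolver returned for qname."""
    hit = domain_blocked(qname)
    if hit:
        return Decision(False, f"domain matches block list entry {hit}")
    if looks_generated(qname):
        return Decision(False, "domain looks algorithmically generated")
    hit = answer_blocked(upstream_answer)
    if hit:
        return Decision(False, f"answer {hit} is in a blocked range")
    return Decision(True, "no policy match")


if __name__ == "__main__":
    for name, answer in [("www.example.com", ["93.184.216.34"]),
                         ("login.evil.example", ["198.51.100.5"]),
                         ("cdn.goodname.example", ["203.0.113.7"]),
                         ("xk3q9zt7vbwp2nf.example", ["198.51.100.9"])]:
        print(name, resolve_with_policy(name, answer))
```

The three checks are deliberately separate functions so that each can be tuned or swapped for a provider's feed independently; in a real resolver the answer check runs on every record in the response, not only A records.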
Protective DNS prevents access to a range of malicious sites, including domains distributing malware, command and control domains used to control malware, and domains used in phishing attacks, including those used for fraud.
Preventing access to these domains should protect your organization against malicious actors, making it harder for them to compromise your networks, and harder to exploit any compromises.
A secondary benefit of protective DNS is the ability to analyze, and potentially be alerted to, DNS requests made to blocked domains. This information should be incorporated into a Security Information and Event Management (SIEM) model, allowing for effective investigation of incidents. Organizations should have DNS logging in place; it is an important and integral part of the monitoring process.
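The alerting described above starts with parsing the resolver's query log and turning repeated hits into events a SIEM can act on. Below is an added example of that step, written for this page rather than taken from NCSC or any vendor. The key=value log format and the sample lines are constructed; real PDNS exports differ by provider, so only the regular expression would need to change. It raises two kinds of alert: a client repeatedly querying blocked domains (the footprint of an infected host retrying its command and control), and a client sending many distinct long labels under one domain even though those queries were allowed (a tunneling indicator the block list alone would miss).

```python
"""
Turning protective DNS logs into SIEM alerts (added example, not vendor code).
Log format and sample lines are constructed for the demo.
"""
import re
from collections import defaultdict

# Constructed log format: ISO timestamp followed by key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) action=(?P<action>ALLOW|BLOCK)(?: list=(?P<list>\S+))?$"
)

# Constructed sample: one host retrying a blocked C2 domain, one phishing
# click, and one host emitting tunnel-like TXT lookups that were allowed.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 qname=www.example.com qtype=A action=ALLOW
2024-05-01T10:00:02Z client=10.0.0.5 qname=update.evil.example qtype=A action=BLOCK list=malware
2024-05-01T10:00:03Z client=10.0.0.5 qname=cfg.evil.example qtype=A action=BLOCK list=malware
2024-05-01T10:00:04Z client=10.0.0.5 qname=beacon.evil.example qtype=A action=BLOCK list=malware
2024-05-01T10:00:05Z client=10.0.0.9 qname=login.phish-login.example qtype=A action=BLOCK list=phishing
2024-05-01T10:00:06Z client=10.0.0.7 qname=0f3a9c7e1b2d.t.tunnel.example qtype=TXT action=ALLOW
2024-05-01T10:00:07Z client=10.0.0.7 qname=8e21b0c4d6f7.t.tunnel.example qtype=TXT action=ALLOW
2024-05-01T10:00:08Z client=10.0.0.7 qname=5ad3e7f90b12.t.tunnel.example qtype=TXT action=ALLOW
2024-05-01T10:00:09Z client=10.0.0.7 qname=c4e6a8b0d2f4.t.tunnel.example qtype=TXT action=ALLOW
2024-05-01T10:00:10Z client=10.0.0.7 qname=17b9d3f5a7c9.t.tunnel.example qtype=TXT action=ALLOW
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def base_domain(qname):
    """Registrable domain approximated as the last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def blocked_query_alerts(records, threshold=3):
    """One alert per client whose blocked-query count reaches the threshold."""
    per_client = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["action"] == "BLOCK":
            per_client[r["client"]][base_domain(r["qname"])] += 1
    alerts = []
    for client, domains in per_client.items():
        total = sum(domains.values())
        if total >= threshold:
            alerts.append({"type": "repeated_block", "client": client,
                           "count": total, "domains": sorted(domains)})
    return alerts


def tunneling_alerts(records, min_unique=5, min_label_len=10):
    """Flag allowed traffic with many distinct long leftmost labels under one
    base domain from one client, regardless of record type."""
    seen = defaultdict(set)
    for r in records:
        if r["action"] != "ALLOW":
            continue
        first = r["qname"].split(".")[0]
        if len(first) >= min_label_len:
            seen[(r["client"], base_domain(r["qname"]))].add(first)
    return [{"type": "possible_tunnel", "client": c, "domain": d, "unique_labels": len(s)}
            for (c, d), s in seen.items() if len(s) >= min_unique]


def analyse(text):
    """Parse once, run both detections, return alerts ready to forward to a SIEM."""
    records = list(parse_log(text))
    return blocked_query_alerts(records) + tunneling_alerts(records)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The single phishing block from 10.0.0.9 produces no alert on its own, which is intentional: one blocked click is a ticket for the help desk, while three retries of the same malware domain from one host is an incident.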
In the UK, the NCSC has arranged for a PDNS to be available for use immediately by central government, local authorities, devolved administrations, emergency services, NHS organizations, and the Ministry of Defense. The NCSC has provided private enterprise with recommendations and technical guidance to acquire the necessary PDNS functionality from vendor sources.
Selecting a PDNS Provider
The NCSC recommends acquiring services from trusted providers. Per the NCSC’s recommendations, trusted providers demonstrate experience and technical expertise in cybersecurity and DNS, can show that they protect against the threats protective DNS is able to block, and keep their technical expertise up to date. Most importantly, trusted providers should ensure that their policies and block lists are regularly updated from effective intelligence feeds, and those feeds should themselves be reviewed regularly to ensure they remain effective.
Agencies in other countries are issuing similar recommendations; for example, the US NSA published the previously referenced guidance on selecting a Protective DNS service, including a comparison of the capabilities of different providers.
No Surprise – Most Malware Leverages DNS in the Attack Chain
The recommendations to implement a PDNS follow from a common thread in many threat actors’ operations: the exploitation and leveraging of DNS. DNS is continually used to set up and execute attack chains. Sooner or later malware must reach back to its command and control (C&C) infrastructure, and DNS is used as a covert communication channel for this purpose. DNS queries may be involved when the victim’s system is first compromised and infected, and DNS is almost always used when an infected system communicates with its C&C servers.
PDNS can help reduce the risk of the successful exploitation of your DNS infrastructure. A review of MITRE ATT&CK shows that threat actors leverage a multitude of techniques to directly exploit and utilize DNS.
MITRE ATT&CK TACTICS USED BY ATTACKERS TO LEVERAGE DNS

| TACTIC | TECHNIQUES | SUB-TECHNIQUES |
| --- | --- | --- |
| Reconnaissance | T1590 Gather Victim Network Information | .001 Domain Properties; .002 DNS; .004 Network Topology; .005 IP Addresses |
| Reconnaissance | T1598 Phishing for Information | .003 Spearphishing Link |
| Resource Development | T1583 Acquire Infrastructure | .001 Domains; .002 DNS Server |
| Resource Development | T1584 Stage Capabilities | .002 Upload Tool |
| Initial Access | T1189 Drive-by Compromise | |
| Initial Access | T1190 Exploit Public-Facing Application | |
| Initial Access | T1566 Phishing | .002 Spearphishing Link |
| Execution | T1204 User Execution | .001 Malicious Link |
| Credential Access | T1557 Adversary-in-the-Middle | |
| Credential Access | T1040 Network Sniffing | |
| Command & Control | T1071 Application Layer Protocol | .004 DNS |
| Command & Control | T1132 Data Encoding | |
| Command & Control | T1568 Dynamic Resolution | |
| Command & Control | T1573 Encrypted Channel | |
| Command & Control | T1008 Fallback Channels | |
| Command & Control | T1105 Ingress Tool Transfer | |
| Command & Control | T1572 Protocol Tunneling | |
| Command & Control | T1090 Proxy | .001 Internal Proxy; .002 External Proxy |
| Exfiltration | T1030 Data Transfer Size Limit | |
| Exfiltration | T1048 Exfiltration Over Alternative Protocol | .001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol; .002 Exfiltration Over Asymmetric Non-C2 Protocol; .003 Exfiltration Over Unencrypted Obfuscated Non-C2 Protocol |
Infoblox Support for PDNS Solutions
Infoblox BloxOne™ Threat Defense provides protective DNS capabilities to defend against today’s sophisticated threats, and brings extensive threat intelligence from multiple sources. BloxOne provides the most current, comprehensive, and accurate set of malicious hostnames, domains, IP addresses, and other relevant threat indicators. This enables DNS servers to detect and block activity such as command and control (C&C) communications to malicious destinations. Advanced behavioral analytics, machine learning and other advanced techniques applied to real-time DNS queries can rapidly detect and stop zero-day DNS tunneling, DGA, data exfiltration, Fast Flux, lookalike domains, and more.
Infoblox’s DDI (DNS, DHCP and IPAM) data can further provide invaluable information about the devices involved and actionable network context (what type of device it is, where it sits in the network, who it is assigned to, and its lease history). This information provides essential visibility into ongoing attacks and informs the remediation strategy.
Critically, integrating this data with SIEM and SOAR infrastructure can significantly reduce the time to detect threats and automate incident response. When Infoblox detects something malicious, a new device, or a new virtual workload on the network, it automatically shares that event information and context with existing security infrastructure such as endpoint EDR, SIEM, SOAR, and other solutions. This data can trigger those tools to block the device’s network access or scan it for vulnerabilities until it is deemed compliant with policy.
For more information:
- Learn more about BloxOne Threat Defense
- Learn more about protective DNS and DNS security
- If you want to know more, please reach out to us directly via https://info.infoblox.com/contact-form/.
- Also refer to this recent Gartner report, which recommends organizations leverage DNS logs for threat detection and forensic purposes with their Security Information and Event Management platforms.