By Peter Theobald | November 29, 2018
One very often overlooked component of enterprise security is DNS security. DNS is one of those everyday services that is usually taken for granted: you hand it a host name and it comes back with an IP address. How complex can that get, and why would DNS need security?
The primary reason DNS attacks are flourishing is that the DNS infrastructure the Internet runs on is largely unprotected, and attackers know and exploit that fact. DNS is designed simply to resolve names. It has no way to evaluate whether the website or other resource it is pointing a user or device towards is good or bad. Moreover, firewalls usually allow outbound UDP and TCP port 53 (the port DNS servers listen on for queries from DNS clients) without inspecting what goes over it, because blocking it breaks everything else. All this creates a perfect environment for attackers to abuse the DNS system.
Another reason DNS security is needed is that attackers use techniques such as Domain Generation Algorithms (DGAs) and Fast Flux to avoid detection by conventional protection systems. A DGA lets malware compute a fresh list of candidate domain names on the fly (typically from a seed such as the current date) instead of carrying a fixed command-and-control address; the operator registers only one or two of the day's names, and the malware tries them until one resolves. Because each name is in use for a day or less, it evades blacklists, signature filters, reputation systems, intrusion prevention systems and other security gateways: these domains often do not live long enough to make it onto any blacklist. In Fast Flux, attackers put a layer of constantly changing, usually compromised, hosts in front of their actual command-and-control (C2) servers, rotating the IP addresses behind a single domain name with very short TTLs, so that blocking any one address achieves nothing and the real servers stay hidden. Both techniques are clearly visible at the DNS layer (a client walking through many non-existent names, or one name answered with dozens of short-lived addresses), which makes DNS security the most direct place to protect against them.
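To make the two techniques concrete, here is an added example written for this article in Python; it is not code from the author or from any product. It contains a toy date-seeded DGA, a behavioural detector that flags a client which has queried many distinct non-existent names, and a Fast Flux detector that flags a name answered with many short-TTL addresses spread across several networks. The DGA itself, the thresholds, the client addresses and the query and answer logs are all constructed for the example and are not real traffic.

```python
import hashlib
import ipaddress
from collections import defaultdict
from datetime import date

# Toy date-seeded DGA (hypothetical; written for this example to show the
# mechanism, not modelled on any specific malware family). Malware and
# operator run the same algorithm, so the operator need only register one
# or two of the day's candidates; the rest never resolve.
def toy_dga(seed_date, count=10, tld=".com"):
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_date.isoformat()}:{i}".encode()).digest()
        length = 12 + digest[0] % 5                      # 12 to 16 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(label + tld)
    return names

# Behavioural DGA detection: a host that asks for many distinct names that do
# not exist (NXDOMAIN) in a short window is walking down a DGA list.
def flag_dga_clients(query_log, min_nxdomain=8):
    """query_log: iterable of (client_ip, qname, rcode). Returns flagged clients."""
    nx_names = defaultdict(set)
    for client, qname, rcode in query_log:
        if rcode == "NXDOMAIN":
            nx_names[client].add(qname.lower())
    return {c for c, names in nx_names.items() if len(names) >= min_nxdomain}

# Fast Flux detection: one name answered with many different IPs, spread over
# several networks, each with a tiny TTL so the rotation is fast.
def flag_fast_flux(answer_log, min_ips=5, min_nets=3, max_ttl=300):
    """answer_log: iterable of (qname, ip, ttl). Returns flagged names."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for qname, ip, ttl in answer_log:
        ips[qname.lower()].add(ip)
        ttls[qname.lower()].append(ttl)
    flagged = set()
    for qname, addrs in ips.items():
        nets = {ipaddress.ip_network(f"{a}/16", strict=False) for a in addrs}
        if len(addrs) >= min_ips and len(nets) >= min_nets and max(ttls[qname]) <= max_ttl:
            flagged.add(qname)
    return flagged

# Constructed sample data (not real traffic).
SEED_DATE = date(2018, 11, 29)
DGA_CLIENT, NORMAL_CLIENT = "10.0.0.7", "10.0.0.5"
QUERY_LOG = [(DGA_CLIENT, n, "NXDOMAIN") for n in toy_dga(SEED_DATE)]
QUERY_LOG[0] = (DGA_CLIENT, QUERY_LOG[0][1], "NOERROR")   # the one name the operator registered
QUERY_LOG += [
    (NORMAL_CLIENT, "www.example.com", "NOERROR"),
    (NORMAL_CLIENT, "mail.example.com", "NOERROR"),
    (NORMAL_CLIENT, "wwww.example.com", "NXDOMAIN"),      # an ordinary typo
]

ANSWER_LOG = [
    ("www.example.com", "10.1.2.3", 3600),
    ("www.example.com", "10.1.2.3", 3600),
] + [("update.fluxnet.example", ip, 60) for ip in (
    "192.0.2.10", "198.51.100.20", "203.0.113.30",
    "192.0.2.99", "198.51.100.7", "203.0.113.200")]

if __name__ == "__main__":
    print("Today's DGA candidates:", toy_dga(SEED_DATE))
    print("DGA clients:", flag_dga_clients(QUERY_LOG))
    print("Fast Flux names:", flag_fast_flux(ANSWER_LOG))
```

The behavioural check is deliberately independent of how the names look: lexical features (length, entropy, vowel ratio) help, but a burst of distinct NXDOMAIN answers from one host is the signal that survives when a DGA switches to dictionary words. The Fast Flux thresholds are illustrative; in practice they are tuned against legitimate CDNs, which also rotate addresses but usually within a few networks and with longer TTLs.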
So how does it work? It's quite simple. All you have to do is change your DNS server setting so that your clients point to the resolver operated by us. All DNS requests then come to us, and in addition to doing the actual resolution we run a security check on the name being queried and on the IP address that is about to be returned. If either is malicious, or part of a DGA or Fast Flux scheme, the query simply does not get resolved and the client receives a not-found answer. A nice by-product is that, since this malicious traffic never actually hits your network, the load on your perimeter security devices goes down and they can handle more growth and traffic without needing an upgrade. One caveat: the protection only covers queries that actually pass through the resolver, so outbound port 53 from the rest of the network should be restricted to it; otherwise malware can simply ask another resolver directly.
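As an added illustration of the resolution-plus-policy step described above (example code written for this article, not the service's own implementation), the following Python sketches a resolver that applies a domain blocklist before recursion and an IP blocklist to the answer afterwards. A blocked query gets NXDOMAIN, or, where a rule is configured that way, is answered with a sinkhole address we control so the attempt is logged; the sinkhole option, the blocklist entries, the upstream answer table and every address in it are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy data (hypothetical names and addresses, not a real feed).
BLOCKED_DOMAINS = {
    "c2.badactor.example": "sinkhole",   # answer with our sinkhole so the client's attempt is logged
    "fluxnet.example": "nxdomain",       # covers every subdomain as well
}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed C2 hosting range
SINKHOLE_IP = "192.0.2.1"                                     # our own listener (TEST-NET address)

# Constructed upstream answers standing in for real recursion.
UPSTREAM = {
    "www.example.com": "10.1.2.3",
    "update.fluxnet.example": "198.51.100.20",
    "c2.badactor.example": "198.51.100.44",
    "cdn.innocent-name.example": "203.0.113.77",   # harmless-looking name, bad hosting
}

@dataclass
class Verdict:
    qname: str
    action: str          # "pass", "nxdomain" or "sinkhole"
    answer: str = None   # IP handed to the client, None for nxdomain
    reason: str = ""

def _domain_rule(qname):
    """Walk up the name so a rule for fluxnet.example also covers update.fluxnet.example."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate, BLOCKED_DOMAINS[candidate]
    return None, None

def resolve(qname):
    """Resolve a name with policy applied before and after recursion."""
    qname = qname.lower().rstrip(".")            # DNS names are case-insensitive
    rule, action = _domain_rule(qname)
    if action == "nxdomain":
        return Verdict(qname, "nxdomain", None, f"name under blocked domain {rule}")
    if action == "sinkhole":
        return Verdict(qname, "sinkhole", SINKHOLE_IP, f"name under blocked domain {rule}")
    answer = UPSTREAM.get(qname)                 # stands in for the real recursive lookup
    if answer is None:
        return Verdict(qname, "nxdomain", None, "upstream NXDOMAIN")
    addr = ipaddress.ip_address(answer)
    for net in BLOCKED_NETWORKS:
        if addr in net:                          # the name was fine, the destination is not
            return Verdict(qname, "sinkhole", SINKHOLE_IP, f"answer {answer} in blocked network {net}")
    return Verdict(qname, "pass", answer)

if __name__ == "__main__":
    for name in ("www.example.com", "update.fluxnet.example",
                 "c2.badactor.example", "cdn.innocent-name.example", "nosuch.example"):
        print(resolve(name))
```

Checking the returned address as well as the queried name is what lets the resolver catch a brand-new DGA domain that happens to land on known bad infrastructure. Production resolvers such as BIND implement this pattern as Response Policy Zones (RPZ), where the same rules are expressed as zone data and kept up to date by a feed; the example simply makes the evaluation order visible.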
Implementing this additional layer of security is very simple since all it requires is a configuration change; no additional hardware or software is needed. Running a proof of concept (POC) also validates the effectiveness of your existing security technologies: if the DNS layer finds a lot of activity that your existing solutions are missing, that is cause for concern.
Finally, this solution also addresses data exfiltration over DNS. Attackers wanting to send data out of an organization sometimes break it up into small chunks, encode each chunk as a label in a query name under a domain they control, and let ordinary resolution carry the queries to their own rogue authoritative DNS server, where the chunks are reassembled. Because the data leaves as queries rather than as a connection, nothing at the perimeter sees a file being transferred; a DNS security layer that looks at query volume and name patterns, not just the destination domain, can stop this outflow. Additionally, even if you are attacked by an "Advanced Persistent Threat" or ransomware, the malware has to communicate with its command-and-control (C2) servers for instructions on how to take the attack further, and that communication normally starts with a DNS lookup. Blocking that lookup at the DNS security layer stops the attack in its tracks.
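The following added example (written for this article, not the author's or any product's code) shows both halves of the exfiltration problem in Python: the encoder chunks a payload into base32 labels under an attacker-controlled zone, exactly as a resolver would see the queries, and the detector flags a client that sends many unique, long-labelled names to a single zone. The zone name, client addresses, sample payload and thresholds are all constructed for the example.

```python
import base64
from collections import defaultdict

# --- Exfiltration side: turn bytes into DNS query names ---------------------
def encode_exfil(data, zone, chunk_bytes=30):
    """Base32 keeps each chunk inside the hostname alphabet, and 30 raw bytes
    become 48 characters, under the 63-byte limit for a single DNS label.
    A sequence label lets the receiver reorder chunks that arrive out of order."""
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk_bytes)):
        chunk = base64.b32encode(data[offset:offset + chunk_bytes]).decode().rstrip("=").lower()
        name = f"{chunk}.{seq}.{zone}"
        assert len(chunk) <= 63 and len(name) <= 253       # DNS label and name limits
        names.append(name)
    return names

def decode_exfil(names):
    """What the rogue authoritative server does with the names it receives."""
    chunks = {}
    for name in names:
        chunk, seq = name.split(".")[:2]
        padded = chunk + "=" * (-len(chunk) % 8)            # restore base32 padding
        chunks[int(seq)] = base64.b32decode(padded, casefold=True)
    return b"".join(chunks[i] for i in sorted(chunks))

# --- Detection side: what the resolver can see ------------------------------
def flag_exfil(query_log, min_unique=20, min_label_len=32):
    """query_log: iterable of (client_ip, qname). Flags (client, zone) pairs where
    the client sent many distinct names whose longest label is unusually long."""
    longest = defaultdict(dict)          # (client, zone) -> {qname: longest label length}
    for client, qname in query_log:
        labels = qname.lower().rstrip(".").split(".")
        zone = ".".join(labels[-2:])     # crude registered-domain guess; real tools use the public suffix list
        longest[(client, zone)][".".join(labels)] = max(len(label) for label in labels)
    flagged = set()
    for key, per_name in longest.items():
        if len(per_name) >= min_unique and sum(per_name.values()) / len(per_name) >= min_label_len:
            flagged.add(key)
    return flagged

# Constructed sample data (not a real payload or real traffic).
SECRET = bytes(range(256)) * 4           # 1024 bytes to smuggle out
EXFIL_ZONE = "drop.example"              # hypothetical attacker-controlled zone
EXFIL_CLIENT, NORMAL_CLIENT = "10.0.0.7", "10.0.0.5"
EXFIL_LOG = [(EXFIL_CLIENT, n) for n in encode_exfil(SECRET, EXFIL_ZONE)] + [
    (NORMAL_CLIENT, "www.example.com"),
    (NORMAL_CLIENT, "mail.example.com"),
    (EXFIL_CLIENT, "www.example.com"),
]

if __name__ == "__main__":
    names = encode_exfil(SECRET, EXFIL_ZONE)
    print(f"{len(SECRET)} bytes became {len(names)} queries, e.g. {names[0]}")
    print("Flagged:", flag_exfil(EXFIL_LOG))
```

The detector keys on behaviour rather than on a blacklist because the zone is attacker-registered and will not be on any list at first use. The thresholds matter: a low-and-slow channel that sends a few short labels per hour will slip under them, so in practice the per-zone unique-name count is tracked over long windows and compared against what the same client normally does.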
To summarize, DNS security provides an additional layer of protection for any enterprise. Easy to implement, it can add significant value to the security posture of the organization. Do get in touch with us if you would like to evaluate it.