The Domain Name System (DNS) is a central point in every network, and is essential for internet communication. For a long time now, cyber criminals have identified DNS as a weak point for attacks. However, it is better to use the system as an active defence than simply making the DNS secure against attacks! The aim of proactive DNS-level security – for example, using DNS data to contain threats that are missed by network-based controls – is to block threats before they can reach the corporate network or endpoints. In this blog post, we will show you exactly how to do this and what you should look for to help you choose the right solution.
The Domain Name System (DNS) translates IP addresses into domain names and vice versa. When users enter a specific URL into the browser, the DNS adds the corresponding IP address of the server. In order to recognise the host name, the server must start a DNS query. The reverse lookup refers to the client’s IP address. Hence, the DNS is regarded as a kind of “phone book” for the internet. The DNS was developed in the 1980s; it has no security function whatsoever, and is based on the assumption that people and companies actually are who they say they are. At that time, it could not have been foreseen that the Internet’s evolution into the central pivot of our daily lives would also be the basis for various criminal schemes. The real problem is the open, distributed architecture of the DNS.
Today, cyber criminals are abusing this time-honoured system, using it as a loophole for their activities. Whether hackers are tapping confidential company data (data exfiltration), infiltrating malware in chunked packets (data infiltration) or building tunnels to transport data without authorisation, they have discovered that the DNS can be used to penetrate other people’s systems, encrypt data and steal information – and even destroy data. Attacks are becoming more and more frequent and organisations are increasingly dispersed, so organisations face the challenge of protecting their networks and data at the same time as they are modernising their technology stack. This means that DNS-level security controls are an important aspect of the security strategy.
Next-generation firewalls, email security, endpoint security and web gateways are important defence in depth tools to protect against multiple threat vectors. However, there are still gaps and open doors that allow attackers to penetrate networks, to spread laterally and steal data. The Domain Name System is a critical network infrastructure which is required for online connectivity. Most malware, including ransomware, relies on DNS to connect to their command and control (C2) servers and download encryption software and other malicious tools to the compromised device. It is an unfortunate fact that many security tools do not check DNS, and this gives attackers a “free pass” to bypass existing security measures and carry out cyber-attacks.
DNS can also be misused to infiltrate malware or for the exfiltration of data. This exfiltration of data via DNS (or DNS tunnelling) can be done by breaking sensitive data into small pieces and embedding them in DNS traffic to the internet. OilRig is an example of a threat group that has used DNS tunnelling extensively. In the SUNBURST supply chain attack, the malware uses DNS as a means of exfiltration of data about the victim.
Providing DNS servers with threat intelligence on known C2 and other malicious targets can close the back channel used by malware. This makes your DNS the first line of defence against malware. Servers do not resolve search queries to these malicious websites, so users are prevented from accessing a malicious website, and communication with C2 servers from compromised devices is blocked. By coupling threat intelligence with DNS query analysis, another layer of defence is provided by detecting zero-day threats on a DNS basis.
Many companies have already identified this DNS vulnerability, and they are trying to close this gap with dedicated DNS servers, regular scans and vulnerability software. Yet beyond pure security hygiene, more and more companies are recognising DNS’ value as an active line of defence embedded in a deep, comprehensive security concept. This makes sense, because the DNS is a component of each network connection – be it a malicious or a harmless one. The DNS is uniquely positioned in the network to act as a central control point for deciding whether a benign or malicious request has been received.
A DNS-based security strategy prioritises preventive protection. A secure DNS security service, acting as a link between users, browsers and web content, can enforce security policies and block suspicious connections. For example, content such as pornography, gambling and what are known as hate sites can be filtered out.
The DNS, as the middleman in any network connection, is an omniscient source of information about tens of millions of internet domain names and billions and billions of active IP addresses. These can be matched against hackers and cyber criminals TTPs (tactics, techniques and procedures). DNS Threat Intelligence can be integrated with other open source and other threat intelligence feeds, as well as with analytics systems such as EDR (Endpoint Detection and Response) and SIEM (Security Information and Event Management), and thus deliver a comprehensive, situation-oriented picture of the security position. At the same time, DNS security services assist with the coordination of incident response by sharing IOCs (Indicators of Compromise) as well as IOAs (Indicators of Attacks) with other security technologies like firewalls, network proxies, endpoint security, NACs (Network Access Controls) and vulnerability scanners, giving them a wealth of contextual information.
Transparency is the first step to protecting the network and what is on it. In today’s world of physical data centres, multi-cloud deployments, direct-to-internet branch offices and IT/OT systems, complete transparency seems like almost a utopian concept. However, there is a network resource that you already have that largely enables you to have this complete transparency: DNS, together with the DHCP and IP Address Management (IPAM). Together they are referred to as DDI, and they form the basis of the core network services which is what, in the first place, enables all communication over an IP-based network.
The DHCP server is able to identify system characteristics like device type and operating system version, while the IPAM metadata provides information about the network location and username (when it is integrated with Active Directory). This is critical information for investigating incidents, as you then have all the forensic information needed to rapidly understand how serious and extensive the incident is. In addition, DNS also offers a valuable audit trail which tells you exactly which resources have been accessed by a specific asset, and which resources have been accessed by a specific facility at a specific time. Therefore, using DDI enables you to identify in real time.
It is important to have the ability to detect and block malicious domains, URLs and IP addresses in real time. Integrations with DNS firewalls, DNS threat intelligence services and the other security infrastructure need to be included in the package. Using behavioural analysis, DNS packets are closely examined for size, time, type of encryption and other discrepancies. This is the only way to prevent misuse of the DNS for tapping data. A hybrid architecture consisting of on-premises appliances and cloud-based components provides optimal security for subsidiaries, and working from home or on the move.
The central management of all DNS traffic is another fundamental component. Only by means of management functions for policies, configurations and reporting can security teams have an overview of all alerts, the status of logged-in devices and potential threats.
Last but not least, you should choose a manufacturer that can offer integrations and alliances with other security manufacturers. In the widely branching security landscape, integration is the future. Security can be guaranteed in real time only if there is interoperability between different components and everyone has access to the relevant information. Security teams are only too aware that they do not need yet another isolated tool in their networks that does not exchange data and is not interoperable. Integrating security and network tools provides a way of sharing data and accelerating response times. Since DNS, DHCP and IPAM are a treasure trove of forensic (and contextual) information, integrating SIEM and SOAR tools (security orchestration, automation and response) into the DDI platform can assist security operations.
Infoblox is the leading manufacturer for DNS, DHCP and IPAM solutions. The solution brings together the power of local application-based services with advanced decentralised database technology. This ensures consistent management with optimum availability, control and transparency. Would you like to know more about Infoblox and its benefits? We would be happy to show you Infoblox’s capabilities in detail and support you with all your cyber security needs. Do you have any questions?
You can be hit by a security incident, even despite all the security measures, so it is crucial to be prepared for such an incident in order for rapid, professional action to be taken. Our Incident Response Retainer is the optimal, most effective solution. In a shared onboarding workshop, we prepare you for an emergency. Should one occur, our CSIRT (Computer Security Incident Response Team) can react correctly together with you – quickly, competently and with a lot of experience – 24/7. You can find out more about our Incident Response Retainer here: