Photo by Abbas Tehrani on Unsplash


Employing DNS in network security

Revealing Traces

Article from ADMIN 70/2022
By
A holistic approach to designing network architecture and cybersecurity uses DNS for cyber defense to detect attacks at an early stage and fend them off before major damage takes place.

The corporate network has long ceased to be a single perimeter with branch offices connected to the outside world by the Internet. In the growing network jungle, however, an overall perspective is often difficult to maintain, which is why dividing the network into individual silos to give it structure seems tempting at first glance. This approach would definitely be wrong, because thinking in silos causes problems. The most important is that isolated solutions often cannot communicate with one another, because each silo runs its own set of security tools – usually more than one.

Next-generation firewalls, web gateways, email security, endpoint security – the security solutions in the individual sectors are often piled up on top of one another. The unintended consequence of this strategy is that communication between the individual systems is poor, and often even incorrect. For example, if interfaces are not configured correctly, the security tools can trigger false or duplicate alerts among themselves, overwhelming what are already overburdened security teams. However, the tool for achieving a unified, comprehensive view of your network already exists – the Domain Name System (DNS). After all, as the hub of communications on the Internet, DNS can be the heart of integrated network management and security.

More Is Not Always Better

In IT departments, when workflows are not fully covered by just one security tool, communication interfaces need to be kept as up-to-date as possible at all times, and employees need to be constantly trained in the use of the many tools. These resources could be put to better use elsewhere. This problem is even more pronounced in large enterprises, which can be geographically widespread and might be working on restructuring such as mobile use, a multicloud rollout, or software-as-a-service (SaaS) and software-defined (SD)-WAN implementations. According to a Ponemon study sponsored by IBM [1], it still takes more than 280 days on average for a security breach to be detected, but containing a breach in under 200 days would save $1 million in costs.

Vulnerable Without Safeguards

Without DNS, any activity on the web would be messy, because DNS translates the hostnames people type into URLs into the far harder to remember IP addresses, helping users reach the websites they want. As convenient as DNS is for users, it can also be dangerous if it is not secured properly, because attackers use DNS to communicate with their targets and for data exfiltration. Whether the attack is meant to steal confidential company data (exfiltration), infiltrate with malware in small data packets (infiltration), or create separate communication tunnels to make transferring data even more convenient, hackers use DNS as an access vector into networks.

To understand how DNS can help you comprehensively secure your own networks, you need to look back to the early 2000s, when DNS security tended to be a minor concern. At the time, the Berkeley Internet Name Domain (BIND) servers – still an important standard in DNS today – had only two security features: They did not accept responses from IP addresses they had not queried (also known as Mars responses), and they inserted a random 16-bit number into outgoing requests and checked that the number came back in the responses. Only later did analysts discover that this test number was not really random. Little wonder, then, that DNS servers have long been a worthwhile target for attacks, such as the Li0n worm, which exploited a vulnerability in BIND. Moreover, DNS servers of all kinds are often used as amplifiers in distributed denial of service (DDoS) attacks and are still the target of such attacks to this day.

That said, over time, the security of DNS servers and DNS itself has improved. BIND has been optimized to support access control lists for almost everything: queries, recursive queries, zone transfers, and dynamic updates. The DNS community started to operate DNS servers in chrooted environments according to the principle of least privilege. Additionally, transaction signatures (TSIGs) and DNS security enhancements (DNSSEC) were introduced to further protect DNS. Even if DNS itself is not attacked, though, it remains the communication highway that hackers still use for their attacks.

DNS as the First Line of Defense

Cyberattacks are as varied as the attack vectors available to hackers, but almost all of them have one thing in common: They depend on DNS for almost all communication on the network. For example, more than 90 percent of malware uses DNS to exfiltrate data, redirect traffic, or communicate with the attacker in some other way. Conversely, DNS contains all the data you need to detect an attack. Defenders who keep an eye on their DNS at all times can take advantage of this fact, quickly detect unexpected atypical communications, and take countermeasures. Without question, this task is mammoth. Artificial intelligence helps keep track and automatically filter out harmful communication requests.

The potential of DNS as a security tool in its own right has only recently been recognized. The advent of response policy zones (RPZs) in 2008 meant that DNS servers could be leveraged to issue "benevolent lies" when they received an information request whose response could be damaging to the querying entity. At least as important was the ability to detect when a DNS server was queried for data known to be corrupted. Since then, companies have appeared that prepare DNS threat data in the form of RPZs and offer their customers this data commercially. Organizations can incorporate a variety of RPZ feeds into their DNS infrastructure and enable their DNS servers to protect users and systems against known malware propagation sites, command-and-control infrastructures, and much more.

RPZs are also helpful in centrally monitoring network health, such as detecting infections and security breaches across the board. A laptop that sends a query to a domain name that is clearly used by a certain type of malware is almost certainly infected with that malware. Armed with this knowledge, important measures can be taken quickly and efficiently without the need for one of the many other security tools to sound the alarm first. The benefits of central DNS as a security layer go even further: Organizations that archive all of their DNS query logs have an important tool at hand in the event of an infection. Even if the attacker is not immediately detected, these logs can be used to trace which other systems the hacker accessed and how they moved around the network. In this way, the attack can be reconstructed and retraced holistically.
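As an added illustration (not code from the article), the following Python script applies RPZ-style name matching to BIND query logs to flag the kind of client the paragraph describes: a host that asked for a name the policy zone would have rewritten. The RPZ zone fragment, the log lines, and every host and domain name in it are constructed for the example.

```python
import re

# Constructed RPZ zone fragment (BIND presentation syntax): "CNAME ." answers NXDOMAIN (the
# "benevolent lie"), "CNAME *." answers NODATA, "CNAME rpz-passthru." exempts a name.
RPZ_ZONE = """\
$ORIGIN rpz.local.
c2.badnet.example      CNAME .
*.c2.badnet.example    CNAME .
dropper.evil.example   CNAME *.
cdn.badnet.example     CNAME rpz-passthru.
"""
# Constructed BIND query-log lines in the "client IP#port (qname): query:" shape.
QUERY_LOG = """\
10-Mar-2022 09:12:01.123 client @0x7f1 10.1.20.55#51234 (www.example.com): query: www.example.com IN A + (10.1.0.2)
10-Mar-2022 09:12:03.456 client @0x7f2 10.1.20.77#40011 (beacon.c2.badnet.example): query: beacon.c2.badnet.example IN A + (10.1.0.2)
10-Mar-2022 09:12:04.001 client @0x7f3 10.1.20.77#40012 (dropper.evil.example): query: dropper.evil.example IN TXT + (10.1.0.2)
10-Mar-2022 09:12:05.900 client @0x7f4 10.1.20.91#53001 (cdn.badnet.example): query: cdn.badnet.example IN A + (10.1.0.2)
"""
LOG_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \((?P<qname>[^)]+)\): query:")
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}

def parse_rpz(zone_text):
    """Return {owner name: action}; owner names lowercased, no trailing dot."""
    policy = {}
    for line in zone_text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue                      # skip blanks and $ORIGIN/$TTL directives
        name, _, target = line.split()
        policy[name.lower().rstrip(".")] = ACTIONS.get(target, "LOCAL-DATA")
    return policy

def lookup(policy, qname):
    """RPZ QNAME matching: exact owner wins, otherwise the closest wildcard parent."""
    qname = qname.lower().rstrip(".")
    if qname in policy:
        return policy[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return None                           # no policy: the query is answered normally

def find_infected(policy, log_text):
    """Map client IP -> sorted names it queried that the RPZ would have rewritten."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and lookup(policy, m.group("qname")) in ("NXDOMAIN", "NODATA"):
            hits.setdefault(m.group("ip"), set()).add(m.group("qname").lower())
    return {ip: sorted(names) for ip, names in hits.items()}
```

Run over archived query logs, the same matching also supports the retrospective tracing described above: a host that appears in the result after a feed update was talking to that infrastructure before anyone knew it was bad.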
