Every action on the Internet relies on the Domain Name System (DNS), which lists, tracks, and matches domain names to machine-readable IP addresses to make sure traffic gets where it's meant to go. Because it's such a basic part of the Internet, many organizations take it for granted—and that's made the world's 30 to 50 million DNS servers an increasingly popular cyber attack vector.
A recursive DNS server's only function is to resolve user requests; it has no way of knowing whether the connection it enables is benign or malicious. At many enterprises, firewalls do not inspect traffic on port 53, the port DNS servers listen on for queries, and the default firewall configuration often allows inbound DNS requests from the public Internet so that the DNS service can respond.
This openness and lack of inspection make DNS an ideal target for malware, ransomware, and phishing attacks. Once a threat lands, it uses DNS to connect the infected endpoint to a command and control (CnC) server controlled by a cybercriminal and to spread malware to other endpoints on the network. Once a machine is compromised, the attacker can steal personally identifiable information, intellectual property, or other sensitive company and customer data by encrypting, compressing, and chopping it into packets small enough to fit inside a DNS query, which are then easily transmitted outside the network.
Yet the same ubiquity that makes DNS an attractive target for attack also provides an opportunity to bolster network security. Because every web request from the enterprise begins with DNS, it’s the perfect proactive control point to secure companywide visibility into web requests and apply security policy.
A DNS-based approach to security checks every domain request against real-time, risk-scored threat intelligence, blocking access to malicious domains and services before the IP connection is made and letting all other traffic pass without slowing connectivity. It also calls for regular monitoring of DNS logs for irregular traffic patterns and suspicious queries: queries made outside business hours, queries that use non-standard domain naming conventions, and queries to domain names that were registered only a short time ago and accessed soon after registration.
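The three log heuristics named above (off-hours queries, non-standard names, and freshly registered domains) can be run over resolver logs with a short script. The following is an added example written for this page, not Akamai's code or product logic; the log line format, the business-hours window, the label-length and entropy thresholds, and the registration-date table standing in for a WHOIS/RDAP or threat-intelligence feed are all assumptions, and the sample log lines are constructed.

```python
"""Flag suspicious queries in a recursive DNS resolver log.

Implements the three heuristics from the text: queries outside business
hours, non-standard (machine-generated looking) names, and queries to
domains registered only days before they were looked up. The log format,
thresholds and registration table are assumptions for this example.
"""
import math
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed log line format: "<ISO8601 UTC> client=<ip> qname=<name> qtype=<type>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)$"
)

BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 UTC, assumed working day
MAX_LABEL_LEN = 40                 # labels longer than this look encoded
MAX_LABEL_ENTROPY = 3.8            # bits per char; random-looking labels score higher
MIN_LABEL_LEN_FOR_ENTROPY = 16     # entropy is meaningless on very short labels
NEW_DOMAIN_DAYS = 7                # "registered only a short time ago"

# Constructed registration dates standing in for a WHOIS/RDAP or threat-intel feed.
REGISTRATION_DATES = {
    "example.com": datetime(1995, 8, 14, tzinfo=timezone.utc),
    "fresh-login-portal.example": datetime(2024, 3, 2, tzinfo=timezone.utc),
}


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Crude last-two-labels approximation; a real deployment would use
    the Public Suffix List (kept simple here as an assumption)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_line(line):
    """Parse one log line and return its heuristic findings, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    qname = m["qname"].rstrip(".").lower()
    reasons = []

    if ts.hour not in BUSINESS_HOURS:
        reasons.append("off-hours")

    labels = qname.split(".")
    longest = max(labels, key=len)
    if len(longest) > MAX_LABEL_LEN:
        reasons.append("long-label")
    elif len(longest) >= MIN_LABEL_LEN_FOR_ENTROPY and shannon_entropy(longest) > MAX_LABEL_ENTROPY:
        reasons.append("high-entropy-label")

    reg = REGISTRATION_DATES.get(registrable_domain(qname))
    if reg is not None and (ts - reg).days < NEW_DOMAIN_DAYS:
        reasons.append("newly-registered")

    return {"client": m["client"], "qname": qname, "reasons": reasons}


def analyze_log(lines):
    """Return only the queries that triggered at least one heuristic."""
    findings = []
    for line in lines:
        r = analyze_line(line)
        if r and r["reasons"]:
            findings.append(r)
    return findings


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2024-03-04T10:15:02Z client=10.0.0.21 qname=www.example.com. qtype=A",
    "2024-03-04T02:41:13Z client=10.0.0.33 qname=fresh-login-portal.example. qtype=A",
    "2024-03-04T11:05:44Z client=10.0.0.21 qname=3f9a1c7e2b8d4f6a9c0e1b2d3a4f5e6c7d8e9f0a1b2c3d4e5f6a7b8c.svc.example.com. qtype=TXT",
    "2024-03-04T14:22:09Z client=10.0.0.40 qname=k7x2mq9wz4pb1rn8vd3h.example.com. qtype=A",
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['qname']}: {', '.join(f['reasons'])}")
```

Each heuristic is weak on its own (legitimate CDN hostnames can be long, and night-shift staff exist), so the findings are better treated as a triage queue or fed into a SIEM correlation rule than blocked outright; the newly-registered check is the strongest single signal and is the one most worth backing with a real registration feed.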
This approach works best when used in conjunction with other enterprise threat protection systems and policies. For example, you should prevent employees from connecting to malicious sites by implementing a comprehensive Acceptable Use Policy, and lock down employee systems so they cannot change DNS settings or install third-party VPNs to bypass security controls. You should also configure your edge firewall to block outbound traffic on DNS port 53 unless it's from a known, trusted source to a trusted destination, and to block all entry nodes of the anonymous Tor network.
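The egress rule just described (port 53 leaves the network only from approved internal resolvers to approved upstream resolvers, and nothing reaches Tor entry nodes) is easy to state and easy to drift away from, so it is worth auditing firewall flow logs against it. The following is an added example for this page, not Akamai's code; the flow-log format, the addresses (all from documentation ranges), the resolver inventory and the single placeholder Tor entry node are constructed, and in practice the last two would come from an asset inventory and a Tor node feed.

```python
"""Audit outbound flows against the egress policy in the text: DNS (port 53)
may leave the network only from approved internal resolvers to approved
upstream resolvers, and nothing may reach known Tor entry nodes.
Log format, addresses and the node list are constructed for this example.
"""
import ipaddress
import re

# Assumed flow-log format:
# "<ts> proto=<udp|tcp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\S+)$"
)

# Policy inputs (constructed; real values come from the resolver inventory and a Tor node feed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_RESOLVERS = {ipaddress.ip_address("10.0.53.10"), ipaddress.ip_address("10.0.53.11")}
TRUSTED_UPSTREAMS = {ipaddress.ip_address("198.51.100.53")}  # e.g. the DNS-security provider's resolver
TOR_ENTRY_NODES = {ipaddress.ip_address("203.0.113.7")}       # placeholder entry from a feed


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def evaluate_flow(proto, src, dst, dport):
    """Return the policy verdict for one flow.

    Verdicts: 'allow', 'deny-dns-bypass', 'deny-untrusted-upstream', 'deny-tor-entry'.
    """
    if not is_internal(src) or is_internal(dst):
        return "allow"  # not an outbound flow; out of scope for the egress rule
    if dst in TOR_ENTRY_NODES:
        return "deny-tor-entry"
    if dport == 53 and proto in ("udp", "tcp"):
        if src not in TRUSTED_RESOLVERS:
            return "deny-dns-bypass"        # an endpoint talking to an external resolver directly
        if dst not in TRUSTED_UPSTREAMS:
            return "deny-untrusted-upstream"
    return "allow"


def audit_log(lines):
    """Flag flows the firewall allowed but the policy says it should have blocked."""
    gaps = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        verdict = evaluate_flow(
            m["proto"],
            ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]),
            int(m["dport"]),
        )
        if verdict != "allow" and m["action"] == "allow":
            gaps.append((m["src"], m["dst"], int(m["dport"]), verdict))
    return gaps


# Constructed sample flow log (not real traffic).
SAMPLE_FLOWS = [
    "2024-03-04T09:00:01Z proto=udp src=10.0.53.10 dst=198.51.100.53 dport=53 action=allow",  # resolver -> trusted upstream
    "2024-03-04T09:00:05Z proto=udp src=10.0.0.21 dst=192.0.2.1 dport=53 action=allow",       # workstation bypassing the resolver
    "2024-03-04T09:00:09Z proto=tcp src=10.0.53.11 dst=192.0.2.1 dport=53 action=deny",       # already blocked by the firewall
    "2024-03-04T09:00:12Z proto=tcp src=10.0.0.21 dst=203.0.113.7 dport=443 action=allow",    # Tor entry node
    "2024-03-04T09:00:15Z proto=tcp src=10.0.0.21 dst=198.51.100.80 dport=443 action=allow",  # ordinary web traffic
]

if __name__ == "__main__":
    for src, dst, port, verdict in audit_log(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} {verdict}")
```

Running this against real flow logs turns the policy into a regression check: any `deny-dns-bypass` hit is a host that has either had its DNS settings changed or is running software with its own resolver, which is exactly the endpoint lockdown failure the paragraph warns about.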
Finally, DNS-based security works best when you separate outbound traffic from data center traffic and screen DNS traffic from the data center to ensure none of it is being directed to a suspicious domain.
A layered defense is only as secure as its weakest link. Understand the innate vulnerabilities of recursive DNS and proactively implement the appropriate protection, instead of dealing with the costly consequences of an attack.
For more information, visit Akamai