What is Secure DNS and Why Do I Need it?
What is Secure DNS and Why Do I Need it?
Secure DNS infrastructure is an essential component of any cybersecurity program. Unfortunately, DNS exploits get far less media attention than other attacks, so many organizations don’t fully appreciate the threat they pose.
Research by Cisco indicates more than 91% of malware attacks use DNS exploits in one way or another. Despite this, many organizations don’t monitor traffic, leaving them vulnerable to malware, ransomware, and data exfiltration attacks. To explain why those exploits pose such a huge security risk and what your organization can do to prevent them, we need to start at the beginning.
What is DNS?
DNS stands for Domain Name Services. It exists for two reasons.
First, Humans find IP addresses hard to remember but can easily recall domain names and asset names. For example, www.link11.com or Server1 is much easier to remember than an IP address like 192.168.1.1
Second, Human-readable domain and asset names are meaningless to computers. Computers need an exact IP address before they can retrieve a user’s desired content or make a connection.
DNS solves this problem by mapping domain and asset names to IP addresses. This enables a user or administrator to search using a name that’s easy to remember but still get the results they want. To understand how this works, we need to look at two different types of requests: Internal and external.
An internal request is a request to connect to something within the same network as the user. The process is simple:
- A user (usually an administrator) sends a connection request within their network to a named asset, for example, Server1.
- Their local DNS server looks up the asset name in its host table and finds the appropriate IP address.
- The server returns the IP address to the user, and the connection is made.
An external request is a request to connect to something over the Internet. This process is slightly more complicated:
- A user types a domain name into their browser’s address bar—for example, www.link11.com.
- Their local DNS server looks up the address in its host tables and tries to find the IP address.
- If the server successfully finds the appropriate IP address, it routes the user’s request to the desired website or service, and the connection is made.
- If the internal server doesn’t find the IP address (i.e., because that address isn’t in its host tables), it connects to a predetermined external DNS server to find the address. Usually, the first port of call is the server operated by the organization’s ISP.
- If that server still doesn’t have the address, the internal server tries another (and another) until it gets the IP address.
- Once all that is complete, the internal server returns the IP address to the user, and the connection is made.
While this process may still appear simple, there’s a bit more to it. Stay with us because all of this will be important later when we discuss security issues (and how to prevent them).
Recursive vs. Iterative DNS
As you’ve probably gathered, your organization’s DNS server only has records for your network plus a few common websites that have been stored via DNS caching when another user connected to them.
Often, the first external server contacted won’t have the records needed to give the querying user (or, more accurately, their device) the IP address they need to reach their desired content. To solve this problem, internal servers often communicate with multiple external servers to get the IP address.
There are two ways this happens:
- Iterative DNS — the internal server communicates directly with each external DNS server in turn until it gets the IP address.
- Recursive DNS — the internal server communicates with an external ‘recursive’ DNS server, which then communicates with several other servers simultaneously to retrieve the IP address.
Note that the user’s device always communicates with its internal server, which then communicates with external servers in an iterative or recursive manner.
The Role of DHCP
DNS is just one of the services needed within a standard TCP IP network. All it does is map domain and asset names to IP addresses. In addition to a DNS server, organizations also need a DHCP (Dynamic Host Control Protocol) server to dynamically assign IP addresses to new assets as they join the network.
When DNS and DHCP are combined, you get Dynamic DNS, an essential component of any modern business network. With Dynamic DNS, whenever the DHCP server assigns an IP address to a new asset (e.g., a server or endpoint), it also writes the IP address to the server’s host table so it can be mapped to the relevant asset.
Without this process, new assets would automatically be assigned an IP address on connection, but the server wouldn’t know they were there. As a result, an administrator trying to connect to the asset using its name (e.g., Server1) wouldn’t be able to because the server wouldn’t know where to route the request.
And it’s at this point we start to encounter security issues in the DNS protocol.
DNS may be simple conceptually, but it faces four major security issues:
- Inability to distinguish between good and bad requests.
Internal servers will return information to any device that asks for it. Remember how Dynamic DNS ensures your server host tables include IP information for every asset connected to your network? This makes them a good source of information for attackers when carrying out internal reconnaissance.
- DNS poisoning.
If an attacker can access your network’s internal server, they can ‘poison’ the host tables with malicious entries. Now, when a user tries to connect to a website or asset, their connection can be sent somewhere else entirely, such as a malicious online download or inappropriate website.
- DNS tunneling.
DNS tunneling is a common technique used to steal sensitive information from inside a compromised network. The process looks like this:
- An attacker gains access to your network, compromises a host, and finds the data they want to steal.
- The attacker sets up a DNS domain on the Internet and directs your internal DNS server to connect to it when it needs to lookup an IP address.
- On the compromised host, the attacker uses a program to break up the data to be stolen into small chunks and ‘hides’ them inside a series of lookups directed to the DNS server.
- The internal server receives these requests, sees that it doesn’t have the necessary IP addresses in its cache, and relays the requests to the malicious server.
- The attacker then runs another program to extract the stolen information from the lookups once they reach the malicious server and reassemble it into its original form.
That may seem like a lot of effort, but in reality, attackers can complete the process quickly using commodity malware and a cheap web host that doesn’t ask too many questions. Even worse, this technique can be (and is) used to steal vast amounts of sensitive information, and the victim organization often never finds out.
- DNS amplification attacks.
As we’ve already noted, DNS servers don’t verify incoming requests. This leaves them open to a common form of DDoS attack known as a DNS amplification attack. The attacker uses a botnet to send high volume requests and uses a ‘spoofed’ IP address, so the server’s responses go to the target victim. The objective is the same as any other DDoS attack—to overwhelm the target server so it can’t function properly.
To increase the attack’s magnitude, attackers use a technique called amplification, where requests ask for a lengthy response. The victim then receives a flood of long DNS responses that is more effective at disrupting or disabling their server.
Prevent Cyber Threats with Secure DNS
Since exploits are so common, DNS-layer security can block a very high proportion of malware and ransomware threats. Powerful security solutions can check requests in real-time to determine whether they are legitimate. These solutions check every request against data from billions of requests, WHOIS records, and Border Gateway Protocol (BGP) routing information to identify suspicious domains with a high degree of accuracy. Best of all, if a domain is associated with other domains, services, or servers known to be related to malicious or inappropriate content, the request can be blocked before any harm is done.
Protect against threats with Link11 Secure DNS
Link11’s protection solution resolves DNS requests using a global network of servers to maximize speed, availability, and reliability for your organization and its customers—with no additional hardware or software required. Your internal DNS server communicates directly with our recursive DNS server, which does the hard work of finding the correct IP address for each domain requested.
Critically, our solution includes the threat intelligence, hijacking prevention, and other security capabilities needed to identify and prevent all of the DNS threats explained above. Combined, these capabilities make the technology faster, more reliable, and much more secure than other options.
This process enables a host of security benefits, including:
- Blocking dangerous connections between users and malicious content.
- Stopping C2 connections and data exfiltration.
- Blocking malware and ransomware downloads.
- Preventing malicious cryptomining.
- Disarming security incidents and alerts before they happen.
- Preventing DNS-based DDoS attacks before they reach your servers.
Find out more about Link11’s protection solution.