Why Protecting DNS Requires More Than Firewalls

(This week’s blog article was originally published in March 2017, but still rings true today).

Way back when, in the early days of the Internet, all we needed to protect our systems was a firewall. You’d set up a Nokia box or a Cisco PIX, enable a few rules, and walk away, safe in the knowledge that your servers and services were protected. But the world has changed, and despite the hard work of the firewall vendors, the threat landscape has changed even faster.

Back in those olden days, all you had to worry about were common Internet ports: FTP, SMTP, HTTP and HTTPS. You’d keep the ports you were using open, and block everything else, filtering the traffic on allowed services. But today’s attackers are more sophisticated, using previously safe technologies like DNS to unobtrusively exfiltrate data from your networks.

That change in the way networks are attacked is a problem, if like many companies, you protect your network using traditional firewalls. If you’re using a traditional DNS, then you’re likely to be at risk of any techniques used to exfiltrate data over DNS queries, or using it as a command and control channel for malware in your network. As these attacks use non-standard channels, they get around even next-generation firewalls and DLP systems. DNS attacks aren’t just a novel way of extracting stolen data from a network, they’re also a growing DDoS threat, as exemplified by the Mirai botnet.

So what do you do if your firewalls don’t protect your DNS? You need to take a different approach.

Risks of the old, traditional firewalls

If you’re using a traditional firewall to secure DNS, alongside log-file analysis tools, then you’re putting your services and your data in danger.

1. There’s a high chance of false positives, locking users and customers out of your systems because log analysis tools are not real-time. More dangerously there’s also the issue that after the incident analysis may not pinpoint breaches, putting you at significant risk.
2. A massive attack can quickly overwhelm systems based around traditional firewalls, especially when combined with attack magnification as a result of retries by legitimate users. As these systems are slow they can add risk.
3. A new class of attacks on DNS servers are slow and can easily be hidden in amongst legitimate traffic, making them very hard to identify and defend against. These attacks include DNS water torture, which uses subtly malformed queries and as a result is hard to spot using traditional tools.
4. Some techniques used by attackers, like DNS exfiltration and DNS tunneling tools, are now commonly used and have been added to the toolkits of attackers. They may not be as fast as extracting data over HTTP or FTP, but as they’re not tracked by most DLP tooling, they’re hard to spot until after your data has been stolen.
5. Much of these class DNS attacks are new; and as a result, are more likely to be based around zero-days. That means it’s hard to get fixes and updates rolled out to firewalls in time to avoid compromises.

In today’s threat environment protecting DNS is critical, but without specialized tools, you’re just increasing your chances of either a damaging DDoS or a breach. How should you protect your DNS?

Armor up with a modern DNS server

Luckily there is an answer to the question.

Modern DNS servers, like those from EfficientIP, take a very different route to delivering a secure DNS. Instead of relying on external firewalls and out-of- band log file analysis, they build the tools you need into the heart of the DNS server itself. That’s on top of delivering a fast, high-performance DNS server that can handle the high volume of queries that a DDoS attack will deliver.

That means they’re both query-aware and transaction-aware, techniques that quickly unveil the tools attackers are using. By being query-aware they’re able to spot and block malicious queries before they are delivered to the DNS engine, protecting it from attacks like DNS water torture. Transaction awareness is also key, as by using DNS Transaction Inspection (DTI) to assess the validity and correctness of DNS traffic, in the specific context of each client, a DNS server is able to spot exfiltration.

The result?

Using a modern DNS server gives you fast security that users don’t notice. Not only that, but there are as few false positives as possible, while your data stays protected. In a world where networks are increasingly complicated, and increasingly risky, a modern DNS not only simplifies things, it’s also its own police force- it protects and serves.