DNS security awareness enriches cybersecurity

DNS security, often enabled through a DDI solution, enriches network protection by adding frontline defenses that can neutralize malware.
27 October 2022

Threat prevention: DNS security solutions can delve inside network packets to warn of malicious intent. Image credit: Shutterstock.

DNS security, often implemented as part of a DDI solution that wraps together secure DNS, DHCP, and IPAM (all of which will be explained), is good news for networks and systems administrators. “DNS is a goldmine of information,” Chris Buijs of EfficientIP told TechHQ. Domain name system (DNS) calls resolve domain names into IP addresses so that clients and servers can communicate back and forth over the internet. And having software that can delve into the packets, together with other metadata, to distinguish safe from malicious traffic, is mighty helpful when it comes to secure network management. To illustrate why, let’s flip things around and briefly take DDI out of the equation.

Spreadsheets are useful tools, but they were never designed to keep networks safe. And that’s why using them to manage IP addresses – the location information that allows data to be sent between devices on a network – is a bad idea. “Every IP address has to be unique,” emphasizes Buijs. As the number of endpoints on the network grows, trying to get by with cobbled-together, static data gets trickier. The dynamics of even typical operations will require spreadsheet cells to be shifted around and updated, all without making an error.

IP addresses need to be managed seamlessly to handle business needs such as staff joining, employees leaving, as well as visitors, who will come and go more frequently. Portable devices will hop on and off company networks – for example, due to BYOD or work-from-home (WFH) policies, or both. There are printers to consider too. Also, firms such as manufacturers or those in other industrial sectors may install IoT configurations that could have huge numbers of nodes.

IPAM and more

If a security incident occurred, could you rely on a spreadsheet to be up to date, and would it contain all the information you needed? Probably not, which is why networks and systems administrators who don’t want to live their professional lives on the edge will put their trust in IP address management (IPAM) tools instead. IPAM software – either standalone or part of a DDI solution – gives administrators the ability to plan and track the management of IP address space. Critically, IPAM software provides an accurate real-time inventory of devices currently on the network and can include cloud instances too.

As well as helping with normal operations, IPAM feeds into DNS security. DNS, at the protocol level, does have some protection of its own, which was added around a decade ago. But benefiting from Domain Name System Security Extensions – to give DNSSEC its full title – requires some planning on the side of the website that’s being visited. “Not everybody signs their domains,” said Buijs. “DNSSEC needs to be switched on.” When activated, DNSSEC makes it harder for bad actors to launch a DNS spoofing attack – a campaign that redirects visitors to a malicious site, where they may be tricked into entering account details and passwords.

Thanks to the security extensions, the client requesting the DNS record can verify whether the information originated from an authoritative name server. But, as Buijs pointed out, not every site has DNSSEC enabled. DNSSEC adds an additional 14 steps compared with the conventional DNS request sequence – but it appears to be configuration hurdles rather than performance costs that are hampering its adoption, especially further down the domain hierarchy. And this is where diving into the data with a DNS security tool can help to bolster defenses. “You can look at the packets to determine whether there’s malicious intent,” explains Buijs.

Bad actors may attempt to hammer a server with DNS responses to try and fool unsuspecting users, but DNS security will be able to work out that it’s unusual behavior. Employees may visit a website once an hour, for example, but they’re extremely unlikely to send hundreds of requests a second – even if the website has gone down and they are just madly clicking on their browser.

Don’t forget DNS security

“A DNS call is made before any network transactions occur, so it provides a good first line of defense,” said Buijs. “Malware and ransomware are dependent on DNS.” This means that even if malware has found its way onto a company network, DNS security can step in and stop the threat from communicating with the outside world. “You could block the call, or give it a fake answer,” comments Buijs, noting that failure to answer can sometimes cause the malware to start a stopwatch, which may turn ugly.

Other checks that can take place include reviewing whether the domain is more than 7 days old – a smart move given that bad actors have a tendency to use freshly minted websites to ensnare their victims. Further elements of the DDI solution can step in and add protection too. For example, the dynamic host configuration protocol (DHCP) engine that automatically assigns IP addresses, directed by IPAM, will know whether the device is a laptop or a printer. And each device will have its own normal operating characteristics that can be referenced to determine unusual network activity.
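To make the three checks described above concrete (the “hundreds of requests a second” rate anomaly, the 7-day domain-age test, and the choice between blocking a call and giving it a fake answer), here is an added illustration that is not part of the original article and not EfficientIP’s code. The log line format, the registration dates, the blocklist entry and the sinkhole address are all constructed for the example; a real DDI tool would take the dates from a reputation feed.

```python
from collections import defaultdict
from datetime import date

# Constructed log in an assumed "<epoch_seconds> <client_ip> <qname>" format;
# client 10.0.0.7 fires 300 queries in one second, the "hundreds a second" pattern.
SAMPLE_LOG = """\
1666800000 10.0.0.5 intranet.example.com
1666800000 10.0.0.5 news.example.org
1666800000 10.0.0.9 freshly-minted.example
1666800000 10.0.0.7 c2-beacon.example.net
""" + "\n".join(["1666800001 10.0.0.7 c2-beacon.example.net"] * 300)
REGISTRATION_DATES = {               # constructed; stands in for a reputation feed
    "news.example.org": date(2005, 3, 1),
    "freshly-minted.example": date(2022, 10, 24),
    "c2-beacon.example.net": date(2015, 6, 6),
}
BLOCKLIST = {"c2-beacon.example.net"}  # constructed known-malware domain
SINKHOLE_IP = "192.0.2.1"             # fake answer, from the TEST-NET-1 range
RATE_LIMIT = 100                      # queries per client per second before flagging
MIN_DOMAIN_AGE_DAYS = 7               # the article's "more than 7 days old" check
TODAY = date(2022, 10, 27)            # pinned to the article date for reproducibility

def parse_log(text):
    """Return (second, client_ip, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1], parts[2]))
    return records

def rate_anomalies(records, limit=RATE_LIMIT):
    """Clients that exceed `limit` queries within any single second."""
    counts = defaultdict(int)
    for second, client, _ in records:
        counts[(second, client)] += 1
    return sorted({client for (_, client), n in counts.items() if n > limit})

def domain_age_days(qname, today=TODAY):
    """Days since registration, or None when the domain is not in the feed."""
    registered = REGISTRATION_DATES.get(qname)
    return None if registered is None else (today - registered).days

def decide(qname, today=TODAY):
    """(action, reason): sinkhole known-bad so malware still gets an answer, block fresh domains."""
    if qname in BLOCKLIST:
        return "sinkhole", f"known malicious domain, answering with {SINKHOLE_IP}"
    age = domain_age_days(qname, today)
    if age is not None and age < MIN_DOMAIN_AGE_DAYS:
        return "block", f"domain registered only {age} days ago"
    return "resolve", "no policy match"
```

Sinkholing rather than silently dropping the known-bad query is what keeps the malware from hitting the “stopwatch” case the article mentions: it receives an answer, just one that leads nowhere.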

To further enrich this data, a call could be made to Microsoft Active Directory to find out who’s logged into the device. Internet usage patterns will typically vary by job function and these signals can be added to the baseline to further refine network defenses. “Don’t forget DNS in your security plan,” concludes Buijs.