Wednesday, July 22, 2015

DNS... Vulnerabilities - Inside Out


When people talk about network design, or even security for that matter, few really focus on the DNS portion of it beyond choosing the technology that will provide the service.  Circa 1990 that would have been sufficient; however, it’s not 1990, and this isn’t your granddad’s network. 

Today, DNS is basically the front line of attack for many malware delivery and command-and-control mechanisms.  However, before we get all Stephen King on you about this, let’s all catch up on the role of DNS. 

DNS is simply a database that links meaningful host names, such as www.microsoft.com, to IP addresses, such as 192.168.124.1. Linking names to addresses is just the beginning, though, because DNS has many more features in addition to host-name-to-address mapping.


The key features of host-name-to-IP mapping are as follows:
  • Mappings of names to addresses and vice versa (known as records) are stored in a database.
  • The DNS database is distributed across many servers.
  • The DNS database also stores additional record types beyond address mappings.

In short, DNS is a distributed database system: each server holds only a small portion of the host-name-to-IP-address mappings (a zone within the overall namespace), and it refers or recurses to other servers to look up records that are not in its own portion of the database.

In addition to the basic IP-address-to-host-name mapping records, DNS maintains records for other purposes, and a number of record types exist to support other applications. The Mail Exchanger (MX) record, for example, tells mail servers where to forward e-mail addressed to a recipient's domain. Another type, the service locator (SRV) record, is used by Microsoft Active Directory clients to locate domain controllers and other network services.
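
To make the wire format behind those records concrete, here is an added example (not code from the original post) that builds a DNS query and parses a response containing an SRV record, including the name-compression pointers that resolvers use to keep messages short. The response bytes are hand-assembled for the hypothetical zone example.com, so nothing is sent on the network.

```python
"""Build a DNS query and parse a DNS response in wire format (RFC 1035, SRV per RFC 2782).
Added example. The response bytes in sample_srv_response() are constructed by hand."""
import struct

QTYPES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 33: "SRV"}
QTYPE_BY_NAME = {v: k for k, v in QTYPES.items()}


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: str) -> bytes:
    """12-byte header + one question; flags 0x0100 sets RD so a resolver recurses."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_BY_NAME[qtype], 1)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it).
    A pointer (top two bits 11) jumps to another offset in the message. Hops are
    bounded so a crafted pointer loop cannot hang the parser."""
    labels, hops, end = [], 0, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            if end is None:                      # the name ends after the first pointer
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes):
    """Return (header dict, answers). Each answer is (name, type, ttl, data)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4                                 # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        start, off = off, off + rdlen
        rdata = msg[start:off]
        if rtype == 1:                           # A: four address octets
            data = ".".join(str(b) for b in rdata)
        elif rtype == 5:                         # CNAME: a name (may be compressed)
            data = decode_name(msg, start)[0]
        elif rtype == 15:                        # MX: preference, exchange
            data = (struct.unpack("!H", rdata[:2])[0], decode_name(msg, start + 2)[0])
        elif rtype == 33:                        # SRV: priority, weight, port, target
            pri, wt, port = struct.unpack("!HHH", rdata[:6])
            data = (pri, wt, port, decode_name(msg, start + 6)[0])
        else:
            data = rdata
        answers.append((name, QTYPES.get(rtype, rtype), ttl, data))
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400)}, answers


def sample_srv_response(txid: int = 0x1234) -> bytes:
    """Constructed answer to '_ldap._tcp.example.com SRV' (the query an AD client sends
    to find a domain controller). The target 'dc1.example.com' is written as 'dc1'
    plus a pointer to 'example.com' inside the question, at offset 12 + 6 + 5 = 23."""
    qname = encode_name("_ldap._tcp.example.com")
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)   # QR, AA, RD, RA set
    question = qname + struct.pack("!HH", 33, 1)
    rdata = struct.pack("!HHH", 0, 100, 389) + b"\x03dc1" + struct.pack("!H", 0xC000 | 23)
    answer = struct.pack("!H", 0xC00C) + struct.pack("!HHIH", 33, 1, 600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(build_query(0x1234, "_ldap._tcp.example.com", "SRV").hex())
    print(parse_response(sample_srv_response()))
```

The pointer-hop limit in `decode_name` is the check a practitioner should not skip: a response that points a name back at itself is a classic way to wedge a naive parser.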

DNS Vulnerabilities


Now, to avoid being overly histrionic, we could follow the formulaic Public Service Announcement tactic of listing a litany of vulnerabilities associated with the server software, the protocol's communications, caching mechanisms, user configuration errors, and so on.  However, as with every other PSA, this would be ignored.

So let’s get to the point: DNS is the most ubiquitous protocol on the Internet, but it’s also probably the most ignored. Even security technology has done a fly-by on DNS.  Data loss prevention (DLP) systems that inspect the protocols used by e-mail, web browsers, peer-to-peer software and even Tor often neglect DNS. “Nobody looks much at DNS packets, even though DNS underlies everything,” says Cloudmark CTO Neil Cook. “There’s a lot of DLP done on web and email but DNS is sitting there, wide open.”  Cook points out some unexpected though legitimate uses: “Sophos uses DNS tunneling to get signatures; we even use it for licensing.”

Virtually Invisible


Few businesses do any monitoring of their DNS traffic, even though it has been shown over and over again that DNS is a common attack venue.  Just ask Home Depot and Target, recent victims of attacks in which DNS was subverted for tunneling.

In a recent Vanson Bourne study of U.S. and U.K. businesses, 75 percent said they’d suffered a DNS attack (including denial of service and DNS hijacking as well as data theft through DNS), with 49 percent having experienced an attack during 2014. Worryingly, 44 percent said it was hard to justify investments in DNS security because senior management didn’t recognize the issue.


That’s because they think of DNS as a utility, suggests Nominet CTO Simon McCalla. “For most CIOs, DNS is something that happens in the background and isn’t a high priority for them. As long as it works, they’re happy. However, what most of them don’t realize is that there is a wealth of information inside their DNS that tells them what is going on within their network internally.”

“DNS is the most ubiquitous command and control channel for malware, as well as being used to get the data stolen by malware out of your business. Malware frequently uses DNS to tunnel out this traffic because it's so poorly monitored; most people have no idea what kind of queries are going over their DNS infrastructure.”


There’s also the problem of people using DNS to bypass network security controls; that might be employees avoiding network restrictions, security policies or content filtering, or it might be attackers avoiding detection.
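
The point McCalla and the preceding paragraphs make is that tunneling leaves obvious traces once someone actually looks at the query log. The following added example (not code from the original post or from the CIO article it quotes) scores a constructed query log for the signals DNS tunneling tools leave behind: many unique, long, high-entropy subdomains under one registered domain, and an unusual share of bulk record types such as TXT. The log format, the thresholds, and every host name in it (including evil.example) are constructed for illustration.

```python
"""Score DNS query logs for tunneling / exfiltration indicators and build a
client-to-domain inventory. Added example; log lines and thresholds are constructed."""
import math
from collections import Counter, defaultdict

# Constructed log: '<epoch> <client-ip> <qname> <qtype>'. The last six lines imitate a
# tunneling client shipping base32-encoded chunks as labels under t.evil.example.
SAMPLE_LOG = """\
1437570001 10.0.1.25 www.salesforce.com A
1437570002 10.0.1.25 login.salesforce.com A
1437570003 10.0.1.40 graph.facebook.com A
1437570004 10.0.1.40 www.facebook.com A
1437570005 10.0.2.9 mail.example.com MX
1437570006 10.0.3.77 mfrggzdfmztwq2lk.t.evil.example TXT
1437570007 10.0.3.77 nbswy3dpeb3w64tmmq.t.evil.example TXT
1437570008 10.0.3.77 nzsxe5dim5zw6idun5zw4.t.evil.example TXT
1437570009 10.0.3.77 ifgwk5bamfzgkidhnfzgs3tf.t.evil.example TXT
1437570010 10.0.3.77 onqwsy3lmfxgccq.t.evil.example TXT
1437570011 10.0.3.77 pbswy3dpeb3w64tmmq2a.t.evil.example TXT
1437570012 10.0.1.25 www.salesforce.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score well above ordinary host names."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str):
    """Naive (subdomain, registered domain) split on the last two labels.
    Production code should use the public suffix list (co.uk, com.au, ...)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield int(parts[0]), parts[1], parts[2], parts[3].upper()


def profile_domains(records):
    """Aggregate, per registered domain, the signals a tunnel leaves behind."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "len_sum": 0,
                                 "entropy_sum": 0.0, "bulk_types": 0, "clients": set()})
    for _ts, client, qname, qtype in records:
        sub, dom = split_qname(qname)
        st = stats[dom]
        st["queries"] += 1
        st["clients"].add(client)
        st["subdomains"].add(sub)
        st["len_sum"] += len(sub)
        st["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL"):            # record types favoured for bulk payloads
            st["bulk_types"] += 1
    return stats


def flag_tunnels(stats, min_unique=5, entropy=3.0, avg_len=20, bulk_ratio=0.5):
    """Thresholds are illustrative starting points; tune them on your own baseline."""
    flagged = {}
    for dom, st in stats.items():
        n = st["queries"]
        feats = {"unique_subdomains": len(st["subdomains"]),
                 "avg_sub_len": st["len_sum"] / n,
                 "avg_entropy": st["entropy_sum"] / n,
                 "bulk_ratio": st["bulk_types"] / n,
                 "clients": sorted(st["clients"])}
        if feats["unique_subdomains"] >= min_unique and (
                feats["avg_entropy"] >= entropy or feats["avg_sub_len"] >= avg_len
                or feats["bulk_ratio"] >= bulk_ratio):
            flagged[dom] = feats
    return flagged


def domains_by_client(records):
    """The visibility angle: which internal hosts talk to which registered domains."""
    seen = defaultdict(set)
    for _ts, client, qname, _qtype in records:
        seen[client].add(split_qname(qname)[1])
    return {c: sorted(d) for c, d in seen.items()}


def analyse(text: str):
    records = list(parse_log(text))
    return flag_tunnels(profile_domains(records)), domains_by_client(records)


if __name__ == "__main__":
    flagged, inventory = analyse(SAMPLE_LOG)
    print("suspected tunnels:", flagged)
    print("inventory:", inventory)
```

Two caveats for real deployments: legitimate services also ship data over DNS (the Sophos signature and licensing traffic Cook mentions will look tunnel-like to these heuristics, so keep an allow list), and the naive two-label domain split mis-groups names under multi-label public suffixes.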

Securing DNS

Monitoring DNS can also give you a lot of information about what’s going on across your business far beyond the network. 

“We live in a world where the network perimeter is becoming ephemeral and where services are easy to adopt,” OpenDNS CEO David Ulevitch points out. “A marketing executive can sign up to Salesforce; if you're looking at the DNS you can see that. You can see how many employees are using Facebook. You can see devices showing up in your network, whether it’s because they’re checking a license or doing data exfiltration. If you have a hundred offices, you can still see who is connecting devices.” That’s not just PCs either, he points out; printers and televisions and IoT devices are increasingly connecting to your business network. “Do I want my TVs phoning home? If you look at the Samsung privacy policy, it says the TV has a microphone that might be listening at any time; do I really want that in the corporate boardroom? Maybe I want to apply DNS policies so my TVs can't phone home.”

Monitoring it isn’t disruptive, Ulevitch points out. “Usually in security, the reason most things aren't used is the effort needed to make sure they don’t have a detrimental effect on user performance.”

In fact, you need a good reason not to be doing this, he says. “There are fundamental best practices in security and one of them is network visibility. Not being able to see the traffic on your network means you're flying blind. Finding a way to inspect DNS traffic is a fundamental requirement of a strong security posture. To not know what's happening on your network is borderline derelict.”
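
One concrete way to apply the kind of DNS policy Ulevitch describes (stop the boardroom TV phoning home, and log the attempt) is a BIND 9 response policy zone (RPZ). The configuration below is an added example, not from the original post or from OpenDNS; the zone name rpz.corp.example, the file path, the name server ns1.corp.example and the hostname telemetry.tv-vendor.example are hypothetical placeholders.

```bind
// ---- named.conf (BIND 9) ----
// Consult the local policy zone before answering, and send RPZ hits to syslog
// so the policy doubles as a monitoring feed of who tried to reach what.
options {
    response-policy { zone "rpz.corp.example"; };
};

logging {
    category rpz { default_syslog; };
};

zone "rpz.corp.example" {
    type master;
    file "/etc/bind/db.rpz.corp.example";
};

; ---- /etc/bind/db.rpz.corp.example ----
$TTL 300
@                               IN SOA  ns1.corp.example. hostmaster.corp.example. (
                                        2015072201 3600 900 604800 300 )
                                IN NS   ns1.corp.example.

; QNAME triggers. The record on the right selects the policy action:
;   CNAME .          -> answer NXDOMAIN (the name does not exist)
;   CNAME *.         -> answer NODATA   (name exists, no records of that type)
;   CNAME rpz-drop.  -> send no answer at all
;   A <address>      -> rewrite the answer to a sinkhole host you control
; Block the (hypothetical) TV vendor's telemetry hostname and everything under it.
telemetry.tv-vendor.example     CNAME .
*.telemetry.tv-vendor.example   CNAME .
```

Two practical notes: the wildcard line is needed because RPZ matches the exact query name, so without it a vendor can sidestep the rule with a new subdomain; and because blocked queries are logged under the rpz category, the same zone tells you which devices were trying to phone home in the first place, which is the visibility point the quote is making.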


Source:

  • http://www.cio.com/article/2948378/security/why-you-need-to-care-more-about-dns.html

So “Once more unto the breach, dear friends, once more;”

____________________________________________________________

About Rick Ricker

An IT professional with over 23 years' experience in information security, wireless broadband, and network and infrastructure design, development, and support.

For more information, contact Rick at (800) 399-6085 x502


Thanks for your input, your ideas, critiques, suggestions are always welcome...

- Wasabi Roll Staff