DNS is a Unique (and Necessary) Security Control

Like many other security professionals, you have been reviewing your security stack, reading up on the latest security trends, and have perhaps recently attended an InfoSec event, RSA, Black Hat or some other relevant conference. Along the way, you may have seen messaging for recursive DNS (rDNS) as a security layer. However, it is hard for you to believe DNS is an effective security control, since you know it as the lookup service that translates hostnames into IP addresses. I have news for you: DNS is also an effective and easily manipulated entry point for infiltrating your users and valued data stores, and unfortunately, compromise over this channel is very hard to detect. Below are some points showing why rDNS is a unique control plane and why it is difficult to cover with traditional security mechanisms.

First, why is rDNS left unprotected in the first place? I often hear from organizations that their main use for rDNS is to keep users online so they can do their work without interruption. They think that is all it is used for, so it warrants no concern. As a result, this piece of networking is often outsourced to an Internet service provider, or managed by staff who are not responsible for any part of the security landscape. Any corporate testing is usually limited to confirming Internet connectivity and access to common websites. It is also often assumed that endpoint security, next-generation firewalls, or secure web/Internet gateway solutions broadly cover this area. As a result, far too often, this plane is never specifically examined.

Then there are the users themselves, who need to work with both internal and external workloads, such as navigating to their company's internal Oracle instance or checking their stock tickers. Users probably do not consider how clicking a fraudulent or harmful link (accidentally or not) can lead to malware being installed directly on their laptop, as most users have been trained to rely on anti-virus or endpoint software for protection. Unfortunately, those protection schemes are designed to identify local virus transfer or to look specifically for abnormal TCP/HTTP(S) traffic. Techniques like fast flux, where the IP addresses behind a malicious hostname are rotated rapidly using very short TTLs, are designed to glide past this class of client software and wreak havoc: the IP address an endpoint agent or firewall keys on is gone minutes later, while the hostname stays constant. Again, there is usually no solution specifically addressing these use cases or providing security intelligence for the DNS architecture.
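The fast-flux pattern above is visible in the recursive resolver's own logs, which is exactly the vantage point an IP-based control lacks. The following is an added example (Python, not code from the original post or from Akamai) that aggregates per-name statistics from resolver log lines and flags names whose answers spread over many IP addresses in unrelated networks with short TTLs. The log format, the sample lines (all RFC 5737 documentation addresses) and the thresholds are assumptions for this demonstration; real resolvers such as BIND, Unbound or PowerDNS log differently, so `parse_log()` would be adapted to your format.

```python
"""Fast-flux heuristic over recursive DNS resolver logs.

Added example, not code from the original post. The log format below is an
assumption: one line per resolved answer, space-separated as
    <epoch_seconds> <client_ip> <qname> <qtype> <ttl> <answer_ip>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample log: a normal CDN name with a long TTL, and a name whose
# answers rotate across unrelated networks with very short TTLs.
SAMPLE_LOG = """\
1700000000 10.0.0.5 cdn.example.net A 3600 203.0.113.10
1700000060 10.0.0.7 cdn.example.net A 3600 203.0.113.10
1700000120 10.0.0.5 cdn.example.net A 3600 203.0.113.11
1700000000 10.0.0.9 update-svc.example.org A 120 198.51.100.5
1700000150 10.0.0.9 update-svc.example.org A 120 198.51.100.77
1700000300 10.0.0.9 update-svc.example.org A 60 192.0.2.14
1700000450 10.0.0.9 update-svc.example.org A 60 192.0.2.200
1700000600 10.0.0.9 update-svc.example.org A 120 198.51.100.9
1700000750 10.0.0.9 update-svc.example.org A 30 203.0.113.99
"""


@dataclass
class Record:
    ts: int
    client: str
    qname: str
    qtype: str
    ttl: int
    answer: str


@dataclass
class Summary:
    """Per-qname aggregate of what the resolver handed out."""
    ips: Set[str] = field(default_factory=set)
    prefixes: Set[str] = field(default_factory=set)  # /24s, a crude proxy for distinct networks
    min_ttl: int = 2**31
    observations: int = 0
    changes: int = 0          # consecutive answers that differed from the previous one
    last_answer: str = ""


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, qtype, ttl, answer = line.split()
        records.append(Record(int(ts), client, qname.lower().rstrip("."), qtype, int(ttl), answer))
    return records


def summarize(records: List[Record]) -> Dict[str, Summary]:
    out: Dict[str, Summary] = defaultdict(Summary)
    for r in sorted(records, key=lambda rec: rec.ts):   # stable sort keeps per-name order
        if r.qtype != "A":
            continue
        s = out[r.qname]
        s.ips.add(r.answer)
        s.prefixes.add(r.answer.rsplit(".", 1)[0])
        s.min_ttl = min(s.min_ttl, r.ttl)
        if s.observations and r.answer != s.last_answer:
            s.changes += 1
        s.last_answer = r.answer
        s.observations += 1
    return dict(out)


def flag_fast_flux(summaries: Dict[str, Summary], min_ips: int = 5,
                   min_prefixes: int = 3, max_ttl: int = 300) -> List[str]:
    """Names whose answers spread over many IPs in many networks with short TTLs.

    Thresholds are assumptions for this sample. Tune them against your own
    baseline and allowlist known CDNs, which also rotate answers legitimately.
    """
    flagged = []
    for qname, s in summaries.items():
        if len(s.ips) >= min_ips and len(s.prefixes) >= min_prefixes and s.min_ttl <= max_ttl:
            flagged.append(qname)
    return sorted(flagged)


if __name__ == "__main__":
    summaries = summarize(parse_log(SAMPLE_LOG))
    for name in flag_fast_flux(summaries):
        s = summaries[name]
        print(f"{name}: {len(s.ips)} IPs in {len(s.prefixes)} /24s, "
              f"min TTL {s.min_ttl}s, {s.changes} answer changes")
```

The /24 spread is what separates flux from a CDN in this heuristic: a CDN rotates within its own address blocks, while a flux network answers from compromised hosts scattered across many networks. In production you would replace the /24 proxy with ASN lookups and keep a CDN allowlist to hold the false-positive rate down.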

Now, from a networking point of view, consider how to protect corporate users who connect through a split-tunnel VPN. If you are doing this today, their Internet-bound traffic bypasses the controls inside the corporate network, which adds complexity. You can use a full-tunnel VPN instead, but that requires all of the user's network traffic to go to the corporate data center before it goes to the Internet, slowing down browsing, which in turn slows productivity and operations. With a cloud-based DNS security control, malware protection is available wherever the employee happens to be. This preserves the user's Internet performance while still allowing the security manager to provide protection. The one requirement is that the device is pinned to the protected resolver, for example by a roaming agent or enforced resolver settings, so that a laptop on a coffee-shop network does not silently fall back to whatever resolver DHCP hands it. If a VPN concentrator or gateway dies, or if the user simply disconnects the VPN, you lose every data center control and the user accesses the Internet directly. That may not seem like a big deal, but the user could pick up malware on an outside network and then, once back inside, allow it to proliferate.

Inside their internal networks, companies also have many unmanaged devices: think IoT, printers, or dormant machines. These are excellent targets for command-and-control (C2) distribution. In the case of IoT, you usually cannot put an agent on a refrigerator, a thermostat, or an Amazon Alexa. These cases need a control that works on a protocol just about all technology uses today: DNS. The network has to force those devices through the protected resolver, though, by blocking or redirecting outbound port 53 to any other resolver, since some IoT firmware hard-codes a public resolver of its own. When you consider how many organizations are now adopting bring-your-own-device (BYOD) and guest-device policies, they are introducing unmanaged, uninventoried devices with no governing body onto the network. I have seen time and again how segregating those users on a separate guest Wi-Fi network leads to performance problems that render common platforms unusable. A cloud-based DNS security perimeter solves this with little to no overhead and a drastic reduction in maintenance.

Going back to endpoint protection, it is far from perfect; no deployment has 100% coverage for all malware variants. Antivirus licensing in particular is very expensive, and security professionals end up deploying several different clients to produce a multi-layered approach. Like an onion, each layer on its own is not particularly strong, but penetrating all layers is much more difficult. Additionally, computers are not all patched at the same moment, so when a zero-day vulnerability comes into play, security professionals are often left with several machines behind the latest update, which creates exposure. A cloud-based architecture does not suffer from this problem and can share regional threat discoveries quickly with a global user base. Akamai, in particular, at the time of this publication, sees over 50% of the world's total recursive DNS traffic across the AnswerX and Nominum carrier-grade networks. Analytics from a large user base are not new, but the ability to add blocking for all global users very rapidly is.

Ultimately, DNS security can significantly reduce risk, even for computers with endpoint security, but that is not to say that DNS security intelligence solves all of your security needs. It is meant to be an instrumental layer. Network security, endpoint security and SIEM systems complement it, and together they address different types of attacks, different points at which a network or a specific device can be compromised, and different attack vectors, both internal and external.

A cloud DNS-based security solution is also far less expensive, and needs far fewer compute resources, than an Application Delivery Controller (ADC) or a Secure Internet Gateway (SIG) that must analyze the traffic itself in real time: a policy decision on a DNS query costs a lookup on a short name, not inspection of the whole session that follows.

DNS security is the earliest practical point in the kill chain at which to block a request, before or at the infection stage. A recursive resolver that enforces policy can refuse the query before it recurses toward the root, the authoritative servers, or anything else upstream, so no answer is returned to the user, no HTTP objects are fetched, and the endpoint is never exposed. Attackers rely on DNS resolution at nearly every later step of the kill chain as well: payload delivery, command and control, and exfiltration all typically begin with a name lookup. Gaining visibility into this plane and blocking escalation there will help you drastically, and allows you to manage your end users in a much simpler way.
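To make the "block before recursion" point concrete, here is an added example (Python, not Akamai's code or any product's API) of a policy-enforcing front end to a recursive resolver. The policy is consulted on the normalized query name first; only names that pass are handed to the upstream recursion, which a counter proves blocked names never reach. Matching is done on whole labels so that a blocked zone covers its subdomains without a substring check that would also catch unrelated names. The blocklist, allowlist, sinkhole address (192.0.2.1, a documentation address) and the upstream table are all constructed for this demonstration.

```python
"""Resolver-side policy enforcement: decide on the name before recursing.

Added example, not Akamai's code or any product's API. The blocklist,
allowlist, sinkhole address and the fake upstream table are constructed.
"""
from typing import Callable, Dict, List, Set, Tuple

# Constructed stand-in for recursion to the root and authoritative servers.
FAKE_UPSTREAM_TABLE: Dict[str, List[str]] = {
    "cdn.example.net": ["203.0.113.10"],
    "evil.example": ["198.51.100.66"],
    "beacon.evil.example": ["198.51.100.67"],
    "notevil.example": ["203.0.113.20"],
    "ok.evil.example": ["203.0.113.21"],
}


def fake_upstream(name: str) -> List[str]:
    return FAKE_UPSTREAM_TABLE.get(name, [])


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so policy matching is canonical."""
    return qname.strip().rstrip(".").lower()


class DnsPolicy:
    def __init__(self, block: List[str], allow: List[str] = (), sinkhole: str = ""):
        self.block: Set[str] = {normalize(n) for n in block}
        self.allow: Set[str] = {normalize(n) for n in allow}
        self.sinkhole = sinkhole   # empty string means answer NXDOMAIN instead

    @staticmethod
    def _matches(name: str, zones: Set[str]) -> bool:
        # Match on whole labels only: "evil.example" covers "beacon.evil.example"
        # but not "notevil.example" (a substring check would get that wrong).
        labels = name.split(".")
        return any(".".join(labels[i:]) in zones for i in range(len(labels)))

    def decide(self, qname: str) -> str:
        name = normalize(qname)
        if self._matches(name, self.allow):
            return "ALLOW"      # explicit allow wins, so a needed subdomain can be exempted
        if self._matches(name, self.block):
            return "SINKHOLE" if self.sinkhole else "NXDOMAIN"
        return "ALLOW"


class PolicyResolver:
    """Minimal recursive-resolver front end that consults policy before recursing."""

    def __init__(self, policy: DnsPolicy, upstream: Callable[[str], List[str]]):
        self.policy = policy
        self.upstream = upstream
        self.upstream_queries = 0             # proves blocked names never leave the resolver
        self.log: List[Tuple[str, str]] = []  # (qname, action): what you would ship to the SIEM

    def resolve(self, qname: str) -> Tuple[str, List[str]]:
        name = normalize(qname)
        action = self.policy.decide(name)
        self.log.append((name, action))
        if action == "NXDOMAIN":
            return "NXDOMAIN", []
        if action == "SINKHOLE":
            return "NOERROR", [self.policy.sinkhole]
        self.upstream_queries += 1
        answers = self.upstream(name)
        return ("NOERROR", answers) if answers else ("NXDOMAIN", [])


def build_demo_resolver() -> PolicyResolver:
    policy = DnsPolicy(block=["evil.example", "c2.example.net"],
                       allow=["ok.evil.example"],
                       sinkhole="192.0.2.1")   # RFC 5737 address standing in for a sinkhole
    return PolicyResolver(policy, fake_upstream)


if __name__ == "__main__":
    r = build_demo_resolver()
    for q in ["cdn.example.net", "EVIL.example.", "beacon.evil.example",
              "notevil.example", "ok.evil.example"]:
        print(q, "->", r.resolve(q))
    print("upstream queries:", r.upstream_queries)
```

Returning a sinkhole address rather than NXDOMAIN is a design choice: the infected host then connects to an address you control, which gives the SOC a second log source and a way to identify the client even when the resolver log is shared. Production resolvers implement this same decision with Response Policy Zones (RPZ) in BIND and Unbound, where the policy is distributed as a zone file.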


*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Randy D'Souza. Read the original post at: