DNS—the Domain Name System protocol—is known as the phone book for the internet. It’s what enables a person to type a familiar website address, such as zscaler.com, into a browser and have it translated into an IP address that servers will recognize. As important as DNS is to the interchange of web traffic, it is one of the least-supervised protocols.
Users don’t tend to be aware of how this translation occurs or who’s responsible for it. The only important outcome is that the name is converted correctly and in a reasonable amount of time. In most cases, the default ISP is responsible and, though dedicated DNS services are available that can improve performance, few users subscribe to such services.
Unfortunately, the same is true in the business world, where poorly controlled and unsupervised DNS traffic can impact performance and security on a far greater scale and with major business implications.
Many international companies rely on a central DNS for their name resolution, rather than a local DNS; centralisation allows internal names to be resolved (translated) without having to manage an array of local servers. Unfortunately, this configuration means that when employees request resources from a content delivery network (CDN), they will be directed to the point of presence (POP) nearest their head office, and not necessarily where they are actually connecting.
This centralisation can lead to performance degradation, particularly for latency-sensitive applications like Skype for Business and other collaboration platforms. To achieve the required performance, you must be able to rewrite the name resolution based on the actual geographic location of the user—a task that is much more easily accomplished in the cloud than with a multitude of local DNS servers to manage.
DNS has an essential role in enterprise productivity and security. It is through DNS that employees are directed to the websites they request. Therefore, an attacker who takes control of the organization’s DNS would be able to carry out large-scale attacks. One popular method is DNS spoofing, also known as DNS cache poisoning, in which corrupt data is introduced so that the server returns an incorrect IP address, diverting traffic to phishing pages, malicious sites, or the attackers’ servers.
DNS may be compromised in a variety of other ways as well. For example, malware increasingly uses DNS to exfiltrate data in TXT records, taking advantage of the fact that this protocol is rarely inspected, let alone filtered. According to the IDC 2019 Global DNS Threat Report, 82 percent of companies experienced a DNS attack, yet only 64 percent of companies consider DNS security to be critical.
DNS tunneling is another form of attack often used for stealing data. Adding to the confusion, some antivirus systems themselves use the DNS tunneling technique to ensure their basic signature updates, even if they are blocked by a firewall. In these circumstances, it may be difficult to distinguish between legitimate and malicious traffic. Therefore, companies must look into the security of their DNS servers and start inspecting these streams to prevent unwanted surprises. Unfortunately, this inspection is not trivial, and it may be advantageous to apply artificial intelligence techniques on a large volume of queries to detect anomalies that may pass under the radar. Here, too, the cloud is a helpful tool for conducting this type of analysis.
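As an added illustration of the anomaly-spotting step described above (example code written for this page, not Zscaler's or the author's), the following Python scores constructed resolver log lines per registered domain on distinct-subdomain count, TXT share and leftmost-label entropy, and keeps an allowlist for the legitimate antivirus-style tunneling the paragraph mentions. The log layout, domain names and thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, "<client> <qtype> <qname>" (hypothetical layout).
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 MX example.com
10.0.0.6 A mail.example.com
10.0.0.6 A cdn.example.com
10.0.0.9 TXT 4a6f686e20536d6974682c20494420313032.d.exfil-demo.test
10.0.0.9 TXT 50617373776f72643a2068756e74657232.d.exfil-demo.test
10.0.0.9 TXT 43726564697443617264203431313131.d.exfil-demo.test
10.0.0.9 TXT 53534e203132332d34352d3638373900.d.exfil-demo.test
10.0.0.9 TXT 46696e616c206368756e6b2068657265.d.exfil-demo.test
10.0.0.12 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.sig.av-updates.example
10.0.0.12 TXT 1b2c3d4e5f60718293a4b5c6d7e8f90a.sig.av-updates.example
10.0.0.12 TXT 2c3d4e5f60718293a4b5c6d7e8f90a1b.sig.av-updates.example
10.0.0.12 TXT 3d4e5f60718293a4b5c6d7e8f90a1b2c.sig.av-updates.example
10.0.0.12 TXT 4e5f60718293a4b5c6d7e8f90a1b2c3d.sig.av-updates.example
"""
# Domains of tools known to tunnel over DNS legitimately (the article's antivirus
# update case); constructed placeholder name, not a real vendor domain.
ALLOWLIST = {"av-updates.example"}

def entropy(s):
    # Shannon entropy in bits/char; encoded payloads score far above real hostnames.
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def analyze(log_text, allowlist=ALLOWLIST, min_unique=5):
    """Return {registered_domain: 'benign' | 'suspicious' | 'allowlisted'} (last two labels = domain)."""
    stats = defaultdict(lambda: {"subs": set(), "txt": 0, "ent": 0.0, "n": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _client, qtype, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        dom, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        st = stats[dom]
        st["n"] += 1
        st["subs"].add(sub)
        st["txt"] += qtype.upper() == "TXT"
        st["ent"] += entropy(labels[0]) if sub else 0.0
    verdicts = {}
    for dom, st in stats.items():
        # Require enough distinct subdomains so a single odd lookup does not trip the rule.
        tunneling = len(st["subs"]) >= min_unique and (
            st["txt"] / st["n"] > 0.5 or st["ent"] / st["n"] > 3.5)
        verdicts[dom] = ("allowlisted" if dom in allowlist else "suspicious") if tunneling else "benign"
    return verdicts
```

Calling `analyze(SAMPLE_LOG)` marks example.com benign, exfil-demo.test suspicious and av-updates.example allowlisted; in production the per-domain features would be fed to the large-volume anomaly detection the paragraph describes rather than fixed thresholds.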
To protect against DNS attacks, you can deploy technologies like DNS Security Extensions (DNSSEC), which cryptographically signs DNS records, enabling resolvers and users to trust that the DNS resolution they receive is what the domain owner intended it to be. According to a Network World article, ICANN Urges Adopting DNSSEC Now, “DNSSEC technologies have been around since about 2010 but are not widely deployed, with less than 20 percent of the world’s DNS registrars having deployed it...”
Companies pay a lot of attention to their web traffic. It’s time to do the same for DNS, and the cloud can help. Using the cloud, you can protect web traffic through centralisation, almost infinite analysis capabilities, and the abstraction of your local infrastructure.
Resources: Watch an on-demand webcast on DNS security by Zscaler CIO Patrick Foxhoven.
Yogi Chandiramani is VP of Sales Engineering for Zscaler EMEA