How many times have you heard the popular information security joke: “It’s still DNS”? This means that whenever there is an issue that you cannot figure out, you will dig until you come to the conclusion that it is still DNS. But DNS is also where many problems can be caught early on, and it should be exploited more than ever, especially by those working on their zero trust journey. DNS can be part of better threat detection – let’s see how it works.
What are DNS and Zero Trust?
Let’s unpack this for a minute. DNS is the Internet telephone directory. It translates domain names into numbers that computers can then route. Specifically, “the domain name system is the hierarchical, decentralized naming system used to identify computers, services, and other resources accessible through the Internet or other Internet Protocol networks.” As such, DNS is also one of the few application protocols allowed to cross organizational network perimeters.
Zero Trust is a framework that assumes that the security of a complex network is always threatened by external and internal threats. It helps organize and strategize to counter these threats.
Where do these two meet?
Zero trust is about performing continuous risk assessments and audits, a principle that also requires examining traffic entering and leaving organizational networks. You might agree that pretty much everything that happens on connected devices is evident somewhere in DNS traffic. This is especially true since DNS can go anywhere, and this is where attackers want to go.
Unfortunately, many security professionals mistakenly think of DNS as just a domain block list and don’t see its power as a discovery tool or a source of data to be analyzed under zero trust architectures. But they should. DNS is where security teams can find forensic markers, automatic domain categorization data, suspicious patterns of behavior, and potential / confirmed maliciousness.
DNS security is a perfect match for zero trust for two reasons. First, DNS is fundamental to any network infrastructure, making it an excellent policy enforcement point for any zero trust architecture, regardless of the other controls involved. Since almost every network connection has a corresponding DNS query, we can take advantage of this in risk assessments.
Second, any new or unknown domain that appears in secure environments can trigger a validation process because DNS security, like zero trust, also assumes a breach. This plays directly into the continuous verification state that zero trust aims to achieve.
Look beyond the basics
If it’s so great, why aren’t so many organizations using DNS to their advantage?
DNS traffic sent over UDP was previously in clear text and therefore transparent to security administrators. However, to keep DNS queries private, this data is now encrypted with DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). As a result, administrators no longer see the same data from queries and have lost the visibility they had on the network. From a security perspective, in the case of DoT, admins can at least perform some blocking, but DoH blends in with the rest of the HTTPS traffic, making it impossible to block without broader implications. That said, DNS should not be abandoned as a place to detect malicious activity. Attackers use it to their advantage all the time, with DNS tunneling attacks that conceal covert communications and exfiltrated data.
Although the visibility has changed, one can still detect connections that do not have matching DNS queries and correlate them to detect the use of unauthorized encrypted DNS services. No one will blindly block newly observed domains just because they are considered riskier. But blocking them with more context can provide an additional factor in zero-trust risk assessments.
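The correlation described above can be sketched as follows. This is an added example, not code from the original article or from IBM or Quad9: it joins a resolver log with a flow log and reports connections whose destination the client never resolved recently. The log layouts, the sample rows, the approved resolver address and the 30-minute freshness window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (documentation address ranges), not real traffic.
# DNS log rows: (time, client, queried name, answer IPs)
DNS_LOG = [
    ("2024-05-01T10:00:00", "10.0.0.5", "intranet.example.com", ["192.0.2.10"]),
    ("2024-05-01T10:00:02", "10.0.0.7", "updates.example.net", ["198.51.100.20"]),
]
# Flow log rows: (time, client, destination IP, destination port)
FLOW_LOG = [
    ("2024-05-01T10:00:01", "10.0.0.5", "192.0.2.10", 443),     # resolved 1 s earlier
    ("2024-05-01T10:00:05", "10.0.0.5", "203.0.113.53", 443),   # never resolved
    ("2024-05-01T10:00:06", "10.0.0.7", "203.0.113.53", 853),   # never resolved, DoT port
    ("2024-05-01T10:00:09", "10.0.0.7", "198.51.100.20", 443),  # resolved 7 s earlier
    ("2024-05-01T11:30:00", "10.0.0.5", "192.0.2.10", 443),     # answer is 90 min old
]
SANCTIONED_RESOLVERS = {"10.0.0.53"}   # hypothetical approved resolver
MAX_AGE = timedelta(minutes=30)        # assumed upper bound on client-side caching


def unmatched_connections(dns_log, flow_log, max_age=MAX_AGE):
    """Return flows whose destination the client did not resolve within max_age."""
    resolved = defaultdict(list)       # (client, answer IP) -> query times
    for ts, client, _name, answers in dns_log:
        for ip in answers:
            resolved[(client, ip)].append(datetime.fromisoformat(ts))
    findings = []
    for ts, client, dst, port in flow_log:
        if dst in SANCTIONED_RESOLVERS:
            continue                   # traffic to the approved resolver is expected
        when = datetime.fromisoformat(ts)
        fresh = any(timedelta(0) <= when - q <= max_age for q in resolved[(client, dst)])
        if not fresh:
            findings.append((client, dst, port))
    return findings


def candidate_resolvers(findings, min_clients=2):
    """Destinations reached without lookups by several clients on 443 or 853."""
    clients = defaultdict(set)
    for client, dst, port in findings:
        if port in (443, 853):
            clients[dst].add(client)
    return sorted(d for d, c in clients.items() if len(c) >= min_clients)


if __name__ == "__main__":
    hits = unmatched_connections(DNS_LOG, FLOW_LOG)
    print(hits, candidate_resolvers(hits))
```

The stale-answer row shows why the freshness window needs tuning: long-lived client caches produce unmatched flows that are not encrypted DNS, so the output is a risk signal to review rather than a block list.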
For starters, correctly determining the uniqueness of domains is a critical step in your risk assessment. Only broad visibility over the full global DNS can effectively validate this analysis. For example, the visibility that IBM security teams get from Quad9 can tell us whether a given domain is unique to the company or unique in the world.
So other than blocking, how do you deal with newly observed domains? The answer again comes back to continuous verification. There are various DNS analyses that we can rely on to examine new domains and their potential for risk. Think of the domain names generated by DGAs, typosquatting, fast flux networks and DNS tunneling. Analyses that can provide this kind of context are a powerful way to reveal the true intentions of those who registered domains and help security administrators trigger the right mitigation actions in time.
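As an added illustration (not code from the original article), the sketch below attaches name-based context signals to a newly observed domain for three of the patterns listed above: DGA-like labels, typosquatting and tunnel-like subdomains. Fast flux is not covered because it needs answer data rather than the name alone. The thresholds, the `PROTECTED` watch list and the two-label registrable-domain shortcut are assumptions.

```python
import math
from collections import Counter

PROTECTED = ["example", "quad9"]   # hypothetical brand labels to watch for lookalikes


def entropy(s):
    """Shannon entropy of a label in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def signals(fqdn):
    """Return the set of context signals raised by a domain name."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Assumption: the registrable domain is the last two labels; a production
    # version would consult the public suffix list instead.
    sld, sub = labels[-2], labels[:-2]
    out = set()
    # Long, near-random second-level label: typical of algorithmic generation.
    if len(sld) >= 12 and entropy(sld) >= 3.5:
        out.add("dga-like")
    # One edit away from a watched brand, but not the brand itself.
    if any(0 < edit_distance(sld, brand) <= 1 for brand in PROTECTED):
        out.add("typosquat")
    # Very long subdomain labels leave room for encoded data in the query.
    if any(len(label) >= 40 for label in sub) or sum(map(len, sub)) >= 60:
        out.add("tunnel-like")
    return out


if __name__ == "__main__":
    # Constructed sample names.
    for name in ["www.example.com", "examp1e.com", "xk2q9vz7lw4pt8mb.net"]:
        print(name, sorted(signals(name)))
```

Each signal is context for the risk assessment of a newly observed domain, to be combined with its uniqueness and with other controls before any mitigation is triggered.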
DNS security contributes to better cyber hygiene in your environment and enables continuous risk assessment and validation. Without DNS security, it becomes more difficult to gain early visibility into potential threats, even when working under zero trust principles. It also means that security administrators have to put more effort into data collection and policy enforcement. Therefore, DNS security is not only essential, but also low-hanging fruit in any zero trust architecture.
Learn more about DNS scanning in this IBM Security article.
IBM Security X-Force recommends that every organization begin to use DNS providers with integrated security. For example, Quad9 reduces the complexity of security operations at no cost.
Quad9 is also a trustworthy DNS provider that supports encryption, as malware and botnets will not use Quad9 for many good reasons. Additionally, through a partnership with IBM X-Force, Quad9 recovers every newly observed domain to help Quad9 users stay ahead of threats.
Join the X-Force Exchange Threat Intelligence Sharing by visiting: exchange.xforce.ibmcloud.com
To read emerging blogs on X-Force threat intelligence, visit: securityintelligence.com/category/x-force