What Is DNS Security?
To understand DNS security defenses, it’s important to look at the ways in which DNS is vulnerable to attack. Most DNS attacks work by making users believe they are going somewhere safe on the internet so that they enter their credentials.
For example, let’s say a user wants to access a commonly used website. That person would type the website address into the browser bar. A malicious actor could poison the cache of the DNS server that the user’s browser relies on to resolve that name. The user’s browser bar would show the correct website, but he or she would actually be connected to a malicious site that delivers malicious content or harvests credentials. This is known as cache poisoning or DNS spoofing.
Another attack type is DNS hijacking, in which the attacker alters the client’s DNS server settings or the domain’s records at the registrar to divert a user’s traffic away from the intended server and toward a new, malicious destination. That destination will likely be a fake version of a real website that can be used to harvest user credentials.
Other attacks involve the use of command and control servers that activate a malicious payload, such as ransomware, on a user’s device. This is often accomplished by getting a user to open an email attachment or click on a link. However, users are not yet doomed in these cases: the device still has to communicate out to the command and control server, for example to retrieve the keys that will lock up the data, and that callback normally begins with a DNS lookup that a resolver can refuse to answer.
Traditionally, agencies have invested a lot of time and money in their firewalls and perimeter defenses, so users know that when they go into their offices, they are operating in a secure environment.
However, firewalls alone won’t protect users from being redirected to malicious destinations on the internet. Moreover, with many federal workers working remotely, they are not behind their enterprise firewalls in the way they were at the office, making them more vulnerable to attacks. Many security measures that agencies and users took for granted pre-pandemic need to be re-evaluated.
There are many DNS security solutions for federal agencies to consider, including Cisco Umbrella, Palo Alto Networks DNS Security and Infoblox Advanced DNS Protection. Such solutions, Cisco’s and Infoblox’s in particular, can use threat intelligence feeds to block outbound DNS queries for known-bad domains and sinkhole them, so users are prevented from reaching malicious websites.
Such solutions aren’t strictly required to prevent cache poisoning, but having them helps automate the process.
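As an added illustration (not the article’s or any vendor’s code) of how a threat-feed-driven DNS sinkhole works: names on the feed, and their subdomains, are answered with a sinkhole address instead of being resolved, and the same match gives the security team a list of endpoints that tried to reach them. The feed entries, query log lines and addresses are constructed for the example.

```python
"""Added example (not any vendor's code): a minimal threat-feed-driven DNS sinkhole.
The feed, query log and sinkhole address below are constructed for illustration."""

# Constructed blocklist feed: one domain per line; blank lines and '#' comments allowed.
THREAT_FEED = """
# constructed indicators, not real ones
c2.example-malware.test
login-update.example-phish.test
"""
SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address standing in for the sinkhole

def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'C2.Example.TEST.' matches the feed."""
    return name.strip().lower().rstrip(".")

def load_feed(feed: str) -> frozenset:
    """Parse the feed, skipping blank lines and comments."""
    return frozenset(normalize(l) for l in feed.splitlines()
                     if l.strip() and not l.lstrip().startswith("#"))

def is_blocked(qname: str, blocklist: frozenset) -> bool:
    """Block a name if it or any parent domain is on the feed, so
    'cdn.c2.example-malware.test' is caught by 'c2.example-malware.test'."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def resolve(qname: str, blocklist: frozenset, upstream) -> tuple:
    """Return (verdict, answer): blocked names get the sinkhole address
    instead of being forwarded to the real recursive resolver."""
    if is_blocked(qname, blocklist):
        return ("SINKHOLE", SINKHOLE_IP)
    return ("ALLOW", upstream(qname))

def blocked_clients(log, blocklist: frozenset) -> dict:
    """Detection view: which clients tried to reach blocked names ({client: [names]})."""
    hits = {}
    for line in log:
        client, qname = line.split()
        if is_blocked(qname, blocklist):
            hits.setdefault(client, []).append(normalize(qname))
    return hits

# Constructed query log lines: "<client ip> <queried name>".
QUERY_LOG = [
    "10.1.1.5 www.example.gov.",
    "10.1.1.7 CDN.c2.example-malware.test",
    "10.1.1.9 login-update.example-phish.test.",
]
```

Calling `blocked_clients(QUERY_LOG, load_feed(THREAT_FEED))` shows the two clients that attempted blocked lookups, the kind of report the article says agents and resolvers can send back to the security team.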
Considerations for Deploying DNS Security Tools
DNS security tools are not as widely deployed in the federal government as other cybersecurity solutions, but there is definitely awareness and use of them. Prior to the pandemic, they were easy to deploy; often, within a day or two of signing a purchase order for such a tool, an agency could redirect its enterprise DNS servers to connect to the internet through the new security tool.
Some solutions, such as Cisco Umbrella, have an agent that can go on users’ endpoints, pushing the security controls down to the device. Agents can report back on traffic and behavior, so depending on the maturity of an agency’s IT security team, they can appropriately analyze such data and put together a holistic picture of their remote workforce.
There is no reason an agency should avoid deploying DNS security tools. Currently, they seem to be more popular in the defense realm than civilian agencies, in part because of architectural requirements for Defense Department networks.
IT security leaders should consider whether DNS security tools can be deployed remotely onto users’ devices and whether or not they support agents. Some technologies operate well in centralized environments but not when they are pushed down to endpoints.
DNS security should be considered when IT leaders are thinking through endpoint security. Most endpoint protections only react once something malicious has already happened on the device, so DNS security solutions can enhance protection by blocking users from reaching malicious content in the first place. IT leaders should also ensure their DNS security tools work with the solutions they already have protecting their networks.
At a time when so many users are working remotely, it’s time to think beyond the firewall for protection, and DNS security tools can help.