In the earlier days of the internet, we all believed that protecting our system was just a firewall. You would set up a Nokia box or a Cisco PIX, apply a few rules, and walk away, and you were with the thought that your servers and services were protected. But the world has now entirely changed, and despite the hard work of the firewall vendors, the threat landscape has evolved even faster.
Back in those earlier days, common Internet ports like FTP, SMTP, HTTP and HTTPS was the only thing we all worried about. You’d keep the required ports open, and the remaining blocked, filtering the traffic on allowed services. But today’s attackers spread globally, using traditional DNS to unobtrusively exfiltrate data from your networks.
If you are using a traditional DNS, then you are under the risk of any techniques used to exfiltrate data over DNS queries, or using it as a command and control channel for malware in your network. DNS attacks are not just a novel way of extracting stolen data from a network, they are also a growing DDOS threat, as exemplified by the Mirai botnet.
So what will you do if your firewalls do not protect your DNS? You need to go on a different approach.
Risks of the old, traditional firewalls
If you’re using a traditional firewall to secure DNS, alongside log-file analysis tools, then for sure you are putting your services and your data in danger.
- There are more false positives, locking users and customers out of your systems because log analysis tools are not real-time. More dangerously there is also the issue that after the incident analysis may not pinpoint breaches, putting you at significant risk.
- A massive attack can overwhelm systems quickly based around traditional firewalls, especially when it is combined with attack magnification as a result of retries by legitimate users. As these systems come down when they fall in risk.
- A new class of attacks on DNS servers are slow and can easily be unshown to legitimate traffic, making them very hard to identify and defend against.
- Some important techniques used by attackers, like DNS exfiltration and DNS tunneling tools, are now used commonly and have been as a toolkit for the attackers. They may not be as fast as extracting data over HTTP or FTP, but since they’re not tracked by most DLP tooling, they’re insufficient to spot even after your data has been stolen.
- Most of these class DNS attacks are new; and as a result, are more likely to be based around zero-days. That means it’s hard to get fixes and updates rolled out to firewalls in time to avoid compromises.
In today’s environment protecting DNS is difficult, but without specialized tools, you are just increasing your chances of either a damaging DDoS or a breach. How should you protect your DNS?
Armor up with a modern DNS server
Modern DNS servers take a very different way to deliver a secure DNS. Instead of spending your time on external firewalls and out-of- band log file analysis, they build the tools you need into the heart of the DNS server itself. That’s on top of delivering a quick, high-performance DNS server that can handle the high volume of queries that a DDoS attack will deliver.
That means they are both query-aware and transaction-aware, techniques that quickly unveil the tool attackers being used. By being query-aware they are able to spot and block malicious queries before they are delivered to the DNS engine, protecting it from attacks like DNS water torture. Transaction awareness is also a key, as by using DNS Transaction Inspection (DTI) to assess the validity and correctness of DNS traffic, in the specific context of each client, a DNS server is able to spot exfiltration.
Using a modern DNS server you keep your network secured in an unimaginable way. Though your data is highly protected there might be some flaws which may be invisible to us. So don’t stay blindfolded even after protection, switch over to Dima Warrior.
So, what else! It’s time for the industry to go along with Dima Warrior.