Defense-in-depth starts with DNS

Guest Editorial: It's become painfully clear to me that DNS can no longer be a fire hose that just pierces the firewall. Here are some simple action items that can be implemented on just about every network out there...
Written by Ryan Naraine, Contributor

* Ryan Naraine is on vacation. 

Guest Editorial by David Ulevitch

How do you stop computers on your network from becoming a part of massive botnets? Maybe you just trust that your desktop anti-virus definitions are up-to-date. When was the last time you looked at the DNS traffic patterns on your network? Perhaps you just break out WireShark from time to time to debug problems. Do you block outbound requests to external DNS servers on your firewall? If you're anything like the IT folks I talk to, you don't block DNS, nor do you pay any special attention to it. The general sentiment from the people I talk with is that "as long as my DNS works, it's fine."

That needs to change. DNS needs to be considered a critical layer in practicing defense-in-depth security.

Hopefully defense-in-depth isn’t a new concept to you, but if it is, here’s a quick intro: Information Assurance (IA) experts preach about practicing security as a process and not a task. And when implementing the process, the experts promote a defense-in-depth methodology. Defense-in-depth is a security approach where multiple layers of security solutions exist throughout the computing and networking environment, complementing each other to create a layered defense infrastructure. The argument is that a layered approach to security makes it harder for attackers to find a weak link in an infrastructure (among other benefits).


Having spent the last six years working with DNS, it's become painfully clear to me that DNS can no longer be a fire hose that just pierces the firewall. Zombie'd machines often use DNS to find their master and become part of a larger botnet. Compromised desktops use obscene amounts of DNS when they start large spam runs. Many forms of social engineering attacks involve using DNS to trick unsuspecting users into giving up personal information. And more and more pieces of malware are setting desktops to use rogue external DNS servers to resolve domain names to malicious hosts.

So what can you do? There’s a few simple action items that can be implemented on just about every network out there.

First: All outbound DNS requests coming from inside your network should be forwarded to a bastion host or another trusted DNS server. This should be ensured by either transparently proxying all DNS requests to these trusted DNS servers or blocking DNS requests destined for any server other than the trusted ones. This ensures that if a host on your network is compromised, it can’t start using a rogue DNS server on the Internet to hand out answers or collect internal DNS requests.

Second: Find a way to track the DNS traffic patterns on your network. The DNS can be extremely helpful in debugging larger network issues when you have insight into the nature of your DNS traffic. When a user calls the helpdesk complaining of a slow machine and you’re able to see that it’s making 100,000 DNS requests a day instead of the typical 1,000, you can start to dive in and understand the problem. The same goes for bosses who want to know which domains are being looked up most often on their network. Having the tools to block these hosts is even better.

Third: Have the tools to block domains on your DNS server. This one is the most challenging, but extremely important. Many firewalls (even the really expensive ones) let you block by hostname; however, they simply do a DNS lookup for the host when loading their rules. That is not sufficient and creates a false sense of security. Lots of big sites on the Internet use many IP addresses to load balance, and change IPs frequently.
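A small detection script for the second and third action items, added here as an illustration (it is not the author's or OpenDNS's code): it parses a constructed resolver query log, counts queries per client, flags hosts far above a baseline, and lists the most-queried domains, the list you would then review for blocking at the resolver. The log line format, the baseline and the 10x factor are assumptions.

```python
import re
from collections import Counter

# Simplified, constructed query-log line shape: client IP, "query:", name,
# class, type. Adapt the regex to your resolver's real log format.
QUERY_RE = re.compile(
    r"^(?P<client>\d+\.\d+\.\d+\.\d+) query: (?P<qname>\S+) IN (?P<qtype>\S+)$")

def parse_query_log(lines):
    """Return (client, qname) pairs for every line that matches QUERY_RE."""
    records = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            records.append((m.group("client"), m.group("qname").rstrip(".").lower()))
    return records

def queries_per_client(records):
    """Count how many queries each internal client sent in the log period."""
    return Counter(client for client, _ in records)

def flag_noisy_clients(counts, baseline, factor=10):
    """Clients sending more than `factor` times the per-period baseline
    (the article's example: 100,000 queries a day against a typical 1,000)."""
    return {c: n for c, n in counts.items() if n > baseline * factor}

def top_domains(records, n=5):
    """Most-queried domains, approximated as the last two labels of the name
    (a public-suffix list would be needed to handle names like example.co.uk)."""
    return Counter(".".join(q.split(".")[-2:]) for _, q in records).most_common(n)

# Constructed sample log: two quiet clients plus one client burning through
# 120 single-use names under one domain, the kind of pattern a spam run or
# a bot searching for its controller produces. An unparseable line is included
# to show that it is skipped rather than crashing the report.
SAMPLE_LOG = [
    "10.0.0.5 query: www.example.com IN A",
    "10.0.0.5 query: mail.example.com IN MX",
    "10.0.0.6 query: www.example.com IN AAAA",
    "garbage line that does not parse",
] + [f"10.0.0.7 query: h{i}.bad-example.test IN A" for i in range(120)]

def analyze(lines, baseline=10):
    """Build the report: per-client counts, flagged clients, top domains."""
    records = parse_query_log(lines)
    counts = queries_per_client(records)
    return {"counts": counts,
            "flagged": flag_noisy_clients(counts, baseline),
            "top_domains": top_domains(records)}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for client, n in report["flagged"].items():
        print(f"{client}: {n} queries, more than 10x the baseline")
    print("top domains:", report["top_domains"])
```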

The DNS is a fundamental piece of any Internet-connected network and it's time that it evolved to meet the demands of today's Internet. That change starts at the edge, on your network, where you can make a difference both to protect your own users and to be a better Internet citizen at the same time.

* David Ulevitch is founder/CEO of OpenDNS. He also runs the EveryDNS service.
