
Why DNS Firewalls Should Become the Next Hot Thing in Enterprise Security

By Rod Rasmussen on October 12, 2011



Hackers are well aware that holes exist in the security of the Internet's infrastructure.
It's time for the industry to protect the DNS layer.

The cornerstone of most enterprise computer security starts by building up protection around the
perimeter of an organization, usually in the form of the firewall and intrusion detection/intrusion
protection systems (IDS/IPS). Their use has been accepted to the point where they have become
"check-list" items on any security audit and even your grandmother probably has an idea of what
a firewall is even if she learned about it from some Hollywood thriller. Most any industry expert
will tell you that enterprise firewalls are at least a requirement, if not wholly sufficient, to protect
computer systems. Others will tell you that those who ignore a firewall's obvious benefits are
either uninformed or incompetent.

Unfortunately, with today's threats, the traditional firewall is not the silver bullet to secure an
enterprise. In fact, just the opposite: it typically leaves a huge pathway into your enterprise
completely unprotected. And that pathway, which is populated by unfettered domain name system
(DNS) information, has become a conduit of choice for cyber criminals looking to infiltrate your
network.

In short, you need another firewall.

Introducing the DNS Firewall

Much as firewalls and IDS/IPS solutions have become critical and expected pieces of an
enterprise's security infrastructure, attention must now turn to DNS resolvers as an essential
strategic security asset. Secure DNS resolvers function as a firewall for DNS, adding a vital layer of
defense to combat the deluge of advanced persistent threats (APT) and other malware that
circumvent traditional perimeter defenses.

Despite extensive use of network security measures, the reported number of successful breaches
has been growing alarmingly in recent years. One primary reason is that attackers have
recognized and are exploiting the largely unprotected DNS-based Internet infrastructure to remain
undetected while they infiltrate networks and exfiltrate valuable information. Reports suggest that
much of the Fortune 2000 and numerous governmental agencies have fallen prey to spear
phishing and related exploits. Yet DNS firewalls likely would have prevented the success of more
than 80 percent of these attacks.

80 percent, you ask? That's based on our informal surveys of various companies, security experts
and our own observations of how malware communicates. Overwhelmingly, malware uses the DNS
system for rendezvous, updates, downloads, and/or command & control (C&C). It's staggering to
consider the number of KNOWN malicious connections that could be trivially detected and blocked.

What is a DNS Firewall?

A DNS firewall is another way of saying a secure DNS resolver. It prevents enterprise employee
and system connections to known malicious Internet locations, and can provide immediate
feedback to enterprise security teams about potential compromises like botnets and APTs on their
networks. All it takes to create one is a list of malicious domains or hostnames, which can be
added easily to the configuration of the DNS resolver server to automatically block access to those
locations. By utilizing this secure DNS gateway, an enterprise can ensure its employees and IT
systems are not routed to destinations that could jeopardize communications, proprietary
information, customers' private data and more.

Another major advantage of a DNS firewall is that you already have the foundation you need in
place with your current DNS resolver infrastructure. Thus there's no hardware to install, major
software upgrades, network reconfiguration projects, or other show stopper items that can bog
down typical security solution deployments. In fact, a DNS firewall can be deployed in days or
even hours via either vendor solutions, or with a few scripts, some good data sources, and a talk
with the DNS administrator for the network. The trick is of course in how comprehensive, timely,
and accurate your threat data is and how sure you are of your implementation. So for most
enterprises, a tested vendor solution is nearly always going to be the preferred choice, as they can
provide fresh threat data and/or forwarded DNS resolution services directly to your enterprise
network rather seamlessly.

Why a DNS Firewall is so Important

Basic DNS resolvers act as gateways between an enterprise and the outside world. If that resolver
connects a user to a malicious location, then communications, proprietary information,
customers' private data and more could be jeopardized. Despite these dangers, the typical DNS
resolver in use by enterprises today is not only susceptible to various direct attacks, but also
lacks the built-in security layer necessary to identify malicious locations and protect enterprise
users. It's like having an Internet gateway with no security at all, instead of one protected by a
firewall.

Why do we have such a situation? Since its inception, DNS has been treated as an irrefutable
pure protocol that cannot be questioned and must, in fact, be followed correctly no matter what.
It's the Internet Phonebook, for goodness' sake! While noble, this attitude has blinded the typical
network operator to the practical need to filter or even re-direct public DNS responses in order to
protect their own enterprises. "My network, my rules" is a mantra that is somehow forgotten when
it comes to resolving external DNS responses.

As a result, the typical DNS resolution process doesn't prevent users from arriving at known
malicious locations. In fact, it actually enables malware infections to permeate an enterprise, and
communicate freely with controlling machines and the infiltrators themselves.

For example, in late 2009, a Google employee in China clicked on a malicious link in an instant
message. This set off a series of events that became known as Aurora which resulted in the
infiltration of Google's network for months and the theft of data from a variety of the search
engine giant's systems. When finally alerted, Google was able to determine the attack's scope and
reach within its network by examining log files from its DNS resolvers, where the attackers
movements were easily spotted. The same attack was perpetrated against dozens of other major
U.S. companies, and similar attacks are being discovered with alarming regularity. Had these
victim companies been using a secure DNS resolver that blocked connections to malicious
locations, these attacks would have been identified and mitigated in their earliest stages.

Spear phishing attacks that drop malware are highly effective since those attacks appear to come
from trusted sources. Inevitably, an employee or partner will fall for such a scam, supplying a
foothold for hackers. Once quietly inside the organization, these attacks can quickly spread,
putting an enterprise's vital information at risk.

The malware delivered by spear phishing attacks usually circumvents traditional firewalls with
ease. That's because most malware programs are now designed to leverage the DNS for managing
communications with their command and control servers. The malware uses hostnames, or an
algorithm for generating those hostnames on the fly, rather than hard-coded IP addresses when
determining where to find its C&C server. As a result, malware controllers can easily change the IP
addresses for their C&C servers at will, and some do so as often as every minute. There is little
chance that traditional firewall defenses can keep up with such tactics.

However, a properly maintained DNS firewall will block access to the DNS information for those
malicious hostnames, preventing the connection and/or diverting traffic from any infected
computers to a safe server for inspection. By implementing this one simple layer of defense,
enterprises can stymie over 80 percent of today's malware and commensurately reduce their risk
of information loss. While not a silver bullet, this approach is certainly going to be highly effective
and should be considered an essential layer in any enterprise's security posture.
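To make the mechanism concrete, here is a small policy engine of the kind described under "What is a DNS Firewall?" and in the paragraph above: a blocklist consulted before the resolver answers, with two actions (refuse the name, or answer with the address of an internal inspection server so the infected host's traffic is diverted), plus a replay of resolver query logs that surfaces which internal hosts asked for blocked names, the kind of resolver-log review the Aurora passage describes. This is an added example, not code from the article or any vendor product; the sinkhole address, the log-line format and every domain and client address in it are constructed.

```python
from collections import defaultdict, namedtuple
SINKHOLE_IP = "10.0.0.53"  # assumed address of an internal inspection server
# action is "ALLOW", "NXDOMAIN" or "SINKHOLE"; matched is the list entry hit
Verdict = namedtuple("Verdict", "action matched answer")

class DnsFirewall:
    """Policy layer the resolver consults before answering from public DNS."""
    def __init__(self, policy):
        # An entry also covers every subdomain: "bad.example" catches
        # "update.bad.example" but not the unrelated "notbad.example".
        self.policy = {d.lower().rstrip("."): a for d, a in policy.items()}

    def _match(self, qname):
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):  # most specific candidate first
            candidate = ".".join(labels[i:])
            if candidate in self.policy:
                return candidate
        return None

    def resolve_policy(self, qname):
        hit = self._match(qname)
        if hit is None:
            return Verdict("ALLOW", None, None)
        action = self.policy[hit]
        return Verdict(action, hit, SINKHOLE_IP if action == "SINKHOLE" else None)

def audit_log(fw, log_lines):
    """Replay query-log lines ('<timestamp> <client-ip> <qname> <qtype>', a
    constructed format) and report per client the blocked names it asked for."""
    alerts = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the audit
        ts, client, qname, _qtype = parts
        verdict = fw.resolve_policy(qname)
        if verdict.action != "ALLOW":
            alerts[client].append((ts, qname, verdict.action))
    return dict(alerts)

# Constructed sample policy and log; none of these are real indicators.
POLICY = {"bad.example": "NXDOMAIN", "c2.malware.test": "SINKHOLE"}
FW = DnsFirewall(POLICY)
LOG = [
    "2011-10-12T09:00:01 192.0.2.10 www.example.com A",
    "2011-10-12T09:00:02 192.0.2.10 update.bad.example A",
    "2011-10-12T09:00:03 192.0.2.22 c2.malware.test A",
    "2011-10-12T09:00:04 192.0.2.22 notbad.example A",
]
```

Running `audit_log(FW, LOG)` flags 192.0.2.10 for the refused name and 192.0.2.22 for the sinkholed one, while the lookalike "notbad.example" passes because matching walks whole labels rather than substrings.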

Whether it's malicious, coordinated assaults like Night Dragon, Shady Rat, Soysauce, Conficker,
Stuxnet, SpyEye and Zeus, or individual unnamed attacks, security companies know almost all
malware attacks by their DNS communications patterns. Yet a vast majority of enterprises don't
take steps to block such blatantly obvious communications. This is sheer folly and has to stop if
we're going to make the bad guys even break a sweat to rob us all blind.

Driving DNS Firewall Adoption

You may have stopped short when you read above that I expect 80 percent of all spear phishing
and related malware attacks could be stopped by a DNS firewall. I stand behind that number
whole-heartedly. In fact, our research shows it's quite conservative. Most of the major APT-style
breaches in the press of late have occurred using hostnames the security community was already
aware of, or became aware of well before the companies hit by them found out via traditional
methods. Highly effective malware families' domains are well known and well documented. With a
DNS firewall in place, that information could be translated into instant protection. At the very
least, you can take the "persistent" out of APT, since even if your network is compromised, you'll
be blocking the exfiltration of information as soon as the security community identifies the threat.
That's a powerful tool.

Despite these strong benefits, the concept of a DNS firewall seems to be a novel idea to most
CISOs we've spoken with. We find this surprising since this is not new technology, and several
companies have been offering "clean DNS" for quite a while, blocking known phishing and
pornography sites for example. However, these consumer-focused solutions are not widely
implemented, and often don't work well for an enterprise environment. The concept itself, though,
translates well, and is fairly painless to implement, certainly without the major costs of hardware
and network changes you'd find with traditional firewall or security product installations.

A quickly deployed solution with low pain and big benefits? Sounds like a winning proposition!

Criminals and hackers have become well aware that a major hole exists in the security of the
Internet's infrastructure, and we are now seeing an endless series of exploits and scams that take
advantage of that hole. It's time for the industry to protect the DNS layer.

Traditional firewalls are great, but DNS firewalls are just as important.
