
Why DNS Firewalls Should Become the Next Hot Thing in Enterprise Security

Hackers are well aware that holes exist in the security of the Internet’s infrastructure. It’s time for the industry to protect the DNS layer.

The cornerstone of most enterprise computer security starts by building up protection around the perimeter of an organization, usually in the form of the firewall and intrusion detection/intrusion protection systems (IDS/IPS). Their use has been accepted to the point where they have become "check-list" items on any security audit and even your grandmother probably has an idea of what a firewall is — even if she learned about it from some Hollywood thriller. Most any industry expert will tell you that enterprise firewalls are at least a requirement, if not wholly sufficient, to protect computer systems. Others will tell you that those who ignore a firewall’s obvious benefits are either uninformed or incompetent.

Unfortunately, with today’s threats, the traditional firewall is not the silver bullet to secure an enterprise. In fact, just the opposite: it typically leaves a huge pathway into your enterprise completely unprotected. And that pathway, which is populated by unfettered domain name system (DNS) information, has become a conduit of choice for cyber criminals looking to infiltrate your network.

In short, you need another firewall.

Introducing the DNS Firewall

Much as firewalls and IDS/IPS solutions have become critical — and expected — pieces of an enterprise’s security infrastructure, attention must now turn to DNS resolvers as an essential strategic security asset. Secure DNS resolvers function as a firewall for DNS, adding a vital layer of defense to combat the deluge of advanced persistent threats (APT) and other malware that circumvent traditional perimeter defenses.

Despite extensive use of network security measures, the reported number of successful breaches has been growing alarmingly in recent years. One primary reason is that attackers have recognized and are exploiting the largely unprotected DNS-based Internet infrastructure to remain undetected while they infiltrate networks and exfiltrate valuable information. Reports suggest that much of the Fortune 2000 and numerous governmental agencies have fallen prey to spear-phishing and related exploits. Yet DNS firewalls likely would have prevented the success of more than 80 percent of these attacks.

80 percent you ask? That’s based on our informal surveys of various companies, security experts and our own observations of how malware communicates. Overwhelmingly, malware uses the DNS system for rendezvous, updates, downloads, and/or command & control (C&C). It’s staggering to consider the number of KNOWN malicious connections that could be trivially detected and blocked.

What is a DNS Firewall?

A DNS firewall is another way of saying a secure DNS resolver. It prevents enterprise employee and system connections to known malicious Internet locations, and can provide immediate feedback to enterprise security teams about potential compromises like botnets and APTs on their networks. All it takes to create one is a list of malicious domains or hostnames, which can be added easily to the configuration of the DNS resolver server to automatically block access to those locations. By utilizing this secure DNS gateway, an enterprise can ensure its employees and IT systems are not routed to destinations that could jeopardize communications, proprietary information, customers’ private data and more.

Another major advantage of a DNS firewall is that you already have the foundation you need in place with your current DNS resolver infrastructure. Thus there’s no hardware to install, major software upgrades, network reconfiguration projects, or other “show stopper” items that can bog down typical security solution deployments. In fact, a DNS firewall can be deployed in days or even hours via either vendor solutions, or with a few scripts, some good data sources, and a talk with the DNS administrator for the network. The trick is of course in how comprehensive, timely, and accurate your threat data is and how sure you are of your implementation. So for most enterprises, a tested vendor solution is nearly always going to be the preferred choice, as they can provide fresh threat data and/or forwarded DNS resolution services directly to your enterprise network rather seamlessly.

Why a DNS Firewall is so Important

Basic DNS resolvers act as gateways between an enterprise and the “outside world.” If that resolver connects a user to a malicious location, then communications, proprietary information, customers’ private data and more could be jeopardized. Despite these dangers, the typical DNS resolver in use by enterprises today is not only susceptible to various direct attacks, but also lacks a built-in security layer necessary to identify malicious locations and protect enterprise users. It’s like having an Internet gateway with no security at all, instead of one protected by a firewall.

Why do we have such a situation? Since its inception, DNS has been treated as an irrefutable “pure” protocol that cannot be questioned and must, in fact, be followed correctly no matter what. It’s the “Internet Phonebook” for goodness sakes! While noble, this attitude has blinded the typical network operator to the practical need to filter or even re-direct public DNS responses in order to protect their own enterprises. “My network, my rules” is a mantra that is somehow forgotten when it comes to resolving external DNS responses.

As a result, the typical DNS resolution process doesn’t prevent users from arriving at known malicious locations. In fact, it actually enables malware infections to permeate an enterprise, and communicate freely with controlling machines and the infiltrators themselves.

For example, in late 2009, a Google employee in China clicked on a malicious link in an instant message. This set off a series of events that became known as “Aurora” which resulted in the infiltration of Google's network for months and the theft of data from a variety of the search engine giant's systems. When finally alerted, Google was able to determine the attack’s scope and reach within its network by examining log files from its DNS resolvers, where the attackers’ movements were easily spotted. The same attack was perpetrated against dozens of other major U.S. companies, and similar attacks are being discovered with alarming regularity. Had these victim companies been using a secure DNS resolver that blocked connections to malicious locations, these attacks would have been identified and mitigated in their earliest stages.

Spear phishing attacks that drop malware are highly effective since those attacks appear to come from trusted sources. Inevitably, an employee or partner will fall for such a scam, supplying a foothold for hackers. Once quietly inside the organization, these attacks can quickly spread, putting an enterprise’s vital information at risk.

The malware delivered by spear phishing attacks usually circumvents traditional firewalls with ease. That’s because most malware programs are now designed to leverage the DNS for managing communications with their command and control servers. The malware uses hostnames, or an algorithm for generating those hostnames on the fly, rather than hard-coded IP addresses when determining where to find its C&C server. As a result, malware controllers can easily change the IP addresses for their C&C servers at will, and some do so as often as every minute. There is little chance that traditional firewall defenses can keep up with such tactics.

However, a properly maintained DNS firewall will block access to the DNS information for those malicious hostnames, preventing the connection and/or diverting traffic from any infected computers to a safe server for inspection. By implementing this one simple layer of defense, enterprises can stymie over 80 percent of today’s malware and commensurately reduce their risk of information loss. While not a silver bullet, this approach is certainly going to be highly effective and should be considered an essential layer in any enterprise’s security posture.
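To make the resolver-side policy concrete, here is an added example (not code from the article or from the author's company) of the check a DNS firewall applies before answering a query: a blocklist of known-malicious hostnames drives a decision to block (answer NXDOMAIN), to divert the client to a safe inspection server, or to pass the query upstream, and every hit is logged so the security team gets the feedback the article describes. The blocklist entries, the sinkhole address and the upstream resolver are constructed placeholders.

```python
"""Resolver-side DNS firewall policy. Constructed example; the blocklist and
addresses below are placeholders, not real threat data."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed threat data: hostname -> policy action. In practice this comes
# from a vendor feed or the security team's own sources.
BLOCKLIST: Dict[str, str] = {
    "c2.badexample.test": "block",                # known C&C: answer NXDOMAIN
    "updates.malware-example.test": "sinkhole",   # divert infected hosts to a safe server
    "phish-example.test": "block",
}
SINKHOLE_IP = "192.0.2.10"  # placeholder "safe server for inspection" (RFC 5737 range)


@dataclass
class Decision:
    action: str              # "pass", "block" or "sinkhole"
    matched: Optional[str]   # blocklist entry that fired, if any
    answer: Optional[str]    # address to return for a sinkhole, else None


def normalize(qname: str) -> str:
    """DNS names are case-insensitive; strip the trailing root dot too."""
    return qname.rstrip(".").lower()


def policy_lookup(qname: str, blocklist: Dict[str, str] = BLOCKLIST) -> Decision:
    """Walk from the full name up to its parent domains so that subdomains of a
    listed domain (e.g. an algorithmically generated label under a known C&C
    domain) are caught as well. A listing high in the tree therefore blocks
    everything beneath it, so entries must be vetted for over-blocking."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        action = blocklist.get(candidate)
        if action:
            return Decision(action, candidate, SINKHOLE_IP if action == "sinkhole" else None)
    return Decision("pass", None, None)


def resolve_with_firewall(client_ip: str, qname: str,
                          upstream: Callable[[str], Optional[str]],
                          hit_log: List[dict]) -> Optional[str]:
    """Apply the policy before asking the upstream resolver. Returns the answer
    address, or None for NXDOMAIN. Hits are logged with the client so the
    security team can identify potentially compromised hosts."""
    decision = policy_lookup(qname)
    if decision.action == "pass":
        return upstream(qname)
    hit_log.append({"client": client_ip, "qname": normalize(qname),
                    "matched": decision.matched, "action": decision.action})
    return decision.answer  # sinkhole address, or None (NXDOMAIN) for "block"
```

Hits in `hit_log` are the signal worth alerting on: a client repeatedly asking for a listed C&C name is a likely infection, regardless of whether the name was blocked or sinkholed.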

Whether it’s malicious, coordinated assaults like Night Dragon, Shady Rat, Soysauce, Conficker, Stuxnet, SpyEye and Zeus, or individual unnamed attacks, security companies know almost all malware attacks by their DNS communications patterns. Yet a vast majority of enterprises don’t take steps to block such blatantly obvious communications. This is sheer folly and has to stop if we’re going to make the bad guys even break a sweat to rob us all blind.

Driving DNS Firewall Adoption

You may have stopped short when you read above that I expect 80 percent of all spear phishing and related malware attacks could be stopped by a DNS firewall. I stand behind that number whole-heartedly. In fact, our research shows it’s quite conservative. Most of the major APT-style breaches in the press of late have occurred using hostnames the security community was already aware of or became aware of well before the companies hit by them found out via traditional methods. Highly effective malware families’ domains are well known and well documented. With a DNS firewall in place, that information could be translated into instant protection. At the very least, you can take the “persistent” out of APT, since even if your network is compromised, you’ll be blocking the exfiltration of information as soon as the security community identifies the threat. That’s a powerful tool.

Despite these strong benefits, the concept of a DNS firewall seems to be a novel idea to most CISOs we’ve spoken with. We find this surprising since this is not new technology, and several companies have been offering “clean” DNS for quite a while, blocking known phishing and pornography sites for example. However, these consumer-focused solutions are not widely implemented, and often don’t work well for an enterprise environment. The concept itself though translates well, and is fairly painless to implement — certainly without the major costs of hardware and network changes you’d find with traditional firewall or security product installations.

A quickly deployed solution with low pain and big benefits? Sounds like a winning proposition!

Criminals and hackers have become well aware that a major hole exists in the security of the Internet’s infrastructure, and we are now seeing an endless series of exploits and scams that take advantage of that hole. It’s time for the industry to protect the DNS layer.

Traditional firewalls are great, but DNS firewalls are just as important.

Rod Rasmussen co-founded Internet Identity and serves as its lead technology development executive. He is widely recognized as a leading expert on the abuse of the domain name system. Rasmussen is co-chair of the Anti-Phishing Working Group’s Internet Policy Committee and serves as the APWG’s Industry Liaison, representing and speaking on behalf of the organization at events around the world and works closely with ICANN. He also is a member of the Online Trust Alliance’s (OTA) Steering Committee and an active member of the Digital PhishNet and is an active participant in the Messaging Anti-Abuse Working Group. Rasmussen earned an MBA from the Haas School of Business at UC-Berkeley and holds two bachelor’s degrees, in Economics and Computer Science, from the University of Rochester.