Ignore DNS at your peril 

Businesses have to pay close attention to their web traffic, especially when migrating business applications to the cloud. Web traffic is vital to any organization, and how internal and external users perceive the security and performance of business applications or e-commerce sites has a direct impact on business and productivity.

One protocol that all web traffic depends on is the Domain Name System (DNS). It is also one of the least supervised. The usual analogy is that DNS is the phone book of the internet: it translates human-friendly hostnames into the IP addresses that clients actually connect to.

For almost all users, the only outcome that matters is that a name resolves correctly, regardless of who performs the resolution or how long it takes. Most end users neither know nor care which resolver answers their queries; in most cases it is the one their ISP assigns by default, and very few have gone to the trouble of configuring a dedicated DNS service.

Unfortunately, the same is true in the business world. Yet the impact of poorly controlled and unsupervised DNS traffic shows up in both performance and security.

Improvement in performance…

Many international companies rely on a central DNS resolver for name resolution rather than local resolvers. This makes it easy to resolve internal names without managing a multitude of local servers. Unfortunately, it also means that when employees request resources from a Content Delivery Network (CDN), the CDN sees the query arriving from the central resolver and directs them to the point of presence nearest the head office, not the one nearest to where they actually are. This can lead to performance degradation, especially for IP telephony or video conferencing, as Microsoft describes in its official Skype documentation.

To achieve the required performance, name resolution has to take the user's actual location into account. The standard mechanism for this is EDNS Client Subnet (RFC 7871), by which a resolver passes a truncated form of the client's network to the CDN's authoritative servers so that they can answer with the nearest point of presence. This is much easier to do with a cloud resolver than with a multitude of local DNS servers to manage.
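The following is an added example, not code from the original article or from Zscaler, showing what that location-aware resolution looks like on the wire. It builds a DNS query carrying the EDNS Client Subnet option (RFC 7871), the option a resolver attaches so that a CDN's authoritative server learns which network the user is on, and parses it back out. Only the prefix is sent, never the full host address, which is the privacy trade-off to keep in mind when enabling it. The hostname and addresses are documentation values, and the 4096-byte UDP payload size is an assumed default.

```python
import ipaddress
import os
import struct

ECS_OPTION_CODE = 8   # EDNS Client Subnet option code (RFC 7871)
OPT_TYPE = 41         # OPT pseudo-RR type (RFC 6891)
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ecs_option(client_ip, prefix_len):
    """Encode the ECS option. Only ceil(prefix_len/8) address bytes are sent and the
    bits beyond the prefix are zeroed, so a /24 reveals the user's network, not the
    host. SCOPE PREFIX-LENGTH is always 0 in a query; the authority fills it in."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    net = ipaddress.ip_network("%s/%d" % (addr, prefix_len), strict=False)
    addr_bytes = net.network_address.packed[: (prefix_len + 7) // 8]
    body = struct.pack("!HBB", family, prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(qname, client_ip, prefix_len, txid=None, with_ecs=True):
    """A recursive A query; with_ecs adds one OPT RR carrying the client subnet."""
    txid = os.urandom(2) if txid is None else struct.pack("!H", txid)
    arcount = 1 if with_ecs else 0
    header = txid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    if not with_ecs:
        return header + question
    rdata = ecs_option(client_ip, prefix_len)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size (assumed 4096), TTL=ext-RCODE/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg, off):
    """Offset just past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_ecs(msg):
    """Return (network, scope_prefix_len) from the ECS option of a DNS message,
    or None when the message carries no OPT RR or no ECS option."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):           # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, source, scope = struct.unpack("!HBB", body[:4])
            width = 4 if family == 1 else 16
            addr = ipaddress.ip_address(body[4:].ljust(width, b"\x00"))
            return ipaddress.ip_network("%s/%d" % (addr, source), strict=False), scope
    return None


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range standing in for the user's office network.
    query = build_query("www.example.com", "203.0.113.77", 24)
    print(parse_ecs(query))   # (IPv4Network('203.0.113.0/24'), 0)
```

A central resolver that forwards ECS lets the CDN answer for the user's network rather than the resolver's, which is the performance fix the paragraph above asks for. The same option also discloses that network to every authoritative server that sees it, which is why resolvers normally send it only to operators known to use it.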

…and security!

The essential role of DNS in the security of the company is evident. It is through DNS that employees are directed to the websites they request. An attacker who takes control of DNS could therefore carry out convincing, large-scale phishing attacks by spoofing both external web destinations and internal applications. To protect against such attacks it may be useful to deploy technologies such as DNS Security Extensions (DNSSEC), which signs DNS records so that a validating resolver can verify they are authentic and unmodified, or DNS over TLS, which encrypts DNS traffic between the client and the resolver to preserve query confidentiality. The two are complementary rather than interchangeable: DNSSEC does not hide queries, and DNS over TLS does not authenticate the records the resolver returns, so a compromised or malicious resolver can still lie. Yet these approaches are rarely implemented in enterprise networks, because they add complexity to a simple system that has been functioning on its own for a long time. This is a dangerous attitude that could leave the organization vulnerable to phishing and other attacks.

DNS may be abused in many other ways. Malware increasingly uses DNS to exfiltrate data and fetch commands, for example by encoding them in query names and TXT records, taking advantage of the fact that this protocol is rarely inspected, let alone filtered. According to a survey conducted by EfficientIP in 2018, 91 percent of malware used DNS resolution to contact its command and control server. And yet only 38 percent of companies consider protecting their DNS a priority.

Adding to the confusion, some antivirus products themselves use DNS tunnelling to fetch basic signature updates even when a firewall blocks their other traffic. In these circumstances it can be difficult to distinguish legitimate from malicious traffic. Companies must therefore look at the security of their DNS servers and start inspecting these streams to prevent unwanted surprises. This inspection is not trivial, and it can pay to apply machine-learning techniques to a large volume of queries to detect anomalies that would otherwise pass under the radar. Here, too, the cloud is a helpful tool for conducting this type of analysis.
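As an added example that is not part of the original article or any Zscaler product, here is the kind of profiling a detection engineer would run over resolver query logs to surface the tunnelling described in the two paragraphs above. It aggregates queries per registered domain and scores four indicators of tunnelling: many unique names, long subdomains, high-entropy (random-looking) labels, and a high share of TXT/NULL queries. The log lines are constructed, the log format and thresholds are assumptions to be tuned on real traffic, `exfil-test.net` and `av-lookup.example` are hypothetical names, and the allowlist models the antivirus case, where traffic that looks exactly like a tunnel is expected from a known domain.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not real traffic): "<timestamp> <client> <qtype> <qname>".
# example.com / example.org stand in for ordinary business traffic; exfil-test.net models
# a tunnel and av-lookup.example an antivirus vendor's lookups over DNS (both hypothetical).
SAMPLE_LOG = """\
2018-06-01T12:00:01Z 10.0.0.5 A www.example.com
2018-06-01T12:00:02Z 10.0.0.5 AAAA www.example.com
2018-06-01T12:00:03Z 10.0.0.7 A mail.example.com
2018-06-01T12:00:05Z 10.0.0.7 A cdn.example.com
2018-06-01T12:00:06Z 10.0.0.8 A corp-portal.example.org
2018-06-01T12:00:09Z 10.0.0.9 TXT 4a7f2c9e1b3d5f08a6c2e4d0b1f3a5c7.1.t.exfil-test.net
2018-06-01T12:00:09Z 10.0.0.9 TXT 9c1e3b5d7f2a4c6e8b0d2f4a6c8e0b1d.2.t.exfil-test.net
2018-06-01T12:00:10Z 10.0.0.9 TXT 0f2d4b6a8c1e3f5d7b9a2c4e6f8d0b3a.3.t.exfil-test.net
2018-06-01T12:00:10Z 10.0.0.9 TXT e7c5a3f1d9b7e5c3a1f0d2b4c6e8a0f2.4.t.exfil-test.net
2018-06-01T12:00:11Z 10.0.0.9 TXT 3b5d7f9a1c3e5f7b9d1f3a5c7e9b1d3f.5.t.exfil-test.net
2018-06-01T12:00:11Z 10.0.0.9 TXT a1c3e5f7b9d1f3a5c7e9b1d3f5a7c9e1.6.t.exfil-test.net
2018-06-01T12:00:12Z 10.0.0.5 TXT 6e4c2a0f8d6b4a2c0e8f6d4b2a0c8e6f.h.av-lookup.example
2018-06-01T12:00:12Z 10.0.0.7 TXT 1f3d5b7a9c1e3f5d7b9a1c3e5f7d9b1a.h.av-lookup.example
2018-06-01T12:00:13Z 10.0.0.8 TXT c9e1a3f5d7b9c1e3a5f7d9b1c3e5a7f9.h.av-lookup.example
2018-06-01T12:00:13Z 10.0.0.5 TXT 2d4f6a8c0e2b4d6f8a0c2e4b6d8f0a2c.h.av-lookup.example
2018-06-01T12:00:14Z 10.0.0.7 TXT 8a0c2e4f6b8d0a2c4e6f8b0d2a4c6e8f.h.av-lookup.example
"""

# Assumed thresholds; tune against a baseline of your own traffic.
THRESHOLDS = {"unique_names": 5, "mean_sub_len": 30, "mean_entropy": 3.5, "txt_ratio": 0.5}


def shannon_entropy(text):
    """Bits per character: about 4.0 for random hex, well under 3 for normal hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registrable domain: the last two labels. Production code should use the
    Public Suffix List (co.uk and friends); this shortcut is an assumption of the demo."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, qtype, qname) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            _ts, client, qtype, qname = line.split()
            yield client, qtype.upper(), qname.lower()


def profile_domains(records):
    """Aggregate per registered domain the indicators tunnelling tends to trip."""
    per = defaultdict(lambda: {"queries": 0, "names": set(), "txt": 0, "sub_len": 0, "entropy": 0.0})
    for _client, qtype, qname in records:
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")     # everything left of the registered domain
        p = per[dom]
        p["queries"] += 1
        p["names"].add(qname)
        p["txt"] += int(qtype in ("TXT", "NULL"))
        p["sub_len"] += len(sub)
        p["entropy"] += shannon_entropy(sub)
    return {
        dom: {
            "queries": p["queries"],
            "unique_names": len(p["names"]),
            "txt_ratio": p["txt"] / p["queries"],
            "mean_sub_len": p["sub_len"] / p["queries"],
            "mean_entropy": p["entropy"] / p["queries"],
        }
        for dom, p in per.items()
    }


def flag_tunnels(stats, allowlist=frozenset(), min_indicators=2):
    """Return {domain: [indicators hit]} for domains tripping at least min_indicators
    thresholds and not on the allowlist (which is how known AV lookups stay quiet)."""
    flagged = {}
    for dom, s in stats.items():
        hits = [k for k, limit in THRESHOLDS.items() if s[k] >= limit]
        if len(hits) >= min_indicators and dom not in allowlist:
            flagged[dom] = hits
    return flagged


def analyse(log_text=SAMPLE_LOG, allowlist=frozenset({"av-lookup.example"})):
    return flag_tunnels(profile_domains(parse_log(log_text)), allowlist)


if __name__ == "__main__":
    for dom, hits in analyse().items():
        print("possible DNS tunnel: %s (%s)" % (dom, ", ".join(hits)))
```

Run against the sample, only `exfil-test.net` is reported; `av-lookup.example` trips the same indicators and is suppressed purely by the allowlist, which is exactly the point the paragraph above makes: the signal does not separate the two, only knowledge of which domains are expected to behave that way does. On real volumes the per-domain aggregation is what makes this workable, since individual queries look innocuous.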

DNS should not be ignored: it is the very first transaction that occurs when you connect to an internet-based resource. Integrating DNS controls with the rest of the security stack is required. A cloud platform that natively provides a proxy-based architecture delivers not only security but also an optimised user experience.

This is a submission from Yogi Chandiramani, VP of Systems Engineering, Zscaler.