Infoblox is committed to AI to further develop DNS security


Anyone who follows the developments around the Domain Name System (DNS) knows that the market is changing a lot. Not only have newer standards such as DNS over TLS (DoT) and DNS over HTTPS (DoH) been added to make DNS traffic safer, but new players have joined and older players have left. For Infoblox the developments have worked out well: it has managed to innovate and become one of the more important players in DNS. According to Infoblox, there is still plenty to innovate in the near future to make its products better. Smart DNS should contribute to that, adding intelligence to the Infoblox portfolio.

Earlier this year, we visited Infoblox to find out how the company is positioning itself to be distinctive in the marketplace. In short, DNS services in combination with DHCP (Dynamic Host Configuration Protocol) and IPAM (IP Address Management) services, collectively also known as DDI, are the spearhead of Infoblox. It is a layered approach, where DNS and DHCP deal with assigning and resolving IP address issues and IPAM is the last layer of administration for managing IP addresses in the network.

However, there are enough interesting developments going on within DDI. For example, Infoblox is investing in smart DNS, something the company has been doing for a long time. To get more insight into this, we decided to talk to Krupa Srivatsan and Martin van Son of Infoblox.

Applying AI to DNS data

Infoblox's approach to making its DNS services smart starts with DNS queries. In such a query, an endpoint (the DNS client) submits a request to a DNS server. A fairly simple example is a laptop on which a user enters a domain name in the browser. A DNS server is then contacted, which consults its records to resolve the domain name to an IP address (a number instead of a written name). The answer is then fed back to the endpoint. The traffic generated by this process contains the data that matters. If you apply AI to it, the technology can draw conclusions from it and then take action on them.

The scenarios to which AI can be applied ultimately vary, especially because thousands of DNS queries are executed daily within enterprise organisations. DNS queries take place not only when visiting websites; a DNS server is also consulted for e-mail traffic. In addition, it is sometimes necessary to consult multiple servers when the first server does not have an immediate answer. The DDI approach adds some traffic of its own, since a DHCP server is used to set up the IP configuration. All in all, there are quite a few components that together make the daily DNS traffic within organisations considerable.

Smart DNS in practice

So Infoblox has been using machine learning to make DNS smart for some time now, making the Infoblox portfolio increasingly a first-line security solution. The DNS services are located close to the endpoint, which in practice allows them to pick up rogue signals sooner than other security solutions.

For example, it means that Infoblox can be used to detect DDoS attacks. Normally, such attacks are quite difficult to detect, as traffic in DDoS attacks is often identical to regular traffic. However, DNS services may find that the same DNS query is sent 20 times in a row. Previously Infoblox would handle all 20 requests without raising the alarm, but now smart technology concludes that the same request 20 times in a row is highly unlikely under normal circumstances. Infoblox will classify this as a DDoS attack and block it independently.

During our conversation it becomes clear that Infoblox applies this kind of technology in multiple ways. For example, machine learning is also used for DNS queries that should not be accepted because the requested domain is known to be malicious. The DNS server then simply reports back that the domain shouldn't be visited, and actually blocks it.
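The two detections described above (the same query repeated 20 times in a row, and a lookup for a domain on a known-bad list) can be illustrated with a small log-analysis routine. This is an added example written for this article, not Infoblox code; the log format, the threshold and the blocklist are constructed assumptions.

```python
"""Flag repeated identical DNS queries and known-bad domains (illustrative only).

The log line format "<timestamp> <client_ip> <qname> <qtype>", the threshold of
20 and the blocklist below are assumptions for this example, not Infoblox's own.
"""
from collections import defaultdict

# Constructed sample log: one client repeats the same query 20 times in a row,
# another client asks for a name that is on the (constructed) blocklist.
SAMPLE_LOG = (
    ["2024-01-01T10:00:00 10.0.0.5 www.example.com A"] * 3
    + ["2024-01-01T10:00:01 10.0.0.7 mail.example.net MX"]
    + ["2024-01-01T10:00:02 10.0.0.9 bad.example.org A"]
    + ["2024-01-01T10:00:03 10.0.0.5 update.example.com A"] * 20
)

# Stand-in for a threat-intelligence feed of malicious domains (constructed).
BLOCKLIST = {"bad.example.org"}


def parse(line):
    """Split one log line into (client, qname, qtype); qname is normalised."""
    _ts, client, qname, qtype = line.split()
    return client, qname.lower().rstrip("."), qtype


def detect(lines, threshold=20):
    """Return (repeat_alerts, block_alerts).

    repeat_alerts: (client, qname) once a client has sent the same query
    `threshold` times in a row (the article's example uses 20).
    block_alerts:  (client, qname) for every lookup of a blocklisted name.
    """
    # Per-client state: [last (qname, qtype), length of the current run]
    run = defaultdict(lambda: [None, 0])
    repeat_alerts, block_alerts = [], []
    for line in lines:
        client, qname, qtype = parse(line)
        if qname in BLOCKLIST:
            block_alerts.append((client, qname))
        state = run[client]
        if state[0] == (qname, qtype):
            state[1] += 1
        else:
            state[0], state[1] = (qname, qtype), 1
        if state[1] == threshold:  # alert exactly once per run
            repeat_alerts.append((client, qname))
    return repeat_alerts, block_alerts


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A real deployment would key the repeat counter on a time window as well, since legitimate clients with broken caches can also repeat queries.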

Giving context to tackle problems

After this machine-learning-based detection and blocking, Infoblox also gives the necessary context to the issues it identifies. The device on which the suspicious activity took place is mapped, as well as where the device sits in the network and whose device it is. Security professionals and network administrators can use this information to respond to suspicious activity. Often they have to take the final action themselves, for example because another security tool is needed to remove the threat from the network.

Infoblox really sees this last action as a distinguishing feature. It can hand over the information about the threat to the security solution where the action has to take place. For example, if the threat is on an endpoint, Carbon Black could be used to address it. Infoblox then tells Carbon Black on which device the activity is taking place, and Carbon Black technology is used to find the executable that started the malicious activity.

Infoblox has built many such integrations, from a SIEM platform like LogRhythm to an IT Service Management platform like ServiceNow and from a log specialist like Splunk to a CASB player like McAfee. Infoblox wants to offer as many integrations as possible as standard so that it has a truly neutral look and feel. However, if your company uses a solution that Infoblox hasn’t built a connector for, you’ll still have to build something yourself. Open Application Programming Interfaces (APIs) are available for this, which should make it relatively easy to send the data to another platform.

Hybrid model supports future detections

In addition to its focus on integrating with existing solutions, Infoblox finds it important to underline its hybrid approach in this context. This may sound odd in today's IT market, because supporting a hybrid model is often standard nowadays. However, according to Srivatsan and Van Son, there are several players in the field of DNS that offer only on-premises or only cloud options. Infoblox does have a hybrid approach. For the intelligence this has the advantage that more advanced analyses can be applied, because many more resources are available in the cloud to do so. These analytics promise to improve detection quality, while detecting more rogue practices.

As we speak, Infoblox has not yet finished adding smart features to its DDI portfolio. Our conversation partners are committed to applying more advanced analytics features, such as the detection of suspicious activity in domains with very similar URL names. Additional applications can be created for Infoblox’s AI.

With smart DNS, Infoblox demonstrates its ability to harness artificial intelligence. It already applies the technology in a good way, and it sees a future where AI means even more. In conclusion, we’re looking forward to further developments from Infoblox in this area.