Keep DNS in mind when planning your office re-opening

It's hard enough dealing with users who browse the Internet off-network on their devices over the weekend, then return to the office and reconnect to your enterprise network with those devices unwittingly infected with malware. With many localities operating under extended stay-at-home mandates to help flatten the COVID-19 infection curve, that threat is exacerbated, not only by the length of the absence but because users who adapt to and grow comfortable with work-at-home routines may become overly casual and less vigilant about threats.

The AV-Test Institute, an independent IT security research institute, has identified over one billion malware programs in existence. And when it comes to malware, ransomware, and other undesirable software programs potentially impacting the security of your network and your users, there's good news and there's bad news. The good news is that most of these programs are identifiable and can be mitigated by keeping the anti-virus software and firewalls within your network current. So it's imperative that you keep anti-virus software and firewall software up to date.

Now for the bad news: the AV-Test Institute also reports registering over 350,000 new malicious programs (malware) and potentially unwanted applications per day. At that rate of production, it is exceptionally challenging for anti-virus and firewall software vendors to remain current enough to detect and mitigate all new malware.

While no one or even two point solutions like anti-virus and firewalls offer a perfect defense, several solutions used together, each examining a different aspect of the cyber kill chain (the way malware infests, communicates and spreads), can in combination offer a less imperfect defense. This is the premise of a defense in depth strategy, where the whole solution truly is greater than the sum of its constituent parts. So what additional controls can you add to anti-virus and firewalls to more effectively detect and prevent malware infestation?

Training end users is certainly a key ingredient in your defensive strategy against malware penetration, as many forms of malware infiltrate your network through clicked links, opened attachments, software downloads and related user-triggered means. This is equally true whether working from the office or from home. But from a technology perspective, there is one additional major defensive layer you can implement rather easily to improve your chances of detecting new malware and stopping it from spreading or damaging your network and computing infrastructure: arming your DNS (domain name) servers with firewall capability.

Everyone uses DNS and every network has DNS servers. DNS is a critical component of Internet infrastructure that frankly makes the Internet usable for you and me. That’s because we find it easier to remember names of websites, not numbers, so DNS provides this convenient lookup and translation feature so we can connect to sites by name while our computers can connect by numerical addresses.

When we connect to something on the Internet, we type or click a name on our device, and the device initiates the first step: looking up that name in DNS. As the second step, our device takes the answer from DNS and attempts to connect to the corresponding address, typically through an enterprise firewall. The third step entails our device receiving the response over the connection and presenting it to the user.

Consider how most malware adapts to the environment into which it has installed itself: the malicious software will often attempt to communicate with the malware author over the Internet, to the author's website or file server. Like your devices, the first step for malware typically entails a DNS lookup to translate the malware author's website name into the corresponding IP address it uses to communicate over the Internet. Then the malware can make the connection to the IP address returned from DNS, download new software, upload stolen information, or otherwise receive nefarious instructions over that connection.

Most enterprises only address steps two and three in this Internet connection process. Network firewalls provide protection during step two to examine and filter connection traffic to detect and potentially block suspected malware traffic. Anti-virus software can be used in step three to scan received content for malicious software and take appropriate actions. But many enterprises miss an important detection point at step one, at the DNS layer.

With the implementation of a DNS firewall, you can detect malware domain lookups and stop malware before it progresses to the connection and data transfer phases. A DNS firewall can examine not only the name being looked up, but also the answer received, the answering DNS server's address or name, and more. Based on the examination of the query and response, DNS firewall policies can be defined to dictate whether to drop the response, respond with "not found," or provide an alternative answer, for example to redirect the querier to a mitigation server.

DNS firewall functionality is natively supported by many reference implementations, including ISC BIND, PowerDNS and Knot DNS, and by many vendor products such as Diamond IP; Microsoft Windows Server 2016 and 2019 require installation of a separate utility. Several service providers, including Diamond IP, also offer DNS firewall feeds that use the standard DNS protocol to provide real-time updates of blocklists and whitelists for domains and related information. So if the DNS servers in your network already support DNS firewall functionality, there's no need to purchase new hardware; all you have to do is subscribe to a DNS firewall service to enable your DNS firewall and receive timely updates.
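The three policy outcomes described above (drop the query, answer "not found", or redirect to a mitigation server), plus triggers on the answer IP and on the answering name server, expressed as a BIND response policy zone (RPZ). This is an added example, not configuration from the original post or from any vendor named here; the zone name rpz.local, every domain name, and the addresses (drawn from RFC 5737 documentation ranges) are constructed.

```conf
// --- named.conf fragment (constructed example) ---
options {
    // Attach the local policy zone. break-dnssec lets the policy
    // rewrite answers even when the original zone is DNSSEC-signed.
    response-policy { zone "rpz.local"; } break-dnssec yes;
};
zone "rpz.local" { type master; file "rpz.local.db"; };

; --- rpz.local.db (constructed policy zone; a feed would replace this) ---
$TTL 300
@   SOA   localhost. hostmaster.localhost. ( 2020051101 3600 900 604800 300 )
@   NS    localhost.

; Triggers on the name being looked up (QNAME):
malware-c2.example        CNAME  .                      ; "not found": answer NXDOMAIN
*.malware-c2.example      CNAME  .                      ; ...and all of its subdomains
tracker.example           CNAME  *.                     ; NODATA: name exists, no records
dropper.example           CNAME  rpz-drop.              ; drop: send no response at all
phish.example             CNAME  sinkhole.corp.example. ; redirect to a mitigation server
allowed-partner.example   CNAME  rpz-passthru.          ; explicit allow-list entry

; Triggers on the answer received, written <prefix>.<reversed octets>.rpz-ip:
32.10.2.0.192.rpz-ip      CNAME  .                      ; any answer containing 192.0.2.10
24.0.113.0.203.rpz-ip     CNAME  .                      ; any answer inside 203.0.113.0/24

; Triggers on the answering name server, by name (rpz-nsdname) or address (rpz-nsip):
ns1.bulletproof.example.rpz-nsdname   CNAME  .
32.7.100.51.198.rpz-nsip              CNAME  .          ; NS at 198.51.100.7
```

Each policy hit is written to BIND's rpz logging category, so the same zone that blocks a lookup also gives your SOC a detection event naming the client and the matched rule.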

The type of blocking information you receive from a DNS firewall service is different from that received by your in-band data firewalls. And that's a good thing, because it widens your malware-snagging net, so to speak, by looking at more criteria for a given connection attempt, based on DNS, in-band data, and device-level controls together, in order to better ascertain whether it is malicious or not. A DNS firewall is a simple, affordable way to add a layer to your overall defense in depth strategy and improve your chances of detecting and mitigating malware in your environment, in the face of 350,000 malware updates per day.

As we look forward to the loosening of social distancing guidelines, let us look forward with hope while remaining vigilant about the safety and health of our communities and each other. And as we map out plans to re-open our offices to workers, many of whom have been working from home for an extended period, let us also remain vigilant about the protection of our networks. Consider deepening your malware threat defenses with a DNS firewall implementation. As always, please contact me if you have any questions or would like to learn more.
