We all know what happens whenever anyone or anything tries to access a resource on the Internet. It all starts with a DNS request that translates a hostname (www.akamai.com) into an IP address (188.8.131.52).
Now, if we dive a little deeper into the DNS request flow, we can see the requester make a request to the recursive DNS infrastructure of either their ISP or their enterprise. In other words, the recursive DNS infrastructure walks (recurses) the DNS hierarchy to return the proper IP address for the intended domain name to the requester.
Without getting into the DNS hierarchy, the recursive DNS infrastructure ultimately gets its answer from the authoritative DNS infrastructure. Bottom line: authoritative DNS provides recursive DNS with the IP resolution of the intended resource. Find out more about why authoritative DNS is critical for performance, availability and resiliency.
As far as this post is concerned, recursive DNS sees all requests for resources on the Internet.
This obviously makes it a critical piece of enterprise and ISP infrastructure. It also makes recursive DNS the perfect control point at which to apply policy, because it sits before any IP connection is made and before any file is downloaded and executed.
Now why would I want to apply policy to recursive DNS requests? For that we need to look at the current threat landscape. As we also all know, the volume of malware and its sophistication keep increasing. This deluge of advanced threats has led to an unprecedented increase in the number of breaches over the last few years.
Advanced threats, such as malware and ransomware, frequently share common characteristics. These threats are often designed to bypass existing defenses using unique, sophisticated techniques to exploit vulnerabilities, and to use external command and control systems to control and monitor malware while potentially exfiltrating data.
As a whole, enterprises seem to struggle to deal effectively with the bombardment of advanced threats: threats that are often built to bypass traditional defenses by evolving rapidly and by using less protected threat vectors such as DNS. It is clear that most enterprises don't have an answer for these sophisticated threats, which generally cost them tens of millions of dollars to clean up. The fact that it still takes over six months for most organizations to identify a data breach speaks volumes.
As I covered earlier, if we think about malware, ransomware, phishing, or even ordinary access to the Internet, they generally start with the same thing: a DNS lookup. Whether that is to get an IP address for a malware's command and control infrastructure, to exfiltrate data as part of the DNS request itself, or just an employee trying to access an app that he or she isn't supposed to, it all starts with a DNS lookup that goes to the enterprise's recursive DNS infrastructure.
Getting back to the point of why I would want to apply policy to recursive DNS requests, you can start to see how a proactive approach to defending against advanced threats using cloud-based recursive DNS and threat intelligence starts to make sense. DNS resolution happens early in the kill chain, which makes near-instant global policy pushes combined with always up-to-date threat intelligence even more effective.
It all starts with visibility. Since all external enterprise DNS lookups pass through the enterprise's recursive DNS resolvers, the enterprise can get visibility into all external Internet traffic destinations to figure out for example what SaaS apps or unmanaged IoT devices someone in the enterprise is using.
It is also about control. Once the enterprise has the visibility, it can also add controls such as an acceptable Internet usage policy, whether that's for guest Wi-Fi or to stop employees accessing sites they aren't supposed to.
Lastly, combining DNS visibility with threat intelligence can help proactively mitigate enterprise threats before they even reach the enterprise. This is done by stopping access to malware and phishing domains, for example domains that are generated by an algorithm, or whose reputation isn't what it needs to be because the domain is likely delivering malware or redirecting to an exploit kit.
We can also stop malware communicating with its command and control infrastructure using recursive DNS combined with threat intelligence, whether that's to receive instructions, or even DNS-based data exfiltration, where sensitive info is encoded into the requested domain name and captured by the attacker's DNS server.
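To make the three policy checks above concrete (a threat-intelligence blocklist, algorithm-generated names, and data smuggled inside the query name), here is an added example that is not part of the original post or of any Akamai product: a small Python classifier run over constructed resolver log lines. The blocklist, the log lines and the entropy/length thresholds are all illustrative assumptions, not real indicators or tuned values.

```python
import math
from collections import Counter

# Constructed stand-in for a threat-intelligence feed of known C2 / phishing domains.
BLOCKLIST = {"bad-c2.example", "phish-login.example"}

# Constructed resolver log lines: "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.akamai.com
2024-01-01T10:00:02Z 10.0.0.5 updates.bad-c2.example
2024-01-01T10:00:03Z 10.0.0.7 xk7q2mzpw9rtl4vb.example
2024-01-01T10:00:04Z 10.0.0.9 4d6f6e6579323032342d6b6579.6578616d706c6520.tunnel.example
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking or encoded strings score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def classify(qname: str) -> str:
    """Policy verdict for one query name: 'block', 'suspect:exfil', 'suspect:dga' or 'allow'."""
    labels = qname.rstrip(".").lower().split(".")
    # Crude registrable-domain guess (last two labels); a real resolver would use a public-suffix list.
    registered = ".".join(labels[-2:])
    if registered in BLOCKLIST:
        return "block"                      # known-bad domain from the intel feed
    subdomain = "".join(labels[:-2])
    # Long, high-entropy subdomains are how data gets smuggled out inside the query name.
    if len(subdomain) >= 40 and shannon_entropy(subdomain) > 3.0:
        return "suspect:exfil"
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / max(len(sld), 1)
    # Long, high-entropy, vowel-poor second-level labels are typical of algorithm-generated names.
    if len(sld) >= 12 and shannon_entropy(sld) > 3.2 and vowel_ratio < 0.2:
        return "suspect:dga"
    return "allow"

def apply_policy(log_text: str) -> list:
    """Run every logged query through classify(); returns (client, qname, verdict) tuples."""
    verdicts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:                 # skip blank or malformed lines
            _ts, client, qname = parts
            verdicts.append((client, qname, classify(qname)))
    return verdicts

if __name__ == "__main__":
    for client, qname, verdict in apply_policy(SAMPLE_LOG):
        print(f"{verdict:14} {client:10} {qname}")
```

In a real deployment the "suspect" verdicts would feed a sinkhole or an alert rather than a hard block, since entropy heuristics alone produce false positives on CDN and cloud hostnames.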
Ultimately it is worth remembering that cloud-based recursive DNS combined with threat intelligence can provide an additional layer of visibility, control, and security to an enterprise.
Next time, I will go into how cloud-based recursive DNS combined with threat intelligence can help protect against some common approaches such as domain generation algorithms, fast flux, and DNS-based data exfiltration.
In the meantime, visit https://www.akamai.com/dns for more information.