You Should Ignore DNS: Really You Should, At Least Until the Next Catastrophe
As I sat down for dinner on Mother’s Day, my phone rang. Guess what? WannaCry had just hit the news, and our team was trying to reach me to discuss what it meant for our customers and how our security software responded to such threats. This is not the first time I have received such a phone call; we went through a similar exercise with Petya / NotPetya. As part of my job at Infoblox, I get a real-time view of what is happening in cyberspace, especially cyberattacks such as Dyn, WannaCry, Jaff, Petya, NotPetya and more.
As we try to educate our customers on the causes of these threats and how they can protect against them by securing their DNS, it occurred to me that DNS is like air: the clean, fresh air we breathe and take for granted. Most likely the air will stay clean, assuming your environment is clean. But the air can become polluted, and you get a rude jolt of reality when you suddenly can no longer breathe.
As I recall the frantic efforts of my team on the day WannaCry erupted, I can see clearly how DNS is like the air we breathe. Every time a truck belching smoke passes, or, worse still, a thick layer of smog settles in, we pay attention. The same thing happens with DNS: no one thinks about it until something goes wrong.
In the case of DNS, the problem is even worse. DNS is the lifeblood of every network, and it has earned the dubious distinction of being one of the most exploited protocols on it. DNS is often not considered when organizations transform their networks, virtualize their data centers or adopt a cloud-first approach, and in security planning it comes after web security, e-mail security and firewalls. While DNS has traditionally been the domain of the networking team, securing DNS falls somewhere between the network and security teams. The networking team is responsible for the integrity of the infrastructure, while the security team is responsible for identifying whether it is being exploited to steal data or spread malware, and for using it as a source of threat intelligence. As we all know, aligning different groups is challenging and sharing data between systems is not easy, and that is never a good situation when you need to detect and resolve issues rapidly.
But, let us get back to ignoring the existence of DNS and the reasons why it is a good idea:
- It just works and is always available, open and ubiquitous: The beauty of the original DNS design, coupled with the maturity of DNS products from certain vendors, makes network engineers very happy. DNS just works, so why worry about the “right” architecture and redundancy until you have witnessed an outage? Everyone else does the same, so why should you be any different? Outbound DNS is almost never blocked by a firewall, and it is available in some form on every network.
- It is hidden and not sexy: DNS, DHCP and IPAM infrastructure (DDI) lives in the bowels of the network. When someone connects a device to a network, they just expect it to work. If someone wants to connect to an application, the domain gets resolved to the right IP address. The process by which it happens is certainly not important to the customer. It is not something that the network engineer thinks about, much less any executive. They are involved in the latest initiative to migrate the data center to the cloud, install the next hypervisor or implement a cloud first strategy.
- There is a free option and it must be good enough: Individual platforms often bundle DNS for free, but the DDI capability built into one platform cannot manage a platform from another vendor. These issues compound when your company starts migrating to the cloud: there is no longer a single interface to manage all of DDI, or to see where on the network your applications are running and your devices are connecting.
- Maybe my manual processes are even better than free: I have managed my processes with a spreadsheet and it works, at least to an extent. As our environment gets more complex we get better at using spreadsheets, and I can assign more people to managing the processes. I really do not need visibility into virtual workloads that spin up and down multiple times a day, and the public cloud just manages itself.
- Malicious actors know that DNS is always available, open and ubiquitous: So what if it is one of the most exploited protocols, used to steal corporate data, bring down network infrastructure and let malware communicate with its command and control (C&C) servers?
You can follow the advice above, but it could leave your organization vulnerable. For example, you could suffer an outage because someone mistyped an IP address, or allocated an address that was already in use to an application, creating a conflict that renders your most valuable customer application inaccessible. Or, worse still, a piece of malware could tunnel through DNS to steal data from your organization. Yes, DNS can have that much impact.
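The address conflicts described above are easy to catch before they cause an outage if the allocation record is at least machine-checkable. The following Python script is an added example, not code from the original post or from Infoblox: it validates a constructed, spreadsheet-style allocation export (the column layout and every row in it are invented for this example) and reports addresses outside their declared subnet, duplicate allocations, reserved network/broadcast addresses and overlapping subnets.

```python
import ipaddress
from collections import defaultdict

# Constructed allocation export, the kind of spreadsheet a team keeps instead of an IPAM.
# Columns: subnet, address, owner. The data is invented for this example and deliberately
# contains a duplicate, a typo that lands outside its subnet, a broadcast address and
# two subnets that overlap.
ALLOCATIONS = """\
subnet,address,owner
10.10.1.0/24,10.10.1.10,web-frontend
10.10.1.0/24,10.10.1.11,web-frontend
10.10.1.0/24,10.10.1.10,billing-api
10.10.1.0/24,10.10.2.20,reporting
10.10.1.0/24,10.10.1.255,backup-agent
10.10.0.0/16,10.10.5.5,lab-jumphost
192.168.8.0/22,192.168.9.4,vpn-concentrator
"""


def parse_allocations(text):
    """Parse the CSV export into rows with typed subnet and address objects.

    ip_network(strict=True) rejects subnets with host bits set (e.g. 10.10.1.5/24),
    which is itself a common spreadsheet typo; such a row raises ValueError here.
    """
    rows = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if lineno == 1 or not line.strip():
            continue  # header or blank line
        subnet, address, owner = (field.strip() for field in line.split(","))
        rows.append({
            "line": lineno,
            "subnet": ipaddress.ip_network(subnet, strict=True),
            "address": ipaddress.ip_address(address),
            "owner": owner,
        })
    return rows


def check_allocations(rows):
    """Return a list of (problem, detail, ...) tuples found in the allocation rows."""
    problems = []
    by_address = defaultdict(list)

    for row in rows:
        subnet, address = row["subnet"], row["address"]
        by_address[address].append(row)
        if address not in subnet:
            # Typo or wrong subnet column: the host would never be reachable where it claims to be.
            problems.append(("outside_subnet", str(address), row["owner"]))
        elif subnet.prefixlen < 31 and address in (subnet.network_address, subnet.broadcast_address):
            # Network and broadcast addresses are not assignable to hosts (except in /31 and /32).
            problems.append(("reserved_address", str(address), row["owner"]))

    for address, owners in by_address.items():
        if len(owners) > 1:
            # Two owners for one address is the conflict that takes an application offline.
            problems.append(("duplicate", str(address), sorted(r["owner"] for r in owners)))

    subnets = sorted({r["subnet"] for r in rows},
                     key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                # Overlapping ranges let two teams hand out the same address independently.
                problems.append(("overlapping_subnets", str(a), str(b)))

    return problems


if __name__ == "__main__":
    for problem in check_allocations(parse_allocations(ALLOCATIONS)):
        print(*problem)
```

Running the script prints four findings for the constructed data: 10.10.2.20 outside its subnet, 10.10.1.255 reserved, 10.10.1.10 allocated twice, and 10.10.0.0/16 overlapping 10.10.1.0/24. Running the same check against a real export before every change is a cheap substitute for the conflict detection an IPAM would do for you.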
Now let us see why you should ignore that advice and instead work to ensure the oxygen (DNS) keeps flowing to every part of your body (network). Here are four things I would recommend thinking about:
- The right architecture: DNS is critical to everything: your data center, your private cloud, your public cloud, your Microsoft environment. It sits at the center of the network. That also means that when you want to scale your network, guarantee 24x7x365 availability of your devices and applications, ensure multi-site DNS redundancy and support IoT, you need a scalable, redundant and robust DDI infrastructure. Waiting to witness a failure before you think about the right architecture is what the advice above recommends, and it is exactly the wrong thing to do.
- Unified visibility: As your infrastructure becomes more complex, with virtual workloads spinning up and down across multiple cloud platforms, knowing what is on your network is critical to business continuity. Visibility is key to security, because you cannot protect what you cannot see. But that is only part of it; the “unified” piece is just as relevant. Make sure you share the visibility your DDI infrastructure has with the security solutions you already have in place. Most customers I talk to have between 20 and 50 different security vendors on their network, often operating in silos.
- Secure DNS and use the data everywhere: Most, if not all, malicious activity involves some type of DNS communication at multiple stages of the cyber kill chain, and you can use that fact to stop the spread of malware. DNS is used for C&C communication and to steal data, so just as you secure your e-mail and web traffic, invest in securing DNS. DNS holds rich data on every device on the network, which is critical to building the context required to resolve and prioritize threats. DNS can also be a rich source of intelligence that every part of your security infrastructure needs to be more effective.
- It is ignored because of its own success
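The DNS tunnelling and C&C traffic mentioned above (in the malware example and under “Secure DNS and use the data everywhere”) leave a recognizable trace in resolver query logs: many never-repeated query names with long, high-entropy labels under a single registered domain. The script below is an added example, not code from the original post or from any Infoblox product. It scores a constructed log (the line format and every query in it are invented for this example) per registered domain and flags domains that exceed assumed thresholds; the two-label registered-domain heuristic and the threshold values are assumptions for illustration, and production code would use the Public Suffix List and thresholds tuned on its own baseline.

```python
import math
from collections import defaultdict

# Constructed resolver query log (client IP, query name, query type), one query per line.
# Not real traffic: the exfil-demo.test lines imitate a tunnelling client that encodes
# stolen data as long, high-entropy labels under one attacker-controlled domain.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 cdn.example.net A
10.0.0.9 a9f3k2lq8zx0v7m1c4b6n2p5.t.exfil-demo.test TXT
10.0.0.9 q7w2e4r8t1y6u3i9o0p5a2s7.t.exfil-demo.test TXT
10.0.0.9 z1x3c5v7b9n2m4l6k8j0h2g4.t.exfil-demo.test TXT
10.0.0.9 f6d8s0a2p4o6i8u0y2t4r6e8.t.exfil-demo.test TXT
10.0.0.9 m2n4b6v8c0x2z4l6k8j0h2g4.t.exfil-demo.test TXT
10.0.0.5 login.example.com A
"""

# Thresholds are assumptions for this example, not vendor defaults; tune them on your own baseline.
MIN_QUERIES = 3         # ignore domains with too little data to judge
MIN_UNIQUE_RATIO = 0.8  # tunnels never repeat a query name; CDNs and mail servers do
MIN_LABEL_LEN = 16      # encoded payload chunks need long labels
MIN_ENTROPY = 3.0       # bits per character; dictionary-word hostnames sit well below this


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels, e.g. 'a.b.example.com' -> 'example.com'.

    Assumption for this example only: real code should consult the Public Suffix List
    so that 'host.example.co.uk' is not reduced to 'co.uk'.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse 'client qname qtype' lines into tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, qtype = parts
        records.append((client, qname.lower().rstrip("."), qtype.upper()))
    return records


def domain_features(records):
    """Aggregate, per registered domain, the signals that separate tunnels from normal traffic."""
    grouped = defaultdict(list)
    for client, qname, qtype in records:
        grouped[registered_domain(qname)].append((client, qname, qtype))

    features = {}
    for domain, recs in grouped.items():
        label_lens, entropies = [], []
        for _, qname, _ in recs:
            sub = qname[: -len(domain) - 1] if qname != domain else ""   # subdomain part only
            label_lens.append(max((len(label) for label in sub.split(".")), default=0))
            entropies.append(shannon_entropy(sub.replace(".", "")))
        unique = len({q for _, q, _ in recs})
        features[domain] = {
            "queries": len(recs),
            "unique_ratio": unique / len(recs),
            "avg_label_len": sum(label_lens) / len(recs),
            "avg_entropy": sum(entropies) / len(recs),
            "txt_share": sum(1 for _, _, t in recs if t in ("TXT", "NULL")) / len(recs),
        }
    return features


def detect_tunneling(log_text):
    """Return the registered domains whose query pattern looks like DNS tunnelling."""
    flagged = []
    for domain, f in domain_features(parse_log(log_text)).items():
        if f["queries"] < MIN_QUERIES:
            continue
        # All three signals must agree: a busy legitimate domain may have a high unique
        # ratio (www, mail, login) but its labels are short and low-entropy.
        if (f["unique_ratio"] >= MIN_UNIQUE_RATIO
                and f["avg_label_len"] >= MIN_LABEL_LEN
                and f["avg_entropy"] >= MIN_ENTROPY):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, f in domain_features(parse_log(SAMPLE_LOG)).items():
        print(domain, {k: round(v, 2) for k, v in f.items()})
    print("suspected tunnels:", detect_tunneling(SAMPLE_LOG))
```

On the constructed log only exfil-demo.test is flagged: example.com also has three distinct names, but its labels average four characters and near-zero entropy, which is why the three signals are combined rather than used alone. The txt_share feature is computed but not used in the verdict, because plenty of legitimate traffic (SPF, DKIM, DMARC lookups) is TXT; it is a useful tie-breaker when reviewing a flagged domain by hand.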
If you are ready to ignore the advice I cited above, it would be great to have a chat with you. Take a look at how we at Infoblox think about this critical issue and reach out to me for a conversation.