Today’s hackers are all about money; they constantly change the face of their exploits to maximize their returns. These agile attacks require agile defenses. Moving security protections into the network is essential to enabling more reliable updates of threat information; aggregation also provides significant scaling and manageability benefits. DNS-based security protections improve agility because DNS queries are a leading indicator of security exposure: from a strategic vantage point, the DNS participates in web transactions in a way that provides visibility into the presence of security threats.
A major advantage of the DNS is that it works in the control plane, helping set up IP transactions by providing applications with the location or identity of resources. It does not participate in any of the subsequent protocol interactions that connect to a server and download or exchange data such as web pages, video, email, etc. Yet a single, short DNS query can reveal a potential security threat such as a malicious web site, or a bot trying to reach its command and control. It’s an extremely effective and lightweight method of identifying existing and potential threats that does not add any overhead to DNS query processing. There is also no additional equipment or processing required in the network.
All other network-based security solutions work in the data plane: specialized equipment such as Deep Packet Inspection (DPI) boxes is placed in a network to observe data traffic between client devices and servers. High-performance hardware promiscuously scans every packet on a network link looking for malicious activity. Network operators configure filters based on information contained in reputation lists or signature updates. When a packet matches a filter, it triggers additional actions to capture data such as the destination of the packet. Interestingly, the presence of such traffic is an indication that an exploit is at least partially successful: by the time the data plane sees it, the client has already located the malicious server and begun talking to it.
There is another limitation of data-plane filtering. In most cases it’s necessary to filter based on IP addresses rather than domain names. Although for some purposes filtering on IP addresses is adequate, it is often ineffective, especially for dynamic threats where attackers change the IP address continuously to avoid detection. Filtering based on domain names is more effective because dynamic threats can be captured. But data-plane equipment is typically not situated in the right place in the network to take full advantage of domain-based filtering: it will not see all the DNS traffic (in the best case it will only see recursive requests from a caching server), and client-level IP visibility is lost (recursive requests will always carry the caching server’s IP). It is certainly possible to situate DPI equipment in front of the DNS and set up filters to trigger on domain names, but this only justifies and strengthens the case for native use of the DNS for security!
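The three vantage points just described, as an added example that is not part of the original article: a domain indicator matched against a recursive resolver’s own query log keeps the client IP and follows a name whose address keeps moving, an IP indicator matched against data-plane flows goes stale as soon as the address changes, and a DPI box upstream of the resolver can match the domain but sees every query coming from the caching server. All log formats, domain names and addresses below are constructed.

```python
"""Domain-based vs IP-based matching over constructed logs (example code added
to this page, not from the original article; all names and addresses are constructed)."""
from collections import namedtuple

DnsQuery = namedtuple("DnsQuery", "ts client qname answer")
Flow = namedtuple("Flow", "ts src dst")

# Constructed recursive-resolver log: the suspect name re-points to a new address
# on every lookup, the 'dynamic threat' the article describes.
DNS_LOG = [
    DnsQuery("10:00:01", "192.0.2.10", "cc.example-bad.test", "198.51.100.5"),
    DnsQuery("10:00:02", "192.0.2.11", "www.example.test", "203.0.113.7"),
    DnsQuery("10:05:01", "192.0.2.10", "cc.example-bad.test", "198.51.100.9"),
    DnsQuery("10:10:01", "192.0.2.12", "cc.example-bad.test", "198.51.100.44"),
]
# Constructed client-to-server flows that follow each lookup (what a data-plane box sees).
FLOW_LOG = [Flow(q.ts, q.client, q.answer) for q in DNS_LOG]
# The same queries as a DPI box in front of the resolver sees them: the recursive
# requests all come from the caching server, so the client identity is gone.
RESOLVER_IP = "192.0.2.53"
UPSTREAM_LOG = [q._replace(client=RESOLVER_IP) for q in DNS_LOG]

DOMAIN_BLOCKLIST = {"example-bad.test"}   # one domain indicator covers all its hosts
IP_BLOCKLIST = {"198.51.100.5"}           # address captured when the threat was first seen


def domain_is_listed(qname, blocklist):
    """True if qname or any parent domain is listed (a.b.c -> b.c -> c)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def match_dns(log, blocklist):
    """Domain-based detection: (client, qname, answer) for every listed lookup."""
    return [(q.client, q.qname, q.answer) for q in log if domain_is_listed(q.qname, blocklist)]


def match_flows(log, blocklist):
    """IP-based detection: (src, dst) for flows to a listed destination."""
    return [(f.src, f.dst) for f in log if f.dst in blocklist]


if __name__ == "__main__":
    print("resolver log, domain match:", match_dns(DNS_LOG, DOMAIN_BLOCKLIST))      # 3 hits, client IPs kept
    print("data plane, IP match:      ", match_flows(FLOW_LOG, IP_BLOCKLIST))       # 1 hit, address already moved
    print("upstream DPI, domain match:", match_dns(UPSTREAM_LOG, DOMAIN_BLOCKLIST)) # 3 hits, all attributed to resolver
```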
The other disadvantage of data-plane filtering is that it raises privacy concerns. End users are increasingly aware of the implications of Deep Packet Inspection and wary of its presence. The notion of a network operator looking at all the data traffic on a network has raised objections from privacy advocates and makes mainstream users extremely nervous. By contrast, DNS-based solutions only resolve requests for web sites; it is impossible to derive any insight into what someone does at a web site once they visit it.