Network operators and IT departments constantly reassess their security exposure and evaluate the best methods for protecting their networks and end users. New security solutions are always emerging to help them, and one that is starting to receive a lot of attention is the DNS. That raises an obvious question: “how in the world does the DNS become a security platform?”
It’s actually a straightforward proposition: make caching DNS servers smarter so they can identify malicious Internet destinations. Dynamically updating caching servers with the latest threat information from “reputation lists” makes them more intelligent. When an intelligent DNS server sees a request for a web destination that matches a cached malicious destination, it can provide a safer, more “intelligent” answer based on policies set by the network operator. For instance, depending on the type of threat, the server could:
- Log the request if the threat is not serious or not well understood (to capture data for further analysis);
- Provide the IP address of a “safe” website when a user requests a malicious destination; this website could offer specific guidance on the threat and link to other resources; or
- Provide the IP address of a sinkhole where traffic can be analyzed, or a blackhole where it is dropped.
Other policies are possible based on a network operator’s needs.
Providing an intelligent answer to a DNS query does not require any additional processing of the query. The server does exactly the same amount of work whether an answer is “intelligent” or not. It just does a normal look-up on the domain name and pulls whatever answer is cached in memory. Performance (queries per second) and latency (the time to respond to a query) of the server are not affected. There is a small amount of work to receive and load reputation list updates, but this can be performed when the server is not responding to queries, so it does not affect the primary function of the server.
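The policy table and the “same amount of work” point above, as an added simulation that is not code from the original post: a reputation list and an operator policy sit beside the ordinary cache, and answering a query is the usual cache lookup plus a constant number of dictionary probes. The domain names, addresses (RFC 5737 documentation ranges) and categories are constructed; entries also match subdomains of a listed name, which goes slightly beyond the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed sample reputation list (domain -> threat category); entries also
# match subdomains. A real server would refresh this from a feed between queries.
REPUTATION = {
    "malware-download.example": "malware",
    "phish-login.example": "phishing",
    "odd-tracker.example": "suspicious",
}
# Operator policy: category -> (action, address); RFC 5737 addresses are stand-ins.
POLICY = {
    "malware": ("sinkhole", "192.0.2.1"),   # send traffic to an analysis host
    "phishing": ("redirect", "192.0.2.2"),  # safe site that explains the threat
    "suspicious": ("log", None),            # answer normally, record the request
}
# Constructed stand-in for the ordinary resolver cache (name -> A record).
CACHE = {
    "www.example": "198.51.100.10",
    "odd-tracker.example": "198.51.100.20",
    "cdn.malware-download.example": "198.51.100.30",
}
EVENTS: List[str] = []  # where a real server would write its policy log

@dataclass
class Answer:
    name: str
    address: Optional[str]   # None models a cache miss that needs recursion
    action: str              # "normal", "log", "redirect" or "sinkhole"
    threat: Optional[str] = None

def lookup_reputation(name: str) -> Optional[Tuple[str, str]]:
    """Probe the full name, then each parent label (never the bare TLD)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in REPUTATION:
            return candidate, REPUTATION[candidate]
    return None

def resolve(name: str) -> Answer:
    """Same cache lookup as a plain resolver, plus one policy decision."""
    key = name.rstrip(".").lower()
    cached = CACHE.get(key)
    hit = lookup_reputation(key)
    if hit is None:
        return Answer(key, cached, "normal")
    listed, threat = hit
    action, address = POLICY.get(threat, ("log", None))  # unknown category: just log
    EVENTS.append(f"{action} {key} (listed {listed}: {threat})")
    return Answer(key, cached if action == "log" else address, action, threat)
```

Swapping the reputation dictionary for a freshly loaded one is the only extra work, and it happens outside the query path.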
Making DNS servers more intelligent can enable a new layer of highly agile security defenses. A familiar, proven system can be inducted into the security battle and have a substantial impact with no significant overhead.