To start with, DNS servers occupy a strategic vantage point with tremendous visibility into what’s happening on networks. Every end user, device, and IP application uses the DNS to locate resources; legitimate applications like web browsers, VoIP, and email use it, and malicious applications use it too. DNS queries for malicious destinations – malware sites with “drive-by” downloads, phishing sites that harvest valuable confidential information, botnet command and control, and many other things – are a telltale sign of security exposure. They’re a clear indication an end user intends to navigate to a dangerous place, or may already be infected with malware.
In the security world early detection is highly desirable. The sooner a threat can be detected, the less damage it can do and the fewer resources it consumes. A DNS query is a great leading indicator of security exposure because it precedes almost every other step in most of the interactions that take place on a network. For instance, when someone clicks on a malicious web link, the first thing their browser does is initiate a DNS query. Similarly, when a bot is activated it sends a DNS query to find its command and control server. Even Advanced Persistent Threats signal their presence with DNS queries.
Although there are other methods of detecting these kinds of threats, DNS servers are the best early warning system because they see potential security threats before anything else in the network does. It’s even possible to move from a reactive to a proactive security model, in which end users are prevented from reaching malicious destinations altogether so their machines don’t get infected in the first place. Contrast this with today, when users get infected first and then rely on client software to discover the infection, hopefully before any real damage is done.
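To make the "DNS query as leading indicator" idea concrete, here is an added example (not from the original article) that runs a blocklist check over resolver query-log lines. The log format is a simplified, constructed one, and the client addresses, blocklisted domains and query names are all made up for the example; a resolver applying the same match before answering (for example, returning NXDOMAIN for listed names) is the proactive model described above.

```python
import re
from collections import defaultdict

# Constructed blocklist of domains treated as malicious destinations
# (placeholder names, not real indicators).
BLOCKLIST = {"malware-drop.example", "phish-login.example", "c2-beacon.example"}

# Constructed, simplified query-log lines; not real traffic or a real log format.
SAMPLE_LOG = """\
10-Mar-2024 09:15:01.123 client 192.0.2.10#51234: query: www.example.org IN A +
10-Mar-2024 09:15:02.456 client 192.0.2.10#51235: query: cdn.malware-drop.example IN A +
10-Mar-2024 09:15:03.789 client 192.0.2.22#40001: query: phish-login.example IN AAAA +
10-Mar-2024 09:15:04.001 client 192.0.2.22#40002: query: mail.example.org IN MX +
10-Mar-2024 09:15:05.222 client 192.0.2.37#55555: query: a1.c2-beacon.example IN TXT +
"""

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def blocklist_match(qname, blocklist):
    """Return the listed domain that qname equals or falls under, else None.
    Every parent label is checked so subdomains of a listed zone are caught too."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def flag_queries(log_text, blocklist=BLOCKLIST):
    """Parse query-log lines and return {client_ip: [(qname, matched_domain), ...]}
    for every query whose name is on, or under, a blocklisted domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        matched = blocklist_match(m["qname"], blocklist)
        if matched:
            hits[m["ip"]].append((m["qname"], matched))
    return dict(hits)


if __name__ == "__main__":
    for ip, entries in flag_queries(SAMPLE_LOG).items():
        for qname, matched in entries:
            print(f"{ip} queried {qname} (listed domain: {matched})")
```

Each flagged client is a host that either intended to visit a dangerous destination or is already infected, and the hit appears at the DNS lookup, before any connection to the destination is made.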
There’s a great opportunity to leverage the strategic vantage point of the DNS and introduce a layer of security in networks that is a far better match for today’s dynamic threats.