In part 1, I talked about some of the risks associated with BYOD. But there are actions you can take to greatly reduce this risk. One effective method for limiting the risk of BYOD is to employ DNS-based security intelligence techniques. DNS-based security intelligence makes use of an enterprise’s caching DNS server to monitor and block DNS queries to known botnet command and control (C&C) domains. These domains are the domain names of the servers that are in the control of the bot master for purposes of botnet command and control. Bots will perform a DNS query for one or more of these domains in an attempt to connect to these servers in order to receive their instructions. By monitoring queries to these domains, all infected clients, including BYOD, can be identified on the network. Moreover, by subsequently blocking access to the domains, malware responsible for the bot infection is denied the critical instructions it needs to function.
There was an intriguingly named vulnerability revealed this week: Ghost Domains. A paper describing it can be found here. A team of researchers in China discovered a way to allow a domain to remain reachable in the DNS even after it has been revoked from a TLD. It looks like they expended a lot of energy testing their new idea and discovered there are several caching DNS software releases that are vulnerable.
The DNS has played an essential role since the earliest days of the Internet, resolving an IP address when given a domain name. Now it’s being considered for security applications. There are many fundamental reasons why it makes sense:
Network operators and IT departments constantly reassess their security exposure and evaluate the best methods for protecting their networks and end users. New security solutions are always emerging to help them, and one that’s starting to receive a lot of attention is the DNS. That raises an obvious question: “how in the world does the DNS become a security platform?”
Just as it’s important for service providers and enterprises to maximize the performance and availability of their caching DNS servers, it’s important for brand owners and IT departments to ensure the robustness of their Authoritative DNS. Some of the issues are similar, but ensuring security of Authoritative data also has to be considered.
An earlier post talked about how important it is to maximize the responsiveness and availability of caching DNS in order to maintain a good user experience. It focused on the benefits of using Anycast. There are several other things worth considering for caching DNS as covered below:
For network operators, recursive (caching) DNS is a critical service. Without good, fast DNS service, the Internet service appears slow and unresponsive. Caching DNS systems must also be capable of absorbing “spikes” in traffic, which can occur for a multitude of reasons – peak loads, Internet events, DoS, etc.