Malware and Content Filtering Using DNS

John Baldock

The Domain Name System (DNS) has gone through many changes over the years since its birth around 1985. But even before this, in the very early days of computer networking, it became necessary to map the numeric addresses of computers and network devices to more human-friendly names.

DNS is a key component of the Internet, and it is heavily integrated into corporate networking as well.  Microsoft’s Active Directory, for example, is heavily reliant on DNS.  It is impossible to avoid.

DNS is so pervasive in computer networking that it has always been part of our security concerns, and there have been countless DNS-related exploits and vulnerabilities over the years: DNS cache poisoning and spoofing, DNS amplification, fast-flux DNS, NXDOMAIN floods and DNS hijacking, to name but a few.

Help or Hindrance?

While often considered an attack vector, DNS done right can provide a huge boost to network security.  After all, 90% of malware uses some form of DNS in attacks.

Configuring your network to use trusted external servers as DNS forwarders is often the first step in using DNS for security.  These servers are run by experts and provide a level of reliability and speed surpassing that of the generic DNS services provided by ISPs, which can be slow to resolve or fail frequently.

Moving Forward

Going further, a number of public DNS providers integrate security directly into the lookup.  A great example is OpenDNS, which came about in 2005.

A tech-savvy parent can set the OpenDNS server addresses on their home router (or an individual machine) and instantly take advantage of child-friendly web browsing. This is brilliantly simple, and it clearly worked well with end users: OpenDNS serves around 85 million users and 100 billion DNS queries daily.

For the business environment, there are DNS security solutions from vendors such as Cisco, Webroot and Radware, to name a few, that go well beyond simple content filtering.  These products draw on a wealth of information from sources such as Cisco’s TALOS group and Threatfeed and block DNS requests for domains associated with hosts serving malicious software or engaged in criminal activity.

They also provide comprehensive reporting and investigation capabilities, allowing IT managers to see which threats have been blocked and where each request originated, and giving them the knowledge to develop effective policies that let the business function on the Internet while limiting risk.

DNS and BYOD

With the adoption of BYOD, workplace security has a plethora of challenges to overcome, and products offering DNS security should certainly be a vital layer in any organization’s IT security considerations. Threats such as phishing and malware can be significantly decreased, and productivity concerns addressed, by filtering content that is not appropriate for the workplace.

It’s More Than Just Theory

A real-world example of DNS security in use was a malware infection found on the laptop of one of our clients during a DNS security trial.  The laptop was connected to the corporate network, and the DNS queries made by the malware were blocked, flagged and reported.
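To make the blocking and reporting described above concrete, here is an added example (not code from the article or from any of the vendors named) of the core decision a DNS security product makes: each query is checked against a threat feed by parent labels, so subdomains of a listed domain are caught, and blocked lookups are collected into a per-source report like the one that flagged the infected laptop. The feed entries, source addresses and query names are constructed placeholders, not real indicators.

```python
"""Added example (not the article's or any vendor's code): a minimal
DNS query filter of the kind described above. Each query is checked
against a constructed threat feed by parent labels, so subdomains of a
listed domain are blocked, and blocked lookups are reported per source."""
from collections import defaultdict

# Constructed threat feed; placeholder domains, not real indicators.
THREAT_FEED = {"malware-c2.example", "phish.example"}

def normalise(name):
    """Lower-case and drop the trailing dot: 'Evil.Example.' -> 'evil.example'."""
    return name.rstrip(".").lower()

def matching_entry(qname, feed=THREAT_FEED):
    """Feed entry covering qname (exact or parent label), else None.
    Walking labels means 'notphish.example' is NOT caught by 'phish.example',
    while 'beacon.malware-c2.example' IS caught by 'malware-c2.example'."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None

def filter_queries(queries, feed=THREAT_FEED):
    """queries: iterable of (source_ip, qname).
    Returns ([(source_ip, qname, verdict, feed_entry)], {source_ip: [blocked qnames]}).
    verdict is 'block' (answer with a sinkhole/NXDOMAIN) or 'allow' (forward upstream)."""
    verdicts, report = [], defaultdict(list)
    for src, qname in queries:
        hit = matching_entry(qname, feed)
        verdicts.append((src, qname, "block" if hit else "allow", hit))
        if hit:
            report[src].append(normalise(qname))
    return verdicts, dict(report)

# Constructed sample traffic: one clean host, one host making malware-style lookups.
SAMPLE = [
    ("10.0.0.7", "www.example.com."),
    ("10.0.0.42", "Beacon.MALWARE-C2.example."),
    ("10.0.0.42", "phish.example"),
    ("10.0.0.7", "notphish.example"),
]

if __name__ == "__main__":
    for src, qname, verdict, hit in filter_queries(SAMPLE)[0]:
        print(f"{src:<10} {qname:<28} {verdict}", f"(feed: {hit})" if hit else "")
```

The report dictionary is what a product would surface to the IT manager: which internal address made the blocked lookups and for which listed domains.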

One Piece of The Puzzle

Of course, while DNS Security products should be considered a first line of defense, they complement other security solutions and should not be deployed alone.  Traditional security services such as perimeter firewalls, EDR products and effective security policies are still required to maintain a secure network.

Find out how activereach can help secure DNS on your network, contact us or call us on 0845 625 9025.