If you’re like most people, you probably don’t pay much attention to the domain name system (DNS) or worry about investing in DNS-layer security. After all, the hallmark of well-functioning DNS servers is their invisibility – their ability to connect users to websites or internet-enabled applications correctly and without delay. But this invisibility comes with a catch. Since most organizations don’t bother to secure the DNS layer, bad actors frequently use it to stage cyberattacks.
In today’s article, we’re taking a deep dive into the domain name system – what it is, how it works, and how investing in DNS-layer security can help transform your network security for the better. And once you’ve got a handle on the basics of secure DNS, see what we’ve discussed in action by watching our on-demand demo of Cisco Umbrella DNS-layer security.
The Basics of DNS
Before jumping into DNS-layer security, it’s important to understand the fundamentals of the domain name system. People often refer to DNS as the “phone book of the Internet.” That’s because every device on the Internet – from your personal computer to the servers hosting websites – has an Internet Protocol (IP) address that consists of a unique series of numbers. Connecting to another device requires knowing its associated IP address, much like connecting to another phone requires knowing its associated phone number.
If you happen to have the information offhand, you can type an IP address directly into a browser. For example, if you know that the IP address for the Cisco Umbrella website is 67.215.70.40, you could use that address to connect directly to our site. But you’d probably find it much simpler to type in umbrella.cisco.com.
The domain name system was invented so that people wouldn’t have to remember long IP addresses. Instead, they could visit websites using human-friendly names like umbrella.cisco.com. And since there are too many websites on the Internet for a computer to store a comprehensive list of corresponding domain names and IP addresses, this task is outsourced to designated DNS servers. You probably use DNS thousands of times a day without knowing it – every time you connect to a website, open a mobile phone app, or update software, your device queries DNS servers to find the IP address associated with the domain. That’s why we often refer to DNS as the foundation of the internet.
Recursive and Authoritative DNS Servers
Research DNS-layer security solutions and you’ll quickly find that they come in two varieties: recursive DNS security and authoritative DNS security. Understanding the difference between these two options requires knowing a bit more about how the domain name system works.
Let’s go back to our phone book analogy for a moment. Imagine you sit down at your computer and type umbrella.cisco.com into your browser. Your browser needs a copy of the phone book in order to find the corresponding IP address for that domain, so:
- Your computer connects to a recursive DNS server (sometimes called a DNS resolver). There are thousands of recursive DNS servers across the world, and most users rely on the resolvers provided by their ISP or cellular provider.
- Your computer asks the recursive DNS server, “What’s the IP address assigned to umbrella.cisco.com?”
- The recursive DNS server connects to an authoritative DNS server that holds a copy of the phone book matching the IP address of the Cisco Umbrella website with its associated domain name.
- The authoritative DNS server sends the right IP address to the recursive DNS server, which sends the information back to the computer (and browser) that requested it.
- Your computer connects to the Cisco Umbrella server using the IP address, allowing the website to load.
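The five steps above, walked through in code. This is an added example, not code from Cisco Umbrella: the zone data is constructed (only the 67.215.70.40 address comes from the article), a referral is returned as the name of the next zone to ask, and the resolver caches answers so a repeat lookup never leaves the resolver.

```python
# Constructed "authoritative" zone data: each server knows either a referral
# (NS) to the next zone or a final answer (A) for names beneath it.
AUTHORITATIVE = {
    ".":          {"com.": ("NS", "com.")},
    "com.":       {"cisco.com.": ("NS", "cisco.com.")},
    "cisco.com.": {"umbrella.cisco.com.": ("A", "67.215.70.40")},
}

def ask_authoritative(zone, qname):
    """Ask the server for `zone` about `qname`.  Returns ('A', ip) for an
    answer, ('NS', next_zone) for a referral, ('NXDOMAIN', None) otherwise."""
    labels = qname.split(".")
    # Try the most specific suffix first: "umbrella.cisco.com." before "com.".
    for i in range(len(labels) - 1):
        record = AUTHORITATIVE[zone].get(".".join(labels[i:]))
        if record:
            return record
    return ("NXDOMAIN", None)

class RecursiveResolver:
    """The resolver a client talks to; it does the legwork and caches answers."""
    def __init__(self):
        self.cache = {}

    def resolve(self, name):
        """Return (ip_or_None, trace); trace lists each server consulted."""
        qname = name if name.endswith(".") else name + "."
        if qname in self.cache:
            return self.cache[qname], ["cache"]
        trace, zone = [], "."
        while True:
            trace.append(zone)
            rtype, value = ask_authoritative(zone, qname)
            if rtype == "A":
                self.cache[qname] = value    # remember for the next client
                return value, trace
            if rtype == "NS":
                zone = value                 # follow the referral downward
            else:
                return None, trace           # no such name anywhere
```

The trace returned by the first lookup is the root, the .com servers, and the cisco.com servers in turn; the second lookup of the same name is answered from the resolver's cache.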
Whew, that was easy! Well, it was easy for the computer and DNS servers at least – this whole process usually happens so quickly that users don’t notice it happening unless something goes wrong. But plenty can go wrong – a DNS server outage will prevent users from connecting to websites, while slow DNS servers will bring website load times to a crawl. And that’s not even accounting for DNS security compromises.
Are DNS Servers Secure?
You’d think that a system which functions as the bedrock of internet connectivity would be designed with cybersecurity in mind. Unfortunately, that’s just not the case. In fact, unless you’ve invested in DNS-layer security, odds are that none of the solutions in your security stack even inspect DNS activity. In most instances, DNS packets – which normally contain IP address information – enter networks through unblocked ports without first being inspected by security controls. Furthermore, DNS activity in a network is almost never monitored. This makes the DNS layer the perfect blind spot for cybercriminals to exploit.
Many of today’s sophisticated attacks rely on DNS activity. Malware, ransomware, phishing, and other scams often use DNS to stage the internet infrastructure used to support each stage of their attacks. For example:
- DNS tunneling is often used to deliver payloads encoded in DNS queries and responses, exfiltrate data from compromised networks, and execute command and control attacks
- DNS beaconing is often used to establish communication with a command and control server using only DNS, which is almost always allowed in a network
These tactics, techniques, and procedures (TTPs) often play a prominent role in modern cyberattacks. Many high-profile ransomware attacks featured DNS beaconing, the supply-chain attack SUNBURST leveraged DNS tunneling during post-exploitation, and the APT group OilRig frequently uses DNS tunneling for data exfiltration. So, what can you do to secure DNS activity on your network?
How DNS-Layer Security Helps Stop Cyberattacks
Since all internet activity is enabled by DNS, something as simple as monitoring DNS requests – as well as their subsequent IP connections – can go a long way when it comes to securing your network. Ensuring you have security protocols in place to flag anomalous DNS activity can provide better accuracy and detection of malicious activity and compromised systems, improve security visibility, and enhance network protection.
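The tunneling and beaconing patterns listed earlier, and the monitoring this paragraph recommends, as detection logic over DNS query logs. This is an added example, not Cisco Umbrella's code: the log lines, the log format, the two-label notion of a registered domain, and the thresholds (label length, entropy, query count, allowed jitter) are all constructed assumptions to tune against your own data.

```python
import math
from collections import defaultdict

# Constructed log lines: "<epoch seconds> <client> <queried name>".
LOG = """1000 10.0.0.5 umbrella.cisco.com
1060 10.0.0.5 login.example.com
1000 10.0.0.9 a9f3b2c8d1e04f7a6b5c.data.tunnel-example.net
1001 10.0.0.9 7e2d9c4b1a8f0e6d3c5b.data.tunnel-example.net
1005 10.0.0.9 c4b8a1e9f03d7c6b2a5e.data.tunnel-example.net
1012 10.0.0.9 f1e2d3c4b5a6978e0d1c.data.tunnel-example.net
1100 10.0.0.7 beacon.c2-example.org
1400 10.0.0.7 beacon.c2-example.org
1700 10.0.0.7 beacon.c2-example.org
2000 10.0.0.7 beacon.c2-example.org""".splitlines()
# Parsed records: (timestamp, client, queried name).
RECORDS = [(int(t), c, q.lower()) for t, c, q in (l.split() for l in LOG)]

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def registered_domain(qname):
    """Last two labels; adequate for the constructed data (assumption)."""
    return ".".join(qname.split(".")[-2:])

def tunneling_suspects(records, min_unique=4, min_len=16, min_entropy=3.5):
    """Domains receiving many distinct long, high-entropy leftmost labels."""
    labels = defaultdict(set)
    for _, _, qname in records:
        first = qname.split(".")[0]
        if len(first) >= min_len and entropy(first) >= min_entropy:
            labels[registered_domain(qname)].add(first)
    return sorted(d for d, s in labels.items() if len(s) >= min_unique)

def beaconing_suspects(records, min_queries=4, max_jitter=0.1):
    """(client, domain) pairs queried repeatedly at a near-constant interval."""
    times = defaultdict(list)
    for ts, client, qname in records:
        times[(client, registered_domain(qname))].append(ts)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_queries:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= max_jitter * mean:
            hits.append(key)
    return sorted(hits)
```

On the constructed log, the tunneling check flags only tunnel-example.net and the beaconing check flags only the 10.0.0.7 client querying c2-example.org every 300 seconds; the benign lookups and the irregularly timed tunnel queries pass the opposite check.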
If you want to go a step further, you can partner with a secure DNS vendor that will allow computers on your network to use proprietary recursive DNS servers. Your vendor will configure these servers to identify dangerous DNS activity and implement security protocols that block harmful DNS connections. Nothing stops attacks earlier than DNS-layer security. After all, DNS is the first step in making a connection on the Internet. If a dangerous connection is blocked at the DNS layer, the attack stops there.
In the figure above, you can see how DNS-layer security identifies where malicious domains and other dangerous internet infrastructure are staged. Secure DNS servers then block requests to these staging sites over any port or protocol, preventing both infiltration and exfiltration attempts. DNS-layer security stops malware earlier and prevents callbacks to attackers if infected machines connect to your network.
Why Cisco Umbrella for DNS-Layer Security?
The Cisco Umbrella team – formerly known as OpenDNS – got their start providing recursive DNS services to organizations looking for reliable, safe, smart, and fast internet connectivity. Because of this, the Cisco Umbrella recursive DNS network boasts incredible resilience and 100% uptime since 2006. Our 30+ worldwide data centers use Anycast routing, so DNS requests are transparently sent to the fastest available data center with automatic failover. But speedy and reliable internet connectivity isn’t the only thing Cisco Umbrella offers. In fact, our DNS-layer security is where we truly shine.
As a leading provider of network security and secure recursive DNS services, Cisco Umbrella provides the quickest, most effective way to improve your security stack. Whether you operate a small business without dedicated security professionals or a multinational enterprise with a complex environment, it only takes minutes to roll out our DNS-layer security solution. This means that in minutes, you can gain a new layer of breach protection and internet-wide visibility both on and off your network.
Here are three of the benefits you can enjoy by using Cisco Umbrella DNS-based security:
1. The Ability to Block Threats Before They Reach You
Traditional security appliances and agents must wait until malware reaches the perimeter or endpoint before they can detect or prevent it. However, by enforcing security at the DNS layer, Cisco Umbrella stops threats before they reach your network or endpoints.
Cisco Umbrella analyzes and learns from internet activity patterns, automatically uncovering attacker infrastructure staged for current and emerging threats. This enables our solution to proactively block requests to malicious destinations before a connection is even established or a malicious file is downloaded. Cisco Umbrella secure DNS can also stop compromised systems from exfiltrating data via command and control (C2) callbacks to the attacker’s botnet infrastructure, over any port or protocol.
Unlike appliances, our cloud security platform protects devices both on and off the corporate network. Unlike agents, the DNS-layer protection Cisco Umbrella offers extends to every device connected to the network – even IoT. Since all internet-connected devices use recursive DNS services, Cisco Umbrella can be deployed everywhere.
2. The Ability to Leverage the Power of Machine Learning
Cisco Umbrella uses machine learning to search for, identify, or even predict malicious domains. By learning from internet activity patterns, this DNS-layer security solution can automatically identify attacker infrastructure being staged for the next threat. These domains are then proactively blocked, protecting your network from potential compromise. We analyze terabytes of data in real time across all markets, geographies, and protocols. This diversity provides internet-wide visibility into:
- Where threats are coming from
- Who is launching them
- Where they call back to
- How widespread they are
- The first and last time they were seen
- …and much more
We combine human intelligence with 3-D visualizations to learn new patterns. Then, we apply statistical models to categorize these patterns, detect anomalies, and automatically identify known and emergent threats.
Our statistical models predict which domains and IPs will be malicious, often before any other security vendor. For example, one model uses natural language processing to detect domain names that spoof brand and tech terms in real time (cs.co/NLPRank). Another uses sound wave analysis concepts to detect domains that have spikes in their DNS request patterns (cs.co/SPRank).
3. The Ability to Power Up Your Incident Response and Investigations
Cisco Umbrella logs all DNS activity – both normal and malicious – to simplify investigations. Our secure DNS solution also reduces the number of infections and alerts you see from other security products by stopping threats at the earliest point. And Cisco Threat Response automates integrations across Cisco products for even quicker answers.
The Cisco Umbrella Investigate console and API provide real-time context on malware, phishing, botnets, and other threats. This enables faster incident investigation and response. Imagine having the strength of over 300 security researchers on your team – that’s what you get with Cisco Talos threat intelligence, which is built right into Cisco Umbrella. And we aren’t the only ones talking about the efficacy of our DNS-layer security – third-party AV-TEST research reveals Cisco Umbrella to be the industry leader in secure DNS solutions.
Are You Ready to Secure Your DNS-Layer Activity?
If so, we’ve got good news – Cisco Umbrella is the simplest cloud security service you’ll ever deploy! Register for our on-demand demo today to see DNS-layer security in action. Or, if you’re ready to see what this solution can do for your network, sign up for our 14-day free trial.