Most network administrators, risk management teams, and cybersecurity professionals think of the Domain Name System (DNS) primarily as a utility service. While they aren’t wrong – DNS plays a critical role in connecting users to the Internet – the ubiquity of this system also means that investing in DNS-layer security can go a long way when it comes to improving a network’s overall security posture.
That’s precisely the argument made by the cybersecurity professionals at Gartner in their recent report, “Quick Answer: How Can Organizations Use DNS to Improve Their Security Posture?” [1] According to the report, “DNS presents security and risk management leaders with some excellent opportunities to anticipate, prevent, detect, and respond to prevailing threats.” The report then goes into detail, offering suggestions for ways in which organizations can secure DNS-layer activity in order to safeguard sensitive data.
At Cisco Umbrella, we’ve seen plenty of bad actors infiltrate vulnerable networks through DNS-layer activity. In fact, DNS-layer security remains a foundational part of our ever-expanding security stack. So, we encourage you to download the Gartner Quick Answer report to get a better idea of how you can configure your own DNS solution in order to create a safer network.
But, if this is the first time you’ve thought about securing DNS-layer activity, there are a few things you should know:
How does DNS work?
The domain name system forms a ubiquitous and invisible part of internet activity. The truth is that most of us don’t pay much attention to what’s happening at the DNS layer unless an outage suddenly cuts off our internet connection. So, if you aren’t entirely sure what DNS is, you aren’t alone – we even put together a blog post explaining how DNS works.
But for the sake of understanding Gartner’s DNS-layer security recommendations, here’s what you need to know:
- Every device connected to the internet – from your personal laptop to the servers that host websites or applications – has a unique IP address
- In order to connect to another device on the internet, your computer needs to know its IP address
- Authoritative DNS servers store a regional list of domain names and their associated IP addresses
- Recursive DNS servers – also called DNS resolvers – will query authoritative DNS servers in order to provide your computer with the correct IP address for the domain name you type into your browser
Every time a user accesses the internet, their computer sends a request to a recursive DNS server, which sends a request to authoritative DNS servers, which send the appropriate IP address to the original computer.
Most organizations – especially those that don’t secure DNS-layer activity – leave the operation of recursive DNS servers to their Internet Service Provider (ISP). Unfortunately, this can make a network vulnerable to a whole host of online threats.
DNS-layer activity is probably less secure than you think
Despite forming the bedrock of internet activity, DNS-layer activity doesn’t usually get a lot of attention from security teams. In fact, most cybersecurity solutions don’t inspect DNS packets or flag anomalous DNS-layer activity. And as you can imagine, this makes the DNS layer into the perfect venue for bad actors to use when infiltrating networks.
Many of today’s sophisticated cyberattacks – including the high-profile ransomware attacks that circulate each news cycle – gained a foothold because organizations lacked DNS-layer security. The stories are variations on a theme: a DNS resolver connects an unwitting user to a dangerous domain. There, they download a seemingly innocent file, which is transported to their computer through DNS-layer packets and prompts the installation of a malicious program. The program establishes DNS tunnels to an off-network threat actor for data exfiltration or callback activity. Then, the program establishes DNS tunnels to other devices on the network so that the malicious program can spread freely through uninspected, invisible DNS packets.
DNS-layer activity plays a critical role in the success of many cyberattacks because it enables almost every stage of the attack. Moving through the DNS-layer, a single attack can cripple an entire network in hours. And, because almost all of the activity occurs on the DNS layer, most network administrators or security teams don’t realize what’s happening until it’s too late.
DNS-layer security protocols help keep your network safe
No company wants to be the next 5 o’clock news headline for a recent cyberattack. So, adding that additional layer of protection to your security stack to secure DNS-layer activity on your network is critical. The first step involves gaining control of your DNS resolvers.
Unsurprisingly, you can gather a lot of useful data from your recursive DNS servers. This includes information about the servers your network users are connecting to and information about anomalous DNS activity occurring in your network. Once you have this information, you can configure your recursive DNS servers to be more selective about the kinds of websites users can visit, the kinds of files they can download, or the kinds of on-network activity that gets permitted.
The Gartner Quick Answer report goes into detail on ways you can configure your recursive DNS resolvers to maximize security. These range from implementing protocols that help identify malicious domains to logging information that helps determine network risks.
Paid vs. prosumer DNS-layer security
When the time comes to integrate a secure DNS solution into your existing security stack, you’ll find you have several options available. Organizations that operate their own DNS resolvers – instead of relying on recursive DNS servers operated by ISPs – can always configure these servers to improve their security posture. Creating allow and deny lists for trusted and risky domains can prevent users from connecting to malicious domains. Additionally, monitoring DNS logs can enable a security team to spot active threats on a network.
Before going the prosumer route, however, you should be aware that configuring a thorough DNS-layer security solution for your network will require a significant investment of time and computing capacity. DNS logs, which will need to be stored for analysis, can be voluminous even for small organizations. And, accurately identifying risky domains can prove difficult without a robust threat intelligence database at your disposal.
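The allow/deny-list check and the DNS log monitoring described above can be sketched in a few lines. This is an added example, not code from Cisco Umbrella or the Gartner report; the log format, domain names, thresholds and function names are all assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed policy lists and resolver query log (timestamp, client, name).
ALLOW = {"intranet.example"}
DENY = {"bad-domain.example"}
LOG = """\
2021-06-08T10:00:01 10.0.0.5 www.intranet.example
2021-06-08T10:00:02 10.0.0.7 login.bad-domain.example
2021-06-08T10:00:03 10.0.0.9 mzxw6ytboi3dgnbvgy3tqojqmfrggzdf.t.tunnel.example
2021-06-08T10:00:04 10.0.0.8 a1.sync.example
2021-06-08T10:00:05 10.0.0.8 b2.sync.example
2021-06-08T10:00:06 10.0.0.8 c3.sync.example
2021-06-08T10:00:07 10.0.0.8 d4.sync.example
2021-06-08T10:00:08 10.0.0.5 www.news.example
"""

def on_list(name, domains):
    """True if name is a listed domain or a subdomain of one (label-aligned)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def parent(name):
    # Simplification: last two labels; real code needs the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def analyse(log, max_label=30, min_entropy=3.5, max_unique=3):
    """Return (deny-list hits, sorted (client, parent domain) pairs to review)."""
    blocked, review, seen = [], set(), defaultdict(set)
    for line in log.splitlines():
        _ts, client, name = line.split()
        if on_list(name, ALLOW):
            continue                      # assumption: allow list wins
        if on_list(name, DENY):
            blocked.append((client, name))
            continue
        key = (client, parent(name))
        seen[key].add(name.lower())
        first = name.split(".")[0]
        # Long, high-entropy leftmost label: typical of data encoded in a query.
        if len(first) > max_label and entropy(first) > min_entropy:
            review.add(key)
    # Many distinct subdomains of one parent from one client is a second signal.
    review.update(k for k, names in seen.items() if len(names) > max_unique)
    return blocked, sorted(review)

if __name__ == "__main__":
    print(analyse(LOG))
```

Both signals are heuristics: content delivery networks and some security products also generate long or numerous subdomains, so flagged pairs are candidates for review rather than confirmed tunnels.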
This is why many organizations choose to partner with DNS-layer security providers. At Cisco Umbrella, we provide our clients with secure DNS solutions that are powerful, easy to deploy, and simple to manage. So, when you partner with us, you won’t need to worry about painstakingly configuring your DNS resolvers or combing through volumes of DNS logs. Instead, you can deploy our secure DNS system in minutes. After deployment, all outgoing and incoming DNS traffic will pass through our proprietary resolvers, which are already configured to flag and block risky domains or identify and isolate anomalous network activity. We strive to be as transparent as possible when it comes to sharing this data, presenting the criteria we used to block DNS connections in an easy-to-navigate dashboard.
What’s more, Cisco Umbrella DNS-layer security packages come backed by Cisco Talos Threat Intelligence, one of the largest commercial threat intelligence teams in the world. This means that our DNS resolvers can identify and block access to risky domains with more efficacy than the vast majority of paid and prosumer recursive DNS server options. In fact, a recent study conducted by AV-TEST rated Cisco Umbrella #1 in security efficacy.
Are you ready to secure your organization’s DNS-layer activity?
It’s time to protect your network from cyberattacks, starting at the DNS layer. To learn more about the benefits of DNS-layer security – and how you can configure your recursive DNS servers to improve your organization’s security stance – download the Gartner Quick Answer report today!
[1] Gartner, “Quick Answer: How Can Organizations Use DNS to Improve Their Security Posture?”, Craig Lawson, John Watts, 8 June 2021.