DNS Security

We don’t know yet how is going to be the next years after the pandemic. It seems there will be lots of remote users working from home. There will be lots of people working out of the office. As a result, there will be more and more services published on the Internet instead of the Intranet because remote users have to access to these services for their daily working. In addition, these remote users are out of the scope of the security perimeter. Therefore, they are going to have, from time to time, direct access to the Internet.

One of the services which is mandatory required to published on the Internet is the DNS service because remote users have to resolve domain names to IP addresses for working from home. This new requirement is dangerous for DNS servers because they are going to be the target of all types of DNS-based attacks, from stealth to volumetric attacks, including cache poisoning, DDoS attacks, DNS tunneling, DGA malware and UDP flood. Consequently, DNS servers have to be protected with a DNS Guardian.

DNS Guardian

On the other hand, remote users are mainly working from home and, therefore, they are going to have direct access to the Internet. This decentralization has security challenges for the IT security team such as visibility, complexity and security. Companies want security protection on and off network for employees as well as rapid deployment and flexible enforcement levels for all ports and protocols. These security challenges can be achieved with a DNS-layer security, a secure web gateway, a security broker and a firewall.

DNS-layer Security

The DNS-layer security should be the first line of defense against threats because DNS resolution is the first step in Internet access. The aim is blocking requests to malicious and unwanted destinations before a connection is established. In addition, most IT security teams like visibility and statistics to know the DNS activity. However, most DNS-layer security tools require an agent installed on the computer where we are going to enforce the categories allowed and denied. What’s more, central management and visibility is always required when we have to manage lots of computers.

DNS Filter

I would like to highlight two useful technologies for companies who don’t want to install an agent on users’ computers for blocking requests to malicious sites. DNS over HTTPS (DoH) and DNS over TLS (DoT). Both technologies are security protocols designed to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via MITM. These protocols are supported by most operating systems and browsers, as a result, we can easily configure DNS servers and proxy servers to resolve the remote users’ DNS request and thus protect users from malicious sites.

DoH - DNS query and response transported over a secure HTTPS stream

To sum up, I think the DNS layer is increasingly important for the endpoint protection because it is the first step in Internet access but we should take into account that both, servers and clients, should be protected from malicious attacks.

Have a nice day! Are your clients and DNS servers secure?