Several high-profile DNS security incidents have made headlines recently, a reminder that this integral part of the internet must not be taken for granted. Unlike enterprise assets – endpoints, networks, data centers – DNS is public infrastructure, so many businesses rely on registrars and ISPs to protect it. In light of recent events, it’s a good time to rethink your strategy for DNS security.
Understanding the risks
There are three points at which a DNS lookup can be hijacked. The first is on a user’s endpoint, which can be infected with malware that overrides the device’s DNS configuration. The second is through public Wi-Fi, where a session can easily be hijacked and pointed at a rogue resolver. The third threat to DNS is to the records themselves. By stealing credentials, attackers can access specific DNS accounts and redirect traffic to a site they control. Or, on a larger scale, they can attack the DNS registrars and change multiple records at once.
These techniques can be deployed for a number of purposes. They can be used to send a user to a “bad” site that downloads malware or steals credentials. They can be used against a SaaS application – for example a CRM program – in order to exfiltrate data. And, they can be used in a targeted attack against a specific organization to gain access to company emails or private network resources.
Putting together a solution
Is there a solution? In short, yes – but as usual, it isn’t one-size-fits-all. Each organization needs to prioritize, determine the level of security they need, and implement one or more products accordingly.
To protect users from reaching malicious domains, businesses can use a DNS security solution that checks DNS reputation, blocks access to known bad domains and proxies access to suspicious domains. To make this effective on laptops outside of the LAN, you will need to deploy an endpoint agent, in addition to your existing Endpoint Protection Platform. This approach will usually prevent users from going to a bad or “imposter” site in cases where the DNS lookup or DNS record has been compromised.
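As an added illustration (not code from the article or any product it mentions), here is a small Python filter that applies the two checks described so far: a reputation blocklist with subdomain matching, and a check that each lookup was answered by an approved resolver, which surfaces the endpoint and public Wi-Fi hijacks described above. The domains, resolver addresses and log format are all constructed for this example.

```python
"""Minimal DNS filtering and detection logic over constructed resolver log lines.

Two controls from the article: blocking known-bad domains (reputation blocklist
with subdomain matching) and flagging lookups answered by an unapproved resolver,
the sign of a hijacked endpoint or Wi-Fi session. All values are constructed.
"""
from dataclasses import dataclass

# Constructed reputation blocklist; a real deployment pulls this from a feed.
BLOCKLIST = {"malware-drop.example", "login-imposter.example"}
# Resolvers the enterprise expects its endpoints to use (constructed addresses).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed log format: "<client_ip> <resolver_ip> <queried_name>"
SAMPLE_LOG = """\
10.1.1.10 10.0.0.53 www.example.com
10.1.1.10 10.0.0.53 cdn.malware-drop.example
10.1.1.22 192.0.2.99 mail.example.com
10.1.1.22 10.0.1.53 login-imposter.example
"""

@dataclass(frozen=True)
class Finding:
    client: str
    name: str
    reason: str

def normalize(name: str) -> str:
    # DNS names are case-insensitive; drop the trailing dot of an FQDN.
    return name.rstrip(".").lower()

def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """True if name equals, or is a subdomain of, any blocklisted domain."""
    labels = normalize(name).split(".")
    # Check every suffix: cdn.malware-drop.example -> malware-drop.example -> example
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def analyze(log: str, approved=APPROVED_RESOLVERS) -> list:
    """Return one Finding per policy violation found in the log, in log order."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        client, resolver, qname = line.split()
        if resolver not in approved:
            findings.append(Finding(client, qname, "unapproved resolver " + resolver))
        if is_blocked(qname):
            findings.append(Finding(client, qname, "blocklisted domain"))
    return findings
```

Running `analyze(SAMPLE_LOG)` on the constructed log yields three findings: two blocklisted lookups and one query that went to the unapproved resolver 192.0.2.99.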
When it comes to protecting your applications from a targeted DNS attack, the first line of defense is to use a secure, managed DNS registration service like Cloudflare or NS1. In addition to taking measures to protect their registries from hijacking, they offer DNSSEC, an extension to the standard that cryptographically signs DNS records to verify their authenticity.
There are still some operational issues with DNSSEC, but as adoption increases, they should improve. However, while a managed registrar and DNSSEC significantly reduce the risk, they do not protect against all forms of attack.
What about traditional VPN?
One question worth asking is whether a private application should be exposed to the internet at all, especially now, when DNS is being targeted. If an application is for internal use only, limiting access to a VPN side-steps the DNS security issues mentioned above. This approach was fairly common when most access took place on the office LAN, and remote access needs were limited.
Today, a number of factors – including the increasing number of remote workers and cloud migration – have led to more enterprise applications being exposed to the internet. Employees do not like using VPNs, and IT professionals do not like implementing, maintaining and supporting them – and for good reason. But the security risk is significant. In addition to DNS security, applications that are exposed to the internet are at risk of DDoS attacks, API attacks, client-side attacks, etc.
The next generation, a managed VPN alternative
Fortunately, there is a way to isolate enterprise applications from the internet while addressing the security and operational issues of a conventional VPN. Software-defined perimeters (SDPs) are an always-on VPN alternative delivered as a service from the cloud. They provide micro-segmented, secure access and cloud-delivered web security, along with a management-friendly experience.
Rather than the old approach of connecting users to the network, SDPs connect them to specific applications or network resources such as servers. Everything else is invisible to the user, and therefore isolated from threats on the endpoint. This zero-trust approach on the one hand isolates enterprise applications from the internet, and on the other hand, limits the network attack surface.
Advanced SDP solutions provide always-on security so that when you are in a coffee shop or the airport, you first connect and from there, access both enterprise applications and the internet. This approach protects you from all three of the DNS risks discussed above:
- Sessions cannot be hijacked and sent to a rogue DNS server.
- Enterprise applications are only accessible over the SDP – there are no public DNS records that can be targeted and manipulated.
- All internet access is handled by a curated, secure DNS server, along with feeds from a DNS reputation service to guarantee authenticity as well as block malicious domains. Additionally, Secure Web Gateway and Web Isolation services can be activated on demand, based on a multitude of risk factors.
As always with security, there is a tradeoff between the level of protection and the resources required to implement it. The best thing about advanced SDP solutions is that they are delivered as a service – and DNS security is built-in. The always-on VPN technology means that users have secure access to both enterprise applications and the internet at all times, regardless of where they are located. The IT team benefits from three types of DNS security as an integral part of the solution.