DNS is a veritable gateway for malware. In fact, 91% of malware uses DNS to gain command and control, exfiltrate data, or redirect web traffic. This can have disastrous consequences for both network owners and users, but in the same way that DNS can lead cyber attackers to your network as if it’s printed out MapQuest directions to your home, it can also block them out before they ever dare to knock on your door. Enter: DNS-layer security.
DNS is a hidden goldmine of data, which makes it valuable to hackers and IT security agents alike. Because of this, it needs to be mined, cross-referenced and monitored against threats. Luckily, the sheer volume of data within the DNS layer makes it easier to identify the bad guys (i.e. bad domains) before there’s an actual breach.
Detecting threats at the DNS layer is integral to the early detection of compromised systems and, as a result, strengthening network security. It’s a vital proactive strategy, and here’s why.
What is DNS?
DNS, or domain name system, is the internet protocol that transforms the names of web addresses (like cisco.com, techcrunch.com, or any other human-comprehensible name) into a language understood by machines. Once translated, these names are known as IP addresses. This lets users connect their computer to their destination’s web server.
This process is incredibly swift, and there are billions of DNS requests daily. Most websites have their own server that handles the connections, but this layer has very specific vulnerabilities. For example, DDoS (distributed denial of service) attacks are increasingly popular among hackers looking to blackmail websites. During a DDoS attack, a hacker will take over hundreds or thousands of computers and use them to briefly connect to a target site, effectively flooding the DNS server so it can’t process legitimate users. The website is then rendered useless until the attack is over, the website can find additional servers, or the hacker is found and prevented from attacking the site.
This is where DNS-layer security comes in. It prevents a problem before you have to scramble to find the source of a cyberattack.
How DNS-layer security works
The hallmark of DNS-layer security is the idea that cybersecurity attacks originate from somewhere. There is a scene of the crime, and you just have to find it before the crime takes place. That may sound complicated, but it’s actually surprisingly simple. Think of it as having a screen door open in the middle of a rainstorm. It will, metaphorically, hold an umbrella so that the rain can’t seep through, but those who are invited can still open the screen and come inside.
In reality, DNS-layer security works by preemptively blocking all requests over any port or protocol to any seemingly suspicious location. This happens without first having to identify the nature of an attack, as traditional security applications must. It simply recognizes that a bad domain is bad, which enables it to block:
- Malicious crypto mining
- Command-and-control exfiltration
DNS-layer security is particularly effective because it hinges on the predictive identification of malicious hosts. With DNS-related data — like tens of billions of daily DNS requests, WHOIS records, and Border Gateway Protocol routing information — suspicious domains are identified with a high level of accuracy and swiftly blocked. Think of it as an internet no-fly list.
DNS-layer security is the first line of defense
With traditional security methods, malware has to reach the perimeter or endpoint before it can be stopped. This means that it’s already partially worked its way into your network. In other words, the attack is in progress.
Think of it this way: if you have a mouse infestation on your property, it’s only a matter of time before they find their way into your home and start chewing on wires, right? Going with this metaphor, cloud-based DNS-layer security would stop the mice before they ever set foot on your property in the first place.
In particular, cloud-based DNS-layer security — which uses a third-party service that’s not attached to your local DNS server — offers a number of benefits:
- All the dirty work (i.e. blocking malicious downloads or destination requests) takes place outside of your network.
- Attacks are proactively blocked before a connection is even established.
- With some services, protection extends to every device connected to the corporate network — yes, even including the IoT (Internet of Things).
For example, that DDoS mentioned above would be thwarted well before it crashed your server and, likely, well before a single hijacked computer could make a bad-faith connection.
DNS-layer security strategies can improve user experience
DNS-layer security isn’t just a first line of defense against cybersecurity attacks. It can actually have a huge impact on user experience, particularly if you’re using a cloud-based solution. Flatly put, it takes a lot of CPU to decrypt and encrypt web traffic. If this takes place on your own server, it can slow things down for your users, which can be detrimental to a business that relies on web traffic.
Google has found that as page load time increases from one to five seconds, there’s a 90% probability that a user will bounce. Luckily, cloud-based DNS-layer security pushes the CPU processing burden onto your cloud provider rather than your own network. Most cloud servers are built to process large volumes of requests from multiple websites, so a sudden burst in traffic is less likely to crash yours.
A DNS breach can obliterate your search engine ranking
Most modern websites rely on ad revenue to sustain themselves, but this is highly dependent on traffic. The more traffic a website gets, the more people who may click on an advertisement and the more they can charge for campaigns. Organic search traffic is a big piece of this puzzle, but it’s highly dependent on search engine ranking. Unfortunately, a DNS breach can tank your rank.
If your website is the source of a cyberattack, Google may mark your website as a source of malware, which directly drops your rank and puts you on a veritable blacklist. Recovering your website is an arduous process, but DNS can help prevent it from happening to begin with.
DNS-layer security is surprisingly easy to deploy
Implementing a traditional appliance across a whole network can be a long process, especially when you’re installing hardware, but a cloud-based DNS-layer solution is surprisingly speedy. In minutes, you can reroute your DNS requests to a designated IP that will filter them. This works cross-device, regardless of the operating system.
Beyond that, cloud-based DNS-layer security is instantly scalable. You’re not bound by the traditional limits of hardware appliances, which are built to handle a certain level of traffic. You don’t have to purchase additional units and can add more devices to your plan at will. Remember: service providers are working behind the scenes to meet your website’s demands. Sudden success? No problem. You’re not even bound by location, and your DNS-layer protection will work wherever your devices are, which streamlines things for companies with multiple headquarters.
DNS-layer security out-performs antivirus and anti-malware software
Today, hackers are more creative than they were in the ‘90s when they thrived on users who accidentally downloaded suspicious attachments. Overall, antivirus and anti-malware software are effective at scanning files for malicious code, but today, hacking goes so much further. Phishing scams regularly use fake web pages to trick users into logging in with legitimate domain credentials. Anti-malware and antivirus software are none the wiser.
DNS-layer security helps thwart these kinds of attacks by using algorithms to quickly identify malicious redirects and block access. If a new fake site pops up, DNS blocks access. It doesn’t, for example, try to secure your metaphorical home after you’ve already been robbed.
DNS-layer security is mobile
We no longer live in a world where most people are surfing the web on their desktops. The line between work computer, personal computer, and cellphone has been deeply blurred. In fact, according to the Pew Research Center, 85% of Americans own smartphones, which are increasingly vulnerable to cyber-attacks.
DNS filtering is a cross-device security solution. It can be applied to mobile devices, so those accessing confidential information on the go don’t have to worry about passwords and key-identifying information being stolen. This is particularly important for networks dealing with financial information or data that could leave users subject to identity theft.
Monitoring DNS is integral to catching threats others miss
Most malware uses DNS in attacks, but 68% of organizations don’t monitor their DNS. They leave it up to their ISP, but that also makes them vulnerable. Today, many organizations are adopting direct internet connections and users are bypassing the VPNs companies use as an added layer of protection. This leaves DNS blind spots, but monitoring DNS requests can help mitigate these problem areas.
DNS-layer security blocks requests before the IP connection (i.e. the phase at which machines can start to exchange information). As a result, DNS resolvers can log requested domains regardless of the protocol or port. This makes it easier to collect high-quality data that leads to better accuracy when detecting threats and better detection of compromised systems overall.
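The two mechanisms described above (blocking a bad domain before any IP connection is made, and logging every requested name regardless of protocol or port so compromised hosts stand out) can be illustrated with a small resolver policy in Python. This is an added example, not code from the original article or from any vendor's product; the blocklist entries, client addresses and query log are constructed sample data under the reserved `.example` TLD, and the compromised-host threshold is an assumption.

```python
from collections import Counter

# Constructed blocklist of parent domains (hypothetical names, not real indicators).
BLOCKLIST = {"bad-c2.example", "cryptominer.example"}

def normalize(qname):
    """Lower-case the name and drop a trailing root dot so lookups are canonical."""
    return qname.strip().rstrip(".").lower()

def is_blocked(qname, blocklist=BLOCKLIST):
    """Suffix match on DNS labels: blocking a parent domain also blocks every
    subdomain under it, without false hits on look-alike names (notbad-c2.example)."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def resolve_policy(client_ip, qname, qtype, blocklist=BLOCKLIST):
    """Decide one query and return a structured log record. A blocked name gets a
    sinkhole answer, so the client never opens the later TCP/UDP connection, whatever
    protocol or port it intended to use. Every query is logged either way."""
    name = normalize(qname)
    action = "sinkhole" if is_blocked(name, blocklist) else "forward"
    return {"client": client_ip, "qname": name, "qtype": qtype, "action": action}

def compromised_hosts(records, threshold=2):
    """Hosts that hit the sinkhole at least `threshold` times (assumed value) are
    flagged as likely compromised for incident-response follow-up."""
    hits = Counter(r["client"] for r in records if r["action"] == "sinkhole")
    return {host: n for host, n in hits.items() if n >= threshold}

# Constructed query log: (client IP, queried name, record type).
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.cisco.com.", "A"),
    ("10.0.0.5", "Beacon.bad-c2.example", "TXT"),
    ("10.0.0.5", "x7f3.bad-c2.example.", "A"),
    ("10.0.0.9", "techcrunch.com", "AAAA"),
    ("10.0.0.9", "pool.cryptominer.example", "A"),
]

def run(queries=SAMPLE_QUERIES, blocklist=BLOCKLIST):
    """Apply the policy to each query and summarise which hosts need attention."""
    records = [resolve_policy(c, q, t, blocklist) for c, q, t in queries]
    return records, compromised_hosts(records)

if __name__ == "__main__":
    records, flagged = run()
    for r in records:
        print(r)
    print("likely compromised:", flagged)
```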
As it stands, one in three breaches could have been controlled by DNS, but companies that monitor DNS — and the IP connections that follow — have fewer vulnerabilities. DNS-layer security can block threats that others miss.