Three things NIST taught us about DNS security

In this webinar, BlueCat turned to NIST computer scientist Scott Rose for advice on how network admins can harness the power of DNS to secure their systems.

The Domain Name System is as old as the internet itself. Using DNS for network security, however, is a relatively new concept. As network administrators begin to harness the power of DNS to secure their systems, we turned to an expert for some advice on how to approach this issue.

BlueCat recently hosted a webinar featuring Scott Rose, a computer scientist at the National Institute for Standards and Technology (NIST). Rose is the co-author of NIST Special Publication 800-81, the Secure Domain Name System Deployment Guide, and an expert on DNS security in the U.S. federal government.

Rose painted a picture of DNS as a piece of critical network infrastructure that can be used for good or for evil. On the positive side, DNS facilitates legitimate network traffic through address translation, domain-based authentication, load balancing, and even security through DNSSEC signed zones. At the same time, DNS can be used by malicious actors for denial of service attacks, malware command and control, data exfiltration, and DNS tunneling.

It’s as if DNS has multiple personas. We’ve started to use the word “naïve” to characterize DNS – as it can take on any number of tasks (good, evil, or both) based on the commands it is given. Rose pointed out that understanding and leveraging this naïveté is critical for IT security personnel, just as it is critical for those who seek to compromise IT security.

If DNS is so naïve, should it be trusted? Rose pointed out that most network administrators and end users don’t have a choice. DNS is the standard pathway for any internet communications, for better or for worse. The best that any IT staff can do is control the context that DNS operates in, harnessing its naïveté to enforce security policies rather than succumb to outside influence.

As Rose noted, losing control of your DNS architecture can lead to severely negative consequences. From spoofed email exchanges to amplified DDoS attacks to DNS hijacking, malicious actors have many ways to infiltrate and exploit this core network system. It’s no wonder that an estimated 91% of malware uses DNS to infiltrate and exploit its targets.

What is to be done? How can network administrators ensure that their DNS architecture remains in the hands of the good guys? BlueCat Senior Director for Cybersecurity Scott Penney laid out three key principles for DNS-based network security.

1. Know thy network

First and foremost, network administrators and security personnel need to know what’s on their networks. That means logging DNS data, analyzing patterns, and recognizing anomalies. This shouldn’t just happen at the boundary between internal networks and the outside internet. It should happen everywhere – even on east-west traffic within the network.

2. Detection is critical

Second, administrators need the capability to detect the source of network issues. With a DNS security system that sits at the client level, administrators can pinpoint the origin of malware queries and identify their intent as they attempt to spread throughout the system.

3. Take action

Finally, administrators need the ability to take action. Once a threat is identified, policy needs to be set through the core DNS infrastructure to isolate and eliminate malicious activity. Efficiency comes as a side benefit of these policies – the rest of the system continues to hum even as DNS blocks attacks at their source points.

Because naive DNS can so easily be recruited for good or bad cyber behavior, it’s vital to the stability of your IT infrastructure to defend your network. Use the power of DNS for visibility and detection for better network security.

Published in:

An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Get fast, resilient, and flexible DDI management with Integrity 9.6

With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.

Read more

Deepen your security insight with Infrastructure Assurance 8.3

BlueCat Infrastructure Assurance 8.3, with an enhanced analytics dashboard, including interactive widgets and top 10 alerts, is now available.

Read more

Security, automation, cloud integration keys to DDI solution success

Only 40% of enterprises believe they are fully successful with their DDI solution. Learn how to find greater success with new research from EMA and BlueCat.

Read more

Our commitment to Micetro customers and product investment

From CEO Stephen Devito, a word on BlueCat’s ongoing commitment to supporting Micetro customers and Micetro’s evolution as a network management tool.

Read more

Seven reasons to rethink firewall monitoring and boost automation 

With BlueCat Infrastructure Assurance, you can better protect your network with automated alerts and suggested remedies for hidden issues in your firewalls.

Read more