To better see the threats on your network, try DNS

DNS is a vector used in most cyber attacks. When it comes to DNS, BlueCat can enhance visibility, detection, and containment of threats to your network.

On a scale of 1 to 10, how well do you know what’s happening on your network?

In a recent discussion that BlueCat had with a small group of IT professionals, the average response was 6.2. That’s troubling in a time of significant network changes and heightened network security requirements.

It’s tough to get a complete picture of vast, layered networks. But at the same time, it’s vital. To better protect your network against the inevitable, you need three things:

  1. visibility into what’s happening,
  2. the ability to detect anomalies, and
  3. ways to contain incidents when they arise.

And when it comes to the DNS layer of your network—after all, DNS is a vector used in a majority of attacks—the BlueCat platform offers ways to make a dent in all three.

Below, we’ll look at DNS query logging as crucial to visibility. Then, we’ll explore some approaches to anomaly detection, including setting policies. Finally, we’ll offer a quick demo of our integration with Cisco Umbrella to further help you detect and contain incidents.

The small group of IT professionals who discussed these ideas is part of BlueCat’s open DDI and DNS expert conversations. All are welcome to join Network VIP on Slack.

Query logging is key to DNS visibility

Query logging is the essential tool for knowing what’s happening on the DNS layer of your network.

Do you have your query logging turned on?

With a query log, you capture timestamps, source IP addresses, the names and record types queried, and response codes. A single lookup tells you little; patterns in that activity over time, such as one host asking for hundreds of never-seen domains that all come back NXDOMAIN, are what let you infer intent.

Where logging is turned on matters just as much. If you log at the very first hop from the client (the resolver the client sends its queries to), you preserve the client’s source IP. If you log only further along the resolution path, at an upstream forwarder or resolver, the source address you capture is that of the last hop that forwarded the request, not the client, so you can no longer tell which host asked.

Logging the responses as well, not just the questions, adds to that picture: the answers (or the errors) that came back tell you what each client actually reached.

To be sure, query logging takes some resources. Customers have experienced CPU hits of up to 30%. And you need data storage for the logs themselves. But you cannot begin to glean intent without them. And the BlueCat platform makes it easy to do.

Using DNS to detect anomalies

So, query logging is turned on, but can you use that data to detect a problem?

Many customers send their DNS logs to a Security Information and Event Management (SIEM) tool, where they can be correlated with other sources. Splunk, for example, integrates with BlueCat. There are other options, too: some customers cross-reference query data against logs from firewalls such as Palo Alto Networks.

Setting policies

Response policy zones (RPZs) let a resolver rewrite DNS responses based on policy rather than returning the real answer. For example, if a query name matches a known-bad domain, or the answer contains a known-bad IP address, the resolver can return a different answer, such as NXDOMAIN, instead of resolving it normally.
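An added example of what such a policy looks like in BIND’s RPZ zone format (illustrative, not BlueCat’s configuration; the domain names, the block-page host and the 192.0.2.0/24 range are placeholders). The zone is loaded like any authoritative zone and enabled with `response-policy { zone "rpz.corp.example"; };` in the resolver’s options:

```zone
; rpz.corp.example - illustrative response policy zone (placeholder names)
$TTL 300
@                       IN SOA  localhost. hostmaster.corp.example. (
                                2024032701 ; serial, bump on every change
                                3600 900 604800 300 )
                        IN NS   localhost.

; QNAME trigger: the name itself and, separately, everything under it.
; "CNAME ." means answer NXDOMAIN.
bad.example             CNAME .
*.bad.example           CNAME .

; "CNAME *." means answer NODATA (the name exists, but has no such record).
tracker.example         CNAME *.

; Walled garden: redirect to an internal host that serves a block page.
phish.example           CNAME blockpage.corp.example.
*.phish.example         CNAME blockpage.corp.example.

; IP trigger on the answer: if a response carries an address in 192.0.2.0/24,
; rewrite it to NXDOMAIN. Owner format: <prefix length>.<octets reversed>.rpz-ip
24.0.2.0.192.rpz-ip     CNAME .

; Exception: let one name under the blocked domain resolve normally.
; An exact name in the zone takes precedence over the wildcard, as in
; ordinary DNS matching.
allowed.bad.example     CNAME rpz-passthru.
```

Two points to keep in mind when using this. The wildcard line is needed as well as the bare name, because `bad.example CNAME .` alone does not cover `cdn.bad.example`. And RPZ only governs queries that pass through this resolver: a host pointed at an external resolver, or using DNS over HTTPS to a public service, bypasses the policy entirely, which is one reason the position of the first-hop forwarder matters.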

BlueCat’s platform lets you set informed and precise policies. You can monitor, alert on, or entirely block specific DNS servers with bad reputations. BlueCat can also help you identify and block specific types of malicious activity, such as DNS tunneling or domain generation algorithm (DGA) traffic.

Policies can also shrink your attack surface. Use them to restrict which names critical systems such as point-of-sale terminals and IoT devices are allowed to resolve, so a compromised device cannot reach out to arbitrary hosts, and to keep sensitive internal names from being resolved by clients that have no business asking for them.
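As an added example (not BlueCat’s code, and not from the original post) of the kind of correlation a SIEM rule or a small script can do with the query-log fields named earlier, the Python below parses a constructed, simplified query log and applies two of the detections this section mentions: a per-client NXDOMAIN ratio as a domain-generation-algorithm indicator, and many distinct, long, high-entropy leftmost labels under one parent domain as a DNS-tunneling indicator. The log format, the sample lines, the thresholds and the two-label registered-domain approximation are all assumptions for illustration; real logs from BIND, dnstap or a DDI platform lay the fields out differently, and a production rule should use the Public Suffix List and thresholds tuned to your own baseline. Per-client attribution here only works when the logging hop preserves the client source IP, as the logging section explains.

```python
"""DNS query-log detections over constructed sample data (added example)."""
import math
import re
from collections import defaultdict

# Constructed sample log for this example, NOT real traffic. One query per
# line: timestamp, client IP, query name, query type, response code.
SAMPLE_LOG = """\
2024-03-27T10:15:01Z 10.1.2.3 www.example.com A NOERROR
2024-03-27T10:15:02Z 10.1.2.3 mail.example.com MX NOERROR
2024-03-27T10:15:03Z 10.1.2.9 kq3xv9dl2mz.net A NXDOMAIN
2024-03-27T10:15:03Z 10.1.2.9 p8wq2zr7yv1.com A NXDOMAIN
2024-03-27T10:15:04Z 10.1.2.9 x1c7hm4tqb0.org A NXDOMAIN
2024-03-27T10:15:04Z 10.1.2.9 www.example.com A NOERROR
2024-03-27T10:15:05Z 10.1.2.9 z5n8dk2wqa3.info A NXDOMAIN
2024-03-27T10:15:06Z 10.1.2.9 j9yl4vb6rx2.biz A NXDOMAIN
2024-03-27T10:15:07Z 10.1.2.20 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t.evil-tunnel.example TXT NOERROR
2024-03-27T10:15:08Z 10.1.2.20 c2Vjb25kIGNodW5rIG9mIGRhdGEgZ29lcyBoZXJl.t.evil-tunnel.example TXT NOERROR
2024-03-27T10:15:09Z 10.1.2.20 dGhpcmQgY2h1bmsgb2YgZXhmaWx0cmF0ZWQgZGF0YQ.t.evil-tunnel.example TXT NOERROR
2024-03-27T10:15:10Z 10.1.2.20 Zm91cnRoIGNodW5rIG9mIGV4ZmlsdHJhdGVk.t.evil-tunnel.example TXT NOERROR
2024-03-27T10:15:11Z 10.1.2.3 cdn.example.net A NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype, rcode = m.groups()
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname.rstrip(".").lower(),  # DNS names are case-insensitive
            "qtype": qtype.upper(),
            "rcode": rcode.upper(),
        })
    return records


def shannon_entropy(s):
    """Bits per character: base64- or hex-looking labels score high, words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """ASSUMPTION: the last two labels are the registered domain. Production
    code should use the Public Suffix List (example.co.uk has three)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_dga_suspects(records, min_queries=5, nxdomain_ratio=0.5):
    """Clients whose queries mostly come back NXDOMAIN, spread over many
    registered domains: the footprint of a DGA probing for a live C2 domain.
    Thresholds are assumptions; tune them on your own baseline."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_domains": set()})
    for r in records:
        st = stats[r["client"]]
        st["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            st["nx"] += 1
            st["nx_domains"].add(registered_domain(r["qname"]))
    suspects = {}
    for client, st in stats.items():
        ratio = st["nx"] / st["total"]
        if st["total"] >= min_queries and ratio >= nxdomain_ratio:
            suspects[client] = {"nxdomain_ratio": round(ratio, 2),
                                "distinct_nx_domains": len(st["nx_domains"])}
    return suspects


def find_tunnel_suspects(records, min_label_len=30, min_entropy=3.5, min_unique=3):
    """(client, registered domain) pairs that sent many distinct, long,
    high-entropy leftmost labels: data encoded into query names, i.e. DNS
    tunnelling or exfiltration. TXT/NULL queries are the usual carriers, but
    keying on label shape also catches tunnels that ride on A queries."""
    buckets = defaultdict(set)
    for r in records:
        first = r["qname"].split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            buckets[(r["client"], registered_domain(r["qname"]))].add(first)
    return {key: len(labels) for key, labels in buckets.items()
            if len(labels) >= min_unique}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("DGA suspects:", find_dga_suspects(recs))
    print("Tunnel suspects:", find_tunnel_suspects(recs))
```

The tunnelling rule deliberately keys on the (client, parent domain) pair rather than on single names: one odd-looking label is noise, while many unique labels under the same domain from the same host is a channel. The DGA rule likewise counts distinct registered domains, not raw NXDOMAIN hits, so a client that keeps retrying one dead name does not trip it.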

The limitations of volume

There is no silver bullet that can take mass quantities of security-related data from disparate sources, including DNS data, marry it all together, and automatically act to stave off or contain network attacks in real time. As one of our customers said:

“The volume of data, the value of different data points, and the integration with all of the other systems to actually get enough metadata to make it meet at that higher-level use case is a huge challenge. Because, for us, by the time we get all of those data points put together to do that, it’s usually way too late.”

Artificial intelligence (AI) and machine learning (ML) might help some, but human experts still have to do a lot of higher-level forensic work. One of our customers put it best:

“I haven’t seen a tool that does it. All the people whispering AI and ML and all of those elements forget that you still have to do all of the work to get to the point of being able to leverage those. And if you don’t do that work well, AI isn’t going to save you. ML isn’t going to save you. You still have to do the work. Now, hopefully, they will, at some point, allow us to do the work faster. But if you don’t do the work well, it’s not going to come to fruition.”

Still, setting policy can help cultivate a systematic rather than Whac-a-Mole approach to network anomalies. Outliers are easier to spot, and because the decision about what to do with them was made in advance, the response is applied automatically.

A way to contain: BlueCat and Cisco Umbrella

BlueCat’s integration with Cisco Umbrella can give you even more granular insight into DNS data to bolster your network security.

BlueCat sits at the first hop for every query, acting as the forwarder for both internal and external-bound traffic. It then sends Cisco Umbrella the IP addresses of the endpoints making the queries, along with other contextual data, so Umbrella sees the real client rather than just the forwarder. Users get visibility into device-level infections through a simple interface.

Here’s a demo of how it works:

The BlueCat and Cisco Umbrella integration can help prevent and contain attacks. Combine it with the fundamental step of query logging, and with threat intelligence and SIEM tools to set and apply policies, and you may well boost your score for how well you know what’s happening on your network.



Rebekah Taylor is a former journalist turned freelance writer and editor who has been translating technical speak into prose for more than two decades. Her first job in the early 2000s was at a small start-up called VMware. She holds degrees from Cornell University and Columbia University’s Graduate School of Journalism.
