WHITEPAPER Designing a Secure DNS Architecture


Designing a Secure DNS Architecture 1

Table of Contents

Designing a Secure DNS Architecture 2

Introduction 2

Architecting Your DNS 2

Securing the DNS Platform 3

Defending against DNS Attacks 3

Volumetric Attacks 4

DNS-specific Attacks 4

Preventing Malware from Using DNS 5

Advanced DNS Protection and DNS Firewall 5

Infoblox Purpose-built Appliance and OS 5

Advanced DNS Protection 6

Infoblox DNS Firewall 7

Reporting 9

Conclusion 9


Designing a Secure DNS Architecture

In today’s networking landscape, it is no longer adequate to have a DNS infrastructure that simply responds to queries. What is needed is an integrated and highly secure DNS architecture that also enables smart growth.

Introduction

DNS is an essential part of any modern-day organization. DNS, or Domain Name System, is the protocol used for converting fully qualified domain names (FQDNs) like www.google.com into machine-usable IP addresses that computers use to communicate with each other.

Without a working DNS protocol, it would be almost impossible to have an Internet of Things whose devices communicate with each other.

While there are multiple ways to classify a DNS server, one that is especially relevant to this paper is the difference between primary and secondary DNS servers. A primary DNS server can be defined as one that holds the master copy of a DNS zone, while a secondary server stores copies of the zone that it receives from the primary server. There could be many reasons for having a secondary DNS server, such as performance or a desire to hide your primary server.

Your customers use your DNS system to reach your website. Without a proper DNS infrastructure, your organization would not have a presence in cyberspace. eCommerce companies would not be able to sell their services. Even brick-and-mortar companies need DNS servers to advertise their products. In short, the Internet as we know it would not exist without the DNS protocol.

Architecting Your DNS

As the demand for an organization’s services grows, so does the load on its DNS servers. At some point, whether it is due to legitimate traffic or a malicious distributed denial of service (DDoS) attack, the load on the DNS server exceeds the capacity of the server. At this point every organization looks for ways to increase DNS queries-per-second (QPS) capacity.

One approach to this problem is to augment the primary DNS server with a faster, secondary DNS server. This approach works more efficiently if the two servers are integrated and use the same database and interfaces. Using two separate DNS servers here can introduce some interoperability issues in basic features like backup and restore, reporting, and management in general. A unified interface is also an important consideration here and can ensure preservation of your investment, and lower total cost of ownership (TCO). Another solution here is to deploy several DNS servers behind a load balancer. This approach works best if the DNS servers are unified to ensure ease of management and deployment consistency to all servers.

When designing a DNS infrastructure, it is important to build an environment that is not only sufficient for current needs, but also provides room for future growth. In addition, while architecting your DNS, it is also important to understand the security threats the DNS might be vulnerable to. We will discuss these next.

Securing the DNS Platform

Hacking of DNS servers is becoming more prevalent every day. Conventional DNS servers have multiple attack surfaces and extraneous ports such as port 80 and port 25 that are open for attack. Hackers can use these ports to access the operating system (OS) and hack your servers. If your DNS servers don’t support tiered security privileges, any user could potentially gain access to OS-level account privileges and cause configuration changes that could make your servers vulnerable to hacks. Moreover, updates to conventional DNS servers often require time-consuming manual processes.

Defending against DNS Attacks

Another consideration is protection of your DNS infrastructure from external attacks. Authoritative DNS servers are reachable from the Internet. This makes them potentially vulnerable to attacks such as DNS flood and amplification, DNS hijacking, exploits, etc., which can effectively stop your DNS server from responding or compromise the integrity of your DNS services. It is also important to prevent these servers from becoming a tool to attack other servers (DNS reflection attack). Reflection attacks can damage your company’s reputation and cost money in the long run.

Even though your authoritative server sits behind a firewall, most of these attacks cannot be mitigated by typical firewalls. Firewalls are ill-prepared to protect you against application-layer attacks. The ones that do, the so-called NextGen firewalls, tend to have very little coverage for DNS protocols. These solutions typically spread their security policies across a large number of protocols and sacrifice depth for breadth of coverage.

Load balancers offer some basic level of protection against DNS floods. However, there is a whole suite of DNS-based attacks that can target your external authoritative DNS servers, and the mitigation capabilities of load balancers fall short when it comes to addressing all of them. For example, load balancers cannot protect against bad or malformed DNS queries. Load balancers respond to DDoS attacks at the DNS security perimeter by scaling performance and spreading the load across multiple devices using IP Anycast. Merely adding more load balancers to the environment can prove to be an inefficient and costly method of handling attacks.

Another dangerous category of attacks that can affect your internal recursive servers as well as external servers includes NXDOMAIN attacks and other stealthier DDoS attacks, which are less understood than the typical volumetric attacks. This type of attack causes resource exhaustion and slow performance on your caching servers, and DDoS on their target domain. More often than not, they remain under the radar. Highly sophisticated DDoS attacks involve botnets, chain reactions, and misbehaving domains.
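The NXDOMAIN attacks described above stay under the radar because each query looks ordinary on its own; what gives them away on a caching server is one client producing a stream of distinct non-existent names under a single zone. The following is an added example (not from the paper or any Infoblox product) that runs that check over constructed resolver log lines, whose "client qname rcode" layout is assumed for this example only:

```python
from collections import defaultdict

# Constructed resolver log lines for this example; the "<client> <qname> <rcode>"
# layout is our own and not any vendor's log format.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.5 nosuch.example.com NXDOMAIN
10.0.0.9 q7f3a.victim-zone.test NXDOMAIN
10.0.0.9 zp81k.victim-zone.test NXDOMAIN
10.0.0.9 m2c9e.victim-zone.test NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.9 x0l4t.victim-zone.test NXDOMAIN
10.0.0.9 b6n2r.victim-zone.test NXDOMAIN
10.0.0.9 v9w1d.victim-zone.test NXDOMAIN
"""


def parent_zone(qname, labels=2):
    """Return the last `labels` labels of a name, e.g. 'victim-zone.test'."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])


def analyze(log_text, min_queries=5, nx_ratio=0.6):
    """Per-client NXDOMAIN statistics plus the clients that look like
    random-subdomain attack sources. Returns (stats, suspects)."""
    stats = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, rcode = line.split()
        s = stats.setdefault(client, {"total": 0, "nx": 0, "nx_names": defaultdict(set)})
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_names"][parent_zone(qname)].add(qname.lower())
    suspects = {}
    for client, s in stats.items():
        if s["total"] < min_queries:
            continue  # too little traffic to judge; avoids flagging a single typo
        ratio = s["nx"] / s["total"]
        if ratio < nx_ratio:
            continue
        # Many distinct non-existent names under one zone is the signature of a
        # random-subdomain attack; report the zone being targeted through this resolver.
        zone, names = max(s["nx_names"].items(), key=lambda kv: len(kv[1]))
        suspects[client] = {"nx_ratio": round(ratio, 2), "zone": zone,
                            "distinct_names": len(names)}
    return stats, suspects


if __name__ == "__main__":
    _, flagged = analyze(SAMPLE_LOG)
    for client, info in flagged.items():
        print(f"{client}: {info['nx_ratio']:.0%} NXDOMAIN, {info['distinct_names']} "
              f"distinct names under {info['zone']}")
```

The thresholds are starting points; on a real resolver, tune `min_queries` and `nx_ratio` against a baseline window so that ordinary typo traffic from a busy client is not flagged.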

Regardless of the protection technique that you use, it is important to stay one step ahead of the attackers. Keeping protection up to date is key as the DNS threat landscape continuously evolves, and attacks change form. It is also essential to ensure that the update of protection rules is done automatically. With the new level of sophistication that we are seeing in modern-day attacks, it is not possible to manually create and add detection rules to your DNS. Enterprises need specialized and automated DNS protection.

Your DNS infrastructure should protect itself against inevitable DNS attacks on your organization. These attacks can take one of two major forms: volumetric and DNS-specific attacks.

Volumetric Attacks

These attacks, sometimes referred to as DoS or DDoS, rely on exhausting a device’s resources. A typical DNS DDoS sends tens or hundreds of thousands of queries per second to a DNS server in order to exhaust the resources on the DNS server and cause a service outage.

The historical approach to a DNS DDoS attack has been to increase your capacity by either placing your DNS infrastructure behind a load balancer or to use a faster secondary DNS server to augment your primary server. The problem with this approach is that it is a temporary patch. According to Arbor Networks, 2013 included several DNS DDoS attacks of 100 Gbps or more.

With DNS-based volumetric attacks making up 10% of overall volumetric attacks and growing, we can only expect this number to grow. Putting a load balancer or a faster secondary server in front of the DNS server is not a cost-effective approach to DDoS protection. This amounts to a temporary patch and requires the organization to ramp up its infrastructure every time the bad guys catch up to them. You need intelligent DNS DDoS protection that does not respond to queries indiscriminately but distinguishes legitimate traffic from attack traffic.

DNS-specific Attacks

Another soft spot for a DNS infrastructure is the actual protocol. When the DNS protocol was developed, few could have envisioned a world where malicious agents or disgruntled workers could exploit or bring down your DNS server. Today we realize that any DNS server can be the target of DNS-specific attacks. These take many forms:

● DNS reflection
● DNS amplification
● DNS exploits
● DNS protocol anomalies
● DNS tunneling
● Cache poisoning
● DNS hijacking
● NXDOMAIN

The various intentions of these types of attacks are to:

● Congest outbound server bandwidth (in the case of amplification attacks), overwhelming network components like firewalls in the path
● Flood the DNS server with traffic to slow it down and prevent it from responding to legitimate queries
● Cause the DNS server to crash by exploiting its vulnerabilities

A proper DNS infrastructure should protect your DNS server against these business-impacting attacks.

Preventing Malware from Using DNS

Data breaches are growing at a staggering pace, and over 100,000 new malware samples are being catalogued every day. According to the Cisco 2014 Security Report, 100% of business networks analyzed by Cisco had traffic going to websites that host malware.

Investing in next-generation firewalls or intrusion prevention systems (IPSs) can stop some malware and APTs from entering the network, but not all. Trends like bring your own device (BYOD) complicate the situation further and provide new avenues for malware to enter and go undetected for longer periods of time.

Malware is increasingly becoming more sophisticated and is circumventing traditional defenses. Detecting malware activity in a large network is nearly impossible. Fast flux, Proxy C&C networks, anonymous TOR, and other advanced techniques can easily bypass the perimeter. Once inside the network, malware uses DNS to find and communicate with botnets and command-and-control servers. Botnets and command-and-control servers hide behind constantly changing combinations of domains and IP addresses. Once internal machines connect to these devices, additional malicious software is downloaded or sensitive company data is exfiltrated.

Sometimes malware remains hidden or disguised by external attacks on networks. During an external attack, IT staff are distracted in protecting the network, and might miss alerts or warning logs about malware activity within the network. This practice is called smoke screening and has become a standard method of distracting security teams while exfiltrating data through the back door. By having a single integrated and centrally managed DNS infrastructure (external and internal) with visibility into both external attacks and malware activity, IT will be able to comprehend the totality of events and take appropriate action.

Advanced DNS Protection and DNS Firewall

Infoblox Purpose-built Appliance and OS

Infoblox provides hardened, purpose-built DNS appliances with minimized attack surfaces with:

● No extra or unused ports open to access the servers
● No root login access with the OS
● Role-based access to maintain overall control

All access methods are secured:

● Two-factor authentication for login access
● Web access using HTTPS for encryption
● SSL encryption for appliance interaction via API

The DNS appliances are Common Criteria EAL2 certified, which covers verification of hardware, software, and manufacturing processes. In addition, OS and application updates happen through a single centralized process, allowing for simple and centralized management and control.

All of the above secures the DNS platform and helps protect DNS services from various hacks.

Advanced DNS Protection

Infoblox’s Advanced DNS Protection solves the problem of external attacks that target your DNS. It provides built-in, intelligent attack protection that keeps track of source IPs of the DNS requests as well as the DNS records requested. It can be used to intelligently drop excessive DNS DDoS requests from the same IP address, therefore saving resources to respond to legitimate requests. It also maintains DNS integrity that can otherwise be compromised by attacks like DNS hijacking. In addition, it morphs its protection with DNS configuration changes to ensure that the right protection rules are always enabled.

The figure below shows Advanced DNS Protection under attack, and its response to good DNS queries. While the attacks were being launched (red line graph), Advanced DNS Protection also received 50k good DNS queries per second, all of which it responded to (blue line graph), even as the attacks peaked. The test was done using an independent third-party security and performance-testing platform.

[Figure 1. Infoblox Advanced DNS Protection response rate under attack. X axis: Timestamp (Seconds), 0 to 300; Y axis: DNS Queries per Second, 50 to 550; series: Response to good queries, Attacks.]

It is important to understand the difference between this technology and BIND’s response rate limiting (RRL). With BIND, requests are received and processed, and only responses are rate limited. This is not an efficient approach since it uses valuable CPU and memory resources to process requests that the DNS server should never respond to. This makes it more likely for the DNS server to exhaust its resources and crash—which is the aim of a DDoS attack to begin with. With Infoblox’s technology, bad requests are dropped before they reach the central processing unit. Hence, it is a much more efficient approach. This technology is available out of the box.
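To make the RRL-versus-early-drop distinction concrete, here is an added example (not Infoblox code and not BIND's RRL implementation) that runs the same constructed ten seconds of traffic through two simplified models with the same per-source limit and counts how many datagrams each one has to parse before deciding; the addresses, timings and limits are made up for the example:

```python
from collections import defaultdict


class SourceRateLimiter:
    """Per-source token bucket: `rate` queries per second sustained, `burst` at once."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}

    def allow(self, src, now):
        elapsed = now - self.last_seen.get(src, now)
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last_seen[src] = now
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False


def parse_query(datagram):
    """Stand-in for DNS message parsing: the CPU work we would rather not spend on junk."""
    return datagram.decode("ascii").lower()


def serve_rrl_style(queries, limiter):
    """RRL-style: every datagram is parsed (and would be resolved); only the
    response is rate limited. Returns (datagrams_parsed, answered_per_source)."""
    parsed, answered = 0, defaultdict(int)
    for now, src, datagram in queries:
        parse_query(datagram)
        parsed += 1
        if limiter.allow(src, now):
            answered[src] += 1
    return parsed, dict(answered)


def serve_early_drop(queries, limiter):
    """Early-drop style: the source address is checked first and excess datagrams
    are discarded unparsed. Returns (datagrams_parsed, answered_per_source)."""
    parsed, answered = 0, defaultdict(int)
    for now, src, datagram in queries:
        if not limiter.allow(src, now):
            continue  # dropped before any parsing work
        parse_query(datagram)
        parsed += 1
        answered[src] += 1
    return parsed, dict(answered)


def constructed_traffic():
    """Ten seconds of traffic: one legitimate client at 1 qps and one flooding
    source at 100 qps (addresses and timings are made up for this example)."""
    good = [(float(t), "10.0.0.5", b"www.example.com") for t in range(10)]
    flood = [(i / 100.0, "198.51.100.7", b"www.example.com") for i in range(1000)]
    return sorted(good + flood, key=lambda q: q[0])


def compare(rate=20, burst=20):
    """Run the same traffic through both models with identical limits."""
    traffic = constructed_traffic()
    return {"rrl": serve_rrl_style(traffic, SourceRateLimiter(rate, burst)),
            "early_drop": serve_early_drop(traffic, SourceRateLimiter(rate, burst))}
```

Both models answer the legitimate client's ten queries and cap the flooder identically; the difference is that the RRL-style loop parses all 1,010 datagrams while the early-drop loop parses only the few hundred it will actually answer.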

Of course, an attack on a mid-sized organization would not have the same characteristics as one against a large enterprise. While Infoblox is responsible for creating and maintaining protection rules with Advanced DNS Protection, users can tune the parameters associated with each rule and customize them for their environments. These new adjustments are entered through a graphical user interface (GUI) but verified before they are applied to the rule engine, ensuring that the system operates at peak performance. A typical load balancer does not provide this level of customization. Some vendors might provide a scripting language that enables users and consultants to create their own rules. These vendors do not maintain these rules, and users are ultimately applying them at their own risk. This can cause confusion and compatibility problems every time that a change is made in the product line.

As mentioned earlier, another attack vector that could be used against a DNS server is protocol-based attacks. These include DNS amplification, reflection, and cache poisoning. Advanced DNS Protection provides prebuilt rules to protect DNS servers against these and similar attacks. Infoblox actively monitors the latest DNS-based vulnerabilities and ensures that it provides protection against these attacks out of the box.

Another advantage of Infoblox’s rule set is that it is automatically applied to DNS servers. It does not require manual intervention, either through writing scripts or applying them. This automatic deployment of protection rules can save precious time during an attack.

Infoblox DNS Firewall

Infoblox DNS Firewall addresses the problem of malware using DNS to communicate with botnets and command-and-control servers to exfiltrate data. It detects and mitigates communication attempts by malware to malicious hostnames by:

● Enforcing response policies on traffic to suspicious hostnames, such as blocking it, re-directing users, or allowing the traffic to pass through, so that administrators can decide what to do when a client tries to connect with a suspicious hostname
● Leveraging the automated, up-to-date Infoblox Threat Intelligence Feed on known malicious hostnames
● Providing timely and contextual reporting on malicious DNS queries, delivering insight into threat severity and impact, and pinpointing infected devices that are making the queries
● Providing alerts to network administrators when incidents occur
● Query monitoring and logging for suspect endpoints
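The three response-policy actions listed above (block, redirect, pass through) and the "pinpoint the infected device" reporting can be shown in a small resolver-side model. The following is an added example, not Infoblox DNS Firewall code: the policy table is a constructed stand-in for a threat feed, and the matching rule (exact name first, then the nearest `*.zone` wildcard) is this example's own assumption rather than any product's precedence rules:

```python
from dataclasses import dataclass


@dataclass
class PolicyHit:
    client: str
    qname: str
    trigger: str
    action: str


# Constructed policy table standing in for a threat-intelligence feed. Triggers are
# exact names or "*.zone" wildcards (subdomains only); actions: NXDOMAIN (block),
# CNAME (redirect to a walled-garden host), PASSTHRU (exempt, resolve normally).
POLICY = {
    "c2.evil.test": ("NXDOMAIN", None),
    "*.evil.test": ("CNAME", "walledgarden.corp.test"),
    "ok.evil.test": ("PASSTHRU", None),
}


class DnsFirewall:
    """Response-policy enforcement at the resolver: the most specific matching
    trigger wins (exact name before any wildcard, nearest wildcard first)."""

    def __init__(self, policy):
        self.policy = {k.lower(): v for k, v in policy.items()}
        self.hits = []  # one record per blocked or redirected query, for reporting

    def lookup(self, qname):
        name = qname.lower().rstrip(".")
        if name in self.policy:
            return name, self.policy[name]
        labels = name.split(".")
        for i in range(1, len(labels)):          # try *.b.c before *.c
            trigger = "*." + ".".join(labels[i:])
            if trigger in self.policy:
                return trigger, self.policy[trigger]
        return None, None

    def resolve(self, client, qname, upstream_answer):
        """Apply policy to a query; `upstream_answer` is what normal resolution
        would have returned (supplied by the caller in this example)."""
        trigger, rule = self.lookup(qname)
        if rule is None:
            return {"rcode": "NOERROR", "answer": upstream_answer}
        action, data = rule
        if action != "PASSTHRU":
            self.hits.append(PolicyHit(client, qname, trigger, action))
        if action == "NXDOMAIN":
            return {"rcode": "NXDOMAIN", "answer": None}
        if action == "CNAME":
            return {"rcode": "NOERROR", "answer": data}
        return {"rcode": "NOERROR", "answer": upstream_answer}

    def suspect_clients(self):
        """Internal addresses whose queries hit a blocking or redirecting rule."""
        return sorted({h.client for h in self.hits})
```

Because policy is applied on the recursive resolver, the client address in each hit is the internal device, which is what makes the query log useful for pinpointing infected machines.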

Figure 2. Secure DNS Deployment

Flexibility and Ease of Use

Regardless of what technology is used to protect an organization against external attacks, it is important to consider soft benefits of the technology. After all, the best technical solution might become shelfware if it is unrealistically difficult and cumbersome to implement. Most of today’s technologies rely heavily on command-line interfaces (CLIs) and scripting languages. While these technologies look promising in architecture diagrams, the implementation phase for them is too expensive and they are too hard to maintain, resulting in enterprises never implementing the full solution.

Infoblox offers its patented Infoblox Grid™ technology. Important features like high availability, disaster recovery, maintenance and configuration, and backup and recovery have been built into the Grid. A network administrator can manage and configure just about everything related to DNS from the GUI, without having to get into a CLI or having to script. This significantly reduces the possibility of mistyping commands and configurations and enables the routine day-to-day activities to be delegated to junior admins. Ultimately, this helps save organizations money and enables them to provide better service to their customers.

Reporting

An often-overlooked aspect of DNS architecture is reporting. A modern DNS architecture should include a reporting technology that provides centralized visibility and allows users to evaluate the load on the system, diagnose problems, and be alerted when the system is under attack.

Conclusion

Designing a scalable and secure DNS architecture requires more than increased bandwidth and QPS. What looks simple in a small test lab tends to become very complex in a larger deployment. Infoblox Secure DNS Architecture, combined with Infoblox Grid technology, provides a comprehensive, secure, and scalable DNS solution that not only provides low latency and high throughput, but also ensures availability of essential infrastructure to enable your organization to both grow and stay protected without the need for frequent infrastructure upgrades.

Infoblox is the leader in modern, cloud-first networking and security services. Through extensive integrations, its solutions empower organizations to realize the full advantages of cloud networking today, while maximizing their existing infrastructure investments. Infoblox has over 12,000 customers, including 70 percent of the Fortune 500.

Corporate Headquarters | 2390 Mission College Boulevard, Ste. 501 | Santa Clara, CA | 95054
+1.408.986.4000 | [email protected] | www.infoblox.com

© 2020 Infoblox, Inc. All rights reserved. Infoblox logo, and other marks appearing herein are property of Infoblox, Inc. All other marks are the property of their respective owner(s).