Debunking the myths of DNS security
For years, we’ve been pioneering the use of DNS to enforce security. We recognized that DNS was often a blind spot for organizations and that using DNS to enforce security was both practical and effective. Why? Because DNS isn’t optional. It’s foundational to how the internet works and and is used by every single device that connects to the network. If you’re considering using DNS for security, it’s important to understand the facts so you can combat the fiction.
Myth: DNS can only provide limited insights for threat intelligence
Thanks to DNS, we have a view of the internet that is unlike any other security provider. Using a combination of historical and live data from over 140B+ daily requests across 90 million daily users, we apply multiple statistical and machine-learning models. We then derive meaningful insights from this diverse data set, which allows us to:
- Associate attacks with specific domains, IPs, ASNs, file hashes, and email addresses in order to map out attacker infrastructure.
- Use WHOIS record data to see domain ownership and uncover other malicious domains registered with the same contact information
- See suspicious spikes in global DNS requests to a specific domain.
- Predict where future attacks might be staged by identifying related domains and IPs that are associated with malware.
- Detect fast flux domains and domains created by Domain Generation Algorithms.
- Access a massive passive DNS database to see historical data about domains.
We’ve resolved 175,427,918,134,461 (and counting!) DNS requests since 2006 –– ask other security providers if their data for threat intelligence can match this scale. You can learn more about our intelligence here: umbrella.cisco.com/products/our-intel
Myth: A DNS security provider is vulnerable to things like DNS hijacking, DNS cache poisoning, DDoS attacks, and DNS tunneling services
While it’s true that DNS providers, their infrastructure or their products can be impacted by various threats, those aren’t things that keep our customers up at night.
That’s because we’ve taken numerous steps to ensure our infrastructure and products are protected, including:
- Designing our global network using best practices and resilient architectures to withstand larger attacks without users experiencing any performance degradation.
- Overprovisioning machine resources for each resolver at each site to be an order of magnitude over target capacity. We use a BGP and IP Anycast infrastructure to distribute the effects of DDoS attacks globally over our data centers with public resolvers.
Umbrella also has several features that minimizes the effects from malicious clients sending DNS traffic through our infrastructure, including:
- Rate-limiting DNS queries for ‘ANY’ records
- Rate-limiting DNS responses with extremely long ‘TXT’ records
- Rate-limiting duplicate DNS queries that exceed a threshold
- Blacklisting domain names with hundreds of ‘A’ records
- Monitors which client IPs send the most queries and using the most bandwidth
To protect against poisoned DNS caches, Umbrella adds entropy to nameserver requests using several methods, including:
- Using new random source ports for each upstream query
- Using random DNS transaction IDs for each upstream query
- Shuffling the order of authoritative nameservers used for each upstream query
For DNS tunneling services:
We have a security category within Umbrella specifically designed to block DNS tunnelling services. If your organization is concerned about users leveraging DNS tunnelling, simply enable the category within the policy wizard. This will prevent users from accessing a number of DNS Tunneling services.
To learn more about the DNS tunneling VPN category, read our blog post.
Myth: DNS security alone is enough to protect an organization
Actually, this statement is a myth! Relying solely on DNS for your security is not enough — some sites require deeper inspection. For Umbrella, we use DNS as a starting point to get traffic to our cloud platform and enforce security. With DNS, we can route safe requests and block malicious domains — unlike other proxies that have to intercept every single request. Risky domains (domains that we can’t classify as safe or malicious) require us to go beyond DNS. Using our cloud-based intelligent proxy, we leverage Cisco Talos threat intelligence and other third-party feeds to determine if a URL is malicious as well as check file signatures and reputation. Using anti-virus (AV) engines and Cisco Advanced Malware Protection (AMP), we’re able to inspect files attempted to be downloaded from risky sites. DNS resolver services and the intelligent proxy are just two components of Umbrella, our secure internet gateway.
Here at Cisco, we’ll continue to uncover the truth and ensure that our users can connect with confidence, anywhere they work. If you’re interested in seeing how your organization can start using DNS (and more!) for security, visit signup.umbrella.com to start a free trial of Umbrella.