Designing a Secure DNS Architecture

WHITE PAPER

In today’s networking landscape, it is no longer adequate to have a DNS infrastructure that simply responds to queries. What is needed is an integrated secure DNS architecture that also enables smart growth.


Introduction

DNS is an essential part of any modern-day organization. DNS, or Domain Name System, is the protocol used for converting fully qualified domain names (FQDNs) such as www.google.com into the machine-usable IP addresses that computers use to communicate with each other. Without a working DNS protocol, it would be almost impossible to have an Internet of Things whose devices can find and communicate with each other.

While there are multiple ways to classify a DNS server, one that is especially relevant to this paper is the difference between primary and secondary DNS servers. A primary DNS server can be defined as one that holds the master copy of a DNS zone, while a secondary server stores copies of the zone that it receives from the primary server. There could be many reasons for having a secondary DNS server, such as performance or a desire to hide your primary server.

Your customers use your DNS system to reach your website. Without a proper DNS infrastructure, your organization would not have a presence in cyberspace. eCommerce companies would not be able to sell their services. Even brick-and-mortar companies need DNS servers to advertise their products. In short, the Internet as we know it would not exist without the DNS protocol.

Architecting Your DNS

As the demand for an organization’s services grows, so does the load on its DNS servers. At some point, whether it is due to legitimate traffic or a malicious distributed denial of service (DDoS) attack, the load on the DNS server exceeds the capacity of the server. At this point every organization looks for ways to increase DNS queries-per-second (QPS) capacity.

One approach to this problem is to augment the primary DNS server with a faster, secondary DNS server. This approach works more efficiently if the two servers are integrated and use the same database and interfaces. Using two separate DNS servers here can introduce some interoperability issues in basic features like backup and restore, reporting, and management in general. A unified interface is also an important consideration here and can ensure preservation of your investment, and lower total cost of ownership (TCO).

Another solution here is to deploy several DNS servers behind a load balancer. This approach works best if the DNS servers are unified to ensure ease of management and deployment consistency to all servers.

When designing a DNS infrastructure, it is important to build an environment that is not only sufficient for current needs, but also provides room for future growth. In addition, while architecting your DNS, it is also important to understand the security threats the DNS might be vulnerable to. We will discuss these next.


Securing the DNS Platform

Hacking of DNS servers is becoming more prevalent every day. Conventional DNS servers have multiple attack surfaces and extraneous ports such as port 80 and port 25 that are open for attack. Hackers can use these ports to access the operating system (OS) and hack your servers. If your DNS servers don’t support tiered security privileges, any user could potentially gain access to OS-level account privileges and cause configuration changes that could make your servers vulnerable to hacks. Moreover, updates to conventional DNS servers often require time-consuming manual processes.

Defending against DNS Attacks

Another consideration is protection of your DNS infrastructure from external attacks. Authoritative DNS servers are reachable from the Internet. This makes them potentially vulnerable to attacks such as DNS flood and amplification, which can effectively stop your DNS server from responding. It is also important to prevent these servers from becoming a tool to attack other servers (DNS reflection attack). Reflection attacks can damage your company’s reputation and cost money in the long run.

Even though your authoritative server sits behind a firewall, most of these attacks cannot be mitigated by typical firewalls. Firewalls are ill-prepared to protect you against application-layer attacks. The ones that do, the so-called NextGen firewalls, tend to have very little coverage for DNS protocols. These solutions typically spread their security policies across a large number of protocols and sacrifice depth for breadth of coverage.

Load balancers offer some basic level of protection against DNS floods like NXDOMAIN DDoS attacks. However, there is a whole suite of DNS-based attacks that can target your external authoritative DNS servers, and the mitigation capabilities of load balancers fall short when it comes to addressing all of them. For example, load balancers cannot protect against bad or malformed DNS queries. Load balancers respond to DDoS attacks at the DNS security perimeter by scaling performance and spreading the load across multiple devices using IP Anycast. Merely adding more load balancers to the environment can prove to be an inefficient and costly method of handling attacks.

Regardless of the protection technique that you use, it is important to stay one step ahead of the attackers. Keeping protection up-to-date is key as the DNS threat landscape continuously evolves, and attacks change form. It is also essential to ensure that the update of protection rules is done automatically. With the new level of sophistication that we are seeing in modern-day attacks, it is not possible to manually create and add detection rules to your DNS. Enterprises need specialized and automated DNS protection.


Volumetric Attacks

These attacks, sometimes referred to as DoS or DDoS, rely on exhausting a device’s resources. A typical DNS DDoS sends tens or hundreds of thousands of queries per second to a DNS server in order to exhaust the resources on the DNS server and cause a service outage.

The historical approach to a DNS DDoS attack has been to increase your capacity, either by placing your DNS infrastructure behind a load balancer or by using a faster secondary DNS server to augment your primary server. The problem with this approach is that it is a temporary patch. According to Arbor Networks, 2013 included several DNS DDoS attacks of 100 Gbps or more. With DNS-based volumetric attacks making up 10% of overall volumetric attacks and growing, we can only expect this number to grow. Putting a load balancer or a faster secondary server in front of the DNS server is not a cost-effective approach to DDoS protection. This amounts to a temporary patch and requires the organization to ramp up its infrastructure every time the bad guys catch up to them. You need intelligent DNS DDoS protection that does not respond to queries indiscriminately but distinguishes legitimate traffic from attack traffic.

DNS-specific Attacks

Another soft spot for a DNS infrastructure is the actual protocol. When the DNS protocol was developed, few could have envisioned a world where malicious agents or disgruntled workers could exploit or bring down your DNS server. Today we realize that any DNS server can be the target of DNS-specific attacks. These take many forms:

• DNS reflection

• DNS amplification

• DNS exploits

• DNS protocol anomalies

• DNS tunneling

• Cache poisoning

The various intentions of these types of attacks are to:

• Congest outbound server bandwidth (in the case of amplification attacks), overwhelming network components like firewalls in the path

• Flood the DNS server with traffic to slow it down and prevent it from responding to legitimate queries

• Cause the DNS server to crash by exploiting its vulnerabilities

A proper DNS infrastructure should protect your DNS server against these business-impacting attacks.

Preventing Malware and APTs from Using DNS

Data breaches are growing at a staggering pace, and over 100,000 new Malware samples are being catalogued every day. In 2013, there were 3,000 security incidents with a total of 822 million records exposed worldwide. Many of the breaches were driven by Malware and advanced persistent threats (APTs). Investing in next-generation firewalls or intrusion prevention systems (IPSs) can


Malware and APTs evade traditional security defenses by using DNS to find and communicate with botnets and command-and-control servers. Botnets and command-and-control servers hide behind constantly changing combinations of domains and IP addresses. Once internal machines connect to these devices, additional malicious software is downloaded or sensitive company data is exfiltrated. Sometimes Malware and APT attacks are hidden or disguised by external attacks on networks. During an external attack, IT staff are distracted in protecting the network, and might miss alerts or warning logs about Malware and APT activity within the network. By having a single integrated and centrally managed DNS infrastructure (external and internal) with visibility into both external attacks and Malware and APT activity, IT will be able to comprehend the totality of events and take appropriate action.

Infoblox Secure DNS

Infoblox Purpose-built Appliance and OS

Infoblox provides hardened, purpose-built DNS appliances with minimized attack surfaces with:

• No extra or unused ports open to access the servers

• No root login access with the OS

• Role-based access to maintain overall control

All access methods are secured:

• Two-factor authentication for login access

• Web access using HTTPS for encryption

• SSL encryption for appliance interaction via API

The DNS appliances are Common Criteria EAL2 certified, which covers verification of hardware, software, and manufacturing processes. In addition, OS and application updates happen through a single centralized process, allowing for simple and centralized management and control.

All of the above secures the DNS platform and helps protect DNS services from various hacks.

Infoblox Advanced DNS Protection

Infoblox’s Advanced DNS Protection solves the problems of external attacks that target your DNS. Advanced DNS Protection provides built-in, intelligent attack protection that keeps track of source IPs of the DNS requests as well as the DNS records requested. It can be used to intelligently drop excessive DNS DDoS requests from the same IP, therefore saving resources to respond to legitimate requests.


Figure 1: Advanced DNS Protection response rate under attack

It is important to understand the difference between this technology and BIND’s response rate limiting (RRL). With BIND, requests are received and processed, and only responses are rate limited. This is not an efficient approach since it uses valuable CPU and memory resources to process requests that the DNS server should never respond to. This makes it more likely for the DNS server to exhaust its resources and crash—which is the aim of a DDoS attack to begin with. With Infoblox’s technology, bad requests are dropped before they reach the central processing unit. Hence, it is a much more efficient approach. This technology is available out of the box.
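To make the request-side versus response-side distinction concrete, here is an added simulation (not Infoblox's or BIND's code) that applies the same per-source sliding-window limit in both positions over constructed traffic and counts the lookups each server performs; the limit values, IP addresses and query names are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample traffic as (timestamp_ms, source_ip, qname). 198.51.100.7 floods
# the server with random-subdomain queries; 203.0.113.5 and 203.0.113.9 are normal clients.
SAMPLE_QUERIES = sorted(
    [(t * 10, "198.51.100.7", f"x{t}.example.com") for t in range(300)]
    + [(t * 1000, "203.0.113.5", "www.example.com") for t in range(5)]
    + [(t * 1000 + 500, "203.0.113.9", "mail.example.com") for t in range(5)]
)


class SourceTracker:
    """Per-source sliding window: at most `limit` queries per `window_ms` from one IP."""

    def __init__(self, limit=20, window_ms=1000):
        self.limit, self.window_ms = limit, window_ms
        self.recent = defaultdict(deque)  # source_ip -> timestamps inside the window

    def allow(self, ts, source_ip):
        q = self.recent[source_ip]
        while q and ts - q[0] > self.window_ms:
            q.popleft()                   # forget queries that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def serve(queries, drop_before_lookup, limit=20, window_ms=1000):
    """Simulate one server. With drop_before_lookup=True excess queries are discarded
    before any zone lookup (request-side dropping); with False every query is looked up
    and only the response is withheld (response rate limiting as the text describes).
    Returns (answered per source, dropped total, lookups performed)."""
    tracker = SourceTracker(limit, window_ms)
    answered, dropped, lookups = defaultdict(int), 0, 0
    for ts, src, _qname in queries:
        if drop_before_lookup:
            if not tracker.allow(ts, src):
                dropped += 1
                continue
            lookups += 1                  # only admitted queries cost a lookup
            answered[src] += 1
        else:
            lookups += 1                  # lookup is spent regardless of the verdict
            if tracker.allow(ts, src):
                answered[src] += 1
            else:
                dropped += 1
    return dict(answered), dropped, lookups


if __name__ == "__main__":
    for mode in (True, False):
        ans, drop, work = serve(SAMPLE_QUERIES, drop_before_lookup=mode)
        print("request-side" if mode else "response-side", ans, drop, work)
```

Both modes answer the same 70 queries (all 10 legitimate ones plus 60 from the flooding source), but the response-side server performs 310 lookups against 70 for the request-side server.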

Of course, an attack on a mid-sized organization would not have the same characteristics as one against a large enterprise. While Infoblox is responsible for creating and maintaining protection rules with Advanced DNS Protection, users can tune the parameters associated with each rule and customize them for their environments. These adjustments are entered through a graphical user interface (GUI) but verified before they are applied to the rule engine, ensuring that the system operates at peak performance. A typical load balancer does not provide this level of customization. Some vendors might provide a scripting language that enables users and consultants to create their own rules. These vendors do not maintain these rules, and users are ultimately applying them at their own risk. This can cause confusion and compatibility problems every time a change is made in the product line.

As mentioned earlier, another attack vector that could be used against a DNS server is protocol-based attacks. These include DNS amplification, reflection, and cache poisoning. Advanced DNS Protection provides prebuilt rules to protect DNS servers against these and similar attacks. Infoblox actively monitors the latest DNS-based vulnerabilities and ensures that it provides protection against these attacks out of the box.

Another advantage of Advanced DNS Protection’s rule set is that it is automatically applied to DNS servers. It does not require manual intervention, either through writing

[Figure 1 plot: y-axis DNS Queries per Second, 0 to 550; x-axis Timestamp (Seconds), 0 to 300; series: Attacks, Response to good queries]


Infoblox DNS Firewall

Infoblox DNS Firewall addresses the problem of Malware and APTs using DNS to communicate with botnets and command-and-control servers to exfiltrate data. It detects and mitigates communication attempts by Malware to malicious domains and networks by:

• Enforcing response policies on traffic to suspicious domains, such as blocking it, re-directing users, or allowing the traffic to pass through, so that administrators can decide what to do when a client tries to connect with a suspicious domain

• Leveraging up-to-date threat data both on known malicious domains and zero-day APTs

• Providing timely reporting on malicious DNS queries and pinpointing infected devices that are making the queries
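As an added illustration (not Infoblox's code) of the block / redirect / pass-through enforcement and the per-client reporting described above, the following policy evaluator applies a constructed threat list to constructed client queries; the domain names, walled-garden address, upstream answer and client IPs are placeholders.

```python
# Constructed threat feed: listed domain -> policy action. A real deployment would take
# this from an automatically updated feed; these names live under RFC 2606 test domains.
THREAT_FEED = {
    "c2.bad.example": "block",        # answer NXDOMAIN
    "drop.bad.example": "redirect",   # answer with a walled-garden address
    "watch.bad.example": "passthru",  # answer normally, but log the hit
}
WALLED_GARDEN_IP = "192.0.2.100"      # constructed placeholder address


def match_policy(qname, feed=THREAT_FEED):
    """Return (matched_domain, action) for qname or its nearest listed parent, else None.
    Subdomains inherit the policy: update.c2.bad.example matches c2.bad.example."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate, feed[candidate]
    return None


def apply_policy(client_ip, qname, resolve_upstream):
    """Enforce the policy on one query. resolve_upstream(qname) is the normal resolver
    path. Returns (answer, log_entry); log_entry is None when the name is not listed."""
    hit = match_policy(qname)
    if hit is None:
        return resolve_upstream(qname), None
    domain, action = hit
    entry = {"client": client_ip, "qname": qname, "matched": domain, "action": action}
    if action == "block":
        return "NXDOMAIN", entry
    if action == "redirect":
        return WALLED_GARDEN_IP, entry
    return resolve_upstream(qname), entry  # passthru: real answer, hit still recorded


def infected_devices(log_entries):
    """Reporting step: count policy hits per client so infected endpoints stand out."""
    counts = {}
    for e in log_entries:
        counts[e["client"]] = counts.get(e["client"], 0) + 1
    return counts


# Constructed sample of client queries; 10.0.0.23 behaves like an infected endpoint.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.23", "update.c2.bad.example"),
    ("10.0.0.23", "DROP.bad.example."),
    ("10.0.0.42", "watch.bad.example"),
    ("10.0.0.23", "c2.bad.example"),
]


def run(queries=SAMPLE_QUERIES):
    """Resolve every sample query; returns (answers, policy log, hits per client)."""
    answers, log = [], []
    for client, qname in queries:
        answer, entry = apply_policy(client, qname, lambda _n: "203.0.113.10")  # fake upstream
        answers.append(answer)
        if entry:
            log.append(entry)
    return answers, log, infected_devices(log)
```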

[Figure: Infoblox Advanced DNS Protection with DNS Firewall. Diagram labels: INTERNET, DMZ, INTRANET; Infoblox Advanced DNS Protection; Infoblox DNS Caching Server; Endpoints; external attacks (reconnaissance, exploits, reflection/amplification, cache poisoning, DNS tunneling) mixed with legitimate traffic; internal attacks (Malware/APT); "Block DNS attacks"; Automated Threat Update Service providing rule updates for DNS-based attacks and updates for Malware/APT; "Send data for reports".]


Flexibility and Ease of Use

Regardless of what technology is used to protect an organization against external attacks, it is important to consider soft benefits of the technology. After all, the best technical solution might become shelfware if it is unrealistically difficult and cumbersome to implement. Most of today’s technologies rely heavily on command-line interfaces (CLIs) and scripting languages. While these technologies look promising in architecture diagrams, the implementation phase for them is too expensive and they are too hard to maintain, resulting in enterprises never implementing the full solution. Infoblox offers its patented Infoblox Grid™ technology. Important features like high-availability, disaster recovery, maintenance and configuration, and backup and recovery have been built into the Grid. A network administrator can manage and configure just about everything related to DNS from the GUI, without having to get into a CLI or having to script. This significantly reduces the possibility of mistyping commands and configurations and enables the routine day-to-day activities to be delegated to junior admins. Ultimately, this helps save organizations money and enables them to provide better service to their customers.

Reporting

An often-overlooked aspect of DNS architecture is reporting. A modern DNS architecture should include a reporting technology that provides centralized visibility and allows users to evaluate the load on the system, diagnose problems, and be alerted when the system is under attack.

Figure 3: Infoblox Reporting

Conclusion

Designing a scalable and secure DNS architecture requires more than increased bandwidth and QPS. What looks simple in a small test lab tends to become very complex in a larger deployment. Infoblox Secure DNS Architecture, combined with Infoblox Grid technology, provides a comprehensive, secure, and scalable DNS solution that not only provides low latency and high throughput, but also ensures availability of essential infrastructure to enable your organization to both grow and stay protected without the need for frequent infrastructure upgrades.


Corporate Headquarters: +1.408.986.4000, +1.866.463.6256 (toll-free, U.S. and Canada), [email protected]

EMEA Headquarters: +32.3.259.04.30, [email protected]

APAC Headquarters: +852.3793.3428, [email protected]
