Security with DNS

Up your security with local DNS resolvers

Ace on the Network

Local DNS resolution servers provide cost-effective security for applications, services, and users. By Paul Vixie

With limited time and resources, IT administrators generally focus on the tools and issues constantly at the forefront. As a result, their understanding of the Domain Name System (DNS) might be only superficial. DNS is an elementary part of the digital world, and companies in almost all areas are now partially or completely dependent on services and data that would not be possible without networking over the Internet and local networks. Without DNS resolvers, which convert human-readable names into IP addresses, and vice versa, large IP-based networks would be inconceivable.

The technology also offers great potential for IT security, which many organizations overlook. Companies often rely on external service providers, which creates unnecessary security risks and quashes the significant added value that could be generated by operating a DNS resolver. In this article, I talk about why you should set up your own local DNS resolution server to monitor and protect your applications, services, and users against potential risks.

Advantages of Local DNS Resolvers

Global DNS services for name resolution are usually provided by Internet providers. Continuous consolidation of the market has created some dominant players such as Google, Cisco, IBM, and Cloudflare. These companies essentially provide the name resolution service that was originally provided by the network operators themselves. In some ways, this is a natural development, because these external DNS resolution services are free and convenient.

What most users don't know is that these services are also an important source of network intelligence for the companies running them. Many IT administrators working today were not in the IT industry when the DNS resolution service was run on site by local staff (see the "DNS as the Dominant Method" box). As a result of current trends and this generation gap, some benefits are lost when name resolution is handled by external rather than local DNS resolution servers.

The first of the four disadvantages of outsourcing name resolution is data protection. External DNS queries are rarely protected against sniffing. Although such protection is currently being developed, it will also significantly increase the complexity of the service. The best way to avoid observation, tracking, and analysis of DNS transactions is not to outsource them in the first place. As a rule, employees do not have to worry about monitoring data transmission within their own corporate network, which makes it a better place to store data that is not intended to be viewed publicly.

Second, organizations inhibit performance with the use of external DNS resolvers. No matter how many DNS servers are working externally, none of them can be reached by users and their applications in less than a millisecond. Consequently, the number of transactions that can be processed per unit of time will inevitably be less than on your own site because of delays in signal transmission over a greater distance. Most web browsers today contain an internal DNS cache to compensate for this limitation, but most networked applications lack such a cache. The need for application-level caching is significantly reduced if a simple, local DNS resolver provides the same benefits for all networked applications in an enterprise.

The third disadvantage of using external DNS resolution servers instead of a local server is security monitoring. In many cases, malware and most botnets use DNS to reach their command and control servers, and some even use it to exfiltrate their victims' confidential information. Every modern DNS service provides a way to monitor outbound traffic and thus detect threats. To leverage the benefits of this kind of monitoring, though, you must be able to see your own traffic. If each application on the network has a direct relationship to an external DNS server, only the service operator, not the company's IT administrator, can investigate the traffic for threats. Some providers offer such scanning services to their users, but most do not. Even those who do so usually monetize their monitoring of data traffic.

The fourth disadvantage relates to a reduced scope for management by policy. Today's DNS technology includes the ability to enforce policy by rejecting malicious DNS patterns according to policy settings (from the local security operations center) and policy subscriptions (from external security information providers); however, these extremely powerful features are only available to operators of local name resolution servers. Some external DNS resolution providers offer this type of filtering, but the filters are not as granular as they could be on a locally operated server.
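The third and fourth disadvantages above only matter if you can see and act on your own query stream. The following added example (not code from the article or from any resolver project) shows what that looks like on a local resolver: it runs a constructed query log through a policy list, assumed here to resemble an RPZ feed or a SOC blocklist, and flags clients whose query pattern looks like DNS tunnelling. The log format, hostnames, addresses and thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict
# Constructed sample in the shape of a resolver query log: client IP, qtype, qname.
SAMPLE_LOG = """\
10.0.1.20 A www.example.com
10.0.1.20 A cdn.example.net
10.0.1.33 A 3f9a1c7e2b.x.tunnel-example.test
10.0.1.33 A a81bb03ffc.x.tunnel-example.test
10.0.1.33 A 99e4d1a0c7.x.tunnel-example.test
10.0.1.33 A b0c2e7f14d.x.tunnel-example.test
10.0.1.41 A bad-c2-example.test
"""
# Constructed policy list standing in for an RPZ feed or a SOC-maintained blocklist.
BLOCKLIST = {"bad-c2-example.test"}

def parse(log):
    # Yield (client, qtype, qname); qnames lowercased with any trailing dot removed.
    for line in log.splitlines():
        client, qtype, qname = line.split()
        yield client, qtype, qname.lower().rstrip(".")

def registered_domain(qname):
    # Naive owner domain (last two labels); real code would use the public suffix list.
    return ".".join(qname.split(".")[-2:])

def matches_policy(qname, blocklist):
    # RPZ-style QNAME match: the name itself or any parent domain is on the list.
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def entropy(s):
    # Shannon entropy in bits per character; random-looking labels score high.
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s)))

def analyze(log, blocklist, min_names=4, min_label_len=8, min_entropy=2.5):
    # Blocklist hits plus (client, domain) pairs with many distinct, long, high-entropy labels.
    policy_hits, names_by_pair = [], defaultdict(set)
    for client, _qtype, qname in parse(log):
        if matches_policy(qname, blocklist):
            policy_hits.append((client, qname))
        names_by_pair[(client, registered_domain(qname))].add(qname)
    tunnel_suspects = []
    for (client, domain), names in sorted(names_by_pair.items()):
        leftmost = [n.split(".")[0] for n in names]  # the label a tunnel varies per query
        if (len(names) >= min_names
                and sum(map(len, leftmost)) / len(leftmost) >= min_label_len
                and sum(map(entropy, leftmost)) / len(leftmost) >= min_entropy):
            tunnel_suspects.append((client, domain))
    return {"policy_hits": policy_hits, "tunnel_suspects": tunnel_suspects}
```

On the sample, `analyze(SAMPLE_LOG, BLOCKLIST)` reports 10.0.1.41 as a policy hit and 10.0.1.33 as a tunnelling suspect, while the ordinary web lookups from 10.0.1.20 are left alone.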

Custom-Fit Changeover

Irrespective of the increasing shift to external DNS services, not all users and servers need manually provided local service. A mixture of internal and external DNS servers is not only possible, but quite common. The DNS resolver that you want a server to use is typically specified in the server's network settings, and the configuration for desktops, laptops, and mobile devices can be defined by Dynamic Host Configuration Protocol (DHCP) settings. Therefore, it is possible to experiment and make a gradual transition from the use of external DNS resolution servers to internal servers without unpleasant surprises.

Meanwhile, any open source server platform (e.g., Linux, BSD) offers many free implementations of the DNS name resolution service. The oldest of these is BIND, but newer implementations such as PowerDNS, Unbound, and Knot are also trusted and mature software packages. Most already offer local DNS resolution in their basic configurations. Although these configurations will certainly be adapted and improved over time, the effort required to get started is extremely low. Commercial products are also available for DNS resolution, including from Microsoft, Infoblox, Nominum, BlueCat, and others.

Redundancy is essential. Each site requires at least two independent DNS resolution servers, ideally located on different LAN segments with different power sources. Secure configuration is also important: operators must ensure that requests from outside the network receive no response, because resolvers that answer anyone are a well-known and very popular means for attackers to amplify distributed denial of service (DDoS) attacks. It's worth studying documentation, how-to instructions, and forums before deploying a new service, especially a DNS resolver.

The general procedure for setting up and operating a local DNS service within your corporate campus is as follows:

Conclusions

Running your own local DNS resolution servers is one of the easiest and most cost-effective ways an IT administrator can monitor and protect their applications, services, and users against potential risks. These risks, including external dependencies you can neither monitor nor control, attacks via DNS, and attacks that could be detected via DNS, have a far greater cost potential than the alternative outlined here. Moreover, the DNS resolution service is so central to every other IT-related activity that any IT administrator who takes the time to explore and master this technology will increase their effectiveness and grow the value they bring to their business.