Security Security with DNS Lead image: Lead Image © alhovik, 123RF.com

Up your security with local DNS resolvers

Ace on the Network

Local DNS resolution servers provide cost-effective security for applications, services, and users. By Paul Vixie

With limited time and resources, IT administrators generally focus on tools and issues constantly in the forefront. As a result, their understanding of the Domain Name System (DNS) might be only superficial. DNS is an elementary part of the digital world, and companies in almost all areas are now partially or completely dependent on services and data that would not be possible without networking over the Internet and local networks. Without DNS resolvers, which convert IP addresses into human-readable addresses, and vice versa, large IP-based networks would be inconceivable.

The technology also offers great potential for IT security, which many organizations overlook. Companies often rely on external service providers, which creates unnecessary security risks and quashes the significant added value that could be generated by operating a DNS resolver. In this article, I talk about why you should set up your own local DNS resolution server to monitor and protect your applications, services, and users against potential risks.

Advantages of Local DNS Resolvers

Global DNS services for name resolution are usually provided by Internet providers. Continuous consolidation of the market has created some dominant players such as Google, Cisco, IBM, and Cloudflare. These companies essentially provide the name resolution service that was originally provided by the network operators themselves. In some ways, this is a natural development, because these external DNS resolution services are free and convenient.

What most users don't know is that these services are also an important source of network intelligence for the companies running the DNS services. Many IT administrators working today were not in the IT industry when the DNS resolution service was run on site by local staff (see the "DNS as the Dominant Method" box). As a result of current trends and this generation gap, some benefits are lost by the use of external, global, or local DNS resolution servers.

DNS as the Dominant Method

DNS has been the dominant network strategy for years. Approaches like AppleTalk, DECnet, Systems Network Architecture (SNA), and Xerox Network Systems (XNS) have been abandoned or are hardly used anymore. If you take this into account, you will then determine that useful connections are based on TCP/IP, which in turn uses DNS. Therefore, IT administrators should delve deeper into the use of DNS, although it is often not possible in the scope of their existing tasks. That said, a closer look at how DNS is used by users and applications is very much worthwhile, for example, to better combat online crime.

Many vulnerabilities stem from the different requirements faced by networks today compared with those at the time that DNS was developed. In the 1980s, TCP/IP was mainly designed by research and educational institutions, who maintained only a few large computers – often only one computer – on the entire campus. Because these physically huge computers were expensive to purchase, operate, and maintain, many services and applications shared a single computer, which users could access from rudimentary terminals. Then, as now, users expected fast responses to most DNS queries, usually within milliseconds. Networked applications such as email or file services operate on the assumption that each activity requires at least one-time DNS access that is fast enough not to interfere with the performance of dependent applications and services.

Before the commercialization and privatization of the Internet in the 1990s, cybercrime was rare. When only scientists and engineers could access the Internet and the goals were academic rather than commercial, systems were not of much interest to criminals. Therefore, many of today's attacks are made possible by the total lack of protection mechanisms in some of the oldest core protocols and services on the Internet. Adding security strategies decades later to an established network designed exclusively for trusted users and applications has proven difficult. One of the most serious security problems is the malicious use of DNS. Criminals access the same service for their own purposes as other users do for their legitimate applications.

The first of the four disadvantages of outsourcing name resolution is data protection. External DNS queries are rarely protected against sniffing. Although such protection is currently being developed, it will also significantly increase the complexity of the service. The best way to avoid observation, tracking, and analysis of DNS transactions is not to outsource them in the first place. As a rule, employees do not have to worry about monitoring data transmission within their own corporate network, which makes it a better place to store data that is not intended to be viewed publicly.

Second, organizations inhibit performance with the use of external DNS resolvers. No matter how many DNS servers are working externally, none of them can be reached by users and their applications in less than a millisecond. For example, the number of transactions that can be processed per unit of time will inevitably be less than on your own site because of delays in signal transmission over a greater distance. Most web browsers today contain an internal DNS cache to compensate for this limitation, but most networked applications lack this cache. The need for application-level caching is significantly reduced if a simple, local DNS resolver provides the same benefits for all networked applications in an enterprise.

The third disadvantage of using external DNS resolution servers instead of a local server is security monitoring. In many cases, malware and most botnets use DNS to reach their command and control servers, and some even use it to exfiltrate their victims' confidential information. Every modern DNS service provides a way to monitor outbound traffic and thus detect threats. To leverage the benefits of this kind of monitoring, though, you must be able to see your own traffic. If each application on the network has a direct relationship to an external DNS server, only the service operator, not the company's IT administrator, can investigate the traffic for threats. Some providers offer such scanning services to their users, but most do not. Even those who do so usually monetize their monitoring of data traffic.

The fourth disadvantage relates to reduced scope of management by policy. Today's DNS technology includes the ability to enforce policy by rejecting malicious DNS patterns according to policy settings (from the local security operations center) and policy subscriptions (from external security information providers); however, these extremely powerful features are only available to local server operators for name resolution. Some external DNS resolution providers offer this type of filtering, but the filters are not as granular as they could be for a locally operated server.

Custom-Fit Changeover

Irrespective of the increasing shift to external DNS services, not all users and servers need manually provided local service. A mixture of internal and external DNS servers is not only possible, but quite common. The DNS resolver that you want a server to use is typically specified in the server's network settings, and the configuration for desktops, laptops, and mobile devices can be defined by Dynamic Host Configuration Protocol (DHCP) settings. Therefore, it is possible to experiment and make a gradual transition from the use of external DNS resolution servers to internal servers without unpleasant surprises.

Meanwhile, any open source server platform (e.g., Linux, BSD) offers many free implementations of the DNS name resolution service. The oldest of these is BIND, but newer implementations such as PowerDNS, Unbound, and Knot are also trusted and mature software packages. Most already offer local DNS resolution in their basic configurations. Although these configurations will certainly be adapted and improved over time, the effort required to get started is extremely low. Commercial products are also available for DNS resolution, including from Microsoft, Infoblox, Nominum, BlueCat, and others.

Redundancy is essential. Each site requires at least two independent DNS resolution servers, ideally located on different LAN segments with different power sources. Secure configuration is also important – operators must ensure that no requests from outside the network receive a response: a well-known and very popular method for attackers to increase their capacity for distributed denial of service (DDoS) attacks. It's worth studying documentation, how-to instructions, and forums before deploying a new service, especially for a DNS resolver.

The general procedure for setting up and operating a local DNS service within your corporate campus is as follows:

Search for a solution and a configuration suitable for the transition.
Use at least two different internal (and typically virtual) servers.
Configure the administration side to automate software, configurations, and updates.
Test inside and outside the organization to ensure correct operation.
Monitor events in operations to ensure availability and check the logfiles for all transactions.
Reconfigure a small group of test devices, including servers and end users.
Maintain a vigilant acclimatization phase to acquire measurable results and boost confidence in the new methodology.
Reconfigure a larger number of test candidates or perhaps the rest of the campus.
Provide a test server to experiment with automatic logging and policy filtering.
Explore and test various alternatives for monitoring.
Explore and test various alternatives for filtering the name resolution policy.
Successively introduce new solutions that have achieved good results in your own experiments.

Conclusions

Running your own local DNS resolution servers is one of the easiest and most cost-effective ways an IT administrator can monitor and protect their applications, services, and users against potential risks. These risks, including monitoring uncontrollable external dependencies, attacks via DNS, and attacks that could be detected via DNS, have a far greater cost potential than the alternative outlined here. Moreover, the DNS resolution service is so central to any other IT-related activity that any IT administrator who takes the time to explore and master this technology will increase its effectiveness and grow the value it brings to their business.