DNS for Network Security: Protecting your Network with DNS Resolvers

The Domain Name System (DNS) was designed to simplify how we interface with the internet. Imagine a world where you have to remember that CleanBrowsing is located here: Meaning, you’d open your favorite browser and type in the IP to get to the website.

It’s laughable to think of such an experience, but in reality the only reason that isn’t how we interface with the web is because of DNS.

The creation of DNS not only simplified internet navigation but also allowed for the growth of the internet by making it extremely easy to use (i.e., fostering adoption). I consider it a part of the fabric of the internet, and all of us interface with it daily – whether we’re using our favorite social platform, sending emails, making updates, or even logging into our networks and machines.

With the good, however, comes the bad. Today’s cyber attacks heavily rely on DNS activity as well.

1 in 3 breaches could have been contained by DNS (Global Cyber Alliance | The Economic Value of DNS Security)

This is why securing your DNS should be at the top of your list as you start planning your security enhancements in 2024.

Three Threats DNS Security Addresses

Securing your infrastructures DNS resolvers offer your organization two key benefits: protection and detection. They allow you to prevent malicious communication, while also allow you to detect anomalous behavior on your network that could be indicators of a security event.

There are three key threats having a secure DNS resolver help with:

  1. Malware Distribution
  2. Phishing
  3. Command & Control

Threat 1: Malware Distribution

Malware is short for malicious software, and often attributed with desktops and servers. We think of it as threats solved for by our AV and EDR solutions. Where it typically falls short are on malicious software (malware) distributed via websites.

This website malware can manifest itself in various forms (e.g., virus, worms, spyware, adware, etc…). One of the more prominent types of malware distributed via websites are “information stealers” designed to do just that, steal information (e.g., credentials).

OpenDNS shared a report in 2021 that shows the relationship of malware types to DNS activity:

In their report, they found:

  • 70 percent of organizations had users that were served malicious browser ads.
  • 51 percent of organizations encountered ransomware-related activity.
  • 48 percent found information-stealing malware activity.

OpenDNS – Threats and Trends Security Part I

Threat 2: Phishing

Phishing is like receiving a deceptive message, often pretending to be from a trusted source, asking for personal information. We’ve all fallen victim to this at some point, whether through an email, social media, or text message.

Bad actors that employ Phishing tactics leverage DNS in a few unique ways:

Fake WebsitesThey register domain names similar to the real ones, hoping users won’t notice the difference (e.g., using “paypa1.com” instead of “paypal.com”).

By manipulating DNS, they direct users to their fake websites when the users enter the familiar web address.
URL SpoofingPhishing emails or messages may contain links that appear legitimate but actually lead to malicious websites.

Attackers use DNS to associate their deceptive URLs with IP addresses, making it seem like you’re visiting a trustworthy site.
Hostile TakeoversPhishers can compromise legitimate domain names by exploiting weaknesses in DNS settings.

They may change DNS records to redirect traffic intended for a genuine site to their malicious server, intercepting sensitive information.
Email SpoofingPhishing emails may contain links pointing to deceptive websites, and these links might use subdomains that appear trustworthy.

By manipulating DNS records, attackers can make these subdomains seem legitimate, increasing the likelihood of users falling for the phishing attempt.

Threat 3: Command & Control

Command and Control (C&C) nodes is a component of a malicious network that serves as a communication hub for bad actors. It’s typically a server that cybercriminals use to manage and control compromised devices within a targeted network. The primary purpose of a C&C node is to maintain communication with infected systems, issue commands, and receive data from the compromised devices.

There a few different ways that C&C nodes make use of DNS:

Domain Generation Algorithm (DGA)Some malware uses a Domain Generation Algorithm (DGA) to dynamically generate a large number of domain names.

The malware-infected device periodically queries these generated domains in an attempt to find the active C2 server.

This helps the malware evade detection, as the C2 domain names are constantly changing.
DNS TunnelingCybercriminals can use DNS as a covert communication channel to exchange data between the infected device and the C2 server.

Instead of using standard communication protocols, malicious data is encoded and transmitted through DNS requests and responses, which can be harder to detect.
Domain FluxingSimilar to DGA, domain fluxing involves rapidly changing the IP address associated with a domain to make it challenging for security systems to block or track the malicious infrastructure.

The C2 node periodically changes the DNS records, and infected devices are programmed to query the dynamically changing domains.
Subdomain AbuseAttackers may create a large number of subdomains under a legitimate domain, and these subdomains are used as rendezvous points for communication.

DNS requests for these seemingly harmless subdomains may carry encrypted commands or data between the infected devices and the C2 server.
DNS ExfiltrationSome malware uses DNS to exfiltrate data from the compromised network. The malware encodes sensitive information and includes it in DNS requests sent to the C&C node.

DNS Resolvers for Network Security

DNS resolvers, like CleanBrowsing, can play an important role in an organizations layered defense against the threats posed by malware distribution, Phishing, and Command and Control (C&C) nodes.

Here are a few of the more notable benefits your organization can get when leveraging a third-party DNS resolver:

Domain Reputation and FilteringDNS resolvers integrate with domain reputation services that maintain lists of known malicious domains. When a user attempts to access a website, the DNS resolver checks the domain against these reputation lists.

If the domain is flagged as malicious (associated with malware distribution, C&C nodes, or phishing), the resolver can block access, preventing users from connecting to harmful sites.
Blacklisting and SinkholingDNS resolvers are configured to maintain blacklists of domains associated with malicious activities.

When a DNS request is made for a domain on the blacklist (e.g., a known C&C server), the resolver can redirect the request to a “sinkhole” address, effectively preventing the device from communicating with the malicious server.
Anomaly DetectionDNS resolvers can employ anomaly detection mechanisms to identify unusual patterns in DNS queries that may indicate malicious activities.

For example, a sudden increase in DNS requests to a particular domain or a high volume of requests from a specific IP address could be indicative of a malware outbreak or a C&C communication attempt.
Threat Intelligence IntegrationDNS resolvers can be integrated with threat intelligence feeds, which provide real-time information about emerging threats.

This integration allows a resolver to quickly identify and block access to domains associated with the latest malware campaigns, C&C infrastructure, or phishing schemes.
Content FilteringDNS resolvers can be configured to perform content filtering based on categories, blocking access to domains known for hosting malicious content or phishing pages.

This helps in preventing users from inadvertently accessing harmful websites that could compromise their devices or compromise sensitive information.
Encryption and Privacy MeasuresEncrypted DNS protocols, such as DNS over HTTPS (DoH) or DNS over TLS (DoT), can enhance privacy and prevent attackers from eavesdropping on DNS traffic to gather information about a network’s activities.

By putting these tools to work, DNS resolvers become key players in actively keeping your network secure. A side benefit, beyond security, is that third-party options like CleanBrowsing, give your network additional perks in the realm of improved speed, a global reach, and a more resilient network.

Curious about how CleanBrowsing can make a difference for your organization or just want to chat? Drop us a line at sales@cleanbrowsing.org anytime – we’re here to help!