When you say Domain Name System (DNS), you might think, naturally enough, of domain names and the technical details of running your Internet connection. You might be concerned about denial of service attacks on your website, or someone hijacking and defacing it.
While those certainly matter, DNS isn't just for looking up Web URLs any more; it's used by software to check licences, by video services to get around firewalls and, all too often, by attackers stealing data from your business. Plus, your employees may be gaily adding free DNS services to their devices that, at the very least, mean you're not in full control of your network configuration. DNS is a fundamental part of your infrastructure, key to business productivity and a major avenue of attack, and you probably have very little idea of what's going on across it.
DNS is the most ubiquitous protocol on the Internet, but it's also probably the most ignored. Data Leak Protection (DLP) systems that check protocols used by email, web browsers, peer-to-peer software and even Tor often neglect DNS. "Nobody looks much at DNS packets, even though DNS underlies everything," says Cloudmark CTO Neil Cook. "There's a lot of DLP done on web and email but DNS is sitting there, wide open."
Data lost in the Sally Beauty breach last year was exfiltrated in packets disguised as DNS queries, but Cook points out some unexpected though legitimate uses: "Sophos uses DNS tunnelling to get signatures; we even use it for licensing."
A number of vendors are starting to offer DNS tools, from Infoblox's appliances to OpenDNS' secure DNS service; Palo Alto Networks is starting to offer DNS inspection services, U.K. domain registry Nominet has just launched its Turing DNS visualisation tool to help businesses spot anomalies in their DNS traffic, and Cloudmark analyzes patterns of DNS behavior to help detect links in email going to sites that host malware. There are also any number of plugins for common monitoring tools that will give you basic visibility of what's going on.
Few businesses do any monitoring of their DNS traffic, despite it being the source of many attacks. DNS tunnelling isn't used only by the malware that runs on Point of Sale systems and captures customer credit cards, as in the attacks on Sally Beauty, Home Depot and Target. DNS is the most ubiquitous command and control channel for malware, and it is also the channel used to carry data that malware has stolen out of your business.
"DNS is frequently used as a conduit to surreptitiously tunnel data in and out of the company," says Cricket Liu, the chief DNS architect at Infoblox, "and the reason people who write malware are using DNS to tunnel out this traffic is because it's so poorly monitored, most people have no idea what kind of queries are going over their DNS infrastructure."
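The monitoring gap Liu describes can be narrowed at a basic level with nothing more than a script over resolver query logs, scoring each zone on the indicators that tunnelling tools tend to leave: very long labels, high-entropy (encoded-looking) subdomains, large numbers of one-off names under a single zone, and a query mix made up entirely of record types such as TXT that can carry bulky answers. The following is an added example, not code from the article or from any of the vendors named in it; the log layout, the thresholds, the constructed sample lines and the domain names are all assumptions made for the example.

```python
"""Score DNS query logs for tunnelling indicators (added example).

Assumed log layout (constructed; BIND, Windows DNS and passive-DNS sensors
each use their own, so only parse_line() would need changing):
    <timestamp> <client-ip> <query-name> <query-type>
"""
import hashlib
import math
from collections import defaultdict

# Thresholds are illustrative assumptions, not values from the article.
MAX_LABEL_LEN = 40                 # tunnels pack payload into long labels
ENTROPY_THRESHOLD = 3.5            # bits per char; encoded data looks random
UNIQUE_SUBDOMAIN_THRESHOLD = 20    # many one-off names under a single zone
SUSPECT_QTYPES = {"TXT", "NULL"}   # record types that can carry bulky answers


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    timestamp, client, qname, qtype = line.split()
    return timestamp, client, qname.rstrip(".").lower(), qtype.upper()


def base_domain(qname):
    """Last two labels; production code should use the Public Suffix List
    so that names such as example.co.uk are grouped correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze_dns_log(lines):
    """Per-zone statistics; each entry carries a 'reasons' list that is
    empty when nothing about the zone looks like tunnelling."""
    stats = {}
    for line in lines:
        if not line.strip():
            continue
        _, client, qname, qtype = parse_line(line)
        zone = base_domain(qname)
        sub = qname[: -len(zone)].rstrip(".") if qname != zone else ""
        st = stats.setdefault(zone, {"queries": 0, "clients": set(),
                                     "subdomains": set(), "max_label": 0,
                                     "max_entropy": 0.0, "suspect_qtypes": 0})
        st["queries"] += 1
        st["clients"].add(client)
        if sub:
            st["subdomains"].add(sub)
            st["max_label"] = max(st["max_label"],
                                  max(len(lab) for lab in sub.split(".")))
            st["max_entropy"] = max(st["max_entropy"],
                                    shannon_entropy(sub.replace(".", "")))
        if qtype in SUSPECT_QTYPES:
            st["suspect_qtypes"] += 1

    for st in stats.values():
        reasons = []
        if st["max_label"] > MAX_LABEL_LEN:
            reasons.append("long label")
        if st["max_entropy"] > ENTROPY_THRESHOLD:
            reasons.append("high-entropy subdomain")
        if len(st["subdomains"]) > UNIQUE_SUBDOMAIN_THRESHOLD:
            reasons.append("many unique subdomains")
        if st["queries"] and st["suspect_qtypes"] == st["queries"]:
            reasons.append("only TXT/NULL queries")
        st["reasons"] = reasons
    return stats


def flagged(report):
    """Sorted list of zones that triggered at least one indicator."""
    return sorted(zone for zone, st in report.items() if st["reasons"])


# Constructed sample log. Ordinary traffic: short, low-entropy names.
SAMPLE_LOG = [
    "2015-03-05T10:00:00Z 10.0.0.5 www.example.com A",
    "2015-03-05T10:00:01Z 10.0.0.5 mail.example.com MX",
    "2015-03-05T10:00:02Z 10.0.0.7 www.example.com A",
]
# Tunnel-like traffic: 25 distinct 60-character hex labels under one zone,
# all TXT queries. Derived from sha256 so the sample is deterministic.
for i in range(25):
    label = hashlib.sha256(str(i).encode()).hexdigest()[:60]
    SAMPLE_LOG.append(
        f"2015-03-05T10:01:{i:02d}Z 10.0.0.9 {label}.exfil-test.invalid TXT")

if __name__ == "__main__":
    for zone, st in analyze_dns_log(SAMPLE_LOG).items():
        print(f"{zone}: {st['queries']} queries, {len(st['subdomains'])} "
              f"subdomains, max entropy {st['max_entropy']:.2f}, "
              f"reasons={st['reasons'] or 'none'}")
```

Run against a real resolver log, the same per-zone view also surfaces the legitimate tunnelling Cook mentions (signature and licence checks), which is exactly why a flagged zone should be reviewed rather than blocked outright: an allow-list of known vendor zones, combined with the client set recorded per zone, separates a product's update channel from one workstation talking to a zone nobody else in the business has ever queried.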