There's also the problem of people using DNS to bypass network security controls; that might be employees avoiding network restrictions, security policies or content filtering, or it might be attackers avoiding detection.
DNS attacks are a widespread problem
In a recent Vanson Bourne study of U.S. and U.K. businesses, 75 percent said they'd suffered a DNS attack (including denial of service and DNS hijacking as well as data theft through DNS), with 49 percent having experienced an attack during 2014. Worryingly, 44 percent said it was hard to justify investments in DNS security because senior management didn't recognize the issue.
That's because they think of DNS as a utility, suggests Nominet CTO Simon McCalla. "For most CIOs, DNS is something that happens in the background and isn't a high priority for them. As long as it works, they're happy. However, what most of them don't realize is that there is a wealth of information inside their DNS that tells them what is going on within their network internally."
Liu is blunter: "I'm surprised how few organizations bother to do any kind of monitoring of their DNS infrastructure. DNS doesn't get any respect, yet TCP/IP networks don't work without DNS; it's the unrecognized linchpin." Liu insists "it's not rocket science to put in monitoring of your DNS infrastructure; there are lots of mechanisms out there for understanding what queries DNS servers are handling and their responses. And you really ought to be doing it, because this infrastructure is no less critical than the routing and switching infrastructure that actually moves packets across your network."
Usually, he finds demonstrating the threat is enough to get management attention. "Most CIOs, once they see how, with one compromised machine on the inside of a network, you can set up a bi-directional channel between that endpoint and a server on the internet, realize they need to do something about this. It's just a matter of being faced with that cold hard reality."
Tackling DNS security
First, you need to stop thinking about DNS as being about networking and just "part of the plumbing," says David Ulevitch, the CEO of OpenDNS (which Cisco is in the process of acquiring).
"It used to be network operators who ran your DNS, and they were looking at it in terms of making sure the firewall was open, and not blocking what they viewed as a critical element of connectivity as opposed to a key component of security policy, access control and auditing. But we live in a world today where every network operator has to be a security practitioner."
If you actively manage your DNS, you can apply network controls at a level employees (and attackers) can't work around. You can detect phishing attacks and malware command and control more efficiently at the DNS layer than using a web proxy or doing deep packet inspection, and you can detect it as it happens rather than days later.
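As an added illustration of the query monitoring Liu describes and the DNS-layer detection in the paragraph above, the following example (written for this page, not code from the article or from any vendor named in it) scores constructed resolver query-log lines for the indicators of a DNS tunnel or command channel; the BIND-style log format, the two-label registered-domain heuristic and the thresholds are assumptions.

```python
# Added example (not from the article): flag DNS query patterns typical of
# tunnelling / C2 in resolver logs. BIND-style log format and thresholds are assumptions.
import math
import re
from collections import defaultdict

# Constructed sample lines in BIND query-log style (assumed format).
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: www.example.com IN A +
client 10.0.0.5#53212: query: mail.example.com IN MX +
client 10.0.0.5#53213: query: cdn.example.com IN A +
client 10.0.0.9#40001: query: 6a7b8c9d0e1f2a3b4c5d.t.bad-example.net IN TXT +
client 10.0.0.9#40002: query: 9f8e7d6c5b4a39281706.t.bad-example.net IN TXT +
client 10.0.0.9#40003: query: 0123456789abcdef0123.t.bad-example.net IN TXT +
"""
LINE_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")

def shannon_entropy(s):
    """Bits per character; encoded payload labels score well above real words."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def registered_domain(name):
    """Assumption: last two labels are the registered domain (no PSL lookup)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def analyse(log, min_names=3, max_entropy=3.5, max_label=15):
    """Return {domain: reasons} for domains whose query mix looks like tunnelling."""
    stats = defaultdict(lambda: {"names": set(), "types": set(), "ent": [], "lab": []})
    for _client, qname, qtype in LINE_RE.findall(log):
        d, first = stats[registered_domain(qname)], qname.split(".")[0]
        d["names"].add(qname)
        d["types"].add(qtype)
        d["ent"].append(shannon_entropy(first))
        d["lab"].append(len(first))
    flagged = {}
    for dom, d in stats.items():
        if len(d["names"]) < min_names:   # too few distinct names to judge
            continue
        reasons = []
        if sum(d["ent"]) / len(d["ent"]) > max_entropy:
            reasons.append("high-entropy leftmost labels")
        if max(d["lab"]) > max_label:
            reasons.append("unusually long labels")
        if d["types"] & {"TXT", "NULL"}:
            reasons.append("TXT/NULL record types")
        if len(reasons) >= 2:             # require two indicators to cut noise
            flagged[dom] = reasons
    return flagged
```

On the sample log only bad-example.net is flagged, on all three indicators; ordinary browsing and mail lookups for example.com trip none of them.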