WHITE PAPER: Designing a Secure DNS Architecture

In today's networking landscape, it is no longer adequate to have a DNS infrastructure that simply responds to queries. What is needed is an integrated, secure DNS architecture that also enables smart growth.
Introduction

DNS is an essential part of any modern-day organization. DNS, the Domain Name System, is the protocol used for converting fully qualified domain names (FQDNs) like www.google.com into the machine-usable IP addresses that computers use to communicate with each other. Without working DNS, it would be almost impossible for the devices on the Internet to find and communicate with each other.

While there are multiple ways to classify a DNS server, one that is especially relevant to this paper is the difference between primary and secondary DNS servers. A primary DNS server can be defined as one that holds the master copy of a DNS zone, while a secondary server stores copies of the zone that it receives from the primary server (via zone transfer). There could be many reasons for having a secondary DNS server, such as performance or a desire to hide your primary server.

Your customers use your DNS system to reach your website. Without a proper DNS infrastructure, your organization would not have a presence in cyberspace. E-commerce companies would not be able to sell their services. Even brick-and-mortar companies need DNS servers to advertise their products. In short, the Internet as we know it would not exist without the DNS protocol.

Architecting Your DNS

As the demand for an organization's services grows, so does the load on its DNS servers. At some point, whether it is due to legitimate traffic or a malicious distributed denial of service (DDoS) attack, the load on the DNS server exceeds the capacity of the server. At this point every organization looks for ways to increase DNS queries-per-second (QPS) capacity.

One approach to this problem is to augment the primary DNS server with a faster, secondary DNS server. This approach works more efficiently if the two servers are integrated and use the same database and interfaces. Using two separate DNS servers here can introduce interoperability issues in basic features like backup and restore, reporting, and management in general. A unified interface is also an important consideration here and can ensure preservation of your investment and lower total cost of ownership (TCO). Another solution here is to deploy several DNS servers behind a load balancer.
This approach works best if the DNS servers are unified, to ensure ease of management and deployment consistency across all servers. When designing a DNS infrastructure, it is important to build an environment that is not only sufficient for current needs, but also provides room for future growth. In addition, while architecting your DNS, it is also important to understand the security threats the DNS might be vulnerable to. We will discuss these next.
Securing the DNS Platform

Hacking of DNS servers is becoming more prevalent every day. Conventional DNS servers have multiple attack surfaces, and extraneous services such as port 80 (HTTP) and port 25 (SMTP) are often left open for attack alongside DNS itself. Attackers can use these ports to access the operating system (OS) and compromise your servers. If your DNS servers don't support tiered security privileges, any administrative user could potentially gain access to OS-level account privileges and make configuration changes that leave your servers vulnerable. Moreover, updates to conventional DNS servers often require time-consuming manual processes.

Defending against DNS Attacks

Another consideration is protection of your DNS infrastructure from external attacks. Authoritative DNS servers must be reachable from the Internet. This makes them potentially vulnerable to attacks such as DNS floods and amplification, which can effectively stop your DNS server from responding. It is also important to prevent these servers from becoming a tool to attack other servers (a DNS reflection attack). Reflection attacks can damage your company's reputation and cost money in the long run.

Even though your authoritative server sits behind a firewall, most of these attacks cannot be mitigated by typical firewalls. Firewalls are ill-prepared to protect you against application-layer attacks. The ones that do, the so-called next-generation firewalls, tend to have very little coverage for the DNS protocol. These solutions typically spread their security policies across a large number of protocols and sacrifice depth for breadth of coverage.

Load balancers offer some basic level of protection against DNS floods like NXDOMAIN DDoS attacks. However, there is a whole suite of DNS-based attacks that can target your external authoritative DNS servers, and the mitigation capabilities of load balancers fall short when it comes to addressing all of them. For example, load balancers cannot protect against bad or malformed DNS queries. Load balancers respond to DDoS attacks at the DNS security perimeter by scaling performance and spreading the load across multiple devices using IP Anycast.
Merely adding more load balancers to the environment can prove to be an inefficient and costly method of handling attacks. Regardless of the protection technique that you use, it is important to stay one step ahead of the attackers. Keeping protection up to date is key, as the DNS threat landscape continuously evolves and attacks change form. It is also essential to ensure that the update of protection rules is done automatically. With the level of sophistication that we are seeing in modern-day attacks, it is not practical to manually create and add detection rules to your DNS. Enterprises need specialized and automated DNS protection. Your DNS infrastructure should protect itself against the inevitable DNS attacks on your organization. These attacks can take one of two major forms: volumetric and DNS-specific attacks.
Volumetric Attacks

These attacks, sometimes referred to as DoS or DDoS, rely on exhausting a device's resources. A typical DNS DDoS sends tens or hundreds of thousands of queries per second to a DNS server in order to exhaust the resources on the DNS server and cause a service outage. The historical approach to a DNS DDoS attack has been to increase your capacity, either by placing your DNS infrastructure behind a load balancer or by using a faster secondary DNS server to augment your primary server. The problem with this approach is that it is a temporary patch. According to Arbor Networks, 2013 included several DNS DDoS attacks of 100 Gbps or more. With DNS-based volumetric attacks making up 10% of overall volumetric attacks and growing, we can only expect this number to grow.

Putting a load balancer or a faster secondary server in front of the DNS server is not a cost-effective approach to DDoS protection. It amounts to a temporary patch and requires the organization to ramp up its infrastructure every time the attackers catch up. You need intelligent DNS DDoS protection that does not respond to queries indiscriminately but distinguishes legitimate traffic from attack traffic.

DNS-specific Attacks

Another soft spot for a DNS infrastructure is the protocol itself. When the DNS protocol was developed, few could have envisioned a world where malicious agents or disgruntled workers would exploit or bring down your DNS server. Today we realize that any DNS server can be the target of DNS-specific attacks. These take many forms:

- DNS reflection
- DNS amplification
- DNS exploits
- DNS protocol anomalies
- DNS tunneling
- Cache poisoning

The intentions behind these types of attacks are to:

- Congest outbound server bandwidth (in the case of amplification attacks), overwhelming network components like firewalls in the path
- Flood the DNS server with traffic to slow it down and prevent it from responding to legitimate queries
- Cause the DNS server to crash by exploiting its vulnerabilities

A proper DNS infrastructure should protect your DNS server against these business-impacting attacks.
Preventing Malware and APTs from Using DNS

Data breaches are growing at a staggering pace, and over 100,000 new malware samples are being catalogued every day. In 2013, there were 3,000 security incidents with a total of 822 million records exposed worldwide. Many of the breaches were driven by malware and advanced persistent threats (APTs). Investing in next-generation firewalls or intrusion prevention systems (IPSs) can stop some malware from entering the network, but not all. Trends like bring your own device (BYOD) complicate the situation further and provide new avenues for malware to enter and go undetected for longer periods of time.
Malware and APTs evade traditional security defenses by using DNS to find and communicate with botnets and command-and-control servers. Botnets and command-and-control servers hide behind constantly changing combinations of domains and IP addresses. Once internal machines connect to these hosts, additional malicious software is downloaded or sensitive company data is exfiltrated.

Sometimes malware and APT attacks are hidden or disguised by external attacks on networks. During an external attack, IT staff are distracted protecting the network and might miss alerts or warning logs about malware and APT activity within the network. By having a single integrated and centrally managed DNS infrastructure (external and internal) with visibility into both external attacks and malware and APT activity, IT will be able to comprehend the totality of events and take appropriate action.

Infoblox Secure DNS

Infoblox Purpose-built Appliance and OS

Infoblox provides hardened, purpose-built DNS appliances with minimized attack surfaces:

- No extra or unused ports open to access the servers
- No root login access to the OS
- Role-based access to maintain overall control
- All access methods are secured:
  - Two-factor authentication for login access
  - Web access using HTTPS for encryption
  - TLS/SSL encryption for appliance interaction via the API

The DNS appliances are Common Criteria EAL2 certified, which covers verification of hardware, software, and manufacturing processes. In addition, OS and application updates happen through a single centralized process, allowing for simple and centralized management and control. All of the above secures the DNS platform and helps protect DNS services from various hacks.

Infoblox Advanced DNS Protection

Infoblox's Advanced DNS Protection addresses external attacks that target your DNS. Advanced DNS Protection provides built-in, intelligent attack protection that keeps track of the source IPs of DNS requests as well as the DNS records requested. It can be used to intelligently drop excessive DNS DDoS requests from the same IP, thereby saving resources to respond to legitimate requests.
The figure below shows Advanced DNS Protection under attack, and its response to good DNS queries. While the attacks were being launched (red line), Advanced DNS Protection also received 50k good DNS queries per second, all of which it responded to (blue line), even as the attacks peaked. The test was done using an independent third-party security and performance-testing platform.
[Figure 1: Advanced DNS Protection response rate under attack. Line chart; x-axis: Timestamp (seconds), 0 to 300; y-axis: DNS queries per second; series: Attacks, Response to good queries.]

It is important to understand the difference between this technology and BIND's response rate limiting (RRL). With BIND RRL, requests are received and fully processed, and only the responses are rate limited. This is not an efficient approach, since it uses valuable CPU and memory resources to process requests that the DNS server should never respond to. This makes it more likely for the DNS server to exhaust its resources and crash, which is the aim of a DDoS attack to begin with. With Infoblox's technology, bad requests are dropped before they reach the central processing unit. Hence, it is a much more efficient approach. This technology is available out of the box.

Of course, an attack on a mid-sized organization would not have the same characteristics as one against a large enterprise. While Infoblox is responsible for creating and maintaining the protection rules in Advanced DNS Protection, users can tune the parameters associated with each rule and customize them for their environments. These adjustments are entered through a graphical user interface (GUI) but verified before they are applied to the rule engine, ensuring that the system operates at peak performance. A typical load balancer does not provide this level of customization. Some vendors might provide a scripting language that enables users and consultants to create their own rules. These vendors do not maintain those rules, and users are ultimately applying them at their own risk. This can cause confusion and compatibility problems every time a change is made in the product line.

As mentioned earlier, another attack vector that could be used against a DNS server is protocol-based attacks. These include DNS amplification, reflection, and cache poisoning. Advanced DNS Protection provides prebuilt rules to protect DNS servers against these and similar attacks. Infoblox actively monitors the latest DNS-based vulnerabilities and ensures that it provides protection against these attacks out of the box.
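For comparison, this is how the BIND response rate limiting discussed above is configured in named.conf. It is an added configuration fragment, not part of the original paper; the per-second limits and prefix lengths are example values to be tuned per environment.

```text
options {
    // other options omitted

    rate-limit {
        responses-per-second 5;     // identical answers sent to one client block per second
        nxdomains-per-second 5;     // NXDOMAIN answers per client block per second
        errors-per-second 5;        // SERVFAIL/REFUSED and other errors per client block
        window 5;                   // seconds over which unused credits may accumulate
        slip 2;                     // every 2nd dropped response is sent truncated (TC bit set)
                                    // so a genuine resolver can retry over TCP
        ipv4-prefix-length 24;      // clients are aggregated per /24 ...
        ipv6-prefix-length 56;      // ... and per /56
        log-only no;                // "yes" logs what would be dropped without dropping it
    };
};
```

Start with `log-only yes` to observe what the limits would suppress before enforcing them. Note that RRL acts on responses to queries the server has already parsed and looked up, which is the processing cost the paragraph above refers to; it protects reflection victims and outbound bandwidth rather than the server's own CPU.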
Another advantage of the Advanced DNS Protection rule set is that it is automatically applied to DNS servers. It does not require manual intervention, either through writing scripts or applying them. This automatic deployment of protection rules can save precious time during an attack.
Infoblox DNS Firewall

Infoblox DNS Firewall addresses the problem of malware and APTs using DNS to communicate with botnets and command-and-control servers and to exfiltrate data. It detects and mitigates communication attempts by malware to malicious domains and networks by:

- Enforcing response policies on traffic to suspicious domains, such as blocking it, redirecting users, or allowing the traffic to pass through, so that administrators can decide what to do when a client tries to connect to a suspicious domain
- Leveraging up-to-date threat data on both known malicious domains and zero-day APTs
- Providing timely reporting on malicious DNS queries and pinpointing the infected devices that are making the queries

[Figure 2: Secure DNS Deployment. Diagram: in the Internet zone, external attacks (reconnaissance, exploits, reflection/amplification) and legitimate traffic reach Infoblox Advanced DNS Protection in the DMZ, which blocks DNS attacks and sends data to the Infoblox Reporting Server; an Automated Threat Update Service delivers rule updates for DNS-based attacks and malware/APT. In the intranet, endpoints send DNS queries to an Infoblox DNS Caching Server running Advanced DNS Protection with DNS Firewall, which handles internal attacks (malware/APT, DNS tunneling, cache poisoning) alongside legitimate traffic and sends data for reports.]
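The three response-policy actions listed above (block, redirect, allow) correspond to the actions of a DNS Response Policy Zone (RPZ), the zone format that recursive servers such as BIND use for this kind of filtering. The zone file below is an added example in that format, not part of the original paper or an Infoblox configuration; the zone name, the trigger domains and the walled-garden host are placeholders.

```text
; Added example RPZ zone "rpz.corp.example" (placeholder name).
; Trigger names are relative to the zone origin; the CNAME target selects the action.
$TTL 60
@                    SOA   localhost. hostmaster.localhost. 2014040101 3600 600 86400 60
                     NS    localhost.

; Block: a CNAME to the root name "." returns NXDOMAIN to the client.
badc2.example        CNAME .
*.badc2.example      CNAME .

; Redirect: a CNAME to a real name sends the client to a walled-garden host.
sinkme.example       CNAME walledgarden.corp.example.
*.sinkme.example     CNAME walledgarden.corp.example.

; Allow: rpz-passthru exempts a name even if a broader policy would match it.
trusted.example      CNAME rpz-passthru.
```

The zone is loaded like any other authoritative zone and enabled on the resolver with `response-policy { zone "rpz.corp.example"; };` in the options block. Exact-name rules take precedence over wildcard rules, so an rpz-passthru entry for a specific host overrides a wildcard block on its parent domain. Every rewritten answer should be logged, since the log of hits against the policy zone is the list of infected or misbehaving endpoints that the reporting bullet above refers to.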
Flexibility and Ease of Use

Regardless of what technology is used to protect an organization against external attacks, it is important to consider the soft benefits of the technology. After all, the best technical solution might become shelfware if it is unrealistically difficult and cumbersome to implement. Most of today's technologies rely heavily on command-line interfaces (CLIs) and scripting languages. While these technologies look promising in architecture diagrams, their implementation phase is too expensive and they are too hard to maintain, resulting in enterprises never implementing the full solution.

Infoblox offers its patented Infoblox Grid technology. Important features like high availability, disaster recovery, maintenance and configuration, and backup and recovery have been built into the Grid. A network administrator can manage and configure just about everything related to DNS from the GUI, without having to get into a CLI or having to script. This significantly reduces the possibility of mistyping commands and configurations and enables routine day-to-day activities to be delegated to junior admins. Ultimately, this helps save organizations money and enables them to provide better service to their customers.

Reporting

An often-overlooked aspect of DNS architecture is reporting. A modern DNS architecture should include a reporting technology that provides centralized visibility and allows users to evaluate the load on the system, diagnose problems, and be alerted when the system is under attack.

[Figure 3: Infoblox Reporting]

Conclusion

Designing a scalable and secure DNS architecture requires more than increased bandwidth and QPS. What looks simple in a small test lab tends to become very complex in a larger deployment. Infoblox Secure DNS Architecture, combined with Infoblox Grid technology, provides a comprehensive, secure, and scalable DNS solution that not only provides low latency and high throughput, but also ensures availability of essential infrastructure, enabling your organization to both grow and stay protected without the need for frequent infrastructure upgrades.
Corporate Headquarters: +1.408.986.4000, +1.866.463.6256 (toll-free, U.S. and Canada), info@infoblox.com, www.infoblox.com
EMEA Headquarters: +32.3.259.04.30, info-emea@infoblox.com
APAC Headquarters: +852.3793.3428, sales-apac@infoblox.com

© 2014 Infoblox Inc. All rights reserved. infoblox-whitepaper-designing-secure-dns-architecture-april2014