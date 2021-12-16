If it’s so great, why are so many organizations not using DNS to their advantage?

DNS traffic sent by UDP used to be plaintext and thus transparent to security admins. To keep DNS queries private, however, that data is now encrypted with DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). As a result, admins no longer see the same data from queries and have lost the visibility they used to have on the network. From the security perspective, in DoT’s case, admins can at least do some blocking, but DoH mixes in with the rest of HTTPS traffic, making it impossible to block without wider implications. That said, DNS should not be abandoned as a place to detect malicious activity. Attackers are definitely using it to their advantage at every turn with DNS tunneling attacks that conceal covert communications and exfiltrated data.

While visibility has changed, one can still detect connections that don’t have corresponding DNS requests and associate them to detect use of unauthorized encrypted DNS services. No one is going to blindly block never-before-seen domains just because they are considered riskier. But blocking them with more context can provide an additional factor within zero trust risk assessments.

To begin, correctly determining the uniqueness of domains is a critical step in its risk assessment. Only broad visibility into a comprehensive global DNS can help validate this analytic effectively. For example, the visibility IBM Security teams get from Quad9 can tell us if a given domain is unique in the enterprise or unique globally.

Then, aside from blocking, how can we treat newly observed domains? The answer ties back again to continuous verification. There are various DNS analytics we can rely on to analyze new domains and their risk potential. Think of domain names generated by DGAs, typo squatting, fast flux networks, and DNS tunneling. Analytics that can provide that sort of context are a powerful way to reveal the true intentions of those who registered the domains and help security admins trigger the right mitigations on time.

DNS security helps support better cyber hygiene in your environment, and it enables continuous risk assessment and validation. Without DNS security, it becomes more difficult to gain early visibility into potential threats even as one works within zero trust principles. It also means that security admins would need to spend more effort on data collection and policy enforcement. Therefore, DNS security is not only essential but also a low-hanging fruit in any Zero Trust architecture.

