How many times have you heard the popular information security joke: “It’s always DNS”? It means that every time there’s a problem you can’t figure out, you will dig until you reach the conclusion that it’s always DNS. But DNS is also where a lot of issues can be caught early, and it should be leveraged more than ever, especially by those working on their zero trust journeys. DNS can be part of better threat detection — let’s see how that works.

What’s to DNS and Zero Trust?

Let’s unpack this for a minute. DNS is the internet’s phone book. It translates domain names into numbers that computers can then route. More specifically, “the Domain Name System is the hierarchical and decentralized naming system used to identify computers, services, and other resources reachable through the internet or other internet protocol networks.” As such, the DNS protocol is also one of the few application protocols that are allowed to cross organizational network perimeters.

Zero trust is a framework that assumes a complex network’s security is always at risk to external and internal threats. It helps organize and strategize a thorough approach to counter those threats.

Where do these two meet?

Zero trust is about doing continuous risk assessments and verifications, a principle that also requires examining traffic that comes into and out of organizational networks. You might agree that pretty much everything happening on connected devices is evident somewhere in DNS traffic. That’s especially true since DNS can go everywhere, and that’s where attackers want to get.

Unfortunately, many security professionals have a common misconception that DNS is just a domain blocklist and do not consider its power as a detection tool or a data source to analyze as part of zero trust architectures. But they should. DNS is where security teams can find forensic markers, automatic domain categorization data, suspicious behavior patterns, and potential/confirmed maliciousness.

Better Together

DNS security fits zero trust perfectly for two reasons. Firstly, DNS is fundamental in any network infrastructure, making it an excellent policy enforcement point for all zero trust architectures, no matter what other controls are in play. Since almost every network connection has a corresponding DNS request, we can leverage this advantage in risk assessments.

Second, any new or unknown domain that shows up in secure environments can trigger a validation process because DNS security, like zero trust, also assumes breach. This plays right into the state of continuous verification that zero trust aims to achieve.

Look Beyond the Basics

If it’s so great, why are so many organizations not using DNS to their advantage?

DNS traffic sent by UDP used to be plaintext and thus transparent to security admins. To keep DNS queries private, however, that data is now encrypted with DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). As a result, admins no longer see the same data from queries and have lost the visibility they used to have on the network. From the security perspective, in DoT’s case, admins can at least do some blocking, but DoH mixes in with the rest of HTTPS traffic, making it impossible to block without wider implications. That said, DNS should not be abandoned as a place to detect malicious activity. Attackers are definitely using it to their advantage at every turn with DNS tunneling attacks that conceal covert communications and exfiltrated data.

While visibility has changed, one can still detect connections that don’t have corresponding DNS requests and associate them to detect use of unauthorized encrypted DNS services. No one is going to blindly block never-before-seen domains just because they are considered riskier. But blocking them with more context can provide an additional factor within zero trust risk assessments.

To begin, correctly determining the uniqueness of domains is a critical step in its risk assessment. Only broad visibility into a comprehensive global DNS can help validate this analytic effectively.  For example, the visibility IBM Security teams get from Quad9 can tell us if a given domain is unique in the enterprise or unique globally.

Then, aside from blocking, how can we treat newly observed domains? The answer ties back again to continuous verification. There are various DNS analytics we can rely on to analyze new domains and their risk potential. Think of domain names generated by DGAs, typo squatting, fast flux networks, and DNS tunneling. Analytics that can provide that sort of context are a powerful way to reveal the true intentions of those who registered the domains and help security admins trigger the right mitigations on time.

DNS security helps support better cyber hygiene in your environment, and it enables continuous risk assessment and validation. Without DNS security, it becomes more difficult to gain early visibility into potential threats even as one works within zero trust principles. It also means that security admins would need to spend more effort on data collection and policy enforcement. Therefore, DNS security is not only essential but also a low-hanging fruit in any Zero Trust architecture.

Learn more about DNS analytics in this post from IBM Security.

X-Force’s Recommendations

IBM Security X-Force recommends that every enterprise start using DNS providers with built-in security. For example, Quad9 reduces the complexity of security operations at no cost. 

Quad9 is also a trustworthy DNS provider supporting encryption since malware/botnet won’t use Quad9 for many good reasons. Furthermore, with a partnership with IBM X-Force, Quad9 scrapes every newly observed domain to help Quad9 users stay ahead of threats.

Join X-Force Exchange threat intelligence sharing by visiting: exchange.xforce.ibmcloud.com

To read emerging threat intelligence blogs from X-Force, visit: securityintelligence.com/category/x-force

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read