Ken Carnesi is the CEO and co-founder of DNSFilter.
In the early days of networking, sending a message from one machine to another meant typing its numeric address by hand or looking it up in a hosts file that every site had to keep current. This quickly became unsustainable as the number of connected hosts grew. Then, in 1983, network engineer Paul Mockapetris introduced the Domain Name System (DNS), which allowed the internet to grow into the massive global network it is today. It is, in effect, the foundation on which the internet works.
DNS translates a human-readable name like www.example.com into the numeric IP address a machine actually connects to: for IPv4, four dotted decimal numbers such as 192.0.2.1 (a reserved documentation address); for IPv6, a longer hexadecimal address. It saves users the hassle of memorizing seemingly random strings of numbers, which is why DNS is often called "the phonebook of the internet."
Forty years on, DNS is as relevant as ever and a bigger target for cybercriminals than ever. You might expect security to have been baked in by now, yet DNS traffic is still often unencrypted, unauthenticated and unmonitored, because the original design optimized for speed and reliability, not security.
Most breaches and attacks touch DNS because it is used everywhere and, for a long time, nobody was watching it. But that same ubiquity means DNS can also be used to protect users and organizations.
Why DNS Is Still Such An Attractive Target
Tens of thousands of new domains are registered every day. The Global Cyber Alliance found that 33% of breaches are initiated at the DNS layer, while IDC found that 79% of breaches involve the DNS layer, 85% of malware actors use DNS in the creation of attacks and 90% of organizations have experienced at least one DNS attack.
Attackers use those domains to host exploit kits and malware downloads, to send victims to deceptive sites, and as rendezvous points for botnet command-and-control and spear phishing campaigns. Phishing may be responsible for up to 90% of initial infections.
DNS For Security—Overlooked And Under-Monitored
DNS is used heavily by adversaries, but what if it could be part of your defense?
DNS remains an often-overlooked component of the security stack. Why? There’s a lot to unpack here—especially when you consider how much organizations are spending and how many different security tools they’re purchasing. While estimates vary, enterprises are using an average of anywhere from 45 to 76 (if not more) security solutions and technologies.
One problem is that it is too easy to get caught up in "shiny object syndrome" and lose sight of DNS, which isn't as flashy or "cutting edge" as other technologies. Security must start with getting the basics right. DNS as a defensive control is neither a static solution nor legacy tech; it sits underneath nearly all online activity and deserves protection in its own right.
Other misconceptions are that using DNS for security is hard, or that filtering it will hurt the reliability or functionality of an organization's network. Alert fatigue is a real concern, too; adding yet another tool to monitor can make it worse.
One prominent example of an attack that DNS-layer security could have blunted is the 2016 Democratic National Committee (DNC) leak. Attackers sent emails styled as legitimate security notifications from Google; recipients who clicked were taken to a fake Google login page that harvested their credentials. With a protective resolver in place, the lookup for the phishing domain would have returned a block response instead of the attacker's address, and the page would never have loaded. The caveat is that this only works if the domain is already known to be malicious, or is caught by a lookalike or newly-registered-domain rule, at the moment of the click. That is why resolver intelligence has to be fast and continuously updated.
Flipping The Script
DNS isn’t going anywhere—it’s the backbone of the internet—so getting a better handle on its traffic and using it for security is essential. Leaders must understand the real consequences that overlooking DNS can have, but it’s also important to realize that DNS as a security defense is continually evolving. Today, AI and ML can be leveraged to help detect threats early and make predictions based on the analysis of patterns. An old technology can be taught new tricks.
The four key components of using DNS for security are:
Speed and reliability: Resolving DNS queries fast and reliably helps the applications and services we use perform better, which is its foundational purpose.
Intelligence and control: A DNS resolver that applies threat intelligence and policy can inspect each query and refuse to resolve it (returning NXDOMAIN or the address of a block page) when the domain is malicious or against policy.
Encryption and validation: With DNS over HTTPS (DoH) and DNS over TLS (DoT), the hop from the client machine to the DNS resolver is encrypted, which gives privacy and integrity on that leg; traffic from the resolver onward to authoritative servers is typically still in the clear. DNSSEC is a separate mechanism: it lets a resolver verify that the records it receives were signed by the zone owner and not tampered with in transit. It does not encrypt anything and says nothing about whether the site itself is trustworthy.
Monitoring logs: DNS logs tell a detailed story about what a machine did, including which domains it looked up, when, and in what order. That is exactly the context an incident responder needs to reconstruct the timeline of a breach.
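To make the "encryption and validation" component concrete, here is an added example (not DNSFilter's code, and not from the original article) that builds a wire-format DNS query with the EDNS0 DO bit set, sends it over DNS over HTTPS, and parses the response to read the AD (Authenticated Data) flag, which is how a validating resolver tells its client that an answer passed DNSSEC validation. Note what this does and does not prove: the TLS session protects only the stub-to-resolver hop, and AD reflects validation performed by the resolver, so the client is trusting that resolver. The DoH URL is an assumption for illustration, the sample response bytes are constructed, and the network call is made only when you invoke doh_query yourself.

```python
"""DoH transport and DNSSEC-validation signalling seen from the stub side.

Added example, not DNSFilter code. Builds an RFC 1035 wire-format query with
the EDNS0 DO bit set, parses a response header and answer section, and reports
whether the resolver set the AD flag. The DoH endpoint URL is an assumption;
the sample response is constructed by hand for offline use.
"""
import struct
import urllib.request

QR, RA, AD, CD = 0x8000, 0x0080, 0x0020, 0x0010      # header flag bits
TYPE_A, TYPE_AAAA, TYPE_RRSIG, TYPE_OPT = 1, 28, 46, 41
TYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA", 46: "RRSIG"}


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, dnssec_ok=True):
    """Wire-format query. ID 0 as RFC 8484 recommends for cacheable DoH; RD set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # EDNS0 OPT RR: root name, type 41, 4096-byte payload, DO bit (0x8000)
        # in the TTL field. Asks the resolver to include RRSIG records.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)
    return msg


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # resume after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return rcode, the AD/RA flags and the answer RRs of a wire-format reply."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == TYPE_A else rdata.hex()
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return {
        "rcode": flags & 0x000F,
        "authenticated": bool(flags & AD),   # resolver validated the answer via DNSSEC
        "recursion_available": bool(flags & RA),
        "answers": answers,
    }


def doh_query(name, url="https://dns.google/dns-query"):   # URL is an assumption
    """POST the query as application/dns-message (RFC 8484) and parse the reply."""
    req = urllib.request.Request(
        url, data=build_query(name),
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


def sample_response():
    """Constructed reply: example.com A 192.0.2.1, flags QR|RD|RA|AD, NOERROR."""
    header = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    print(parse_response(sample_response()))
```

Against a validating resolver, doh_query("example.com") returns rcode 0 with authenticated set to True; the same query for a name whose zone is not signed returns the address but authenticated stays False, and a resolver that does not validate never sets AD at all. That distinction is the difference between actually having DNSSEC and merely having it available.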
Gotchas To Watch Out For
DNS security is one layer of many. Don't mistake it for a catch-all: it is not a substitute for antivirus, endpoint protection, penetration testing and the rest. You still need those controls; DNS filtering is one part of a defense-in-depth ecosystem.
Also keep in mind that setup can be easy, but DNS can get complex quickly, and a misconfiguration breaks things for everyone behind the resolver (one bad block rule takes a service down for the whole organization). If you're not an expert, lean on external experts or choose simple tools.
When it comes to intelligence and control, AI and ML can give you an advantage by analyzing queries as they happen, but these techniques must be fast enough not to add noticeable latency to resolution, which users and applications feel immediately. The analysis must also be effective, with few false positives: a wrongly blocked domain is an outage, not just an alert.
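The "intelligence and control" and "monitoring logs" components above, together with the false-positive caveat here, come together in the kind of first-pass triage below. It is an added example, not DNSFilter's product logic and not code from the original article: the log-line format, the blocklist, allowlist and protected brand names, and every threshold are constructed for illustration. Explicit policy (block and allow lists, including parent-domain matches) is applied first; the heuristics (brand lookalikes with digit substitution, over-long labels typical of tunnelling, and high-entropy labels typical of domain-generation algorithms) only flag queries for review and never block on their own, so a miss costs analyst time rather than a broken lookup.

```python
"""DNS query-log triage: explicit policy first, cheap heuristics second.

Added example; it is not DNSFilter code. The log format, blocklist, allowlist,
protected brand names and thresholds are all constructed for illustration.
"""
import math
import re
from collections import Counter

# Constructed log-line format: "<timestamp> client=<ip> qname=<name> qtype=<type>"
LOG_RE = re.compile(r"^(\S+) client=(\S+) qname=(\S+) qtype=(\S+)$")

BLOCKLIST = {"login-goog1e-security.com", "evil-cdn.example"}   # constructed
ALLOWLIST = {"google.com", "example.com", "microsoft.com"}       # constructed
PROTECTED_BRANDS = {"google", "microsoft"}                        # constructed

ENTROPY_THRESHOLD = 3.8   # bits/char; 17 distinct chars give log2(17) ~ 4.09
MIN_DGA_LABEL = 14        # shorter labels cannot score high enough to be meaningful
LABEL_LEN_LIMIT = 30      # base64/hex payload labels from tunnelling tools are long
QNAME_LEN_LIMIT = 64
LEET = str.maketrans("0135", "oles")   # goog1e -> google, m1cr0s0ft -> microsoft


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def labels_of(qname):
    return qname.rstrip(".").lower().split(".")


def matches_list(qname, domains):
    """True if qname or any parent domain of it is listed."""
    labels = labels_of(qname)
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def classify(qname):
    """Return (verdict, reason); verdict is 'block', 'flag' or 'allow'.

    Policy lists decide first. Heuristics only surface queries for review,
    which keeps the false-positive cost at analyst time, not failed lookups.
    """
    if matches_list(qname, BLOCKLIST):
        return "block", "blocklist"
    if matches_list(qname, ALLOWLIST):
        return "allow", "allowlist"
    labels = labels_of(qname)
    normalized = qname.lower().translate(LEET)         # undo digit-for-letter swaps
    if any(brand in normalized for brand in PROTECTED_BRANDS):
        return "flag", "brand-lookalike"
    if len(qname) > QNAME_LEN_LIMIT or any(len(l) > LABEL_LEN_LIMIT for l in labels):
        return "flag", "tunnelling-like"
    for label in labels[:-1]:                          # every label except the TLD
        if len(label) >= MIN_DGA_LABEL and shannon_entropy(label) > ENTROPY_THRESHOLD:
            return "flag", "dga-like"
    return "allow", "no-match"


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def triage(lines):
    """Attach a verdict to every well-formed log line; malformed lines are skipped."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            rec["verdict"], rec["reason"] = classify(rec["qname"])
            out.append(rec)
    return out


def summarize(records):
    """Per-client counts of non-allowed queries: where a breach timeline starts."""
    summary = {}
    for r in records:
        if r["verdict"] != "allow":
            summary.setdefault(r["client"], Counter())[r["reason"]] += 1
    return summary


# Constructed sample log: two clients, one malformed line
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z client=10.0.0.5 qname=accounts.google.com qtype=A",
    "2024-05-01T10:00:02Z client=10.0.0.5 qname=login-goog1e-security.com qtype=A",
    "2024-05-01T10:00:03Z client=10.0.0.5 qname=xk3j9f0alq2mzr7tp.net qtype=A",
    "2024-05-01T10:00:04Z client=10.0.0.9 qname=www.forbes.com qtype=A",
    "2024-05-01T10:00:05Z client=10.0.0.9 "
    "qname=aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Qgb2YgZG5z.t.exfil-tunnel.net qtype=TXT",
    "2024-05-01T10:00:06Z client=10.0.0.9 qname=accounts-goog1e.net qtype=A",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["client"]:10} {r["verdict"]:5} {r["reason"]:16} {r["qname"]}')
    print(summarize(triage(SAMPLE_LOG)))
```

The entropy test is deliberately conservative (a 14-character minimum and a 3.8-bit threshold) because long natural-language labels such as login-goog1e-security also score high on entropy alone; in practice you would add domain age, query volume and first-seen signals before acting on any single heuristic, and you would feed confirmed hits back into the blocklist so the fast path catches them next time.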
Also important to note is that not all DNS resolvers are created equal, so make sure you’re using an infrastructure that’s built for speed and resilience.
It’s Not Too Late To Change
DNS is an older but still very relevant technology; remember that 79% of breaches involve the DNS layer.
As much as it can be used by adversaries, DNS can be turned around to serve as an incredible security defense. Using DNS for security is one of the simplest, easiest, most cost-effective, fastest-to-deploy, fastest-to-react solutions you can implement.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.