Role of DNS-level security for SASE
Many articles in the industry, and my blog on Deciphering SASE, are very clear on the major constituents of SASE. In the case of SASE Security, the predominant components discussed are Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and Next-Generation Firewall (NGFW). The security functions across these components include IP address, domain, URL and file reputation-based access control, anti-malware, Data Loss Prevention (DLP) and intrusion prevention, in addition to policy-based access controls at various levels: L3/L4 access controls, URL category-based access controls, Software as a Service (SaaS) function-level access controls, etc.
Since Hypertext Transfer Protocol (HTTP) is the most common protocol for access to Internet, SaaS, and even enterprise applications, many articles describe these security functions in the context of HTTP.
In this article, the focus is on the Domain Name System (DNS) protocol and the threat protection that can be achieved via DNS proxies. We at Aryaka believe that SASE shall include DNS-based security.
What is DNS?
DNS is a system that translates human-readable domain names to IP addresses. Computers communicate with each other using IP addresses, but domain names are easier for humans to remember and use. When a user types a domain name into their browser to access a website or service, the browser sends a DNS query to a DNS resolver to look up the IP address associated with the domain name. The resolver looks up the IP address in a distributed database, the DNS hierarchy, and returns it to the browser, which then uses the IP address to establish a connection to the server hosting the website or service.
Security via DNS and DNS Security
The term “DNS Security” is typically used to refer to measures taken to protect the enterprise DNS infrastructure, including authoritative DNS servers and DNS resolvers. “Security via DNS” refers to using the DNS protocol for threat protection and access control, typically via transparent DNS proxies. Since SASE is consolidating multiple network security services into one, we believe that SASE needs to include both “Security via DNS” and “DNS Security” functionalities.
Both these functionalities can be realized by SASE via the DNS proxy mechanism. The SD-WAN portion of SASE can intercept the DNS traffic and hand it over to a DNS proxy to perform various security functions. A DNS proxy also needs to act as a simple (non-recursive) DNS resolver to send the DNS queries to upstream DNS resolvers/servers.
Common features of SASE DNS Proxy
Ensuring Privacy: DNS queries generated by clients such as native client applications and browsers are not encrypted. As a result, any intermediate entity with access to the traffic can see which websites users are visiting. This lack of privacy makes it easier for man-in-the-middle attackers to track users’ online behavior. Since the DNS proxy in SASE sits in the path before DNS queries leave the enterprise’s logical boundary, it can protect the privacy of users’ online behavior by using DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) toward upstream DNS resolvers: the DNS proxy intercepts the plaintext DNS queries from clients and forwards them over DoH/DoT to the upstream DNS resolvers.
Ensuring integrity and authentication of DNS responses: The DNS system is built around trust. DNS clients and DNS resolvers trust the DNS responses they receive from upstream DNS servers and resolvers. If the upstream DNS systems are compromised, attackers can send DNS responses that map genuine domain names to the attackers’ own site IP addresses. This is called DNS spoofing or DNS cache poisoning. DNSSEC (DNS Security Extensions) is one of the solutions for stopping DNS spoofing: it digitally signs DNS response data so that DNS clients and resolvers can validate the authenticity of the data, thereby protecting them from manipulated or forged DNS data.
However, not all DNS clients and resolvers are capable of performing DNSSEC validation. DNS proxies that sit between DNS clients and upstream DNS servers can validate the data on their behalf using DNSSEC.
Protection from DNS flood attacks: I found this article to be very comprehensive in describing DDoS attacks on DNS infrastructure, specifically DNS amplification & DNS reflection attacks, which can overwhelm the victim. This includes both the infrastructure on which DNS servers/resolvers run and the DNS service itself. Another type of attack aims to exhaust the resources (CPU and memory) of the DNS service. Examples of this type include NXDOMAIN flood attacks and water-torture attacks, where the attacker sends DNS queries for non-existent domains and sub-domains with random labels.
SASE, with its L3/L4 firewall service, can prevent DNS responses from reaching the victim when there was no matching DNS query, effectively stopping reflection attacks. Additionally, SASE, with its generic rate-limiting service, can restrict the number of queries per source IP/subnet, thereby mitigating floods against DNS services (resolvers and servers).
A SASE DNS proxy is necessary for intelligent protection against flood attacks, including NXDOMAIN floods and water-torture attacks. The SASE DNS proxy mitigates these attacks through DNS protocol-level rate limiting and the detection of random labels using abnormal domain name detection methods.
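The two protocol-level mitigations described above, as an added illustration that is not Aryaka's code: a per-source token bucket that caps the DNS query rate, and an abnormal-label heuristic (character entropy, vowel and digit ratios) that counts random-looking sub-domains per zone to flag a water-torture pattern. The thresholds, the source addresses and the query events are constructed for the example and would be tuned per deployment.

```python
import math
import re
from collections import Counter, defaultdict

# Thresholds are assumed values for illustration, not Aryaka's; tune per deployment.
QUERIES_PER_SEC = 20      # sustained per-source budget at the DNS protocol level
BURST = 40                # token-bucket capacity (short bursts are normal)
MAX_RANDOM_LABELS = 5     # distinct random-looking sub-domains of one zone before flagging

LABEL_RE = re.compile(r"^[a-z0-9-]+$")


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_random(label: str) -> bool:
    """Abnormal-label heuristic: long, high-entropy labels with few vowels or many digits."""
    label = label.lower()
    if len(label) < 8 or not LABEL_RE.match(label):
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return label_entropy(label) > 3.2 and (vowel_ratio < 0.25 or digit_ratio > 0.3)


class DnsFloodGuard:
    """Per-source token-bucket rate limiting plus per-zone water-torture detection."""

    def __init__(self, rate=QUERIES_PER_SEC, burst=BURST, max_random=MAX_RANDOM_LABELS):
        self.rate, self.burst, self.max_random = rate, burst, max_random
        self.buckets = {}                      # src_ip -> (tokens, last_seen)
        self.random_labels = defaultdict(set)  # zone -> random-looking labels queried

    def _take_token(self, src_ip, now):
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        allowed = tokens >= 1
        self.buckets[src_ip] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def check(self, src_ip: str, qname: str, now: float) -> str:
        """Return 'allow', 'rate-limit' or 'water-torture' for one query."""
        if not self._take_token(src_ip, now):
            return "rate-limit"
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) >= 3 and looks_random(labels[0]):
            zone = ".".join(labels[1:])          # the zone whose server is the victim
            seen = self.random_labels[zone]
            seen.add(labels[0])
            if len(seen) > self.max_random:
                return "water-torture"
        return "allow"


def replay(events, guard=None):
    """Run (timestamp, src_ip, qname) events through a guard; count the verdicts."""
    guard = guard or DnsFloodGuard()
    return Counter(guard.check(src, qname, ts) for ts, src, qname in events)


# Constructed sample traffic (not captured data)
RANDOM_LABELS = ["q7x3kf9zmw2p", "b8tr4nqz0hkv", "z2mx9vqk7dlw", "k4pw8rtz3nqf",
                 "h9dq2xlv7mkt", "w3fr8kzq0pxt", "v6nz4tqw9klm", "r1xk7pqz3vmw"]

SAMPLE_EVENTS = (
    # a normal client: a few legitimate names, one per second
    [(float(i), "10.0.0.5", n)
     for i, n in enumerate(["www.example.com", "mail.example.com", "accounts.example.com"])]
    # a flood source: 60 queries within the same second, more than the burst allows
    + [(100.0, "10.0.0.9", "www.example.com")] * 60
    # water torture: random 12-character labels under one zone
    + [(200.0 + i / 10, "10.0.0.7", f"{lbl}.victim.example") for i, lbl in enumerate(RANDOM_LABELS)]
)

if __name__ == "__main__":
    print(dict(replay(SAMPLE_EVENTS)))
```

The bucket alone stops the volumetric flood, but the water-torture source in the sample stays well under the rate limit; it is the growth of distinct random labels under a single zone that catches it. Counting per zone rather than per source matters because such floods are usually spread across many sources.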
Protection from DNS-based Exploits: Vulnerabilities and misconfigurations of the DNS infrastructure can be exploited by attackers to compromise DNS services. Once a DNS service is compromised, attackers can spoof DNS responses with their own IP addresses. Examples of buffer overflow vulnerabilities include the BIND 9 TKEY vulnerability and the inverse query overflow vulnerability. Some exploits can be detected by checking compliance with the relevant RFCs. In other cases, however, the exploit payload adheres to the RFCs while taking advantage of vulnerabilities in the implementation of DNS services.
SASE security typically includes an IDPS (Intrusion Detection and Prevention System) that can detect known exploits. For zero-day protection, it is important that the SASE DNS proxy checks for protocol compliance and employs anomaly detection to identify DNS payload content that deviates from what is typically observed.
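What "checking protocol compliance" can mean in practice, as an added example that is not Aryaka's code: a minimal RFC 1035 wire-format parser that a proxy could run on every message before forwarding it. It rejects truncated sections, labels that exceed 63 octets, names over 255 octets, compression pointers that do not point backwards (which is what makes pointer loops impossible), the reserved Z bit, and the obsolete inverse query opcode retired by RFC 3425. `build_query` encodes the query a stub resolver sends, which also shows the wire format behind the "What is DNS?" section; the three malformed messages at the end are constructed for the example.

```python
import struct

MAX_NAME = 255  # RFC 1035 s2.3.4: whole name, length octets and root included


class NonCompliant(Exception):
    """Raised when a DNS message violates the RFC 1035 wire format."""


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name at offset; return (name, next_offset).
    Pointers must point strictly backwards (RFC 1035 s4.1.4), which rules out
    loops and forward references without needing a hop counter."""
    labels, total_len, end = [], 0, None
    while True:
        if offset >= len(msg):
            raise NonCompliant("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: compression pointer
            if offset + 1 >= len(msg):
                raise NonCompliant("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= offset:
                raise NonCompliant("compression pointer does not point backwards")
            end = end if end is not None else offset + 2
            offset = target
            continue
        if length & 0xC0:                         # 01/10xxxxxx: reserved label types
            # The two high bits select the label type, so a plain label can never
            # legitimately be longer than 63 octets.
            raise NonCompliant("reserved label type or label longer than 63 octets")
        total_len += length + 1
        if total_len > MAX_NAME:
            raise NonCompliant("name longer than 255 octets")
        if length == 0:                           # root label ends the name
            end = end if end is not None else offset + 1
            break
        label = msg[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise NonCompliant("truncated label")
        labels.append(label.decode("latin-1"))
        offset += 1 + length
    return ".".join(labels) + ".", end


def validate_message(msg: bytes, expect_query: bool = True) -> dict:
    """Parse header and sections, enforcing checks a proxy can apply before forwarding."""
    if len(msg) < 12:
        raise NonCompliant("header shorter than 12 octets")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    if expect_query and qr:
        raise NonCompliant("QR bit set on a message expected to be a query")
    if opcode == 1:
        raise NonCompliant("inverse query (IQUERY) is obsolete, RFC 3425")
    if opcode not in (0, 2, 4, 5):                # QUERY, STATUS, NOTIFY, UPDATE
        raise NonCompliant(f"unassigned opcode {opcode}")
    if (flags >> 6) & 1:
        raise NonCompliant("reserved Z bit set")
    if expect_query and qd != 1:
        raise NonCompliant("a query must carry exactly one question")
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise NonCompliant("truncated question section")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):                 # every resource record must fit
        _, offset = read_name(msg, offset)
        if offset + 10 > len(msg):
            raise NonCompliant("truncated resource record")
        rdlen = struct.unpack("!H", msg[offset + 8:offset + 10])[0]
        offset += 10 + rdlen
        if offset > len(msg):
            raise NonCompliant("RDATA runs past end of message")
    if offset != len(msg):
        raise NonCompliant("trailing bytes after the last record")
    return {"id": txid, "opcode": opcode, "qr": qr, "questions": questions}


def is_compliant(msg: bytes, expect_query: bool = True) -> bool:
    try:
        validate_message(msg, expect_query)
        return True
    except NonCompliant:
        return False


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode the standard recursive query (RD=1) a stub resolver sends."""
    out = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed malformed messages a proxy should refuse to forward
HEADER = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
OVERLONG_LABEL = HEADER + bytes([64]) + b"a" * 64 + b"\x00" + struct.pack("!HH", 1, 1)
POINTER_LOOP = HEADER + b"\xc0\x0c" + struct.pack("!HH", 1, 1)   # points at itself
INVERSE_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0900, 1, 0, 0, 0) + b"\x00" + struct.pack("!HH", 1, 1)
```

Compliance checks of this kind catch malformed payloads; an exploit that is well-formed on the wire, as the text notes, needs the IDPS signatures or anomaly detection on the parsed content instead.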
Access Control and Preventing Users from Visiting Sites with a Bad Reputation: As described in the “What is DNS?” section above, the domain name query is the first step when a user visits any website. Security via DNS can therefore play a significant role in preventing users from accessing sites that host malware and phishing content. Many threat intelligence vendors provide reputation scores for IP addresses and domain names. This intelligence can be used to block DNS queries for malicious domain names and to drop DNS responses that include bad IP addresses.
A SASE DNS proxy enables this first-level anti-malware and anti-phishing security for users. SASE DNS proxies integrate with multiple threat intelligence vendors to regularly obtain the IP/domain reputation database and filter DNS queries and responses that involve malicious IP addresses and domain names. However, threat intelligence feeds can contain false positives, so it is crucial that your SASE provider offers the ability to create exceptions.
Additionally, a SASE DNS proxy allows administrators to filter custom domain names and IP addresses, which can help prevent users from accessing sites that are not aligned with the enterprise’s interests.
Protection from Compromised Upstream DNS Services: As mentioned earlier, DNSSEC can address the validity of DNS responses and prevent DNS responses with spoofed IP addresses. However, not all DNS services implement DNSSEC. Detecting DNS spoofing by compromised, non-DNSSEC DNS services is crucial to prevent users from accessing phishing and malware sites. One technique is to use multiple upstream DNS resolvers, compare the responses from each resolver, and forward the DNS response only if the results are consistent.
A SASE DNS proxy can cross-verify the DNS responses received from multiple upstream DNS resolvers: it checks the responses for consistency and answers the client only when verification succeeds. Since waiting for responses from multiple upstream resolvers adds latency to DNS queries, it is common practice to send multiple DNS queries and perform cross-verification only when the threat intelligence database has no answer for the queried domain name.
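The decision logic from the two preceding sections (reputation filtering with administrator exceptions, and cross-verification across upstream resolvers only when the feed has no answer), as an added example that is not Aryaka's code. The resolver names, the threat-intelligence lists, the custom-block list and the upstream answer table are constructed; addresses are RFC 5737 documentation ranges. `fake_upstream` stands in for real forwarding so the block runs offline.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

RESOLVERS = ("resolver-a", "resolver-b", "resolver-c")  # assumed upstream names


@dataclass
class ThreatIntel:
    """Stand-in for vendor reputation feeds plus the administrator's own lists."""
    bad_domains: set      # vendor-flagged domains; sub-domains inherit the verdict
    bad_networks: list    # vendor-flagged address ranges (ipaddress networks)
    exceptions: set       # admin overrides for feed false positives
    custom_blocked: set   # enterprise policy blocks (sites not aligned with its interests)

    def domain_verdict(self, qname: str) -> str:
        """'block', 'allow' (exception) or 'unknown'. The most specific matching
        name wins, so an exception for a host can override a block on its parent."""
        parts = qname.rstrip(".").lower().split(".")
        for i in range(len(parts)):
            candidate = ".".join(parts[i:])
            if candidate in self.exceptions:
                return "allow"
            if candidate in self.bad_domains or candidate in self.custom_blocked:
                return "block"
        return "unknown"

    def ip_is_bad(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.bad_networks)


def cross_verify(answers: dict, min_agree: int = 2):
    """answers: resolver -> set of addresses. Returns (consensus answer or None,
    sorted list of resolvers whose answer differs from the consensus)."""
    if not answers:
        return None, []
    votes = Counter(frozenset(ips) for ips in answers.values())
    best, count = votes.most_common(1)[0]
    dissent = sorted(r for r, ips in answers.items() if frozenset(ips) != best)
    return (set(best) if count >= min_agree else None), dissent


def resolve_policy(qname: str, intel: ThreatIntel, upstream, resolvers=RESOLVERS):
    """Decide what the proxy does with one A query; returns (action, addresses).
    upstream(qname, resolvers) -> {resolver: set(addresses)} models forwarding."""
    verdict = intel.domain_verdict(qname)
    if verdict == "block":
        return "blocked-domain", set()
    if verdict == "allow":
        # The feed already has an answer for this name: one upstream, no extra latency
        answer = set().union(*upstream(qname, resolvers[:1]).values())
        return "forward", answer
    # The feed has no answer: ask every upstream and require agreement
    consensus, _dissent = cross_verify(upstream(qname, resolvers))
    if consensus is None:
        return "inconsistent-upstream", set()
    bad = {ip for ip in consensus if intel.ip_is_bad(ip)}
    if bad:
        return "blocked-ip", bad
    return "forward", consensus


# Constructed answer table: resolver-c returns a spoofed address for bank.example,
# and cdn.example legitimately answers differently from each resolver.
FAKE_UPSTREAM = {
    "www.example.com": {"resolver-a": {"192.0.2.10"}, "resolver-b": {"192.0.2.10"}, "resolver-c": {"192.0.2.10"}},
    "bank.example": {"resolver-a": {"192.0.2.20"}, "resolver-b": {"192.0.2.20"}, "resolver-c": {"203.0.113.66"}},
    "cdn.example": {"resolver-a": {"192.0.2.30"}, "resolver-b": {"192.0.2.31"}, "resolver-c": {"192.0.2.32"}},
    "dropper.example": {"resolver-a": {"203.0.113.9"}, "resolver-b": {"203.0.113.9"}, "resolver-c": {"203.0.113.9"}},
    "partner.example": {"resolver-a": {"198.51.100.5"}, "resolver-b": {"198.51.100.5"}, "resolver-c": {"198.51.100.5"}},
}

INTEL = ThreatIntel(
    bad_domains={"malware.example"},
    bad_networks=[ipaddress.ip_network("203.0.113.0/24")],
    exceptions={"partner.example"},
    custom_blocked={"gambling.example"},
)


def fake_upstream(qname: str, resolvers):
    """Simulated forwarding over the constructed answer table."""
    name = qname.rstrip(".").lower()
    return {r: set(FAKE_UPSTREAM[name][r]) for r in resolvers}
```

The `cdn.example` case is the practitioner's caveat: resolvers in different locations legitimately return different addresses for geographically load-balanced names, so a strict equality check produces false "inconsistent" results. A deployment would relax the comparison (for instance, requiring agreement on the ownership of the address ranges rather than on the exact addresses) or fall back to the primary resolver for such names.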
Indicators of Compromise (IoC): Security analysis of DNS traffic can provide valuable insights and indicators of compromise. Some of the insights and IoCs that SASE DNS security can provide include:
- Suspicious domain names using threat intelligence feeds.
- Detection of DNS spoofing attempts through DNS response analysis, as described in the section “Protection from compromised upstream DNS services” and other techniques.
- Identification of abnormal and unexpected DNS response codes, such as NXDOMAIN and SERVFAIL.
- Detection of unusual query patterns, such as a high volume of requests to a particular domain or repeated failed queries.
- Detection of Domain Generation Algorithms (DGAs) typically used by malware to communicate with command-and-control centers.
- Identification of fast flux networks, where IP addresses associated with a domain rapidly change. This behavior is commonly observed in sites hosting malware.
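Three of the indicators listed above derived from DNS proxy logs, as an added example that is not Aryaka's code: repeated failed queries per client (NXDOMAIN/SERVFAIL ratio), an unusually high query volume for one domain, and fast flux (many distinct low-TTL addresses for one name). The log line format (`timestamp client qname qtype rcode answers ttl`), the thresholds and the log lines themselves are constructed for the example; a real SASE log would be mapped onto `parse_line`.

```python
from collections import Counter, defaultdict

# Assumed thresholds for illustration; tune per environment and time window
MIN_QUERIES = 10     # minimum queries before judging a client's failure ratio
FAIL_RATIO = 0.5     # share of NXDOMAIN/SERVFAIL answers that is suspicious
HIGH_VOLUME = 50     # queries for one domain within the window
FLUX_IPS = 5         # distinct A records for one name within the window
FLUX_TTL = 300       # seconds; fast-flux names keep TTLs short


def parse_line(line: str) -> dict:
    """Parse one constructed log line: ts client qname qtype rcode answers ttl."""
    ts, src, qname, qtype, rcode, answers, ttl = line.split()
    return {"ts": ts, "src": src, "qname": qname.lower().rstrip("."), "qtype": qtype,
            "rcode": rcode, "answers": [] if answers == "-" else answers.split(","),
            "ttl": int(ttl)}


def find_iocs(lines):
    """Return sorted (indicator, subject, detail) tuples found in the lines."""
    per_client = defaultdict(Counter)   # client -> rcode counts
    per_domain = Counter()              # qname -> query count
    flux_ips = defaultdict(set)         # qname -> distinct A records seen
    flux_ttl = {}                       # qname -> smallest TTL seen
    for rec in map(parse_line, lines):
        per_client[rec["src"]][rec["rcode"]] += 1
        per_domain[rec["qname"]] += 1
        if rec["qtype"] == "A" and rec["answers"]:
            flux_ips[rec["qname"]].update(rec["answers"])
            flux_ttl[rec["qname"]] = min(rec["ttl"], flux_ttl.get(rec["qname"], rec["ttl"]))
    iocs = []
    for src, codes in per_client.items():
        total = sum(codes.values())
        failed = codes["NXDOMAIN"] + codes["SERVFAIL"]
        if total >= MIN_QUERIES and failed / total >= FAIL_RATIO:
            iocs.append(("repeated-failures", src, f"{failed}/{total} NXDOMAIN/SERVFAIL"))
    for qname, n in per_domain.items():
        if n >= HIGH_VOLUME:
            iocs.append(("high-volume", qname, f"{n} queries"))
    for qname, ips in flux_ips.items():
        if len(ips) >= FLUX_IPS and flux_ttl[qname] <= FLUX_TTL:
            iocs.append(("fast-flux", qname, f"{len(ips)} addresses, ttl {flux_ttl[qname]}"))
    return sorted(iocs)


# Constructed log lines (RFC 5737 documentation addresses), not captured data
SAMPLE_LOG = (
    # normal browsing from one client
    [f"2024-01-01T10:00:{i:02d}Z 10.0.0.5 www.example.com A NOERROR 192.0.2.10 3600" for i in range(5)]
    # a host cycling through names that do not exist
    + [f"2024-01-01T10:01:{i:02d}Z 10.0.0.8 host{i}.nxd.example A NXDOMAIN - 0" for i in range(12)]
    # a host querying one name far more often than a browser would
    + [f"2024-01-01T10:02:{i % 60:02d}Z 10.0.0.9 beacon.example A NOERROR 198.51.100.7 60" for i in range(60)]
    # a name that returns a different short-lived address on every lookup
    + [f"2024-01-01T10:03:{i:02d}Z 10.0.0.5 flux.example A NOERROR 203.0.113.{i + 1} 120" for i in range(6)]
)

if __name__ == "__main__":
    for indicator in find_iocs(SAMPLE_LOG):
        print(*indicator)
```

Each indicator here is a hint rather than a verdict: a misconfigured search domain also produces NXDOMAIN streams, and large CDNs rotate addresses with short TTLs, so these findings are best correlated with the reputation and spoofing indicators before acting on them.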
SASE DNS Proxy, IDPS, and firewalls play a significant role not only in mitigating risks for users but also in providing valuable insights through the logs generated by the SASE system.
In our view, DNS-based security serves as the first line of defense for both users and DNS infrastructure, as DNS is consulted before actual data transactions occur. Detecting attacks as early as possible is crucial for effective security. While DNS-based security may not be prominently featured in much of the current SASE/SSE literature, we firmly believe that SASE/SSE services should incorporate DNS-based security.
CTO Insights blog
The Aryaka CTO Insights blog series provides thought leadership for network, security, and SASE topics. For Aryaka product specifications refer to Aryaka Datasheets.