There’s one key part of your network infrastructure that you’re probably not monitoring, even though it keeps you connected, can tell you a lot about what’s happening inside your business – and is an increasing source of attacks. DNS isn’t just for domain names any more.

While those certainly matter, DNS isn't just for looking up web URLs any more; it's used by software to check licences, by video services to get around firewalls and, all too often, by hackers stealing data out of your business. Plus, your employees may be gaily adding free DNS services to their devices, which at the very least means you're not in full control of your network configuration. DNS is a fundamental part of your infrastructure that's key to business productivity, as well as a major avenue of attack, and you probably have very little idea of what's going on in it.

DNS is the most ubiquitous protocol on the Internet, but it may also be the most overlooked. Data leak prevention (DLP) systems, which inspect the protocols used by email, web browsers, peer-to-peer software and even Tor, often ignore DNS. “Nobody looks at DNS packets, even though DNS underpins everything,” says Cloudmark CTO Neil Cook. “There’s web and email, but DNS sits there wide open for a lot of DLP.”

Data lost in the Sally Beauty breach last year was exfiltrated disguised as DNS query packets, but Cook points out some unexpected yet legitimate uses: “Sophos uses DNS tunnelling to get signatures; we can even use it for licensing.”

A number of vendors are starting to offer DNS tools, from Infoblox’s appliances to OpenDNS’ secure DNS service; Palo Alto Networks is starting to offer DNS inspection services, U.K. domain registry Nominet has just launched its Turing DNS visualisation tool to help businesses spot anomalies in their DNS traffic, and Cloudmark analyzes patterns of DNS behavior to help detect links in email going to sites that host malware. There are also any number of plugins for common monitoring tools that will give you basic visibility of what’s going on.

DNS attacks are a widespread problem

In a recent Vanson Bourne study of U.S. and U.K. businesses, 75 percent said they’d suffered a DNS attack (including denial of service and DNS hijacking as well as data theft through DNS), with 49 percent having experienced an attack during 2014. Worryingly, 44 percent said it was hard to justify investments in DNS security because senior management didn’t recognize the issue.

That’s because they think of DNS as a utility, suggests Nominet CTO Simon McCalla. “For most CIOs, DNS is something that happens in the background and isn’t a high priority for them. As long as it works, they’re happy. However, what most of them don’t realize is that there is a wealth of information inside their DNS that tells them what is going on within their network internally.”

Liu is blunter: “I’m surprised how few organizations bother to do any kind of monitoring of their DNS infrastructure. DNS doesn’t get any respect, yet TCP/IP networks don’t work without DNS; it's the unrecognized linchpin.” Liu insists “it’s not rocket science to put in monitoring of your DNS infrastructure; there are lots of mechanisms out there for understanding what queries DNS servers are handling and their responses. And you really ought to be doing it, because this infrastructure is no less critical than the routing and switching infrastructure that actually moves packets across your network.”

Usually, he finds, demonstrating the threat is enough to get management’s attention. “Most CIOs, once they see an infected machine inside the network with the kind of bidirectional channel you can set up between an endpoint and a server on the Internet, realize they need to do something about it. It’s just a matter of being confronted with the cold, hard reality.”

Tackling DNS security

First, you need to stop thinking of DNS as something that’s about the network and just “part of the plumbing,” says David Ulevitch, CEO of OpenDNS (which Cisco is in the process of acquiring).

“It used to be network operators who ran your DNS, and they were looking at it in terms of making sure the firewall was open, and not blocking what they viewed as a critical element of connectivity as opposed to a key component of security policy, access control and auditing. But we live in a world today where every network operator has to be a security practitioner.”

If you actively manage your DNS, you can apply network controls at a level employees (and attackers) can’t work around. You can detect phishing attacks and malware command and control more efficiently at the DNS layer than using a web proxy or doing deep packet inspection, and you can detect it as it happens rather than days later.

“DNS is a very good early warning system,” says Liu. “You can pretty much at this point assume you have infected devices on your network. DNS is a good place to set up little tripwires, so when malware and other malicious software gets on your network, you can easily detect its presence and its activity, and you can do some things to minimize the damage it does.” You could even see how widespread the infection is, by looking for similar patterns of behaviour.

Services like OpenDNS and Infoblox can also look beyond your own network. “It’s very easy to build a baseline of what normal looks like and do anomaly detection,” Ulevitch says. “Suppose you’re an oil and gas business in Texas, and a new domain in China pops up pointing at an IP address in Europe, and no other oil companies are looking at that domain. Why should you be the guinea pig?”
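The “tripwire” and baselining ideas above, and the Sally Beauty-style exfiltration disguised as DNS queries mentioned earlier, can be turned into a simple detector over resolver query logs. The following is an added example written for this article, not code from any vendor named here; the log format, the domain names and the thresholds are constructed, and the two-label `registered_domain` heuristic stands in for a Public Suffix List lookup.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query log, "<time> <client> <qtype> <qname>"; the TXT queries for
# t1.evil.example carry long hex labels, the shape of data being smuggled out in names.
SAMPLE_LOG = """\
2015-06-01T09:00:01 10.1.2.3 A www.paypal.com
2015-06-01T09:00:02 10.1.2.3 A www.salesforce.com
2015-06-01T09:00:03 10.1.2.9 TXT 4a6f686e20536d6974682c2034.31322d33343536.t1.evil.example
2015-06-01T09:00:03 10.1.2.9 TXT 9f8e7d6c5b4a39281706f5e4d3.c2b1a0ff0e1d2c.t1.evil.example
2015-06-01T09:00:04 10.1.2.9 TXT 0011223344556677889900aabb.ccddeeff001122.t1.evil.example
2015-06-01T09:00:05 10.1.2.4 A mail.google.com
"""

def shannon_entropy(s):
    """Bits per character; hex or base32 payloads score well above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    # Last two labels only (assumption); production code should use the Public Suffix List.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text):
    for line in text.splitlines():
        ts, client, qtype, qname = line.split()
        yield ts, client, qtype.upper(), qname.lower().rstrip(".")

def score_domains(records, min_queries=3):
    """Aggregate per registered domain; return {domain: [reasons]} for suspicious ones."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "qtypes": Counter(), "maxlab": 0, "ent": 0.0})
    for _ts, _client, qtype, qname in records:
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")          # everything left of the registered domain
        s = stats[dom]
        s["n"] += 1
        s["names"].add(qname)
        s["qtypes"][qtype] += 1
        s["maxlab"] = max([s["maxlab"]] + [len(l) for l in sub.split(".") if l])
        s["ent"] += shannon_entropy(sub.replace(".", ""))
    flagged = {}
    for dom, s in stats.items():
        if s["n"] < min_queries:                       # too few queries to judge against a baseline
            continue
        reasons = []
        if len(s["names"]) / s["n"] >= 0.9 and s["maxlab"] >= 20:
            reasons.append("many unique long subdomains (tunnelling shape)")
        if s["ent"] / s["n"] > 3.0:
            reasons.append("high subdomain entropy")
        if (s["qtypes"]["TXT"] + s["qtypes"]["NULL"]) / s["n"] >= 0.5:
            reasons.append("mostly TXT/NULL record types")
        if reasons:
            flagged[dom] = reasons
    return flagged
```

Run `score_domains(parse_log(SAMPLE_LOG))` to get the flagged domains with their reasons; in practice the thresholds should be tuned against a week or so of your own resolver's traffic so that legitimate tunnelling users such as the signature updates mentioned above can be whitelisted explicitly.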

You also need to monitor how common addresses are resolved on your network – hackers can try to redirect lookups for sites like PayPal to their own malicious sites – and where your external domain points to. When Tesla's website was recently redirected to a spoof page put up by hackers, who also took control of the company's Twitter account (and used it to flood a small computer repair store in Illinois with calls from people they'd fooled into believing they'd won free cars), the attackers also changed the name servers used to resolve the domain name. Monitoring its DNS might have given Tesla a heads-up that something was wrong before users started tweeting pictures of the hacked site.

That doesn’t only matter if you’re targeted by a DNS attack. “Organizations should look at DNS performance because it will have a material impact on everything you do online. Every time you send an email or open an app you're doing DNS requests. These days, web pages are very complex and it's not uncommon to have more than 10 DNS requests to load a page. That can be a whole extra second or more, just to handle the DNS components of loading a page.”

Tracking business behavior

Monitoring DNS can also give you a lot of information about what’s going on across the business, well beyond the network. “We live in a world where the network perimeter is becoming ephemeral and services are easy to adopt,” Ulevitch points out. “A marketing manager can sign up for Salesforce; if you’re looking at DNS, you can see that. You can see how many employees are using Facebook. You can see devices showing up on your network, whether because they’re checking licences or doing data exfiltration. If you have a hundred offices, you can still see who is connecting devices.”

That’s not just PCs either, he points out; printers and televisions and IoT devices are increasingly connecting to your business network. “Do I want my TVs phoning home? If you look at the Samsung privacy policy, it says the TV has a microphone that might be listening at any time; do I really want that in the corporate boardroom? Maybe I want to apply DNS policies so my TVs can't phone home.”

Infoblox’s Liu agrees. “IoT devices are often not designed with a lot of security in mind. You want to make sure devices are connecting where they should be and that if someone throws something else onto your IoT network they can't access your internal network. DNS is a useful place to monitor and control that access.”

And because you’re already using DNS, monitoring it isn’t disruptive, Ulevitch points out. “Usually in security, the reason most things aren't used is the effort needed to make sure they don’t have a detrimental effect on user performance.”

In fact, you need a good reason not to do this, he says. “There are basic best practices in security, and one of them is network visibility. Not being able to see the traffic on your network means you’re flying blind. Finding a way to inspect DNS traffic is a fundamental requirement for strong security. Not knowing what’s happening on your network is borderline negligent.”

