Should a DNS Firewall be part of your defence-in-depth strategy?

[Image: Infoblox Reporting server automatically identifies infected devices when malware attempts to call home, reducing the time and cost of removing APT malware]

There has been a slew of DNS Firewall related market activity recently, which makes me wonder whether DNS Firewall products and solutions are finally gaining market acceptance.

OpenDNS is probably the best-known DNS Firewall vendor, operating a global network of recursive servers that anyone can use for free, with the option to filter and block queries for undesirable domain names (such as adult or gambling sites, or domains hosting malware). They have been doing this successfully for a number of years, and Cisco recently announced its intention to acquire OpenDNS for the tidy sum of $635m in cash. That certainly raised eyebrows at Calleva Networks HQ!

Just a week later, Verisign announced the launch of an OpenDNS rival, imaginatively called "Verisign DNS Firewall". This is another cloud-based solution, and if Verisign and Cisco are both trying to get in on the act, there must be demand from the market for this kind of technology.

But what if you want to run an on-premises solution? The good news is that all the main DDI vendors have now launched DNS Firewall solutions as well, typically implemented with Response Policy Zones (RPZ) on the recursive resolver, so you can filter queries for known-bad domains on your own resolvers before they are forwarded upstream.

To encourage companies to evaluate a DNS Firewall, Calleva Networks recently launched a DNS malware assessment service. Our first assessment was for a large European petro-chemical group, and during 90 minutes of DNS packet capture we identified numerous DNS queries associated with Cryptolocker ransomware domains, Ponmocup botnet communications, and lookups for domains that appear on active blacklists published by Alienvault, Threatstop, Malwaredomainlist and others. The results were truly terrifying! How did this stuff get onto the network in the first place? Traditional perimeter-based security cannot hope to stop malware that walks in on infected mobile devices, so organisations try to combat it with MDM solutions and strict Wi-Fi authentication, yet malware clearly still gets inside despite these often complex and expensive controls. What the DNS layer adds is that infected devices reveal themselves the moment they try to resolve their command-and-control domains.
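The two steps above, matching captured queries against a domain blocklist and then turning that blocklist into a policy the on-premises resolver enforces, are small enough to show end to end. The following is an added example and not Calleva Networks' assessment tooling: it parses BIND-style query log lines, walks each name up its parent labels so that any subdomain of a listed domain matches (the same semantics an RPZ wildcard trigger gives you) while rejecting partial-label look-alikes, tallies hits per client, and renders a BIND Response Policy Zone that returns NXDOMAIN for the listed names. Every domain, IP address, log line and the zone origin `rpz.local.` is constructed for the example; swap in a real feed and real resolver logs to use it.

```python
"""
Added example (not Calleva Networks code): match DNS query log lines against a
domain blocklist, the way a DNS malware assessment does, then emit a BIND
Response Policy Zone (RPZ) an on-premises DNS firewall would load to block
the same names. All domains, addresses and log lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed blocklist standing in for feeds such as Malwaredomainlist.
# Entries are apex domains; matching also covers every subdomain of each.
BLOCKLIST = {
    "ransom-c2.example",
    "botnet-tracker.example.net",
    "payload-host.example.org",
}

# Constructed query log in BIND's "query:" category layout
# (timestamp, client ip#port, (name), query: name class type flags (server)).
QUERY_LOG = """\
07-Jul-2015 09:12:01.114 client 10.20.30.41#51234 (www.example.com): query: www.example.com IN A + (10.20.30.1)
07-Jul-2015 09:12:02.771 client 10.20.30.41#51240 (a7f3.ransom-c2.example): query: a7f3.ransom-c2.example IN A + (10.20.30.1)
07-Jul-2015 09:12:03.020 client 10.20.30.77#60001 (botnet-tracker.example.net): query: botnet-tracker.example.net IN TXT + (10.20.30.1)
07-Jul-2015 09:12:05.900 client 10.20.30.77#60002 (BOTNET-TRACKER.EXAMPLE.NET.): query: BOTNET-TRACKER.EXAMPLE.NET. IN A + (10.20.30.1)
07-Jul-2015 09:12:06.331 client 10.20.30.99#40000 (notransom-c2.example): query: notransom-c2.example IN A + (10.20.30.1)
07-Jul-2015 09:12:07.002 client 10.20.30.41#51250 (cdn.payload-host.example.org): query: cdn.payload-host.example.org IN AAAA + (10.20.30.1)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+ \S+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case and drop the trailing dot so names compare consistently."""
    return name.rstrip(".").lower()


def blocked_by(qname, blocklist):
    """Return the blocklist entry covering qname (exact or a parent domain), or None.

    Walks up whole labels: a7f3.ransom-c2.example -> ransom-c2.example -> example.
    A partial-label look-alike such as notransom-c2.example therefore does not match.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_log(log_text, blocklist):
    """Return (hits, per_client): hits is a list of
    (client, normalized qname, qtype, matched entry); per_client maps each
    client IP to the set of blocklist entries it resolved."""
    hits = []
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        entry = blocked_by(m["qname"], blocklist)
        if entry:
            hits.append((m["client"], normalize(m["qname"]), m["qtype"], entry))
            per_client[m["client"]].add(entry)
    return hits, dict(per_client)


def rpz_zone(blocklist, origin="rpz.local."):
    """Render an RPZ zone for the blocklist. In RPZ, 'CNAME .' on a trigger
    name makes the resolver answer NXDOMAIN; the '*.' trigger covers every
    subdomain. 'origin' is a constructed zone name for this example."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. (1 3600 600 86400 300)",
        "@ IN NS localhost.",
    ]
    for domain in sorted(blocklist):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits, per_client = scan_log(QUERY_LOG, BLOCKLIST)
    for client, qname, qtype, entry in hits:
        print(f"{client} resolved {qname} ({qtype}) -> matches {entry}")
    print()
    print(rpz_zone(BLOCKLIST))
```

Two details matter in practice. Names arrive in mixed case and with or without the trailing dot (the fourth constructed line), so normalise before comparing; and match on whole labels, otherwise a feed entry like `ransom-c2.example` would also flag the unrelated `notransom-c2.example`. The generated zone is only useful if the resolver is configured to consult it (a `response-policy` statement in BIND) and if the feed is refreshed; a stale RPZ is a firewall with last month's rules.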

Taken together with the other DNS-related threats, such as DNS-based DDoS and data exfiltration over DNS, we believe organisations should be considering dedicated DNS security products as an additional layer in their defence-in-depth strategy. The good news is that Calleva Networks can provide solutions that protect an organisation from internal threats as well as from the external threats that can affect its web presence and reputation.

Please feel free to contact us or comment below to discuss this topic in more detail.

About Paul Roberts

Paul has spent his entire career within the IT industry and since 1997 has been deploying DNS, DHCP and IPAM solutions globally. Paul is a regular guest speaker at exhibitions and seminars.
