Advanced Protective DNS Blocks Malware Beaconing

Called Internal Authoritative DNS, or IADNS, this advanced form of PDNS shields organizations from both known and unknown sources of DNS-based cyberattacks

Nancy Grady

The recent supply chain attack leveraging SolarWinds software demonstrated that malware still penetrates firewalls with sophistication and stealth, bypassing current detection programs. Earlier cyberattack connections leveraged specific IP addresses, but this became too easy for monitoring systems to detect. Malicious actors then began to leverage domain names for their malware attacks.

The Domain Name System, or DNS, is a fundamental protocol of the Internet but was not designed with security in mind. In the DNS, every server has an IP address. To reach a site, a domain query is made to a DNS resolver, which relays the request to the appropriate nameserver, which holds the IP address registered for that domain.

DNS resolvers, which convert domain names into IP addresses and relay them back, do not determine the legitimacy of a nameserver assigned to a domain name, trusting that it is benign. Through a process called DNS cache poisoning, or DNS spoofing, adversaries impersonate a nameserver for their command-and-control (C2) site. The DNS resolver saves this malicious server's IP in its cache, thus providing the channel through which malware inside an unsuspecting organization beacons out, receives malicious code, or exfiltrates data. Another technique — like the one behind the SolarWinds attack — uses bogus computer-generated subdomain names (GDNs) as a mechanism for the malware to pass information back to its C2 server.

Cyber defenders and cybersecurity solution vendors want to thwart such malware-beaconing attacks by defeating DNS spoofing and the subsequent connection to the C2 site belonging to a threat actor. The National Security Agency (NSA) and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) recently published a joint paper recognizing this security challenge, recommending the use of a Protective Domain Name System, or PDNS. According to NSA and CISA, a PDNS service provider analyzes DNS queries and prevents them from going to identified malicious domains. PDNS services use open source, commercial, and governmental information on identified threat domains.

Threat intelligence used in PDNS services identifies only known malicious domains, thereby creating a blacklist. While NSA and CISA's recommendations are necessary to block known malicious sites, this intel-backed approach still would not have stopped the SolarWinds attack. PDNS is not sufficient, since it still leaves organizations vulnerable to attacks from unknown malicious domains, typically for months, until the malware is finally detected — as in the SolarWinds attack.

Open Internet or free DNS services have significant susceptibilities to a range of attack vectors and do nothing to mitigate malware beaconing. Protective DNS is one step above public DNS services but is still insufficient in building a comprehensive zero-trust environment.

A zero-trust DNS service shuts off attack vectors from all unknown domains, allowing only communications with legitimately registered ones. SAIC provides such a zero-trust DNS system as-a-service.

A zero-trust DNS blocks malware

A zero-trust protective DNS service would mitigate unknown malware beaconing rather than waiting until a malicious domain has been identified as a known threat. Such an Internal Authoritative DNS service, or IADNS, requires that each DNS request be made to a legitimately registered domain. Current PDNS solutions do not provide this capability, since they don't have access to authoritative data. When malware inside the organization queries the IADNS resolver for a domain that is not legitimately registered, the software recognizes the request as non-authoritative and simply does not answer — thereby blocking communication back to the attacker's C2 server. In the SolarWinds attack, GDN requests were blindly transmitted to the malicious C2 server, with DNS cache poisoning planting the nameserver IP into a DNS resolver despite the domain being unregistered. The IADNS would have stopped this unknown malware beaconing.

IADNS nodes are secure

An IADNS does not use BIND and never uses cached data. BIND is the core technology used in most DNS servers, and it is a very old code base. Servers are also exposed through their operating systems or their virtual machines, which require great care to lock down. In an IADNS service, all nodes use a hardened, tamper-proof platform that runs on a proprietary kernel that only does DNS queries. All data and the software itself are encrypted on the platform, preventing attacks that could lead to cache poisoning.

IADNS has the Internet root data

In those cases where nodes in the IADNS do not have the authoritative records, they use the node's root data to send requests directly to the authoritative source. IADNS differs from other approaches that send the user to the root server for DNS and are vulnerable to man-in-the-middle (MitM) attacks. The first to respond wins on the Internet, so a rogue server placed close to the target could reply faster than the root server. A solution with the root data removes the risk of this "last-mile" attack, which attempts to divert the request to a DNS server through speed-to-response, cache poisoning, or Border Gateway Protocol (BGP) route hijacking.

IADNS provides resilience

Organizations relying on the public DNS are vulnerable when a region of the network is under attack and response is degraded or denied — as was the case during the Dyn cyberattack in 2016. Dyn hosted DNS services for large firms that included GitHub, Twitter, PayPal, and Amazon. Those firms' sites were degraded or unavailable due to the intense regional traffic in the distributed denial-of-service (DDoS) attack. An IADNS service would continue operating because it does not rely on external DNS but rather on its own authoritative DNS data.

SAIC's solution

Such a revolutionary zero-trust IADNS service exists. SAIC has an IADNS PDNS service to protect organizations from an entire class of attacks using DNS spoofing or cache poisoning. Each SAIC hardened IADNS node contains roughly 70% of the Internet's authoritative DNS records, or 170 million "A records" — as well as the internet root data. The node determines whether the requested domain is legitimate and does so within a millisecond or less, which is 30 times faster than solutions built on the traditional BIND DNS.

The system alerts the security center that an attempt was made to reach an illegitimate site and identifies the likely-compromised internal IP address. SAIC provides IADNS as-a-service (aaS), so there is no complex integration or maintenance, and it provides increased security and resilience. SAIC's solution is an advanced protective DNS that blocks even unidentified malware's ability to connect to its C2 server by placing hardened DNS nodes with authoritative records at the edge of the enterprise.
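The answer-only-if-registered policy described in the "A zero-trust DNS blocks malware" section, together with the security-center alert on the querying internal host described just above, can be modelled in a few lines. This is an added illustration and not SAIC's code; the registry contents, query names, and IP addresses are constructed sample data, and the registered-domain rule (last two labels) is a simplifying assumption.

```python
"""Authoritative-only DNS policy, simulated (added example, not SAIC's code).
A node holds a registry of legitimately registered zones; a query whose
registered domain is absent is left unanswered and the querying host's IP is
reported. All names, addresses and records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the node's authoritative A records.
AUTHORITATIVE_A_RECORDS = {
    "example.com": "192.0.2.10",
    "example.net": "192.0.2.20",
}

@dataclass
class Verdict:
    qname: str
    client_ip: str
    answer: Optional[str]  # resolved address, or None when dropped
    alert: Optional[str]   # text sent to the security center, or None

def registered_domain(qname: str) -> str:
    """Reduce a query name to its registered domain (last two labels).
    Assumes two-label registrations; public-suffix handling is omitted."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def resolve(qname: str, client_ip: str) -> Verdict:
    """Answer only if the registered domain exists in authoritative data."""
    domain = registered_domain(qname)
    if domain in AUTHORITATIVE_A_RECORDS:
        return Verdict(qname, client_ip, AUTHORITATIVE_A_RECORDS[domain], None)
    # Unregistered domain: no answer, so a beacon to it never resolves,
    # and the likely-compromised internal host is flagged for follow-up.
    alert = f"unregistered domain {domain} queried by {client_ip}"
    return Verdict(qname, client_ip, None, alert)

# Constructed query log: two legitimate lookups and one DGA-style
# subdomain beacon toward a domain that is not registered anywhere.
SAMPLE_QUERIES = [
    ("www.example.com", "10.0.0.5"),
    ("mail.example.net.", "10.0.0.6"),
    ("kq7x2m9zv4.not-registered-example.test", "10.0.0.9"),
]

if __name__ == "__main__":
    for qname, ip in SAMPLE_QUERIES:
        print(resolve(qname, ip))
```

The third query produces no answer and an alert naming 10.0.0.9, which is the host a responder would triage first.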


Posted by: Nancy Grady

Chief Data Scientist and Solutions Architect

Nancy Grady is chief data scientist and solutions architect in the cyber practice within SAIC’s Strategy, Growth, and Innovation organization. She leads the development of gray/red cyberspace intelligence solutions and the merging of the cyber and electromagnetic-spectrum domains for situational awareness capabilities for SAIC’s customers.

Grady has 35 years of experience in the application of machine learning techniques for data and text analytics systems. She joined SAIC in 2002 to work on text analytics for patent search and later was the analytics lead for a Centers for Disease Control and Prevention program. She then led analytics development support for a Department of Homeland Security effort.

Grady has led a number of SAIC research and development efforts for cyber analytics, big data analytics applications, event situational awareness from open source text, and modeling geospatial outbreak detection. She was instrumental in the creation of SAIC’s process methodology for big data analytics.

Grady, a Ph.D., was the lead editor for the ISO 20546, “Information Technology — Big Data — Overview and Vocabulary” and for the NIST SP 1500-1 and 1500-2 standards for big data definitions and taxonomy. She serves on the industrial track program committee of the IEEE International Conference on Big Data.

Prior to joining SAIC, Grady was a Wigner Fellow and physics researcher at Oak Ridge National Laboratory, performing theoretical modeling of materials. She earned her Ph.D. in theoretical physics from the University of Virginia. She was a dual major in physics and honors mathematics at the University of Tennessee.

In her free time, Grady pursues her loves of bicycling, photography, and travel with her husband and daughter.
