For many years, businesses have faced the challenge of combining an increasingly complex user environment with differing security requirements. Servers, clients, smartphones, network devices, working at different locations, working from home, with or without a VPN connection: the only constant is the threat from malware and attackers.

For quite some time, OpenDNS has offered a solution that manages to combine all these requirements with security without adding complexity. DNS (Domain Name System) is responsible for finding the IP addresses behind domain names. Every one of us, or rather every one of our devices, uses DNS daily; most of our applications would not work without it. Or do you happen to know the IP address of www.google.at?

OpenDNS takes advantage of precisely this universality of DNS and applies the security lever exactly here. Queries are sent to the OpenDNS servers instead of to the provider's DNS server or to the well-known Google DNS server 8.8.8.8. These servers act as recursive name servers, meaning they look up the IP behind, for instance, www.nts.eu. As long as a legitimate address stands behind the name, the response is returned as normal, with very good response times.

ENTERING UMBRELLA…

If, however, the domain name being resolved hides, for example, a web page that delivers malware or a command-and-control server, the OpenDNS servers will not return the address. Instead, the requesting client is told that the domain does not exist (NXDOMAIN). If an attacker tries to lure a member of your staff, e.g. via a phishing mail, onto a page under his control, OpenDNS Umbrella helps to identify and block the attack.

ANALYTICS

But how does OpenDNS identify a malicious domain? The more than 80 billion DNS queries reaching OpenDNS every day allow many kinds of correlation (keyword: Big Data). If, for example, certain domains are always queried together within a short period of time, they are apparently connected somehow. If some of these domains are already known to be malicious, the others can, with a certain probability, be assigned a bad reputation.

Something similar is possible with the interaction of IP addresses. If the IP address behind a queried domain is located in a rather shady neighborhood of the internet, it is probably not a good idea to allow a client to connect there. Abnormal behavior can also indicate that the owners of certain domains are up to no good: if, for instance, a domain is hosted in Russia but only clients from Austria and Germany try to connect to it, this can be an indication that it is not a legitimate web presence.

ON- AND OFF-NETWORK SECURITY

One of the main advantages of OpenDNS is that we already use DNS, and not only to browse the web but also to send e-mail, receive updates or synchronize clocks. It is therefore sufficient to redirect the queries that would usually go to the provider's name server, and the integrated security of OpenDNS can be used instantly. Since all devices, from mobile devices to servers, use DNS, this method can be applied to all of them as well.

If employees who are out of the office use cloud services and do not want to work over a VPN connection, an agent can be installed on these devices to ensure that DNS queries still reach the OpenDNS cloud. Since version 4.3 of the Cisco AnyConnect Secure Mobility Client, this function is even integrated as a module.

Within the company network, the roaming agent can adapt its behavior and direct queries to a local virtual appliance. This can be integrated with Active Directory, which allows access to domains to be permitted or blocked based on group memberships; the logging information is thereby enriched with user information.

Sometimes it is not possible to decide at domain level whether access should be permitted. Cloud services are also used by attackers; blocking them completely would greatly restrict users' options and could make services already in use inaccessible. When a client requests such a domain, OpenDNS can use the Intelligent Proxy. If this feature is activated, requests to these grey domains are redirected through a proxy. Since the proxy sees the full URL, it is better placed to decide whether access should be permitted.
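To make the three mechanisms above concrete (co-query correlation for reputation, NXDOMAIN for bad domains, proxying of grey domains), here is a small model written for this article. It is not OpenDNS code; the 5-second window, the threshold of 2, the domain names and the query log are all constructed assumptions.

```python
"""Toy model of DNS-level controls: derive reputation from co-queries, then
decide per query whether to answer NXDOMAIN, proxy, or resolve normally."""
from collections import defaultdict
from itertools import combinations

WINDOW = 5  # seconds; "queried together within a short period" (assumed value)

# Constructed sample query log: (epoch seconds, client, queried domain)
QUERY_LOG = [
    (100, "10.0.0.5", "update.example-vendor.test"),
    (101, "10.0.0.5", "cdn.example-vendor.test"),
    (200, "10.0.0.7", "known-bad.test"),
    (201, "10.0.0.7", "unknown-a.test"),
    (202, "10.0.0.7", "unknown-b.test"),
    (300, "10.0.0.9", "known-bad.test"),
    (301, "10.0.0.9", "unknown-a.test"),
    (400, "10.0.0.9", "unknown-b.test"),  # too far from known-bad to count
]
KNOWN_BAD = {"known-bad.test"}               # constructed blocklist
GREY = {"files.shared-cloud.test"}           # hypothetical cloud-storage domain

def co_query_scores(log, known_bad, window=WINDOW):
    """Count, per unknown domain, how often the same client queried it within
    `window` seconds of a known-bad domain. Higher count = worse reputation."""
    by_client = defaultdict(list)
    for ts, client, domain in log:
        by_client[client].append((ts, domain))
    scores = defaultdict(int)
    for events in by_client.values():
        events.sort()  # chronological, so t1 <= t2 in every pair below
        for (t1, d1), (t2, d2) in combinations(events, 2):
            # exactly one side of the pair must be a known-bad domain
            if t2 - t1 <= window and (d1 in known_bad) != (d2 in known_bad):
                scores[d2 if d1 in known_bad else d1] += 1
    return dict(scores)

def resolve_policy(domain, scores, known_bad=KNOWN_BAD, grey=GREY, threshold=2):
    """Resolver decision: NXDOMAIN for known or correlated-bad domains,
    PROXY for grey domains (URL-level decision), RESOLVE otherwise."""
    if domain in known_bad or scores.get(domain, 0) >= threshold:
        return "NXDOMAIN"
    if domain in grey:
        return "PROXY"
    return "RESOLVE"

if __name__ == "__main__":
    scores = co_query_scores(QUERY_LOG, KNOWN_BAD)
    for name in ("unknown-a.test", "unknown-b.test", "files.shared-cloud.test"):
        print(name, scores.get(name, 0), resolve_policy(name, scores))
```

Note how unknown-b.test stays resolvable: a single co-occurrence is weak evidence, which is why the reputation is assigned only "with a certain probability" rather than on the first hit.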

NEED MORE? INVESTIGATE!

Beyond the protection of OpenDNS Umbrella, there is another product in this family: Investigate. With Investigate, security personnel such as analysts or incident responders can directly query information about domains, IPs, ASNs and so on. Either via a web console or via integration into a SIEM system such as Splunk, possible attacks can be recognized quickly and a defense against them worked on.

OpenDNS thus offers protocol-independent protection at DNS level and makes the gathered information available so that defenders can quickly obtain an overview of the current security situation from a single source. Any location and any client can be incorporated into the security concept with minimal effort.

PS: DNS can also help you at home: Info.

Thomas Fellinger
Senior Systems Engineer
03.04.2018
