By Mohammad Jamal Tabbara, Head of Solutions Architects, Middle East, Turkey & Africa at Infoblox
In today’s rapidly evolving cybersecurity landscape, organizations are adopting Zero Trust (ZT) frameworks to protect themselves from increasingly sophisticated cyber threats. Zero Trust, a security model predicated on the assumption that breaches are inevitable, operates under the principle of “never trust, always verify.” It assumes that attackers may already be inside the network and seeks to minimize their potential impact. But while Zero Trust frameworks significantly bolster security, one crucial element is often overlooked: the Domain Name System (DNS).
Why Zero Trust now?
The need for Zero Trust is more pressing than ever. The digital transformation that underpins most modern enterprises has ushered in an era of hyperconnectivity, with organizations adopting hybrid and multi-cloud environments to increase flexibility, scalability, and collaboration. With these advances come an ever-expanding attack surface and increasingly sophisticated threats: ransomware, phishing, lookalike spear-phishing domains, and AI-based attacks. The widespread use of IoT and the rise of remote work add yet more devices and locations to defend, which traditional perimeter-based security models were never designed to handle.
Because attackers who breach one system can move laterally within a network quickly, Zero Trust aims to contain the damage by enforcing strict access controls, segmenting networks, and continuously verifying the legitimacy of users and devices. However, for Zero Trust to truly work in modern cloud-based infrastructures, it must account for DNS, a fundamental yet often implicitly trusted component of the network.
DNS: An Overlooked Open Door
In traditional security models, DNS is implicitly trusted: resolvers answer whatever they are asked, and nothing inspects the question. That oversight is a significant gap in Zero Trust implementations, because attackers rely on DNS to run their campaigns. DNS is integral to hybrid, multi-cloud environments, resolving domain names into IP addresses so that users and devices can reach resources, but it has also become a common vector for malicious activity, including ransomware, phishing, lookalike domains, and zero-day DNS threats (newly registered or never-before-seen domains that no blocklist has caught up with yet).
A malicious actor can exploit DNS in several ways: using it as a Command and Control (C2) channel, tunnelling stolen data out of the network inside the labels of DNS queries, and registering fraudulent domains that resemble legitimate ones to trick users into divulging credentials. If an organization’s Zero Trust strategy does not account for DNS, it can unknowingly allow resolution of harmful domains, putting the entire network at risk even while every other control is in place.
To build a robust Zero Trust strategy, DNS must not be implicitly trusted. Rather, queries should be logged, monitored, and checked against policy so that only the resolution of legitimate names succeeds. DNS security should be an integral part of the Zero Trust model so that malicious actors cannot use DNS as a back door.
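As an added illustration of the monitoring this section calls for (example code written for this page, not Infoblox’s product or code), here is a small detector that scores resolver query logs for the classic signs of DNS tunnelling and exfiltration: unusually long labels, high-entropy subdomains, and many unique names under one zone carrying record types such as TXT. The log lines, the thresholds and the crude two-label zone cut are constructed assumptions for illustration; production tooling would use the Public Suffix List and tune the thresholds against its own baseline.

```python
# Added example (not from the original article): heuristics for spotting
# DNS-based C2 / exfiltration in resolver query logs. The log lines and
# thresholds below are constructed for illustration.
import math
from collections import defaultdict

# Constructed sample of resolver query logs, one "client qname qtype" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 3kj2h4k2j3h4k2j3h4k2j3h4kj23h4kj23h4.tunnel.example.net TXT
10.0.0.7 9a8s7d9a8s7d9a8s7d9a8s7d9a8s7d9a8s7d.tunnel.example.net TXT
10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBzZWNyZXQ.tunnel.example.net TXT
10.0.0.7 ZGF0YSBleGZpbHRyYXRpb24gdmlhIGRucw.tunnel.example.net TXT
10.0.0.9 cdn.example.org A
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded/random labels typically score above ~3.5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (client, qname, qtype) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower().rstrip("."), parts[2]


def registrable_domain(qname):
    """Crude 'last two labels' zone cut (assumption); real tooling should use the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])


def score_query(qname):
    """Per-query features: length and entropy of the longest label."""
    longest = max(qname.split("."), key=len)
    return len(longest), shannon_entropy(longest)


def detect_tunneling(log_text, max_label=30, min_entropy=3.5, min_unique=3):
    """Return {(client, zone): set_of_reasons} for client/zone pairs that look like tunnels."""
    names_per_zone = defaultdict(set)
    types_per_zone = defaultdict(set)
    flagged = defaultdict(set)
    for client, qname, qtype in parse_log(log_text):
        key = (client, registrable_domain(qname))
        names_per_zone[key].add(qname)
        types_per_zone[key].add(qtype)
        longest, ent = score_query(qname)
        if longest > max_label:
            flagged[key].add("long-label")
        if ent > min_entropy:
            flagged[key].add("high-entropy-subdomain")
    # Volume signal: many distinct names under one zone, using record types tunnels favour.
    for key, names in names_per_zone.items():
        if len(names) >= min_unique and types_per_zone[key] & {"TXT", "NULL", "CNAME"}:
            flagged[key].add("many-unique-subdomains-txt")
    return dict(flagged)


if __name__ == "__main__":
    for (client, zone), reasons in detect_tunneling(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {', '.join(sorted(reasons))}")
```

Only the 10.0.0.7 to example.net pair is flagged; the ordinary web and mail lookups from the other clients score below every threshold. Label length alone catches the repetitive tunnel labels that entropy misses, which is why the three signals are combined rather than relied on individually.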
Encrypted DNS for Privacy and Integrity
Encryption is also a key part of Zero Trust, protecting the confidentiality and integrity of traffic in transit. NIST SP 800-207 states that “all communication should be done in the most secure manner available,” and this includes DNS. By using DNS over TLS (DoT) or DNS over HTTPS (DoH) between endpoints and the enterprise resolver, organizations encrypt DNS queries so that an attacker on the path cannot read or rewrite them, and they authenticate the resolver through its TLS certificate. Two caveats matter in practice. First, DoT and DoH protect the hop to the resolver; they do not prove that the answer itself is genuine, which is what DNSSEC validation on the resolver provides. Second, encrypted DNS only supports Zero Trust when it terminates at a resolver the organization controls or approves; DoH to an arbitrary public resolver hides queries from the organization’s own monitoring just as effectively as it hides them from attackers.
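To make concrete what DoT does and does not provide, here is a minimal DNS-over-TLS client written for this page (not code from the article or from Infoblox) using only the Python standard library. The TLS context verifies the resolver’s certificate chain and hostname, which is the authentication the text refers to; the wire-format helpers show that the DNS message inside the tunnel is ordinary, unauthenticated DNS. The response bytes are constructed for the offline demonstration, and the commented-out live call uses Quad9’s public DoT endpoint (9.9.9.9, certificate name dns.quad9.net) purely as an example resolver.

```python
# Added example (not part of the original article): a minimal DNS-over-TLS
# client. It shows what DoT provides (TLS encryption of the stub-to-resolver
# hop and authentication of the resolver via its certificate) and what it
# does not (validation of the DNS data itself, which is DNSSEC's job).
import socket
import ssl
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard recursive query in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def dot_frame(msg):
    """DoT (RFC 7858) reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, expected_txid):
    """Return the IPv4 addresses in the answer section; reject txid mismatches and error RCODEs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F != 0:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def recv_exact(sock, n):
    """Read exactly n bytes from a TLS socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def resolve_over_tls(name, resolver_ip, resolver_hostname, port=853, timeout=5.0):
    """Query a DoT resolver; resolver_hostname must match the certificate (SNI + verification)."""
    ctx = ssl.create_default_context()          # verifies the chain and the hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name)
    with socket.create_connection((resolver_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_hostname) as tls:
            tls.sendall(dot_frame(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_a_records(recv_exact(tls, length), 0x1234)


# Constructed response (not captured from a real resolver) for "example.com A":
# one answer pointing at 192.0.2.1 (documentation range), with a compression
# pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE, 0x1234))
    # Live query against a public DoT resolver (needs network access):
    # print(resolve_over_tls("example.com", "9.9.9.9", "dns.quad9.net"))
```

Note that nothing in `parse_a_records` can tell a forged answer from a real one; the trust comes entirely from having authenticated the resolver over TLS. If the resolver is not one the organization operates or approves, the encryption still works but the policy and monitoring described in the rest of this article are lost.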
Protective DNS: Proactive Security
A Protective DNS (PDNS) solution works by refusing to resolve known high-risk and malicious domains (typically answering NXDOMAIN or steering the query to a sinkhole), stopping threats before a connection is ever made. PDNS helps prevent initial infections by blocking the domains behind phishing pages and malware downloads, cuts off ongoing command-and-control (C2) communications, and disrupts data exfiltration that rides on DNS queries. PDNS also helps contain lateral movement. Once attackers have a foothold, they typically resolve the domains of their C2 and staging infrastructure to pull down the next stage of tooling; when the resolver refuses those names, each step of the intrusion becomes slower and noisier, and the resolver’s logs show which hosts tried.
Device-Level Enforcement
An important component of a PDNS strategy is device-level enforcement. Devices must be configured so that they can only reach the approved PDNS resolvers, and therefore only the domains those resolvers permit; otherwise an attacker, or a user, can simply point a host at a public resolver or switch on DoH in an application and step around the policy. In practice this means endpoint configuration that pins the resolver, plus egress rules that block ports 53 and 853 to anything other than the approved resolvers and block connections to known public DoH endpoints. Enforcing DNS security at the device level ensures that even rogue or unmanaged devices cannot bypass the controls, and a device that keeps trying to is itself a useful signal.
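The following example, written for this page rather than taken from the article or from any Infoblox product, covers both of the preceding sections: a toy Protective DNS policy evaluator that refuses blocklisted zones and lookalikes of protected brands, and a check over device connection records that flags attempts to bypass the approved resolvers over plain DNS, DoT or DoH. The blocklist, brand list, resolver addresses, public DoH address and connection records are all constructed (documentation IP ranges, reserved example names), and the two-label registrable-domain cut is a simplifying assumption.

```python
# Added example (not from the original article): a toy Protective DNS policy
# evaluator plus a check that devices only talk to the approved resolvers.
# Every list and record below is constructed for illustration.
import ipaddress

# Constructed RPZ-style policy: exact entries and "*." wildcard (child-of-zone) entries.
BLOCKED_ZONES = {"evil-c2.example", "*.tunnel.example.net", "paypa1-login.example"}
PROTECTED_BRANDS = {"examplebank.com", "corp-portal.example"}
APPROVED_RESOLVERS = {ipaddress.ip_address("10.1.1.53"), ipaddress.ip_address("10.1.2.53")}
KNOWN_PUBLIC_DOH = {ipaddress.ip_address("198.51.100.10")}   # constructed; real lists are much longer


def _norm(name):
    return name.lower().rstrip(".")


def _registrable(name):
    """Last two labels (assumption); real tooling should consult the Public Suffix List."""
    return ".".join(_norm(name).split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as examp1ebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def in_blocklist(qname):
    """True on an exact entry, or on a wildcard entry covering the name or one of its parents."""
    qname = _norm(qname)
    if qname in BLOCKED_ZONES:
        return True
    labels = qname.split(".")
    return any("*." + ".".join(labels[i:]) in BLOCKED_ZONES for i in range(1, len(labels)))


def lookalike_of(qname, max_distance=2):
    """Return the protected brand a name imitates, or None."""
    reg = _registrable(qname)
    labels = _norm(qname).split(".")
    for brand in PROTECTED_BRANDS:
        if reg == brand:
            return None                       # the genuine domain or one of its subdomains
        if 0 < levenshtein(reg, brand) <= max_distance:
            return brand                      # typo-squat / digit-for-letter swap
        if brand.split(".")[0] in labels:
            return brand                      # brand name used as a subdomain of another zone
    return None


def resolve_policy(qname):
    """What the protective resolver does with a query: ('NXDOMAIN', reason) or ('ALLOW', None)."""
    if in_blocklist(qname):
        return "NXDOMAIN", "blocklisted zone"
    brand = lookalike_of(qname)
    if brand:
        return "NXDOMAIN", f"lookalike of {brand}"
    return "ALLOW", None


def resolver_bypass_findings(connections):
    """connections: iterable of (device, dst_ip, dst_port, proto). Flags DNS that dodges the approved resolvers."""
    findings = []
    for device, dst, port, proto in connections:
        ip = ipaddress.ip_address(dst)
        if port == 53 and ip not in APPROVED_RESOLVERS:
            findings.append((device, dst, f"plaintext DNS ({proto}/53) to unapproved resolver"))
        elif port == 853 and ip not in APPROVED_RESOLVERS:
            findings.append((device, dst, "DoT (tcp/853) to unapproved resolver"))
        elif port == 443 and ip in KNOWN_PUBLIC_DOH:
            findings.append((device, dst, "DoH to a known public resolver"))
    return findings


SAMPLE_CONNECTIONS = [   # constructed
    ("cam-01", "10.1.1.53", 53, "udp"),
    ("cam-01", "203.0.113.1", 53, "udp"),
    ("laptop-07", "198.51.100.10", 443, "tcp"),
    ("laptop-07", "203.0.113.5", 853, "tcp"),
    ("laptop-07", "203.0.113.80", 443, "tcp"),
]

if __name__ == "__main__":
    for q in ["www.examplebank.com", "examp1ebank.com", "x.tunnel.example.net", "cdn.example.org"]:
        print(q, resolve_policy(q))
    for finding in resolver_bypass_findings(SAMPLE_CONNECTIONS):
        print(finding)
```

Two design points are worth noting. The wildcard entry `*.tunnel.example.net` deliberately does not match `tunnel.example.net` itself, mirroring RPZ wildcard semantics, so a policy author who wants both must list both. And the bypass check flags DoH only for destinations on a known-resolver list, because port 443 alone says nothing; that list is the part of the control that needs regular updating.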
Asset Discovery and Data as Input to Zero Trust Decisions
To fully realize the potential of a Zero Trust approach, visibility into all network assets is essential. A comprehensive view of assets across hybrid and multi-cloud environments helps organizations maintain an up-to-date real-time asset inventory, detect unauthorized devices, and correlate device activity with user identities.
This asset visibility allows organizations to make informed access decisions. For instance, an IoT camera can be given a Zero Trust policy that allows it to resolve only the handful of domains its firmware updates and time synchronization require, so a query for anything else is both denied and a sign that the device is misbehaving. By using DNS query data as telemetry, Zero Trust systems can assign access policies based on a device’s type, its role, and its current risk level, and adjust those policies as the risk changes.
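As an added example of turning an asset inventory and DNS telemetry into per-device decisions (code written for this page, not the article’s or Infoblox’s), the block below applies a role-based DNS allowlist to each query, accumulates a risk score for devices that keep asking for names outside their role, and treats a device absent from the inventory as unknown. The inventory, role policies, quarantine threshold and query records are constructed for illustration.

```python
# Added example (not part of the original article): per-device DNS access
# decisions driven by an asset inventory and query telemetry. The inventory,
# role policies and query records below are constructed for illustration.
from collections import defaultdict

# Constructed asset inventory: device -> (role, owning identity or None)
INVENTORY = {
    "cam-lobby-01": ("iot-camera", None),
    "laptop-07": ("workstation", "alice@example.com"),
}

# Constructed per-role policy: zones a device of that role may resolve.
# An empty allowlist means "no restriction beyond the protective resolver's own policy".
ROLE_ALLOWLISTS = {
    "iot-camera": {"firmware.camvendor.example", "ntp.example.com"},
    "workstation": set(),
}
QUARANTINE_AFTER = 3   # denied queries before a device is marked high risk (assumption)


def _covered(qname, zones):
    """True if qname is one of the zones or a subdomain of one."""
    qname = qname.lower().rstrip(".")
    return any(qname == z or qname.endswith("." + z) for z in zones)


def decide(device, qname, risk):
    """Return (action, reason) for one query, updating the device's risk counter in place."""
    if device not in INVENTORY:
        risk[device] += 1
        return "DENY", "device not in inventory"
    role, _owner = INVENTORY[device]
    allowlist = ROLE_ALLOWLISTS.get(role, set())
    if allowlist and not _covered(qname, allowlist):
        risk[device] += 1
        return "DENY", f"{qname} outside {role} allowlist"
    return "ALLOW", None


def evaluate_telemetry(queries):
    """queries: iterable of (device, qname). Returns per-query decisions and devices to quarantine."""
    risk = defaultdict(int)
    decisions = [(device, qname) + decide(device, qname, risk) for device, qname in queries]
    quarantine = sorted(d for d, r in risk.items() if r >= QUARANTINE_AFTER)
    return decisions, quarantine


SAMPLE_QUERIES = [   # constructed
    ("cam-lobby-01", "fw1.firmware.camvendor.example"),
    ("cam-lobby-01", "ntp.example.com"),
    ("cam-lobby-01", "updates.attacker.example"),
    ("cam-lobby-01", "c2-beacon.attacker.example"),
    ("cam-lobby-01", "exfil.attacker.example"),
    ("laptop-07", "www.example.org"),
    ("rogue-pi", "www.example.org"),
]

if __name__ == "__main__":
    decisions, quarantine = evaluate_telemetry(SAMPLE_QUERIES)
    for device, qname, action, reason in decisions:
        print(f"{device:13} {action:5} {qname} {reason or ''}")
    print("quarantine:", quarantine)
```

The camera is allowed its two legitimate zones, denied the three unexpected ones, and crosses the quarantine threshold; the workstation is unrestricted by this layer; and the device nobody inventoried is denied outright. The denied queries are the telemetry the text describes: they are what raises the device’s risk and what a SIEM would ingest.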
Automation and Orchestration
Zero Trust is not a static security model; it requires constant adaptation and response to emerging threats. Automation and orchestration play critical roles in ensuring that security policies are enforced consistently across the network. By integrating DNS security with other tools and platforms such as SIEM, vulnerability management and ITSM, organizations can automate policy enforcement, threat detection, and incident response, for example by raising a device’s risk level, opening a ticket or triggering isolation when the resolver logs a blocked C2 lookup. By continuously assessing and adjusting security postures, organizations can respond to new threats in near real time, ensuring a more resilient and dynamic security framework.
DNS is Critical to Zero Trust Security
In conclusion, while Zero Trust frameworks are essential for safeguarding against modern cyber threats, they are incomplete without securing DNS. As a fundamental part of the network infrastructure, DNS must be protected with encryption, proactive monitoring, and intelligent filtering to prevent exploitation by threat actors. Without this added layer of DNS security, Zero Trust strategies leave critical gaps that attackers can exploit.
In the world of cybersecurity, assuming that breaches will happen and preparing for them is critical. A Zero Trust model is only effective when it addresses all potential attack vectors, and DNS is one that cannot be overlooked. Only by securing DNS can organizations fully realize the promise of Zero Trust and ensure that their hybrid, multi-cloud environments remain safe from the evolving threat landscape.