
RnD Report

On
Designing a Secured
DNS Architecture
(InfoBlox)

Dated: July 19, 2014


Presented by: Habib Khan
Presented to: Malek Khader

Introduction:
DNS is an essential part of any modern-day organization. DNS, or Domain Name System, is the protocol
used for converting fully qualified domain names (FQDNs) like www.google.com into machine-usable IP
addresses that computers use to communicate with each other.
In today's networking landscape, it is no longer adequate to have a DNS infrastructure that simply responds
to queries. What is needed is an integrated, self-protecting DNS architecture that also enables smart growth.
Architecting DNS:
As the organization's services grow, so does the load on its DNS servers. At some point, whether it is due
to legitimate traffic or a malicious distributed denial of service (DDoS) attack, the load on a DNS server
exceeds the capacity of the server. At this point every organization looks for ways to increase DNS
queries-per-second (QPS) capacity.
One approach is to deploy a secondary DNS server, but two separate servers can introduce some
interoperability issues in basic features like backup and restore, reporting, and management in general.
Another solution is to deploy several DNS servers behind a load balancer with a unique identifier. This
approach works best if the DNS servers are unified to ensure ease of management and deployment
consistency across all servers.
Securing a DNS Platform:
Hacking of DNS servers is becoming more prevalent every day. Conventional DNS servers have multiple
attack surfaces and extraneous ports such as port 80 and port 25 that are open for attack. If our DNS servers
don't support tiered security privileges, any user could potentially gain access to OS-level account privileges
and make configuration changes that could leave the servers vulnerable to hacks.
Defending against DNS Attacks:
DNS servers are vulnerable to attacks such as DNS flood and amplification, which can effectively stop our
DNS server from responding. It is also important to prevent these servers from becoming a tool to attack
other servers (DNS reflection attack).
Even though our DNS server sits behind a firewall, most of these attacks cannot be mitigated by typical
firewalls. Load balancers offer some basic level of protection against DNS floods like NXDOMAIN DDoS
attacks. However, there is a whole suite of DNS-based attacks that can target our authoritative DNS servers,
and the mitigation capabilities of load balancers fall short when it comes to addressing all of them.
Our DNS infrastructure should protect itself against inevitable DNS attacks on the organization. These
attacks can take one of two major forms: volumetric and DNS-specific attacks.

Preventing Malware and APTs from using DNS:


Malware and APTs evade traditional security defenses by using DNS to find and communicate with botnets
and command-and-control servers. Botnets and command-and-control servers hide behind constantly
changing combinations of domains and IP addresses. Once internal machines connect to these devices,
additional malicious software is downloaded or sensitive company data is exfiltrated.
INFOBLOX Secure DNS:
InfoBlox Purpose-built Appliance and OS
Infoblox provides hardened, purpose-built DNS appliances with a minimized attack surface:
- No extra or unused ports open to access the servers
- No root login access with the OS
- Role-based access to maintain overall control
- All access methods are secured:
  - Two-factor authentication for login access
  - Web access using HTTPS for encryption
  - SSL encryption for appliance interaction via API

INFOBLOX Advanced DNS Protection:


Infoblox Advanced DNS Protection solves the problems of external attacks that target your DNS. Advanced
DNS Protection provides built-in, intelligent attack protection that keeps track of source IPs of the DNS
requests as well as the DNS records requested. It can be used to intelligently drop excessive DNS DDoS
requests from the same IP, therefore saving resources to respond to legitimate requests.
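
The per-source tracking described above can be sketched as a sliding-window limiter that records each source IP and the names it asks for. This is an added example, not Infoblox code or its actual algorithm; the class name, thresholds, and sample queries (documentation-range IPs and example.com names) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class SourceRateLimiter:
    """Sliding-window limiter keyed on source IP (assumed policy for illustration)."""

    def __init__(self, max_queries, window_ms):
        self.max_queries = max_queries
        self.window_ms = window_ms
        self.recent = defaultdict(deque)                   # src -> timestamps of answered queries
        self.names = defaultdict(lambda: defaultdict(int)) # src -> qname -> times requested
        self.dropped = defaultdict(int)                    # src -> queries dropped

    def allow(self, ts_ms, src, qname):
        """Return True if the query should be answered, False if it is dropped."""
        window = self.recent[src]
        # Expire answered queries that have left the window.
        while window and ts_ms - window[0] >= self.window_ms:
            window.popleft()
        # Record the requested name even for dropped queries, so an operator can
        # tell a random-subdomain flood (many names) from a repeated-name flood.
        self.names[src][qname.lower().rstrip(".")] += 1
        if len(window) >= self.max_queries:
            self.dropped[src] += 1
            return False
        window.append(ts_ms)
        return True


def build_sample():
    """Constructed traffic: one flooding source and one normal client."""
    flood = [(i * 50, "198.51.100.7", f"r{i}.example.com.") for i in range(20)]
    normal = [(200, "192.0.2.10", "www.example.com."),
              (1400, "192.0.2.10", "mail.example.com."),
              (2900, "192.0.2.10", "WWW.example.com.")]
    return sorted(flood + normal)


def run(queries, max_queries=5, window_ms=1000):
    """Feed (ts_ms, src, qname) tuples through the limiter; return it and the answered queries."""
    limiter = SourceRateLimiter(max_queries, window_ms)
    answered = [q for q in queries if limiter.allow(*q)]
    return limiter, answered


if __name__ == "__main__":
    limiter, answered = run(build_sample())
    for src, count in limiter.dropped.items():
        print(f"{src}: dropped {count}, distinct names {len(limiter.names[src])}")
    print(f"answered {len(answered)} queries")
```
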

INFOBLOX DNS Firewall:


It addresses the problem of malware and APTs using DNS to communicate with botnets and
command-and-control servers to exfiltrate data. It detects and mitigates communication attempts by malware to malicious
domains and networks by:
- Enforcing response policies
- Leveraging up-to-date threat data
- Providing timely reporting

Conclusion:
Designing a scalable and secure DNS architecture requires more than increased bandwidth and QPS. What
looks simple in a small test lab tends to become very complex in a larger deployment. Infoblox Secure DNS
Architecture, combined with Infoblox Grid technology, provides a comprehensive, secured, and scalable
DNS Solution that not only provides low latency and high throughput but also ensures availability of
essential infrastructure to enable your organization to both grow and protect itself without the need for
frequent infrastructure upgrades.
