Blog · 02 Oct 2018

How to protect yourself from a malware avalanche

Why a DNS firewall might improve your chances of detecting and mitigating malware.

The AV-Test Institute, an independent IT security research institute, has identified the existence of over 780 million malware programs.

The good news is that most of these programs are identifiable and can be mitigated with up to date anti-virus software and firewalls within your network.

Now for the bad news: the AV-Test Institute also claims to register over 350,000 new malicious programs, or malware, per day. That makes it hard for anti-virus and firewall software vendors to remain current in order to detect and mitigate all new malware.

So what additional controls can you add to anti-virus and firewalls to more effectively detect and prevent malware infestation?

Training your people is certainly a key ingredient in your defensive strategy, as many forms of malware infiltrate your network through clicked links, opened attachments, software downloads and related user-triggered means.

But from a technology perspective, there is one additional major defensive layer you can easily put in place to improve your chances of detecting new malware and stopping it from spreading or damaging your network and computing infrastructure. And that is to arm your domain name servers (DNS) with firewall capability.

Everyone uses DNS and every network has DNS servers. It’s a critical component of Internet infrastructure that frankly makes the Internet usable for you and me. That’s because we find it easier to remember names of websites, not numbers. DNS provides a convenient lookup and translation feature so we can connect to sites by name while our computers can connect by numerical addresses.

When we connect on the Internet, we type or click a name on our device, which looks up the name in the DNS. As the second step, our device takes the answer from DNS and attempts to connect to the corresponding address typically through an enterprise firewall. The third step entails our device receiving the response over the connection and presenting it to the user.

Like your devices, the first step for malware typically entails a DNS lookup to translate the malware author’s website address into its corresponding IP address that software uses to communicate over the Internet. Then the malware can make the connection to the IP address returned from DNS, then download software, upload stolen information, or otherwise receive nefarious instructions over that connection.

Most enterprises only address steps two and three in this Internet connection process. Network firewalls examine and filter connection traffic to detect and potentially block suspected malware traffic. Anti-virus software scans received content for malicious software and take appropriate actions. But many enterprises miss an important detection point at step one, at the DNS layer.

With the implementation of a DNS firewall, you can detect malware domain lookups and stop malware before it progresses to the connection and data transfer phases. A DNS firewall can examine not only the name being looked up, but also the answer received, the answering server or name, and more. Based on the examination of the query and response, DNS firewall policies can be defined to dictate whether to drop the response, respond with “not found,” or provide an alternative response answer to redirect the querier to a mitigation server for example.

And DNS firewall functionality is natively supported by many reference implementations including those from ISC/BIND, PowerDNS, KnotDNS and others. Several providers also offer DNS firewall feeds which provide blocklists and whitelists for domains and related information. So if the DNS servers in your network already support DNS firewall functionality, there’s no need to purchase new hardware; all you have to do is subscribe to a DNS firewall service to enable your DNS firewall and receive timely updates.

The type of blocking information you receive from a DNS firewall is different from that received for your in-band data firewalls. And that’s a good thing in order to broaden your net so to speak, by looking at more criteria for a given connection in order to better ascertain a given connection attempt as malicious or not based on DNS, in-band data, and device level controls.

So in the face of 350,000 malware updates a day, a DNS firewall is a simple, affordable solution that can improve your chances of detecting and mitigating malware in your environment.