DNS Security for Public Cloud - Homas/ioc2rpz GitHub Wiki

Cloud computing is growing exponentially. Businesses migrating from traditional data centers to virtualization technologies such as Docker and serverless computing gain cost and efficiency benefits on one side, but on the other side the resulting infrastructures become very complex and require new approaches to security.

The Domain Name System (DNS) is a core Internet protocol that underpins almost all network communications, and with the wide adoption of IPv6 it has become absolutely indispensable. Hundreds or thousands of VMs, containers and functions can be created and removed every single day, and these virtual entities (whether short- or long-lived) need to communicate with related services inside or outside a trusted network. DNS is the registry that permits and routes such communications, so you should make sure that both physical and virtual infrastructure use a trusted and reliable DNS service.

You need a DNS service (ideally with IPAM) that registers VMs and containers and provides local name resolution; in many cases you also need a DNS service that resolves external domains.

A service interruption can be very costly to a business regardless of where it is deployed, but because of the complexity of virtual infrastructure it is easy to misconfigure, exposing unprotected or loosely protected services. Another security risk comes from rarely updated images (VMs or containers) that expose vulnerabilities in the public cloud. A zero trust approach should be used when deploying cloud services, and DNS is a control point with unique visibility into all communications:

  • In comparison with humans, (almost) all services access a limited number of external systems and can be easily profiled. To build such profiles efficiently you need to log all DNS requests and responses.
  • DNS defines communications: flexible policies (routing, load balancing, compliance, security) can be applied based on source and/or destination.
  • Malware, botnets and ransomware use DNS for command and control, data exfiltration and attacks. DNS can detect and prevent that.
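As an added example (not code from the ioc2rpz project or this wiki), here is the profiling idea from the first bullet in working form: build a per-client baseline of (name, type) pairs from DNS query logs, then flag live queries that fall outside it. The log lines are constructed for the example in a simplified BIND-style query-log format, which is an assumption since the page names no log format.

```python
import re
from collections import defaultdict

# Constructed sample query-log lines (simplified BIND-style format; an assumption,
# the page does not specify a log format). A baseline window, then a live window.
BASELINE_LOG = """\
client 10.0.1.15#51234: query: api.payments.internal IN A
client 10.0.1.15#51240: query: db.payments.internal IN A
client 10.0.1.15#51301: query: api.payments.internal IN AAAA
client 10.0.2.7#43210: query: registry.example.net IN A
client 10.0.2.7#43211: query: metrics.example.net IN A
"""

LIVE_LOG = """\
client 10.0.1.15#52001: query: api.payments.internal IN A
client 10.0.1.15#52002: query: update.unknown-cdn.test IN A
client 10.0.2.7#44001: query: metrics.example.net IN A
client 10.0.3.9#40001: query: registry.example.net IN A
"""

QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) from each query-log line that matches."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3)


def build_profiles(log_text):
    """Per-client set of (qname, qtype) pairs seen during the baseline window."""
    profiles = defaultdict(set)
    for client, qname, qtype in parse_queries(log_text):
        profiles[client].add((qname, qtype))
    return dict(profiles)


def detect_deviations(profiles, log_text):
    """Return (client, qname, qtype, reason) for live queries outside the baseline:
    'unknown-client' = source never seen while baselining,
    'new-destination' = this client never queried that name/type before."""
    findings = []
    for client, qname, qtype in parse_queries(log_text):
        if client not in profiles:
            findings.append((client, qname, qtype, "unknown-client"))
        elif (qname, qtype) not in profiles[client]:
            findings.append((client, qname, qtype, "new-destination"))
    return findings
```

In practice the baseline would be rebuilt per image or service role rather than per IP, since cloud addresses are reused as instances churn.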