What is Private DNS & Zero Trust Applications
Rather than forcing users and systems to rely on IP addresses, private DNS lets you assign text-based names to networked resources. These systems resolve readable domain names into IP addresses that web browsers and other network systems can use. Private and public DNS are fundamental parts of modern networking, making DNS a growing vector for cyberattacks.
We will introduce the concept of private DNS and explain why businesses run their DNS servers. Although private DNS can help protect sensitive company assets, the technology has security flaws that modern Zero Trust solutions can address.
What is a Private DNS
The Domain Name System (DNS) is a distributed database that links human-readable domain names with machine-readable IP addresses. Rather than remembering addresses such as 126.96.36.199, for example, DNS lets people type the more friendly www.twingate.com into their browser instead.
In this use case, the browser contacts a DNS server, often managed by an internet service provider. If that server has the domain name saved in its cache, it returns the corresponding IP address. The browser uses that address to connect to the site. If the domain name is not in the server’s cache, it queries more authoritative servers within the DNS until it finds the IP address or times out.
Private DNS lets an organization’s employees and systems use text-based names such as dev.example.com or engineering.example.com. Using name-based addressing is easier for end-users. It also makes network administration more efficient. User devices and internal systems do not need to be reconfigured every time a resource’s IP address changes.
The difference between private and public DNS
While companies still have uses for public DNS, modern organizations prefer the benefits of managing a private DNS infrastructure.
Companies manage their own publicly-facing DNS servers. For example, browsers connecting to the company’s public website would access this public DNS server as it downloads elements for a webpage.
A private DNS server, on the other hand, may focus entirely on resolving queries for the company’s internal assets. Network administrators can configure the servers and networks for each application to deliver optimal performance.
Caching is an essential feature of public DNS servers. By saving recent results, the DNS server can avoid queries to other servers and respond faster.
For the same reason, companies will dedicate private DNS servers to handle internal users’ internet traffic. Caching IP addresses to the frequently-visited websites of customers, suppliers, and contractors reduces latency and improves the user experience.
Even though some private DNS servers play the same role as public DNS servers, the private approach gives companies more control over network usage. Internally resolving employees’ DNS queries lets administrators block access to social media services and inappropriate websites.
Private DNS also plays a role in network design. Administrators can create custom domain names that reflect the structure and processes within the organization while using IP addresses at the network level. Private DNS ensures that changes to one do not necessarily impact the other.
Security is the most significant benefit of using private DNS. Separating the public and private use of DNS ensures that the two are not mixed. People accessing the public DNS server only get IP addresses for web servers and other public-facing assets. The only way to get IP addresses for internal assets is by querying a private DNS protected within the internal network’s perimeter.
Privacy of employees’ internet activity is another reason companies use private DNS. Public DNS providers get a broad picture of their users’ internet activity that they can use to build profiles for resale. A private DNS keeps those traffic patterns hidden.
Use of private DNS for mobile devices
In the past, implementing DNS on users’ mobile devices has been a challenge. The most popular mobile operating systems did not have global settings for the device’s DNS provider. Instead, they defaulted to whatever DNS the WiFi or cellular provider used. This began to change in 2018 with Android 9’s Private DNS release. Although the words are the same, this feature is not the same private DNS used by businesses.
Android’s Private DNS feature addresses internet privacy. Traditional DNS transmits the query and the response in plain text. Internet providers and hackers alike can use simple tools to see this data. Smartphones running the latest Android operating system automatically encrypt DNS queries through a technique called DNS over TLS. This prevents others from listening in on a user’s internet activity. It also reduces the risk of man-in-the-middle attacks.
Of course, Android’s Private DNS only works if the network’s DNS server supports this encryption format. To get around this, smartphone users can assign a global DNS provider within their device’s network settings that will work for all WiFi and cellular connections.
Until recently, Apple’s iOS platform still relied on the DNS server of each network connection. However, there was a way to achieve the same thing. Third-party developers wrote apps using Apple’s VPN framework but only implemented the narrow subset of functions that enabled DNS encryption. With the release of iOS 14, Apple devices now have native support for DNS encryption and let users specify global DNS providers.
These changes to the most popular mobile platforms also apply to enterprise use cases. Mobile device management systems can push profiles that modify device DNS settings.
What are the security risks of using public DNS?
Like many of the internet’s fundamental building blocks, DNS was designed in a much different era. It evolved from an academic project and depended on idealistic assumptions of trust. As a result, DNS has no security features. Besides transmitting data in the clear, DNS lacks the authentication features needed to prevent spoofing and other DNS attacks.
Complicating matters further, DNS is such a core part of how IP-based networks operate that compromised DNS servers give hackers enormous power. They can reroute traffic to harvest user credentials or use DNS servers to exfiltrate data. The combination of ubiquity and weak security have made DNS a tempting target for cyberattacks.
In their recent Global DNS Threat Report, IDC and efficientIP found that 87% of organizations were the targets of DNS attacks, experiencing more than seven attacks per year. A quarter of these attacks resulted in the theft of customer information. The average cost of these attacks in the United States was more than $1 million.
Targeting DNS in the cloud
DNS attacks are becoming even more widespread as companies adopt cloud and mixed-cloud infrastructures. In the past, companies could reduce their attack surface by protecting their private DNS servers within the on-premises network.
Cloud-based networks, however, must have connections to the public internet. This increases the chances that a private, cloud-based DNS server could be compromised. The Global DNS Threat Report found that one out of every four companies surveyed experienced attacks on their cloud DNS servers — and half of them experienced service downtime as a result.
Today’s complex network architectures require a modern approach to protecting private DNS servers. The old traditions of securing a network perimeter cannot work when the perimeter stretches beyond the company’s on-premises network. Zero Trust offers a modern approach to network security that can reduce the risks created by DNS.
Twingate’s Zero Trust solution uses software-defined perimeters to hide all resources, on-prem or in the cloud. A transparent proxy lets remote and on-site users connect to these protected resources without directly querying the private DNS server.
When the user tries to connect to a resource, the Twingate Client app transparently intercepts the DNS query and resolves it with an IP address. Although this IP address is unique to the resource, it is not the actual address on the private network. The Twingate Client routes traffic for this address to the resource’s Twingate Connector. This Connector queries the company’s private DNS server and receives the actual IP address. By proxying the connection between device and resource, the Client and Connector let users do their work without ever accessing the private DNS server.
Twingate’s Zero Trust solution protects private DNS
DNS has been a fundamental part of the network landscape for nearly four decades. The globally-distributed index of domain names and IP addresses in public DNS servers is the first step in almost every action on the internet. Companies use private DNS servers for the same reasons. The technology can improve performance, make network architectures more flexible, and protect sensitive resources from the risks of the public internet.
But as with so many traditional network technologies, security was not designed into DNS from the beginning. Hackers target DNS because a successful breach can help them pierce deeper into a victim’s network.
Twingate’s Zero Trust network security solution can reduce the attack surface of your organization’s DNS infrastructure. Our software-defined perimeters ensure that no user, device, or hacker on your network can see your DNS servers. Transparent proxies let users do their work while denying hackers access to sensitive data.