The combination of a hostname and IP address has been used to identify networked computers and services for decades. For most of that time this was a manual process, in which some kind of Excel spreadsheet or document was used to keep track of the mappings. As the Internet and enterprise IT portfolios grew, this manual process became difficult to manage: too many people were involved, and the files were rarely kept up to date. As a result, organizations couldn’t keep up with the tedious manual tracking and let the management of this critical area slide. Enter DDI and DNS.
Coined by Gartner, DDI is shorthand for the integration of DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), and IPAM (IP Address Management) into a unified service or solution. In short, DNS advertises the hostname/IP combinations, DHCP assigns them to the appropriate host(s), and IPAM keeps management control over the entire system. A complete DDI solution manages these core network services, which enable all communications over an IP-based network, as one.
To properly manage DDI, organizations need a reliable and comprehensive database that includes extensible attributes about where the data was, where the equipment lived, and which users were responsible for it, along with tracking of who’s making changes, what changes were made, and when.
Listen to our episode on Modern Network and Security with Infoblox:
A Plausible Cloud Solution to the DDI Management Issue
More effective than suffering through the Excel method is a good cloud-native platform with full DDI capabilities. Delivered via the cloud, DDI (DNS, DHCP, and IP address management) moves from the customer’s core network out to branches and other locations on a pay-as-you-go basis. And because this type of DDI deployment is cloud-based, it can manage any infrastructure, from on-prem to Azure to AWS and more.
The platform must include DNS security: a recursive service that blocks bad domains and queries and runs analytics to detect data exfiltration, lookalike domains, and much more. As organizations add services onto a cloud platform, they can leverage the massive data lake behind it, the metadata of DNS queries, which enables automation, accelerates remediation, and informs more granular policies and filtering of data and assets.
Although DNS practice is not a well-known security focus, the fact remains: you incur risk any time data is transmitted across your network. And since IP addresses allow systems to communicate, IT personnel need to know where devices are and what’s happening to them at all times. As we will see, DNS has a number of remaining quirks and security concerns that are increasingly coming to the fore.
Security Makes A Difference
From a security perspective, a good DDI platform is one that identifies assets at the IP-address phase, the first entry onto the network, and leverages DNS metadata. It’s more than simply protecting a network from packet collisions (although that is an essential service that DDI provides). What matters is that the platform can enforce policy, detect malware, contain a device, and audit what people are doing without two packets having to pass in and out of it. Also important is that the system is not tied to the infrastructure; in other words, it doesn’t need to be in the line of traffic. This enables huge capabilities for today’s infrastructure, which is highly distributed, highly mobile, and cloud-based.
Keeping your organization’s DNS queries private is also very important. Comprehensive DDI minimizes the number of servers sending queries out to the internet, and with them the opportunity for third parties to use those servers’ source information to quickly work out how many of your devices have malware, what they’re querying, and where they’re going. Compare this to what most organizations without DDI do, which is to send this query data out to public resolvers (e.g., Google’s 8.8.8.8, Cloudflare, Quad9), companies that use your query data for their own benefit.
DDI allows this query data to be protected while providing greater threat intelligence, along with a comprehensive overview of all devices on the network. Threat intelligence should also be overlaid on the DNS queries, tying each query back to an identity from the IP address system. In some deployments this can be taken a step further, with the actual addresses tied to an identity on the network, tagging traffic to a user, not just to an address.
But the real bang for the buck comes from using the DDI system in your automated response to obtain a holistic view of the data. Once you’ve detected something, you know where it is and can correlate that to the:
- User
- Switch Port
- Virtual Switch Port
- VPC
By doing this, you can now get IP addresses and DNS data from everything. Being so distributed in your deployment means you can correlate all the data back and make determinations that other organizations can’t, all based on DNS queries. This allows you to automatically block threats at any point: in the data center, in the cloud, or at home.
One big limitation of cloud services that don’t provide this level of detail is that they might tell you that you have active ransomware in the network, but not on which host. And even if you block it, the ransomware is also moving laterally, looking for your backups. You need to identify the host and pull it off the network as quickly as possible.
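As an added illustration of the two ideas above (DNS-query analytics for lookalike domains and possible exfiltration, and correlating a hit back to a user and switch port through IPAM), here is example code that is not from the original post or any vendor product; the log format, the IPAM lease table, the brand watch-list and the detection thresholds are all constructed assumptions.

```python
# Added example, not from the original post: DNS-log analytics joined to an
# IPAM view so each hit maps to a user, switch port and VPC. Log format, lease
# table, brand list and thresholds are constructed assumptions for illustration.
import math
from collections import Counter
from difflib import SequenceMatcher

# Constructed IPAM/DHCP view: source IP -> who and where (assumed schema)
IPAM = {
    "10.1.4.22": {"user": "alice", "switch_port": "sw01/Gi1/0/7", "vpc": "on-prem"},
    "10.2.9.140": {"user": "svc-backup", "switch_port": "vsw-3/port-12", "vpc": "vpc-prod"},
}
KNOWN_BRANDS = ["paypal.com", "microsoft.com"]  # assumed watch-list

# Constructed recursive-resolver log lines: "<source_ip> <queried_name>"
LOG = """10.1.4.22 www.example.com
10.1.4.22 paypa1.com
10.2.9.140 4a6f686e20446f65203132333435.badtunnel.net
10.2.9.140 61646d696e3a70617373776f7264.badtunnel.net
10.2.9.140 backup.corp.internal"""

def shannon_entropy(s):
    """Bits per character; hex/base32-encoded payloads score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def is_lookalike(qname):
    """Registrable domain (approximated as the last two labels) close to a brand."""
    domain = ".".join(qname.split(".")[-2:])
    if domain in KNOWN_BRANDS:
        return False
    return any(SequenceMatcher(None, domain, b).ratio() >= 0.85 for b in KNOWN_BRANDS)

def is_tunnel_like(qname):
    """Long, high-entropy subdomain: the shape of data smuggled out in queries."""
    sub = "".join(qname.split(".")[:-2])
    return len(sub) >= 24 and shannon_entropy(sub) >= 3.0

def triage(log_text):
    """Flag suspicious queries and attach the IPAM identity of the source IP."""
    findings = []
    for line in log_text.splitlines():
        src, qname = line.split()
        reasons = [r for r, hit in (("lookalike-domain", is_lookalike(qname)),
                                    ("possible-dns-exfil", is_tunnel_like(qname))) if hit]
        if reasons:
            who = IPAM.get(src, {"user": "unknown", "switch_port": "unknown", "vpc": "unknown"})
            findings.append({"src": src, "qname": qname, "reasons": reasons, **who})
    return findings
```

Calling `triage(LOG)` returns one record per flagged query: the lookalike `paypa1.com` maps to alice’s switch port, and the two hex-encoded subdomains map to the backup service account in vpc-prod, which is the host you would contain first.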
If You’re Not Inspecting DNS Traffic—You’re Vulnerable
If your organization isn’t running DNS threat intelligence in real time, it is committing cybersecurity malpractice. DNS is literally everywhere; it is universally allowed traffic. We should all inspect our DNS traffic, because the old ways of applying security no longer cut it.
DNS is one of the only remaining “global” internet services that’s not encrypted by default. If your organization isn’t inspecting DNS traffic to know what’s going in and out of your network, you’re missing a key source of insight. And if it’s not secured, encrypted, and analyzed from point of origin to point of lookup to response, your organization is at risk. Keep in mind that secure DNS is one thing, but the threat intelligence you apply to identify what you’re blocking and to look for patterns and bad actors is the crucial part.