This Week in Enterprise Tech episode 572 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

0:00:01 - Curt Franklin
This week in Enterprise Tech we talked about sneaky malware, more access for the visually impaired and how DNS can change your life.

0:00:12 - Leo Laporte
Quiet on the set On the set Podcasts you love From people you trust. This is Tweet.

0:00:30 - Curt Franklin
This is Twight this week in Enterprise Tech, episode 572, recorded December 8, 2023. Dns in depth part two external authoritative DNS.

0:00:45 - Lou Maresca
This episode of this week in Enterprise Tech is brought to you by Finks Canary. Detect attackers on your network while avoiding irritating false alarms. Get the alerts that matter For 10% off on a 60-day Monday back guarantee. Go to canarytoolstwit under the good twit in the how to hear about us box and by Look Out, whether on a device or in the cloud, your business data is always on the move. Minimize risk-increased visibility and ensure compliance with Look Out's unified platform. Visit LookOutcom today and, by Vanta, automate compliance and streamline security reviews with the leading trust management platform. Join 6,000 fast-growing companies like Chili, piper, hatch and Autodesk to use Vanta to manage risk. Improve security in real-time. You can try Vanta free for 7 days by going to Vantacom slash enterprise no costs or obligations.

0:01:49 - Curt Franklin
Welcome to Twyeth this week in Enterprise Tech, your guide to everything that's worth knowing in the world of enterprise technology. I'm Kurt Franklin, your host for this episode of this Week in Enterprise Tech. Now, I know that everyone was waiting and expecting to see Lou Merasco, but circumstances intervened. Lou will be back with us next week. We've got a great show though the continuation of the deep look at DNS that we began last week. To take that deep look, though, I've got to have help, and doing that this week is my friend and co-host, brian Cheese. So, brian, what have you been doing since the last time we huddled together over the cozy fire of DNS?

0:02:43 - Brian Chee
I've actually been reading a little bit so that I can ask some decent questions and not look like a fool. I especially don't want to look like a fool in front of my ex-students Just bad form right.

0:02:59 - Curt Franklin
There's nothing like a knowledgeable ex-student to keep us on our toes, oh yeah.

0:03:03 - Brian Chee
So today we get to play with external authoritative DNS and a lot of the issues that surround that. Now I will say DNS is one of those. I would call it lesser understood Internet technologies. Everybody uses it, just everybody on the Internet uses it, but very few people understand the ramifications of what those servers do. Instead of having to type in numbers, you type in names. Today we're actually going to talk a little bit about things like Unicode and Punicode, how you can substitute other language character sets in to fool people into typing in, say, a phishing site. So we're going to dig deeper into a lot of security issues and talk about what's really going on out of your view.

0:04:11 - Curt Franklin
I love the idea of figuring out what's really going on. I wish I could do that in so many aspects of my life. It'll be a good to do it with DNS, but before we get there, we've got to, as always, get to the blips. Now, just when you thought criminals had plumbed the depths of bad behavior, comes something new, and it's aimed at a population that normally thinks they're pretty safe. What I'm talking about is malware that isn't just dangerous on its own, but it could get the victim in trouble with law enforcement.

According to an article on Dark Reading, researchers at Kaspersky are warning of a Trojan that operates by masquerading as a legitimate program during installation and then, as part of what it does, it subsequently creates a hidden proxy server on the user's system. This hidden server allows threat actors to maintain a backdoor on the system and also redirect network traffic through the compromised device. So if that proxy is used to route the traffic of other users, it can significantly load up the user's network, thereby slowing down its operation or using up a set traffic limit. And that's not even the bad part. The malicious actors can use victims' computers to increase advertising views, organize a botnet for DDoS, attack on other users' organizations or conduct illegal activities like buying weapons and drugs or child porn or any number of bad things. In the case of illegal activities on the Internet, there's a significant direct risk for the victim, since any of those actions will be performed from the victim's IP address, and boy could that draw the interest of a lot of law enforcement officials.

Now this has hit Macintosh users, but no one should get too complacent because, in addition to the Mac OS version, specimens for Android and Windows were discovered connected to the same command and control, or C2 server. For all three, the researchers highlighted the use of DNS over HTTPS DOH, to conceal the C2 communications from traffic monitoring tools. Specifically, doh can allow this traffic to bypass primitive security solutions based only on the analysis of DNS requests, because the request won't look like a DNS request. It will look like a regular HTTPS request to a server that happens to implement DOH. So what's a poor user to do? A simple way to avoid infection is to avoid downloading pirated software. That's number one. If that's just not possible, install a security solution like an antivirus with network traffic analysis function. That way you can add the IP address of the C2 server to the blacklist, so the malware won't be able to connect to its control server and you'll immediately detect that presence on your system.

0:07:45 - Brian Chee
Well, we all know this simple fact GPS doesn't work indoors. They need to be able to see the satellites in the sky. However, I'm going to sit here and beat this accessibility drum. I have several friends that are site-impaired, either partial or fully. Losing their site and moving around in indoor spaces is a challenge. So the first URL I want to throw up is actually from a company called MapNav. Mapnav actually uses no additional hardware. It actually just uses the inertial navigation of your smartphone. So what's happening is this is actually a UK company. It has actually been implemented in several train stations and other large indoor spaces and by mapping accurately mapping the indoor resources, inertial navigation can go and tell you what services are where.

So someone say with a shopping mall or train station, as you're walking past, say, an eatery, it will then say there is Kentucky Fried Chicken just to your right, or the bathrooms are across a bridge that's on your left. The bridge is going to start in 10 meters and then take a hard left Fun stuff, so let's keep going. So a lot of this actually got started because of the Apple iBeacon technology, which you haven't heard a lot about. It's been around, but it's not made headlines very often, so it's a technology before it's time, when it started to appear on the market. What's heartwarming is that the use of Bluetooth low energy at the heart of the Apple iBeacon technology is being used by an Israeli company called Right here. So it's H-E-A-R, so R-I-G-H-T-H-E-A-R and it's an Israeli company. So slightly modified iBeacons are used to share database record numbers for each of eight compass points surrounding the beacon. This way the visually impaired can approach and hear about resources like bathrooms, escalators and other such things at the cardinal points. Obviously, waymap is doing the same thing. That's going to require that you use very accurate indoor surveys, and when I was starting to look at this as a possibility for the Central Florida Fairgrounds, it would almost require that I have a full-time GIS programmer. So fun, interesting. It starts adding up really, really fast.

But there seems to be a couple of different reasons why people are starting to adopt what are called audible waypoint systems. So Right here and MapNav are just two examples. Interestingly enough, there are several other large enterprise corporations that have associated technology. Aerohive was one of the first I heard about, hp Enterprises, aruba Wi-Fi System has it and Cisco does also. There are beacon technologies built into their access points. So as for the future, I personally see the Right here and MapNav technologies being standalone as a stop-gap measure. Both systems work beautifully. Both can add up very quickly in regards to operational costs.

One of the technologies that set enterprise Wi-Fi devices separate from consumer is the integration of the beacon technology in the access point.

So what I would love to see someday in the future I'm jumping around a bit, excuse me is for companies like WayMap and Right here to work with corporations like AeroHive, hp, cisco and so forth.

Maybe someday there might be some sort of industry API that's agreed upon. Sounds like maybe IEEE or IETF need to get involved. Wouldn't it be absolutely spectacular if whichever Wi-Fi access point system you installed in your enterprise could also be augmented with a chunk of software that would be used by a smartphone to help those with site impairment navigate around your enterprise? So this is me beating the accessibility drum, saying we should be doing better. The technology is finally there Inertial navigation capabilities, basically solid state gyroscopes TI actually kind of pioneered that are getting accurate enough so that if we have good beacon technology on where the access points and beacons would have been placed within your enterprise, navigation suddenly becomes the very real possibility. So this is a call out to our industry that we need to go and seriously think about making our spaces more accessible for the people with less or no site at all. Good luck everybody.

0:13:39 - Curt Franklin
Good stuff. So, to stay on my theme of threats to users of systems normally considered pretty resistant to malware, we have a remote access trojan, or RAT, that's been targeting the Linux servers of telecom organizations, primarily in Thailand. The Dark Reading article reports that the RAT, dubbed Krasu named for a nocturnal native spirit in Southeast Asian folklore, uses a combination of stealthy techniques to fly under the radar. This includes the use of a root kit that embeds seven compiled versions within it to support various versions of the Linux kernel. The threat actors, who are thought to be tied to the creators of the X or DDoS Linux RAT, have been using Krasu for nearly two years without detection. The primary function of the RAT, which appeared on VirusTotal in 2021 but had never before been publicly reported, is to maintain access to the host. This means it's likely that the RAT is either deployed as part of a botnet or sold by initial access brokers to other cyber criminals who are looking to acquire access to a particular target. So, to show you just how long this basic threat's been around, microsoft discovered X or DDoS, which has been used widely in attacks against cloud and IoT deployments, in 2014, and its basic code is at the heart of Krasu.

There are new elements, though. One aspect of the RAT that the researchers said is unique is the use of real-time streaming protocol, or RTSP messages, to serve as a disguised alive ping. This is a tactic that is known to researchers but rarely seen in the wild, and it does provide a way for researchers to detect the malware. Simply be on the lookout for anomalous RTSP traffic, which would typically alert to the existence of the malware. On a system For protection, you can enable kernel module signature verification by configuring the Linux kernel to only load signed modules. This one goes a long way toward making sure you're only loading software from a known, trusted source.

0:16:18 - Brian Chee
So this story is probably going to make one of our viewers, jeff Maraccini, very happy because it's going to keep him employed for a long, long time. So the story actually comes from CNBC. So thank you to them. Because the US FDA the US Food and Drug Administration this last Friday approved the country's first gene editing treatment, CASJV, for use in patients with sickle cell disease. The approval comes about a decade after the discovery of CRISPR technology for editing human DNA, representing a significant scientific advancement. Yet reaching the tens of thousands of people who could benefit from the treatment could be challenging given the potential hurdles, including costs, of administering the complex therapy. So CASJV was co-developed by Vertex Pharmaceuticals and CRISPR Therapeutics. It uses Nobel Prize winning technology, crispr, to edit a person's genes to treat a disease. The treatment was approved by UK regulators last month.

Sickle cell and inherited blood disorder causes red blood cells to become misshapen, half-moons to get stuck inside blood vessels, restricting blood flow and causing what are known as pain crises. About 100,000 Americans are estimated to have the disease. Now CRISPR is one of those very, very controversial technologies. We are actually modifying the human genome in order to fix certain problems. I, for one, think this is interesting, but I for one, would also like people to be very, very careful.

So what makes this story particularly enterprise is how CRISPR needs to run on a supercomputer cluster with names like Cray, dell, ibm and more Now having all of which now have nearly turnkey configurations designed around running CRISPR and other biomedical applications dealing with genetic issues I mentioned. We even have a viewer on the show not too long ago. That's a CISO for a company that deals with supercomputer clusters. Thank you, jeff. And a very unique issues that surround these specialized machines. I look forward to see more genetic diseases solved, again with a smidgen of salt, that we be careful, because we are modifying the human genome and that's how the zombie apocalypse starts, isn't it?

0:19:01 - Curt Franklin
Well, we certainly want to avoid apocalypse, apocalyptic times, zombie or otherwise. That does it for the blips and all of our variety of happy news for you, but it's time for an ad. We need to talk to an advertiser and supporter of this week in enterprise technology, and to do that we call on LumeResca.

0:19:30 - Lou Maresca
Well, thank you guys. I'll get your back to your enterprise at IT News in just one moment, but before we do you have to thank a really great sponsor of this week's enterprise tech, and that's thanks, canary. Everyone knows honeypots are a great idea, so why don't all internal networks run them Well, simple, because with all our network problems, nobody needs one more machine to administer and work about. We know what the benefits that honeypots can bring, but the cost and effort of deployment always drop honeypots to the bottom of the list. Things. Canary changes this. Canaries can be deployed in minutes, even on complex networks, giving you all the benefits without the admin downsides.

The Canary triggers are simple. Canary uses deceptively uncomplicated, high quality markers of trouble on your network. Here's how it works Simply just choose a profile for the Canary device, such as a Windows box or a brand name route, or even a Linux server. If you want, you can further tweak the services your Canary runs. You may need a specific IIS server version, openssh or a Windows file share with actual files constructed accordingly to your name's scheme. Lastly, register your Canary with the hosted console for monitoring and notifications.

Then you wait. Attackers who have breached your network, malicious insiders and other adversaries make themselves known by accessing your Canary. There's a little room for doubt. If someone browsed a file share and opened a sensitive looking document on your Canary, you'll immediately be alerted to the problem. You test the monials at canarytool slash love and see why customers on all seven continents love their things.

Canaries To pull your birds and forget about them. They remain silent until needed. Get one alert via email, text, slack, webhook or syslog only when it matters. Get canarytool slash Twitter for just $7500 per year You'll get five Canaries, your own hosted console, upgrade, support and maintenance. If you use the code TWIT in the how to hear about us box, you get 10% off the price for life. Thanks Canary adds incomparable value and if you're unhappy, you can always return your Canaries with their two month money back guarantee for a full refund. However, all the years the Twitter's partnered with Thanks Canary, the refund guarantee has never needed to be claimed. Visit canarytool slash Twitter and enter the code TWIT in the how to hear about us box, and we thank Thanks Canary for their support of this week and Enterprise Tech. Back to you guys.

0:22:04 - Curt Franklin
Thanks, lou. Well, it's time for part two of our deep look at DNS and to take you to our guests and a whole pile of knowledge. I'm going to turn it over to Brian. Brian, take it away.

0:22:20 - Brian Chee
Well, first off, I'm going to introduce Josh Kuhl. You know, let's let's do some disclosure. Josh is one of my ex students, so I got to torture him for, you know, a few years and we had all kinds of fun, you know, including things like Pringles can in tennis, and, by the way, his generation decided that the pizza-licious flavor of Pringles makes the best Yagi in tennis. But beyond that, he actually got to sit down with some really, really talented people when we took them to the interop trade show and helped build the world's largest mobile network, and I remember him sitting down with people and learning about domain name services, and so he and his partner, ross Gibson, sat down and wrote a really interesting book To the technical director.

There's an Amazon link in the show dock. I'd like us to bring that up so we can show the book that they wrote. They go into some seriously gory detail on domain name services and spend a lot of time talking about the security ramifications, not only of where we were, where we are, but where we will be going in the future, crossing our fingers behind our back, right. So, josh Ross, welcome to the show, and thank you so much for basically letting me shang hi you too into doing a three-part series, because our viewers want deep dives and we're going into lots of detail. We're going to do a little bit of review. We had Josh on the show talking about puny code and unicode, so we're going to do a little bit of review there and I'm going to let you folks introduce part two.

0:24:20 - Josh Kuo
Okay, so I will do a super brief recap of what we've talked about up to this point and then we will go into what the main topics are for this show. So up to this point you've been following the show. Last week we talked about DNS has two major parts. The part that finds the answers I call them the answer seekers, and that's what we mainly talked about. That's what we call recursive in DNS and that's usually the server that's closest to you, the end user, and today we're going to talk about. Well, the seekers are going to find answers on somebody else and that's someone else who keeps the answer. I call them the answer keepers. They are the authoritative servers and today we're going to focus more on that part.

But the quick recap is, if you forgot, this distilled version from last week is well for these recursive servers. The seekers be careful with some of the configuration that we mentioned last week. Particularly think about protective DNS, the newer technology, and basically it's a filtering mechanism. If somebody tries to look up a malicious domain name, like the one that Kurt mentioned earlier, it may be over an encrypted channel, but if you have protective DNS, your DNS server, the seeker should know hey, this is a bad place. Don't resolve this name and it will return some other message, maybe telling the user that the website's not found or redirect them elsewhere. So that's kind of a big takeaway from last week. Then I'll toss it over to Ross to have him introduce what we're going to talk about this week.

0:26:19 - Ross Gibson
Yeah, so this week we're going to actually take a look at the answer keepers, which is considered the authoritative side of DNS, and that's, particularly in the external world, probably what most people think of when they think of DNS. Right, they think of going to a website, let's say, googlecom or Applecom or anything like that, and the keeper is basically the signpost. It tells them where the traffic needs to go to get to the resource that they're trying to access, whatever that may be video content, audio, web content, anything like that. So, as you mentioned before, with protective DNS, it covers you across all of those technologies. That's what's so great about it is that, rather than using something like a web proxy that's going to deal with HTTP traffic, right, if you're dealing with DNS, any communication that you have is going to be protected as a part of that.

0:27:21 - Brian Chee
Okay, so we actually have graphic number one thrown up on the screen for you guys to reference. What are we looking at? Who's ICANN and what's IANA?

0:27:32 - Josh Kuo
Okay. Well, since I made the graphic, I feel like I should be the one to clarify. I know it might be a little hard to see and I will also try to sound it out, for I know a lot of people consume this over audio only. So we have a picture on the left-hand side of the map. We're going to ignore that for this conversation. That was for something else, but this was a start out with a whiteboard drawing for me to explain to somebody, I think more like a regular home person, perhaps to say, hey, so if I want to set up a website, I need to get some IP addresses, I need to get a domain name. And these are some of the basic requirements, at least in the good old days. Today, you just, you know there's cloud offerings. You click on things, provide your credit card number, everything's up. But you know, back in the old days, you need to get some IP addresses that's the left side of the graphic that we won't talk about today and also domain names. So if I want to get a domain name, how does that really happen? So we're going to go from the bottom up. On the very bottom of the graphic is a that's supposed to be a person, a very poor drawing of a person with a circle and a square. We call them in DNS a registrant, someone who's registering a domain name. And you don't go directly to any of these top level guys. We're going to go through some kind of reseller. So in the US we'll have common popular names like Mark monitor, network solution, kind of the granddaddy of registrars. Go, daddy hover.

These are, all you know, pretty major resellers or registrars in the US. You go to these guys, pay them 1099, whatever you know the fee, then secure the name you want, say you know twittv, whatever. Then they will then contact in the back end we go move up one more block to the registries, registries. Simply you can think of them as people who are taking care of or owning the operation of each of the top level domain or TLD, also like dot US or dot JP for Japan or dot com or dot or dot net. These are each run by a registry and then the registries.

They work with people like I and I can. They are more like the governance people who can set policies on what names can be given out. For example, I can't go out and just register Microsoft dot, whatever the top level domain is. There's some protection mechanisms around that. So the shore of it is I can is more on the policy side, I am it's more on technical side to say these are the blocks, these are the number of fields that you can use, so most of us will not deal with them. We deal with that first layer. We are the registrants. We talk to the registrars to get our domain names and all that stuff happens in the background.

0:30:49 - Ross Gibson
The one place I can think of that you might, in the enterprise space, run across I can, is if you have a trademark domain and you're trying to reclaim it from somebody else that's bought it, you have a process called the UDRP or Uniform Dispute Resolution Process that you can use to basically try to take back your domain that would be related to your trademark. So people doing cyber squatting that kind of put a hamper on that and it's obviously a legal process, not a technical one. But that's probably the one where most enterprises are actually going to talk to I can directly.

0:31:33 - Brian Chee
So, actually, what makes this all work? Why are we even bothering to create a DNS inside our own enterprise? Shouldn't everything be done by someone else nowadays?

0:31:53 - Ross Gibson
Yeah, that's a great question. In the authoritative space you have a lot of players. It's actually a pretty crowded space. The benefit of that is you've got a lot of options. The downside is that you give up control. So running a authoritative DNS server on-premises gives you total control over change, windows, policy settings and things like that and the data.

That's one of the things I think people often don't consider enough when they consider outsourcing external DNS, and I think people don't often use their authoritative DNS data as well as they could from a non-technical perspective. So, for example, you can take your incoming DNS query data and judge how a marketing campaign is doing, and if you've registered a specific domain or even just have a specific resource record that is tied to a particular marketing campaign, you can say, hey, we're seeing a large amount of queries for this domain, and so you can tell what's successful or not. And I think people don't mind that enough. And that is one of the things you definitely lose when you outsource your external DNS. The good part of it is, unfortunately, because DNS is so critical, it's something often that is attacked, whether DDoS fulfilling up the pipe, it just happens to be using DNS traffic or if they're actually targeting your DNS and trying to disrupt your DNS services.

So kind of the best of both worlds is to use an authoritative DNS server that you run and that can be on-premises, like in your own data center.

It could be in AWS, azure or GCP any public cloud provider along with a service provider, right? So a Dyn, cloudflare, akamai, something like that and because they generally are going to have larger pipes and because of the way recursion works, they'll end up getting most of the traffic. But if they're under attack in a way that disrupts your namespace because you have your own servers, traffic will naturally start to flow to those, and so that's a nice happy medium rather than doing maybe two providers or doing on-prem as well as a provider. The only downside to doing that hybrid setup is when you're doing global server load balancing GSLB, which is basically using DNS to route traffic based on health checks or other policy, and that is generally proprietary technology. So when you start crossing different technology offerings, that can become problematic. That's the one downside of having the hybrid. Other than that, it actually works very well to have both an on-premises as well as a third party provider for your external DNS.

0:35:21 - Curt Franklin
Okay, ross, I want to make sure, because there, as with most things, there are a ton of terms here and I want to make sure that we're really clear on this. So are internal and on-prem and external and hosted synonymous, or is internal and external versus on-prem or externally hosted two different things?

0:36:01 - Ross Gibson
That's a great question and thank you for making sure that we clarify that. So internal DNS is a different thing that generally is run on-premises in some form, perhaps in public cloud, for private internal DNS space. External DNS, and the way we're talking about it here, is your internet-facing DNS, so it is something that you are offering to the internet as a whole. External DNS would be private internal namespace stuff that you use for your active directory, your internal servers and things like that, and that's something that we'll actually talk about more next week.

0:36:46 - Curt Franklin
Right, so okay. So one of the questions and this has come from one of our viewers right now you mentioned the idea of using DNS as a way of doing things like tracking marketing campaigns, so that you can use unique URLs and then you judge the number of queries we're getting. But they point out that the external DNS providers often have tiered pricing that is key to just how many queries you're getting. Is it not true that this can be a horrifically expensive way to do things, or are there ways of putting your DNS together and putting your URLs together that give you solid information without bankrupting you?

0:37:53 - Ross Gibson
I think, as you said, it can get expensive, right, because you're based on traffic. So the larger you are, the more traffic you get, the more you're going to pay. That's the downside of the third-party provider. The upside is you're not having to undergo the capital expense of buying the servers and the labor to maintain them, and so that's kind of the trade-off. So sometimes people want to get out of the capital business, right, and that might be a totally non-technical reason. From an accounting perspective. They say, hey, we want to shift away from capital expenses and move to more of an operational expense model. Now, with the public cloud living there, you can do some of that. So in that you're running an operational expense for running the server, but you're not doing it query by query like you would with a large-scale provider.

And then also one thing to consider, that is whether or not you're responsible for DDoS attacks against your namespace.

And you get run into what I like to call the collateral damage problem. If you're using a third-party DNS provider and they're using shared infrastructure, right, if you don't have dedicated infrastructure just for your enterprise, there might be an attack on somebody else's namespace and they just happen to be located on the same DNS server as you and then you end up being collateral damage to that of their attack. That's definitely a potential downside to doing external DNS from a third-party provider, and you saw that back in 2016 when Dyn was attacked, and I think a lot of people remember that day where they couldn't get to all kinds of different services Netflix, facebook, whatever it might have been and that's because the actual DNS provider itself was under attack. And things have shifted a lot since then because I think not that there was anything that Dyn did wrong. I think they actually have a good infrastructure, but that was the first major attack I can think of on a third-party DNS provider and it had really wide-ranging impacts.

0:40:09 - Josh Kuo
Right and I think we have happened to be. We have the second graphic. I think that will lay out sort of the recommended approach. That will help you sort of mitigate that risk a little better. So again for our audio-only listeners.

Our picture has basically four parts. On the left is a cloud with a bunch of users making DNS requests. On the far right there's a little ninja icon. That's you, the person running the DNS server. We call them hidden primary in DNS speak. It's not really hidden, it's just a legacy term. It's something you run under your control.

And in the middle of the diagram we have two separate cloud providers, two providers provider A, provider B, or one or two, whatever. Take your pick. They get a read-only copy of your DNS data. That's really critical. It's read-only so they don't change. There. You, the person, the ninja, you maintain the control, so you publish whatever DNS data you want, push it out to these two different providers. And white two that's what Ross mentioned earlier. We learned our lesson in 2016 when dying a really well-done DNS environment was under attack. I mean, that could be a whole episode by itself on how that happened. Who attacked the details. But the point is, even if someone who did it so well, is dying by putting all our DNS eggs in the same basket. That was too risky, so we want at least two baskets, and so thus the two providers. But then you want to maintain control, so thus on the right-hand side you have the little ninja icon where you are the person controlling what goes in and out of your DNS data.

0:42:14 - Curt Franklin
All right, very good. So here's some great information and we've got more to come. But before we get to our next question and it's going to be a good one we need to hear from another fantastic this week in Enterprise Tech Advertiser.

0:42:31 - Lou Maresca
Well, thank you guys. I'll get you back to your Enterprise in IT News in just a moment, but before we do, we do have to thank another great sponsor of this week at Enterprise Tech, and that's Lookout. Business has changed forever. Business is always on the move, whether audit advice in the cloud or across networks, or at the local coffee shop. Well, that's great for your workforce. Just challenge for IT security.

Lookout helps you control your data and free your workforce. With Lookout, you'll gain complete visibility in all your data, so you can minimize risk from external and internal threats, plus ensure compliance. By seamlessly securing hybrid work, your organization doesn't have to sacrifice productivity for security, and Lookout makes IT security a lot simpler. Working with multiple point solutions and legacy tools in today's environment is just too complex. With its single, unified platform, lookout reduces IT complexity, giving you more time to focus on whatever else comes your way. Good data protection isn't a cage. It's a springboard, letting you and your organization bound toward a future of your making. Visit Lookoutcom today to learn how to safeguard data, secure hybrid work and reduce IT complexity. That's Lookoutcom, and we thank Lookout for their support of this week in Enterprise Tech. Back to you guys.

0:44:00 - Curt Franklin
Thanks Lou. We will hear from Lou at least one more time before we go today, but before we can get back to Lou, we've got to talk about more around DNS, and one of the topics that I want to talk about a little bit involves security, because we know that it is possible for threat actors to hijack a domain, and I want to ask a couple of questions around this. Number one, from the DNS perspective, what is domain hijacking? And then need to talk about what people can do about it, because in certain parts of the economy this is a very big deal.

0:44:54 - Josh Kuo
Okay. So thank you. That's a good question and one that we dedicate an entire chapter to in our book, from defining the different types of domain hijacking to what you can do to mitigate each one. So the almost the shortest summary. It kind of echo what Ross said earlier.

Why run your own external DNS? Authoritative service is, once you use a provider, something even as good as dying. Whether you like it or not, they become part of your infrastructure. So if their network was compromised, their systems are compromised, your DNS living on their systems are compromised. So in the book we highlighted a few cases where different variations somebody made a change, just a couple of records in the domain that you own, to point to an IP address that's in you know I think it was in Russia. Or maybe they took over the entire namespace, everything in your you know Josh dot com. Whatever they own the entire thing. Or they play some other tricks to in the cloud based environment to kind of hijack a what we called a record abandonment. You set up a record and you took it offline but you forgot to clean up DNS. That's another chance they can come in and hijack that record to do harm. So I'll pass it over to Ross and see if he has something else to add.

0:46:37 - Ross Gibson
Yeah, I think the record abandonment is a good one, because it does.

It's a unique development that's come out as a part of the public cloud and basically what it's doing is they're not actually having to compromise your DNS at all. They're just finding a record that's on your domain that's pointing at an IP address, that's a cloud provider's IP address that you're not using anymore, because they recycle those and they've actually found Josh had done some great research and there's they're actually very easily able to turn through IP addresses until they get the one they want. So basically, they take over the IP address that you're already pointing at because you've stopped using it, and this is why auditing your DNS records is actually very important from a data perspective. So when you shut down something, you need to make sure that that DNS entry is pulled as well, which unfortunately, all too often is not done. People are really great about requesting DNS records when they spin up a new service, but unfortunately, they generally are pretty bad about letting the administrators know when something is being shut down and it needs to be pulled out.

0:48:00 - Curt Franklin
Well, that that, of course, is one area and another that I we've talked about in the past, but I think it's good to sort of reinforce it here around. This is the idea of sort of lookalike domains, either through using character lookalikes the number one for a lowercase L or through using non-ascii character sets for the URL itself. And two questions how prevalent is this and is there anything to be done about it? Either from the organization that might own the original legitimate URL, or from individuals and companies. It might be victimized by going to the fake site when they just click on a lookalike URL.

0:49:03 - Ross Gibson
Okay, so, man, that is such a huge topic these days it's really prevalent. So in the late 90s and mid-2000s you had typosquadding, which was basically somebody taking a common typo of your name and setting up a site there. So they're just trying to take advantage of traffic that's misdirected. In this case, like you said, you're dealing with things like phishing, where somebody's trying to make it look like your domain so that when they see that link that they need to click on, it looks like they're going to a legitimate site. Like you said, if it's Googlecom, where the L is a one and depending on what font you put it in, it might actually look very close to an L, and you're just trying to take advantage of that lack of visibility into it. And, as you pointed out, the character sets. So, as they brought in the ability to use non-Ascii characters, then that made it worse, because there are characters outside of Ascii that are completely indistinguishable from the Ascii characters, like a lowercase O, omicron, the small Omicron.

0:50:39 - Brian Chee
Actually, ross, I think we have your third graphic queued up, where we actually have an example of this. There we go.

0:50:49 - Ross Gibson
Yes, so, as you can see there, you've got the twyatttv and then you have the lower section of it which translates into what's called puny code, which Josh talked about actually a couple weeks ago on quiet, but other than that. So the puny code, which is what you see in the bottom right, there is an encoding of those particular non-Ascii characters. So you can go to that and get to that as well, but you don't have to. And that hidden piece behind it is where people get into trouble and, like I said before, very prevalent in a phishing type attack, whether, like you said before, just using a one or using a zero instead of an O. But once you start getting into those non-Ascii character sets, they truly are, and there are some examples actually in the book that make it completely indistinguishable. It's impossible for a human to just look at that and know that it's different from the Googlecom that they think they're going to, and that's what's scary. And it actually can be used even further. There's a concept we talk about in the book. That was something I kind of came up with as we learned more about doing this. As they support that now you can use a slash character, or a non-Ascii slash character even more so and use a technique that we call hidden path, which basically allows you to hide the target domain in what looks like path information.

Everybody thinks of DNS, as you know. You've got your, if you look at a URL, you've got your HTTPS colon slash, slash, then you've got your domain name and then you've got that slash and then everything beyond it is path information. Well, if you can use a slash in the domain name which you can't use as a part of the host name, so people misunderstand that the character set limitations for a host name are not the same for domain names, it's actually broader, and so you could put a slash character in a domain name, so in the actual domain, the container, and so you can actually have an entry in badguycom. That is, it has a subdomain of com slash path, and so you could create an entry in that com slash path name and have it say googlecom slash pathbadguycom. So a lot of people think of the.

What follows right after the HTTP or HTTPS is where they're going from a domain perspective. But because of IDNs that's not always the case, and that's become probably a bigger issue now that you have things likezip out there, because then that looks like a file extension, so it only makes that worse. I wouldn't say that we've seen a lot of hidden path, but I think it's something that's probably going to emerge more. Now that you have something likezip and if we have anything else, that's a common file extension that comes out as a utility, I think you're going to see even greater issues with that.

0:54:22 - Josh Kuo
And I want to respond to what Kurt asked about the two separate pieces that you asked about. What can we, the enterprise users or administrators, do about this to protect ourselves and, potentially, how do we take down these malicious domains? I'll start with the bad news the taking down. It's pretty hard because they most likely register. If you're doing IDN, a lot of these are registered through registrars or resellers from different countries, which they have different codes, different processes, different languages that you need to then contact them and say, hey, you're using something that you think is in your local language but it really just visually looks like some domain I own and it's causing issues. So making them do the take down, it's not impossible, it's just very tedious. You need to find the right processes, talk to the right person and run through that whole domain take down, and they require evidence and whatever the local process might be.

0:55:32 - Ross Gibson
So that's the bad news. There are services that you can actually use that will help with that. We actually offer ones as well, and they can get stuff down really fast because they have established relationships with those registrars and so they can call them and they, as a trusted partner with them, they can get a lot greater response. So sometimes that's one of those things where especially if you're talking about high dollars it's worth investing in a team that knows how to do this and can take it down fast, because if you're starting from scratch it could take weeks, and in the enterprise space you can't afford to do that.

0:56:18 - Curt Franklin
Yes, Time is of the essence, and it seems to be zooming along for us as well, so it's time for one more ad. We have a great sponsor this week in Enterprise Tech, and to tell us about it, it's back to Mr Lou Moresco.

0:56:38 - Lou Maresca
Well, thank you guys. I'll get you back to your Enterprise 19 news in just a moment. Well before we do, you have to thank another great sponsor of this week in Enterprise Tech, and that's Banta. A growing business likely means more tools, third party vendors and even data sharing. In other words, way more risk. Banta founded in 2018.

After several high profile data breaches, online security has continued to become vital. Banta understands firsthand how hard it is for fast growing companies to invest the time in staffing to build a solid security foundation. Banta was inspired by a vision to restore trust in internet businesses by enabling companies to improve their security. Banta brings your GRC and security effort together, integrating information from multiple systems that reduce risks to your business, all without the need for additional staffing. And because Banta automates up to 90% of the work for SOC2 or ISO 27001 and more, you can focus on strategy and security, not maintaining compliance. G2 resoundingly loves Banta year after year.

Check out these honest customer reviews from business leaders. There's no doubt about Banta's effect on building trust with our customers. As we work more with Banta, we can provide more information to our current potential customers about how committed we are to information security, and Banta is the heart of it. That's what Chief Technology Officer and the best in automated compliance monitoring from ahead of quality assurance and customer support, building 6,000 fast growing companies like Chili, piper, patch and Autodesk that use Banta to manage risk and improve security in real time. You can try Banta for free for 7 days by going to vantacomcom that's V-A-N-T-A dot com slash enterprise to start a free trial, no costs or obligations, and we thank Banta for their support of this week in Enterprise Tech. Back to you guys.

0:58:46 - Brian Chee
We had a quick conversation about load balancing Now back in the day. Just about everybody would put a what's called a layer for load balance or say, in front of web servers or whatever, or FTP servers, so that we could load balance and maybe if one server was having problems, we could shift the load to another one and do the repair and then bring it back online. Now, in a global economy, especially as we start going into the cloud, that just doesn't work anymore. So you started talking a little bit about using DNS for global load balancing. Let's go and dive into that a little bit more. What's involved? Can any old DNS do this type of load balancing? Is it? Can I even support, say, one web server on a ginormous machine and a smaller web server that just happens to pick up the leftovers? Can I have asymmetrical load balancing? So let's dive in to global load balancing.

0:59:58 - Ross Gibson
And that's a great. I love that topic. That is one of my areas. It's been actually a fair amount of my time doing global server load balancing work for customers and with customers. Can you do it in an asymmetric way? Yes, it depends on the particular technology you're using, but quite often you can use things like SNMP as a dynamic load balancing component so you can track, for example, the CPU utilization of the device and then determine how much traffic you're going to send to that device versus another one.

Global server load balancing can be used for a lot of different things. It can be used, like you said, to base it on load. It can be used based on location and I would say that's probably what I work with the most, mostly on the internal side, but on the external side it's usually to, basically, if you've got multiple points of presence trying to give the closest answer to the client, so you're going to see where the client is coming from based on their DNS query, and then, based on that information, you can decide oh, this particular server is the best one to return to them. On the back end of that, you also can be doing health checks to know which servers are up and which are not. So if something goes down, you can reroute around a failure, which is a really powerful component of it.

But I think the topology what's called the topology-based load balancing is a really powerful one, and it actually was used in some cases when GDPR first started really coming out because people— couldn't meet the GDPR demands. So instead of dealing with that, they would say oh, if you're coming from Europe, I'm just going to give you an annex domain and not let you even access my site, and then that's how they worked around that problem. So GSLB can be used for solving a lot of different problems. We could do a little episode on that, probably.

1:02:09 - Josh Kuo
Yeah, and I want to add to that, so kind of tying this technology back to what we've talked about from the last episode about looking up answers. One thing we didn't get to talk about is this what Rostor's talked about highlights why it's important, why you, who you use for your DNS lookup, your DNS seeker, is really important. Just continue, as a European example, let's say I'm accessing Microsoft 365 from France, but I somehow picked a DNS server that's in Germany. Well, I'll probably somehow, because maybe I'm on the border of France where, geographically, the DNS server in Germany somehow it responds faster. Maybe I use the DNS benchmark by Steve Gibson to look up which one is faster, right, but just in this case, the fastest one may not be the best one. Because it might. Then the result might be not intentionally that when I go to the websites I want to go to based on the DNS server I'm using, it concludes that I must be coming in from Germany. So I see the German version of all these websites.

1:03:30 - Brian Chee
All right. Well, let's go and clear up another term that drives a lot of people crazy recursive DNS, especially for the people that are listening in on their drive to work. What is it? Why is recursive DNS something that comes up in almost every conversation? When we talk about DNS?

1:04:01 - Josh Kuo
Okay. So I would say the recursive, in a nutshell, is all the parts of how DNS finds the final answer Right. So the typical super simplified flow would be if I enter a name into my web browser, usually the web browser has its own internal cache. It's going to check have I been to this name before at a DNS level we're not even talking about the page caching and if, in our example, not, then it checks. Okay, operating system. Have we visited this name before?

It would do something like a system called like get host by name. The OS then will return yes, we've been here recently. Here's the IP address or not, and if not, the OS would then, based on its own configuration, find the DNS server. The recursive DNS server so the popular ones people know once we probably use at home, will be 8888, 444.4, whatever. In your enterprise it would be whatever you or enterprise configure on your laptop, most likely send out by DHCP. Then it contacts your what your OS then contacts this DNS server and that DNS server would then go to starting a route and then go to the next level and go to the next level. So this is this whole thing is recursive DNS. How do I find the answers?

1:05:41 - Ross Gibson
Yeah, and I'll note there. The recursive DNS server is the one that is talking to the route and then walking down the tree, not the client directly. So the recursive DNS server is doing the work on behalf of the client and then just takes all that information and returns the answer that was asked of it Basically. So it's the query response will have you know they're not going to give you bits and pieces like the recursive DNS server is seeing. The recursive DNS server is going to give you all of it. It's going to say here's the name you asked for and here's the answer.

1:06:22 - Brian Chee
Cool. You know we've had all kinds of fun deep diving into this. You know blub, blub, blub, but we're running out of time, oh dear. So I do want to say next week we're going to go into episode number three. Now, this one's going to be fun, this one's going to be very near and dear to our friend Lume Reska, exploring internal DNS and active directory. Because you may know you people listening may not know it, but active directory comes with DNS services built in, and no deep dive would be complete without giving Microsoft its due for, in many cases, giving people their first taste of actually managing a DNS. So ought to be fun. Anyway, I think we need to close up and I think what we're going to do first is say where can people get more information about you folks in football, so forth and I'm going to ask our technical director to go and bring up the Amazon link to your book one more time. And, gentlemen, how, where would people find more information about you and listen to your wisdom?

1:07:43 - Josh Kuo
Well, the, I think the, the main website with that you said is info blockscom. I N, f, o, b L O X. Be careful, there are some local like domains that use different letters to substitute for that, so make sure you spell it right. And our book on Amazon, the. The easiest way, fastest way to find it is probably search for DNS in security. I know we have a longer title but that string is easier to remember to find the book.

1:08:17 - Ross Gibson
Yeah, and then we're both on LinkedIn as well, obviously, so most of the enterprise folks that listen are going to be very familiar with that. So you can, you can find us there as well, and it's great to to get to interact with customers, having been a customer so I actually was was a customer for many years before I came to work here, and it's. It's always fun to talk about things like global server load balancing and how you can use DNS to basically enable your business make it better.

1:08:57 - Curt Franklin
Well, we have a lot to continue talking about, and we've got another week to do it. This is part two of our three part series on DNS, showing you just how important DNS is to the enterprise and for something that seems so simple. Translating a name into an address Pretty complex, so we're looking forward to next week getting us there. Before we do that, though, Brian got to ask what do you have coming up this coming week? Where can folks find you if they need to reach out and touch my cohost and our producer?

1:09:43 - Brian Chee
I'm a dinosaur. I still use Twitter for a lot of my social media. I use Facebook, but yeah, I'm also on LinkedIn and I've been getting some great feedback from you folks. Apparently, you folk the viewers really do like these deep dives because I'm getting deluged with comments and so forth on LinkedIn. So, thank you very much. Appreciate that I'm going to be working on some interesting issues.

A lot of it is surrounding people that have site impairment. Such a service would be spectacular and, considering one of my very good friends that I went to university with lost his site to diabetic retinopathy and then lost his life because of complications, he was blind very late in life in college actually just before college and had to learn how to navigate a very complex world. So in his honor, I want to try and make the world more accessible. So if you want to hear what's going on with me, I'm ADV NET LAB on Twitter. I believe my LinkedIn is key to chi at hawaiiedu. I still have my university account and you're more than welcome to use that email to hit me. We would love to hear from you and everybody. Stay safe.

1:11:23 - Curt Franklin
As for me, well, I've pretty much moved on from X. I haven't deleted my account, but I'm not using it much anymore. I am spending a lot more time on threads. We're just like I am on a number of things. You can look up Curtis Franklin. Linkedin is where I have a lot of conversations and I urge you to find me there. Bam Heads down trying to get some reports published before the end of the year and launch into 2024 in strong form. Well, for our guests, for Brian, for all the folks behind the scenes, we thank you for being here, because we could not and would not do this without you, our audience. We really appreciate you being here each and every week Until next week. Remember, if you want to know what's up to the minute, what's important, what's need to know in enterprise technology, just keep twiet

All Transcripts posts