design, resilience

Defense-in-Depth: DNAT

Posted by resilience on

This is another post about things we can do to improve business efficiency, security, and privacy through the lens of resilience with little or no cost and minimal effort.

While there is no perfect or single solution in the battle to protect our families, friends, and clients from malware, the best we can offer is a solid defense-in-depth strategy that includes doing not just one thing but several things behind-the-scenes that help when someone clicks on something they shouldn’t.

Using DNAT rules is a great addition to a defense-in-depth strategy.

The first malware for Macs in 2018 was MaMi and it did precisely this in combination with a spoofed certificate of authority or CA. Malware like it will evolve over time to add more complexity but one thing it does very well is hijack DNS.

Criminals commonly achieve their goals by using malware to re-route DNS queries on compromised machines.  DNS is used to translate IP addresses into domain names like google.com or chase.com. When criminals successfully re-route DNS, they lead their unsuspecting victims to sites that are not legitimate but compelling imposters they control to do their bidding.

DNAT rules put in place on a network device, such as a router can help detect and prevent malware requests that attempt to re-route our DNS queries before it has a chance to use our own infrastructure against us.

DNAT stands for Destination Network Address Translation. It’s versatile and useful for routing traffic according to specific rules. For example, a rule can be set to help us detect when malware tries to re-route our DNS requests from our LAN to the WAN (or Internet).

Imagine that DNS requests flow from the LAN (our private home or office network) to the WAN (our connection to the Internet that our ISP provides). It’s typical for malware, once successfully installed inside a network, to hijack DNS to communicate with external command and control servers and execute whatever other nasty list of deeds it’s designed for.

Here’s a use case scenario: suppose a device on a network gets infected with malware that then tries to write its own custom DNS configuration. Or here’s another, arguably even more common scenario: maybe someone (clever kids!) tries to set their DNS to something other than the preferred DNS servers to work around content filtering to watch something inappropriate. In either case, a DNAT rule will detect and then re-write the unsanctioned DNS server address(es) to the proper one(s), continuing to forward DNS queries to the proper servers.

This functionality can also be extended, if necessary, to alert someone when the rule is triggered, for example.

Using DNAT rules in this way isn’t a silver bullet nor should it be considered the only solution to have in place on your home or office network, but it’s a key addition to a defense-in-depth strategy.

A layered approach or defense-in-depth, is just like in our cars. We don’t rely only on our rear-view mirror or our seat belt or sensors or our anti-lock brakes to keep us safe. We rely on a symphony of them all working together to minimize our risk of injury when something happens.

Cybersecurity is dead. Long live resilience!