DNS, DHCP & IP Address Management appliances
For Microsoft DNS & DHCP servers
For open source DNS & DHCP servers
Cloud-based visualization of analytics across DDI architecture
Manage multi-vendor cloud DNS servers centrally
RIR Declaration Management and Automation
Automated network device configuration and management
Centralized visibility over all your clouds
A single source of truth for your network automation
Why DDI is an Obvious Starting Point
DNS Threat Intelligence for proactive defense
Intelligence Insights for Threat Detection and Investigation
Adaptive DNS security for service continuity and data protection
Improve Application Access Control to prevent spread of attacks
Protect users and block DNS-based malware activity
Carrier-grade DNS DDoS attack protection
Optimize application delivery performance from the edge
for Proactive Network Security
Visibility, analytics and micro segmentation for effective Zero Trust strategy
Enable work from anywhere by controlling access, security and data privacy
Simplify management and control costs across AWS, Azure and GCP environments
Risk-free migration to reduce DDI complexity and cost
Move risk-free to improve performance, security and costs
Automate management, unify control and strengthen security of connected devices
Protect your network against all DNS attacks, data exfiltration and ransomware
Enable zero touch operations for network management and security
Improve resiliency, deployment velocity and user experience for SD-WAN projects
Integrated DNS, DHCP, IPAM services to simplify, automate and secure your network.
Simplify design, deployment and management of critical DDI services for telcos
Optimize administration and security of critical DDI services for healthcare
Simplify and automate management of critical DDI services for finance
Simplify and automate management of critical DDI services for higher education
Simplify and automate management of critical DDI services for retail
Simplify Management and Automation for Network Operations Teams
Open architecture for DDI integration
Technology partnerships for network security & management ecosystems
Extend security perimeters and strengthen network defenses
Submit requests for temporary licenses
Submit access requests for EfficientIP knowledge platforms
Submit membership requests for EfficientIP Community
Strengthen Your Network Protection with Smart DNS Security
Customer-centric DDI project delivery and training
Acquire the skills needed to manage EfficientIP SOLIDserver™
Identify vulnerabilities with an assessment of your DNS traffic
Test your protection against data breaches via DNS
Dedicated representation for your organization inside EfficientIP
Explore content which helps manage and automate your network and cloud operations
Read content which strengthens protection of your network, apps, users and data
Learn how to enhance your app delivery performance to improve resilience and UX
Why Using DNS Allow Lists is a No-Brainer
This enterprise-grade cloud platform allows you to improve visibility, enhance operational efficiency, and optimize network performance effortlessly.
Who we are and what we do
Meet the team of leaders guiding our global growth
Technology partnerships for network security and management ecosystems
Discover the benefits of the SmartPartner global channel program
Become a part of the innovation
The latest updates, release information, and global events
October 28, 2021 | Written by: Surinder Paul | DNS, DNS Security, Network Automation
Client Query FilteringCommand and ControlCyberthreatDNSDNS ApplianceDNS AttackDNS FilteringDNS ManagementDNS Security IssuesDNS SolutionIoTIP Address ManagementIPv6MalwarePhishingThreat Intelligence
Domain names are used as a way to abstract the location of the related application or service and hide its IP address to the user. It is much easier to remember a meaningful name than a meaningless IP address, particularly when it comes to IPv6 addresses.
Before anything, one needs to register the new domain name in a Domain Name Registrar. This corresponds to reserving the name so no one else can use it from then onwards. In order to use it, one needs to create such a newly registered domain name on an active DNS authoritative server. This corresponds to making it available to the users so it can be requested. However, it’s important to note that nothing happens until someone requests it for the first time.
New domain names are created everyday as part of the Domain Name System. They serve various purposes – some are legitimate and useful while others are malicious and used for cybercriminal activities. As we say in the DNS world community, “Of course, not all new domains are bad, but many bad domains are recent”. So, while new domain names are mandatory and really useful for any service provider, they can also be used by cybercriminals or nation-state attacks, all leveraging DNS to execute their fraudulent activities, such as hosting new attack services, command and control servers, phishing websites, spread of malware, spam, botnets, etc.
A global 2021 DNS Security survey conducted by IDC revealed that 87% of respondents said they had been targeted by a DNS attack in the last 12 months so the threat is very real.
In essence, any newly registered and created domain is not yet well known and therefore cannot yet easily be in any global security database. As a consequence it is not easy to filter them out as there is no basis to do so. Legitimate are not, a new domain is just unknown to anyone before it has been observed and proven being suspicious or not.
A simplistic and conservative approach could be to restrict any content hosted on an unknown domain name. DNS is by design very well positioned at the intent of any IP communication to perform this simple check.
But this raises the question of What is a Newly Observed Domain (NOD)? How can a given recursive DNS server know that a domain name is new?
As we saw earlier, information about newly registered domain names is at the registrar level to start with. It may be available in the Whois database provided one knows what and how to look for it. This you need to know it has been created even though it might have never been configured on an authoritative server nor used yet. In addition, Whois information won’t be really useful to determine if such a new domain name could be trusted or not.
Ideally, a feed consolidating the information from all registrars worldwide would be necessary to aggregate such data and make it available to all. Nevertheless this would not be sufficient as a domain can be registered, linked to an authoritative DNS server but not yet configured on it. When it is used, so being requested, we can start being informed about its actual usage, legitimate or malicious and this is when it becomes “observed”.
Eventually, in order to keep such a database manageable, we need to stay at the “registrable” level, as all FQDN are not domain names.
This has to start at any recursive DNS server level. The data collected on multiple servers can be filtered and merged. As one can imagine, it is nearly impossible to know for sure a Domain has been observed for the very first time on the Internet. This would require all the resolvers to work together in synchronization which is beyond the current state of the technology. But by sampling using enough of these servers on multiple regions we can assume that the information is correct and that a domain has been observed for the first time: “newly observed”. Now at an organization level, collecting and consolidating the requests on all the resolvers is scalable and can be done. This should be enough to protect all the clients from new potential threats. Looking also at the source can help analyse the propagation scheme for both licit and illicit domain names.
How can someone use the information about Newly Observed Domains?Of course, a new domain is not automatically malicious but as a precaution principle, waiting before using it is a safe option. Letting NOD be categorised and gathered by a security feed might save the day.
How long should you wait before granting access to a Newly Observed Domain?A “certain time” is the good response as stated in the punchline of a famous sketch from an old French standup comedian… It actually depends on the security policy and of course the resources at stake to be protected. For some it will be a matter of hours and for others it would go up to a month.
What if the Newly Observed Domain is critical for my business operations?In this case, the solution is to use a DNS allow list (whitelist) and include such mission critical domain names in it. On the contrary, if the new domain can be ignored for a while, the quarantine period will allow us to know if the domain has been incorporated into a security feed through any Threat Intelligence Process and therefore should never be trusted, or if it is safe after all.
Security teams need up-to-date information about domain names and which ones are known to have a compromised reputation. That’s the role of Security Feeds as part of a DNS Firewall implementation to protect against DNS threats. Among those are specific Security Feeds dedicated to Newly Observed Domains (NOD), those for which no one can be sure yet.
This is where using allow/deny lists at the DNS level to filter access to domain names can be handy, allowing all already known legitimate domain names while denying malicious categories and NOD even before they appear in the licit or illicit categories.
Here’s an example policy which includes NOD management:
Policies should be adapted per client type e.g. an IoT device should not access the internet like a user from the HR department. As is always the case with Security, no one size fits all – each case is specific and should be studied based on the actual requirements of the organization.
As a rule of thumb, avoiding sending all the organization’s traffic to a central recursive service in the cloud is best for performance and efficiency, but also more importantly for data security to stay in control. Allow lists as suggested above will drastically reduce the amount of traffic to look at for NOD.
NOD control linked to DNS is a simple and good tool in the arsenal for safer user access to applications. Organizations would do well to consider it on top of all other existing security measures, for improving their overall security.
When our goal is to help companies face the challenges of modern infrastructures and digital transformation, actions speak louder than words.
Explore content highlighting the value EfficientIP solutions bring to your network
To provide the best experiences, we and our partners use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us and our partners to process personal data such as browsing behavior or unique IDs on this site and show (non-) personalized ads. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Click below to consent to the above or make granular choices. Your choices will be applied to this site only. You can change your settings at any time, including withdrawing your consent, by using the toggles on the Cookie Policy, or by clicking on the manage consent button at the bottom of the screen.
We use cookies to enhance your browsing experience, serve personalized content, and analyze our traffic. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site.