Google Cloud has launched DNS Armor, a new cloud-native security service developed in partnership with Infoblox. The service provides a foundational layer of security by preemptively detecting and mitigating DNS-based threats originating from Google Cloud workloads. The offering addresses a critical vulnerability, with one of Infoblox’s own studies finding that 92% of malware utilizes the Domain Name System (DNS) for command and control (C2) communications.
Google describes the service as preemptive threat detection for internet-bound DNS queries initiated from Google Cloud workloads. Moreover, the company states that it complements its cloud-first network security product portfolio by offering a foundational security layer that identifies DNS-based threats, including requests to malicious command and control (C2) servers, DNS tunneling for the exfiltration of sensitive data, and malware using DNS queries.
Essentially, DNS Armor provides feed-based detection, identifying known malicious and high-risk domains, as well as newly registered domains that are likely to be used in attacks. Additionally, it provides algorithm-based threat detection using machine-learning techniques, including the detection of DNS tunneling, to prevent unauthorized data exfiltration.
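To make the two detection modes concrete, here is an added, self-contained example (not DNS Armor's or Infoblox's code) that runs a constructed feed lookup plus simple tunneling and DGA heuristics over constructed internet-bound query log lines. The feed entries, log format, entropy and length thresholds, and the "last two labels are the registrable domain" rule are all assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed sample data (not real indicators): a tiny "feed" of known-bad
# and newly-registered domains, plus a few internet-bound query log lines.
KNOWN_BAD = {"bad-c2.example"}
NEWLY_REGISTERED = {"fresh-site.example"}
SAMPLE_LOG = """\
2024-01-01T00:00:01Z 10.0.0.5 www.google.com A
2024-01-01T00:00:02Z 10.0.0.5 login.bad-c2.example A
2024-01-01T00:00:03Z 10.0.0.7 api.fresh-site.example A
2024-01-01T00:00:04Z 10.0.0.9 ad3f9c1b7e2a4d6f0b8c.tunnel.example TXT
2024-01-01T00:00:05Z 10.0.0.9 kx7qzw9vbj3lp.example A
"""

def entropy(s):
    # Shannon entropy in bits per character; high values suggest encoded data.
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registrable(qname):
    # Assumption: the last two labels form the registrable domain (no PSL).
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def classify(qname):
    labels = qname.lower().rstrip(".").split(".")
    base = registrable(qname)
    if base in KNOWN_BAD:                # feed-based: known malicious
        return "feed:known-malicious"
    if base in NEWLY_REGISTERED:         # feed-based: newly registered
        return "feed:newly-registered"
    sub = labels[:-2]
    longest = max((len(label) for label in sub), default=0)
    # Heuristic thresholds below are assumptions chosen for illustration.
    if longest >= 20 and entropy("".join(sub)) > 3.5:
        return "heuristic:tunneling"      # long, high-entropy subdomain labels
    first = labels[-2]
    vowels = sum(ch in "aeiou" for ch in first) / max(len(first), 1)
    if len(first) >= 12 and entropy(first) > 3.3 and vowels < 0.25:
        return "heuristic:dga"           # random-looking registrable label
    return "benign"

def analyze_log(text):
    # Returns (source, qname, qtype, verdict) for every non-benign query.
    findings = []
    for line in text.splitlines():
        _ts, src, qname, qtype = line.split()
        verdict = classify(qname)
        if verdict != "benign":
            findings.append((src, qname, qtype, verdict))
    return findings
```

In practice a real detector would use a public-suffix list and per-client baselines rather than fixed thresholds; the point here is only to show the two detection styles side by side.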
The authors of a Google blog post write:
Many sophisticated cyberattacks establish a network connection with their command and control environment. You can use DNS Armor to get visibility into the earliest indicators of suspicious and malicious domains by detecting C2 activity, connections to malware distribution sites, and Domain Generation Algorithm (DGA) traffic originating from your workloads.
The focus on DNS is crucial as Michael, an IT Generalist and Network architect, tweeted on X:
DNS seems like an odd area to talk security till you realize that DNS is often the first step in communications in any threat vector, from phishing to C&C botnet traffic.
The DNS Armor documentation describes the service's operation as follows: when a DNS threat detector is enabled for a project, DNS Armor securely sends the internet-bound DNS query logs to a Google Cloud-based analysis engine powered by its partner, Infoblox. The engine uses a combination of threat intelligence feeds and AI-based behavioral analysis to identify threats. Any malicious activity detected generates a DNS Armor threat log, which is then sent back to the user's project and written to Cloud Logging for them to view and act upon.
(Source: Infoblox blog post)
Lastly, DNS Armor is deployed as a service managed by Google: it requires no virtual machines to oversee and does not impact the performance of Cloud DNS. Moreover, users can enable DNS Armor at the project level across VPCs, giving them precise control over which cloud workloads need protection.