EP-4742599-A2 - SYNERGISTIC DNS SECURITY UPDATE

Abstract

Systems and methods provide for synergistic domain name system (DNS) security updates. A method comprises querying a local DNS blacklist/whitelist regarding a domain; pushing, in response to a first answer that the domain is not on the local DNS blacklist/whitelist, a query regarding the domain to an advanced DNS security at an associated cloud security system; querying, in response to a second answer that the domain is cleared at the advanced DNS security, a locally implemented advanced security policy on the edge network device; detecting a threat or clearance regarding the associated domain via the locally implemented advanced security policy; and, finally, sending an upstream update from the edge network device.

Inventors

  • VALLURI, VAMSIDHAR
  • PRABHU, Vinay
  • EVANS, SARAH ADELAIDE
  • RANGASWAMY, Suraj

Assignees

  • Cisco Technology, Inc.

Dates

Publication Date
20260513
Application Date
20191118

Claims (15)

  1. A method comprising: querying a local domain name system, DNS, blacklist/whitelist regarding a domain; pushing, in response to a first answer that the domain is not on the local DNS blacklist/whitelist, a query regarding the domain to an advanced DNS security at an associated cloud security system; querying, in response to a second answer that the domain is cleared at the advanced DNS security, a locally implemented advanced security policy on the edge network device; detecting a threat or clearance regarding an associated domain via the locally implemented advanced security policy; and sending an upstream update from the edge network device.
  2. The method of claim 1, wherein the upstream update includes a signature associated with the detected threat or clearance to a network controller appliance.
  3. The method of claim 2, wherein the network controller appliance is of a software-defined wide-area network.
  4. The method of any preceding claim, further comprising: notifying the associated cloud security system to update its DNS blacklist/whitelist with respect to the threat.
  5. The method of any preceding claim, further comprising: receiving an update from the network controller appliance to void the detected threat and place the domain on the local DNS whitelist.
  6. The method of any preceding claim, wherein the advanced security policy is one of the following policies: Unified Threat Defense, UTD; IPSec/SSL Intrusion Detection and Prevention System, IPS/IDS; Advanced Malware Protection, AMP; Anti-virus Protection, AV; Data Loss Prevention, DLP; Application Firewall, AppFW; or Encrypted Traffic Analytics, ETA.
  7. The method of any preceding claim, wherein the upstream update is an OMP message.
  8. One or more non-transitory computer-readable mediums that include computer-readable instructions stored thereon, which when executed by one or more processors, cause the one or more processors to enact the steps of any one of the preceding claims.
  9. An edge network device, comprising: one or more processors; and one or more non-transitory computer-readable media that include computer-readable instructions stored thereon, which when executed by the one or more processors, cause the one or more processors to: query a local domain name system, DNS, blacklist/whitelist regarding a domain; push, in response to a first answer that the domain is not on the local DNS blacklist/whitelist, a query regarding the domain to an advanced DNS security at an associated cloud security system; query, in response to a second answer that the domain is cleared at the advanced DNS security, a locally implemented advanced security policy on the edge network device; detect a threat or clearance regarding an associated domain via the locally implemented advanced security policy; and send an upstream update from the edge network device.
  10. The edge device of claim 9, wherein the upstream update includes a signature associated with the detected threat or clearance to a network controller appliance.
  11. The edge network device of claim 10, wherein the network controller appliance is of a software-defined wide-area network.
  12. The edge network device of any of claims 9 to 11, further comprising instructions which when executed by the one or more processors, cause the one or more processors to: notify the associated cloud security system to update its DNS blacklist/whitelist with respect to the threat.
  13. The edge network device of any of claims 9 to 12, further comprising instructions which when executed by the one or more processors, cause the one or more processors to: receive an update from the network controller appliance to void the detected threat and place the domain on the local DNS whitelist.
  14. The edge network device of any of claims 9 to 13, wherein the advanced security policy is one of the following policies: Unified Threat Defense, UTD; IPSec/SSL Intrusion Detection and Prevention System, IPS/IDS; Advanced Malware Protection, AMP; Anti-virus Protection, AV; Data Loss Prevention, DLP; Application Firewall, AppFW; or Encrypted Traffic Analytics, ETA.
  15. The edge network device of any of claims 9 to 14, wherein the upstream update is an OMP message.
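The query sequence the claims describe, as an added Python simulation that is not code from the patent or from Cisco: the local blacklist/whitelist answers first, an unlisted domain is pushed to the cloud DNS security check, a cloud-cleared domain is run through the locally implemented advanced security policies, and a threat or clearance is reported upstream and cached locally. The class names, the `UpstreamUpdate` record standing in for the OMP message, and the sample domains and signature are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional

class Verdict(Enum):
    BLOCK = "block"
    ALLOW = "allow"

@dataclass
class UpstreamUpdate:  # stand-in for the OMP update sent to the controller (shape assumed)
    domain: str
    verdict: Verdict
    signature: str   # signature of the detected threat, empty on clearance
    source: str      # stage that produced the verdict, e.g. a local policy name

@dataclass
class EdgeDevice:
    local_blacklist: set = field(default_factory=set)
    local_whitelist: set = field(default_factory=set)
    cloud_dns_check: Callable[[str], Verdict] = lambda d: Verdict.ALLOW
    local_policies: Dict[str, Callable[[str], Optional[str]]] = field(default_factory=dict)
    sent_updates: List[UpstreamUpdate] = field(default_factory=list)

    def resolve(self, domain: str) -> Verdict:
        # Step 1: the local DNS blacklist/whitelist answers first; no upstream update needed.
        if domain in self.local_blacklist:
            return Verdict.BLOCK
        if domain in self.local_whitelist:
            return Verdict.ALLOW
        # Step 2: not listed locally, so push the query to the cloud DNS security service.
        if self.cloud_dns_check(domain) is Verdict.BLOCK:
            return Verdict.BLOCK
        # Step 3: cleared by the cloud, so run the local advanced policies (UTD, IPS, AMP, ...).
        for name, policy in self.local_policies.items():
            signature = policy(domain)
            if signature:  # threat detected: cache the verdict locally and report it upstream
                self.local_blacklist.add(domain)
                self.sent_updates.append(UpstreamUpdate(domain, Verdict.BLOCK, signature, name))
                return Verdict.BLOCK
        self.local_whitelist.add(domain)  # clearance is cached and reported upstream as well
        self.sent_updates.append(UpstreamUpdate(domain, Verdict.ALLOW, "", "local-policy-clear"))
        return Verdict.ALLOW

    def apply_controller_void(self, domain: str) -> None:
        # Controller voids a detected threat; the domain moves to the local whitelist (claim 5).
        self.local_blacklist.discard(domain)
        self.local_whitelist.add(domain)

def build_demo_device() -> EdgeDevice:
    # Constructed sample data: the domains and the signature are placeholders, not real indicators.
    cloud = lambda d: Verdict.BLOCK if d == "cloud-flagged.example" else Verdict.ALLOW
    amp = lambda d: "AMP:sha256:PLACEHOLDER" if d == "stealth.example" else None
    return EdgeDevice(local_blacklist={"known-bad.example"}, cloud_dns_check=cloud, local_policies={"AMP": amp})
```

After a local policy blocks a domain, the cached verdict answers the next query without a second upstream update; a controller void moves the domain to the whitelist, so it is then allowed at step 1.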

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of, and priority to, U.S. Non-Provisional Patent Application No. 16/567,435, entitled "SYNERGISTIC DNS SECURITY UPDATE," filed September 11, 2019, which claims the benefit of U.S. Provisional Patent Application No. 62/774,102, entitled "SYNERGISTIC DNS SECURITY UPDATE," filed November 30, 2018, the contents of which are incorporated herein by reference in their entireties.

FIELD

The present embodiments generally relate to systems and methods that provide for synergistic Domain Name System (DNS) security updates in a network based on threat detection via local security policies on edge network devices.

BACKGROUND

The enterprise network landscape is continuously evolving. There is a greater demand for mobile and Internet of Things (IoT) device traffic, Software as a Service (SaaS) applications, and cloud adoption. In addition, security needs are increasing and certain applications can require prioritization and optimization for proper operation. As this complexity grows, there is a push to reduce costs and operating expenses while providing for high availability and scale. Conventional WAN architectures are facing major challenges under this evolving landscape. Conventional WAN architectures typically consist of multiple Multi-Protocol Label Switching (MPLS) transports, or MPLS paired with Internet or Long-Term Evolution (LTE) links used in an active/backup fashion, most often with Internet or SaaS traffic being backhauled to a central data center or regional hub for Internet access. Issues with these architectures can include insufficient bandwidth, high bandwidth costs, application downtime, poor SaaS performance, complex operations, complex workflows for cloud connectivity, long deployment times and policy changes, limited application visibility, and difficulty in securing the network.
In recent years, software-defined wide-area network (SD-WAN) solutions have been developed to address these challenges. SD-WAN is part of a broader technology of software-defined networking (SDN). SDN is a centralized approach to network management which can abstract away the underlying network infrastructure from its applications. This de-coupling of data plane forwarding and control plane can allow a network operator to centralize the intelligence of the network and provide for more network automation, operations simplification, and centralized provisioning, monitoring, and troubleshooting. SD-WAN can apply these principles of SDN to the WAN. To secure the SD-WAN, a cloud-delivered secure internet gateway can be used to provide the first line of defense against threats on the Internet. The cloud-delivered secure internet gateway can include a Domain Name System (DNS) security platform. The DNS itself is a hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network. The DNS associates a variety of information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. DNS security platforms, like Cisco Umbrella, can deliver complete visibility into Internet activity across all devices on a network and block threats before they reach the network. The DNS security platform can stop phishing and malware infections, and can proactively block requests to malicious destinations before a connection is established. More specifically, the DNS delegates the responsibility of assigning domain names and mapping those names to Internet resources by designating authoritative name servers for each domain. Network administrators may delegate authority over sub-domains of their allocated name space to other name servers.
This mechanism provides distributed and fault-tolerant service and was designed to avoid a single large central database. Various DNS security platforms (e.g., Cisco Umbrella, OpenDNS, etc.) provide additional security features on top of the DNS. In many cases, these DNS security platforms may be provided as a cloud service. These DNS security platforms may be configured to, for example, use the Internet's infrastructure to block malicious destinations before a connection is ever established. The platforms may use DNS to stop threats over all ports and protocols, even direct-to-IP connections. Instead of proxying all web traffic, the platforms may route requests to risky domains for deeper URL and file inspection. The platforms can effectively protect without delay or performance impact. Even if devices become infected in other ways, the platforms may prevent connections to attackers' servers. The platforms can further stop data exfiltration and execution of ransomware encryption. DNS security platforms often rely on a remotely hosted source of truth that is periodically updated, and is not prepar