Six reasons why DPI is better than DNS analysis


By Magnus Bartsch
Published on: 28.08.2024

DNS is essentially a distributed library that manages records of domain names and their corresponding IP addresses. It involves a DNS resolver or recursor that passes DNS queries and responses through a chain of root servers and top-level domain servers, all the way to the authoritative name servers that hold a domain’s official records.

The DNS resolver logs various records from the responses it receives. This includes IPv4 / IPv6 addresses (A / AAAA), domain name aliases (CNAME), text-based descriptions (TXT), mail servers (MX), subdomains, zonal name servers and time-to-live (TTL) values. It also captures the timing, duration and frequency of queries and other information such as device identities, name servers that are pinged, and failed queries. These data points, in combination, make up DNS analysis.

Apart from providing insights on network usage, DNS analysis arms security teams with the information they need to implement various security policies, including blocking access to malicious sites, identifying infected / hijacked devices on the network, controlling Internet usage and others. This helps networks to address insider threats and counter DDoS attacks, phishing, ransomware, botnet activity and others. According to Vercara, DNS requests and responses can be used to identify threats such as evil twin domains, sleeper cells and ghost domains [1].

DNS analysis vs deep packet inspection

Despite this, DNS analysis has its limitations, which raises the question of whether it is adequate in addressing the growing traffic visibility needs of today’s networks. Given the changes in network architecture, adoption of work-from-anywhere (WFA), emergence of new encryption protocols and growing application complexities, networks need deeper and timelier insights on their traffic flows. As a result, networking and cybersecurity vendors may benefit by exploring alternative technologies, specifically deep packet inspection (DPI), that are purpose-built for comprehensive, real-time network traffic visibility at any network layer. Let me explain why.

Application visibility is limited in DNS analysis

While DNS analysis captures thousands of domain names and records, DPI software tools such as ipoque’s R&S®PACE 2 and its VPP-native counterpart R&S®vPACE can dig deeper at the flow and packet level to deliver the full picture – from protocols to applications and service types. So while DNS analysis tells you that there are 27 requests to www.facebook.com, DPI goes beyond request numbers to include the protocols, duration, traffic speeds, latency, packet loss and various other metrics. This information is analyzed in real time not only for each DNS query, but also for every ensuing networking session. DPI also determines whether the user is using Facebook to stream videos, browse posts or message other users, or whether their device is sending automated updates. This level of granularity aids network administrators in implementing dynamic and fine-grained policies for routing, bandwidth allocation, content caching and content compression. That, in turn, ensures superior application performance and optimized resource consumption.

The encryption battle

The use of encryption poses serious visibility challenges for conventional network tools. The emergence of complex encryption protocols such as ESNI, QUIC and TLS 1.3 simply means that packet payloads, and in some cases handshake information, are fully concealed. Next-gen DPI engines such as R&S®PACE 2 and R&S®vPACE address this issue by using encrypted traffic intelligence (ETI). ETI merges techniques such as machine learning (ML), deep learning (DL), advanced caching and high-dimensional data analysis to decipher encrypted flows and prevent blind spots.

In the case of DNS analysis, encryption can be a major drawback. Encrypted queries use protocols such as DoX including DNS-over-QUIC, DNS-over-TLS and DNS-over-HTTPS. While this ensures that client-server communications are safeguarded from eavesdropping, it requires the DNS recursor to decrypt each flow to see what is inside. Where decryption is disabled to make way for ‘end-to-end encryption’, DNS analysis loses all insights relating to encrypted flows. DPI, in contrast, maintains full visibility into every query and every session, despite encrypted DNS communications.

Unearthing hidden threats

In terms of security, it is similar: an encrypted DNS service is no longer able to identify malicious activities, such as botnets, DDoS attacks, data infiltration and exfiltration, as queries and responses are completely masked. Conversely, even when encrypted, DPI detects such flows with ease. It addresses not only connections to malicious sites, but also unauthorized activities such as transfers of sensitive data (e.g. PII) to legitimate sites and between devices in the network perimeter. This equips firewalls, IPS/IDS and SIEM tools with the inputs necessary to safeguard enterprise resources from threats such as data breaches, ransomware, Trojans and zero-day attacks. In fact, advanced DPI tools such as R&S®PACE 2 and R&S®vPACE come with additional functionalities such as tethering detection. This helps networks identify illegal tethering, which can be a hidden conduit to launch attacks on the network.

The use of CDN and proxies

Networks are also increasingly capable of handling anonymized traffic, thanks to the use of CDNs, proxies and other traffic masking techniques. In these scenarios, DNS analysis is rendered useless as responses from authoritative servers and other name servers carry the records of the CDNs and proxies, rather than the actual site visited by users. For example, services such as translate.google.com allow users to pull content from another site while DNS registers only the former. In the case of name-based virtual hosts, stored IP addresses may reflect the default domain instead of the actual domain. In these cases, using DNS analysis simply distorts overall traffic analytics. In contrast, next-gen DPI software, equipped with ML and DL, can identify both intermediary servers and sites, alongside the final domains and applications, regardless of anonymization or obfuscation. They thereby ensure transparency from the first mile to the last.

Cache poisoning and server tampering

The use of cache in DNS servers based on TTL configurations can also lead to inaccuracies in DNS analysis. This happens when stale records are maintained for too long. Similarly, tampering with DNS servers, for example cache poisoning or propagation errors in authoritative servers, can result in deviations in DNS analysis. Using DPI instead of DNS analysis circumvents this, as a DPI engine works independently. Its weekly-updated signatures are managed solely by the vendor, ensuring the highest classification accuracy and reliability.

Other workarounds that impact the quality of DNS analysis

BYOD practices and the presence of errant users who connect to third-party DNS services can leave enterprises that rely solely on DNS analysis with partial visibility into their web traffic. In fact, more sophisticated users may even configure the IP addresses of selected sites in hosts files, bypassing the DNS service altogether. In addition, attacks on the DNS server itself, in the form of hijacking, spoofing, DDoS and flood attacks, can disrupt data capture, compromise its analysis or lead to data leakage. Deep packet inspection, on the other hand, is a mandatory, administrator-controlled feature and ingests every incoming and outgoing packet. It also comes with a minimal attack surface, as it is neither on the frontline of every Internet query, nor does it interact directly with user devices or third-party servers.
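As an added illustration (not code from the original post or from ipoque), the following Python script shows how a defender working only with resolver logs and flow records can at least spot the blind spots described above: sessions whose destination was never resolved through the corporate resolver (hosts-file entries or encrypted DNS to an outside service) and plain DNS queries sent to third-party resolvers. All log records, IP addresses and the resolver list are constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: answers logged by the corporate resolver
# as (client, query name, answer IP).
DNS_ANSWERS = [
    ("10.0.0.5", "www.example.com", "93.184.216.34"),
    ("10.0.0.7", "cdn.example.net", "203.0.113.20"),
]

# Constructed flow records from the egress link: (client, dst IP, dst port, proto).
FLOWS = [
    ("10.0.0.5", "93.184.216.34", 443, "tcp"),   # destination resolved via corporate DNS
    ("10.0.0.7", "203.0.113.20", 443, "tcp"),    # destination resolved via corporate DNS
    ("10.0.0.9", "198.51.100.8", 443, "tcp"),    # never resolved: hosts file or DoH/DoT elsewhere
    ("10.0.0.9", "198.51.100.53", 53, "udp"),    # plain DNS to a third-party resolver
    ("10.0.0.5", "10.0.0.1", 53, "udp"),         # plain DNS to the corporate resolver
]

CORP_RESOLVERS = {"10.0.0.1"}          # assumed corporate resolver address
INTERNAL = ip_network("10.0.0.0/8")    # assumed internal address space


def find_dns_bypass(dns_answers, flows, corp_resolvers, internal):
    """Return (client, dst, reason) for flows that DNS analysis alone cannot explain."""
    # Set of (client, answer IP) pairs the corporate resolver actually handed out.
    resolved = {(client, ip) for client, _, ip in dns_answers}
    findings = []
    for client, dst, port, proto in flows:
        if ip_address(dst) in internal and port != 53:
            continue  # internal east-west traffic is out of scope for this check
        if port == 53 and dst not in corp_resolvers:
            # Query to a resolver the enterprise does not log: partial visibility.
            findings.append((client, dst, "third-party resolver"))
        elif port != 53 and (client, dst) not in resolved:
            # Session to an address this client never resolved via corporate DNS.
            findings.append((client, dst, "unresolved destination"))
    return findings


if __name__ == "__main__":
    for client, dst, reason in find_dns_bypass(DNS_ANSWERS, FLOWS, CORP_RESOLVERS, INTERNAL):
        print(f"{client} -> {dst}: {reason}")
```

The check only flags what the resolver log cannot account for; it still cannot say which application or site the unresolved session belongs to, which is the gap the post argues DPI fills.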

To sum up, DNS analysis is limited to DNS queries and responses, whereas DPI has access to every packet that traverses the network. While DNS analysis helps administrators implement some level of traffic filtering based on DNS queries, networks will eventually need next-gen DPI for comprehensive traffic analysis that is truly reflective of the actual state of network usage, performance and security.

Sources:

[1] Vercara DNS Report 2024


Magnus Bartsch


Magnus has always had a keen interest in computer science. From the start, he has had a particular fascination for deep packet inspection and the broader technologies utilizing this powerful software. Based on this interest, Magnus joined ipoque, a market leader in the DPI field.
During his 13 years at ipoque, he has worked in development, pre-sales and consulting. Throughout this time, he has not only been able to motivate, coach and advise people from around the globe, but also to expand his personal experience by providing full-stack support from rapid prototyping over integration support up to application architecture design. When he is not out promoting ipoque, he has a passion for seeing the world from his motorbike.
