DNS Armor, powered by Infoblox, is a fully managed service that provides DNS-layer security for your Google Cloud workloads. Its advanced threat detector is designed to detect malicious activity at the earliest point in the attack chain, the DNS query, without adding operational complexity or performance overhead. Threat checking is supported for Compute Engine and GKE instances.
DNS Armor allows for the processing and analysis of DNS queries directly within your existing cloud infrastructure. This removes the need to redirect sensitive traffic to a third-party proxy.
After a threat is detected, you can gain actionable insights into DNS threats through Cloud Logging.
Threat checking for DNS CNAME chains is also available with DNS Armor.
How DNS Armor works
When you enable a DNS threat detector for a project, DNS Armor securely sends your internet-bound DNS query logs to the Google Cloud-based analysis engine powered by our partner, Infoblox. This engine uses a combination of threat intelligence feeds and AI-based behavioral analysis to identify threats. Any malicious activity detected generates a DNS Armor threat log, which is then sent back to your project and written to Cloud Logging for you to view and act upon.
With DNS Armor's advanced threat detection, you can detect threats, such as the following:
- DNS Tunneling for Data Exfiltration: DNS queries that are structured to secretly carry data out of your network, often bypassing traditional firewalls.
- Malware Command & Control (C2): DNS communication from a compromised workload that is attempting to contact an attacker's server for instructions.
- Domain Generation Algorithms (DGA): DNS queries to random-looking, machine-generated domains that malware creates to find and connect with its command and control servers.
- Fast Flux: DNS queries to domains that rapidly change their associated IP addresses, a technique used to make malicious infrastructure harder to track and block.
- Zero-Day DNS: DNS queries to newly registered domains that attackers use for malicious activities before those domains develop a known bad reputation.
- Malware Distribution: DNS queries to malicious and high-risk domains, owned by threat actors, that are known to host or distribute malware or could host or distribute malware in the future.
- Lookalike Domains: DNS queries to domains already known to be malicious that are intentionally misspelled or formatted to appear like legitimate, trusted brands.
- Exploit Kits: DNS queries to websites that attempt to automatically exploit vulnerabilities in cloud workloads to install malware.
- Advanced Persistent Threats (APT): DNS queries to domains associated with targeted, long-term attack campaigns, often conducted by sophisticated groups for espionage or data theft.
The advanced threat detector is a globally configured service available at the project level, but operates independently in each region (see DNS Armor Locations for the list of supported regions). It can be enabled for all VPC networks in a project with the ability to exclude up to 100 specific networks.
Detection engines are deployed regionally and receive DNS traffic from the same region. For example, DNS traffic from a client in us-central1 is forwarded to a detection engine deployed in us-central1.
Detector configuration is global: your DNS threat detector configuration is identical regardless of the region in which threats are analyzed.
Performance and scale
When DNS Armor detects data exfiltration that uses DNS tunneling, the multiple DNS queries involved are aggregated into one or a few threat events rather than reported one event per query.
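To make the threat categories listed above concrete, and to show the aggregation behaviour described in this section, here is an added example (not the DNS Armor/Infoblox engine, which also uses threat-intelligence feeds and behavioral analysis): simple per-query heuristics for tunneling-style and DGA-style names, plus a helper that collapses a burst of tunneling queries into one event per domain. The thresholds and sample query names are assumptions constructed for this example.

```python
import math
from collections import Counter, defaultdict

# Added illustrative example, not DNS Armor's own logic. Thresholds and the
# sample names below are assumptions constructed for this example.

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname: str):
    """Return (subdomain part, second-level label, registrable domain)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname, qname
    return ".".join(labels[:-2]), labels[-2], ".".join(labels[-2:])

def classify_query(qname: str) -> str:
    """Return 'tunneling', 'dga' or 'benign' for one query name."""
    sub, sld, _ = split_name(qname)
    # Tunneling: long, high-entropy subdomain labels carrying encoded data.
    if len(sub) >= 40 and shannon_entropy(sub) > 3.5:
        return "tunneling"
    # DGA: a long, random-looking second-level label with few vowels.
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / max(len(sld), 1)
    if len(sld) >= 10 and shannon_entropy(sld) > 3.0 and vowel_ratio < 0.25:
        return "dga"
    return "benign"

def tunneling_events(queries) -> dict:
    """Collapse many tunneling-looking queries into one event per domain,
    the way a burst of tunneling queries yields one or a few findings."""
    events = defaultdict(int)
    for q in queries:
        if classify_query(q) == "tunneling":
            events[split_name(q)[2]] += 1
    return dict(events)

# Constructed sample queries (not real indicators).
SAMPLE_QUERIES = [
    "www.example.com",
    "storage.googleapis.com",
    "qxzvkrtplmwb.example",
    "kq7mz2xv9pl4wn8rt3yhb6dcj5fgs0aeu1ioxn2m.exfil-example.test",
    "zp3vq8kd1rw6yt0xn4mb7hg2sc9jf5la1eu3oi4k.exfil-example.test",
]
```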
Billing impact
You will be charged based on how many internet-bound DNS queries your workloads produce. This excludes:
- Internal VPC queries (e.g. internal hostnames)
- Queries to Google APIs and services (e.g. private.googleapis.com)
- Queries forwarded to on-premises resolvers or other VPCs
- Queries between peered VPCs
To estimate the number of internet-bound DNS queries, use Cloud Monitoring metrics: query the dns.googleapis.com/query/response_count metric and filter it to target_type=external.
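As an added example (not code from this page or from Google Cloud), the following builds the Cloud Monitoring timeSeries.list request that counts external-target DNS responses and sums the points of a returned response. PROJECT_ID is a placeholder, the sample response is constructed, and the filter assumes that target_type is a label of the dns_query monitored resource.

```python
from datetime import datetime, timedelta, timezone

# Added example for estimating billable (internet-bound) DNS query volume.
# Assumption: target_type is a label of the dns_query monitored resource; if it
# is exposed as a metric label instead, use metric.labels.target_type.
METRIC_FILTER = (
    'metric.type = "dns.googleapis.com/query/response_count" '
    'AND resource.type = "dns_query" '
    'AND resource.labels.target_type = "external"'
)

def build_request(project_id: str, days: int = 30, end=None) -> dict:
    """Query parameters for GET v3/projects/{project_id}/timeSeries."""
    end = end or datetime.now(timezone.utc)
    start = end - timedelta(days=days)
    return {
        "name": f"projects/{project_id}",
        "filter": METRIC_FILTER,
        "interval.startTime": start.isoformat(),
        "interval.endTime": end.isoformat(),
        # Sum the per-minute DELTA counts into one daily total across all series.
        "aggregation.alignmentPeriod": "86400s",
        "aggregation.perSeriesAligner": "ALIGN_SUM",
        "aggregation.crossSeriesReducer": "REDUCE_SUM",
    }

def count_external_queries(response: dict) -> int:
    """Sum every point of every returned series (int64Value is a string)."""
    return sum(
        int(point["value"]["int64Value"])
        for series in response.get("timeSeries", [])
        for point in series.get("points", [])
    )

def daily_average(response: dict, days: int) -> float:
    """Average internet-bound queries per day over the queried window."""
    return count_external_queries(response) / max(days, 1)

# Constructed sample response: two daily points after cross-series reduction.
SAMPLE_RESPONSE = {
    "timeSeries": [
        {
            "metric": {"type": "dns.googleapis.com/query/response_count"},
            "resource": {"type": "dns_query", "labels": {"target_type": "external"}},
            "points": [
                {"value": {"int64Value": "1250000"}},
                {"value": {"int64Value": "980000"}},
            ],
        }
    ]
}
```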
DNS Armor also impacts your Cloud Logging bill, as threat findings are written to your project's Cloud Logging account. For more information, see Pricing for Google Cloud Observability: Cloud Logging.
For more information about how DNS Armor can impact your billing, see Cloud DNS pricing.
Other security options
In addition to DNS Armor, other available security options include Google Security Operations and Security Command Center. Both services must be manually configured in your project.
Google Security Operations is a service that normalizes, indexes, correlates, and analyzes security and network telemetry data. For more information, see Google SecOps documentation.
Security Command Center provides a centralized vulnerability and threat reporting service. It evaluates your security and data attack surface, identifies vulnerabilities, and helps you mitigate risks. For more information, see Security Command Center documentation.