DNS Armor, powered by Infoblox, is a fully managed service that provides DNS-layer security for your Google Cloud workloads. Its advanced threat detector is designed to catch malicious activity at the earliest point in the attack chain, the DNS query, without adding operational complexity or performance overhead.
When a threat is detected, the finding is written to Cloud Logging, where you can review it and act on it.
How DNS Armor works
When you enable a DNS threat detector for a project, DNS Armor securely sends your internet-bound DNS query logs to the Google Cloud-based analysis engine powered by our partner, Infoblox. This engine uses a combination of threat intelligence feeds and AI-based behavioral analysis to identify threats. Any malicious activity detected generates a DNS Armor threat log, which is then sent back to your project and written to Cloud Logging for you to view and act upon.
With DNS Armor's advanced threat detection, you can detect threats such as the following:
- DNS Tunneling for Data Exfiltration: DNS queries that are structured to secretly carry data out of your network, often bypassing traditional firewalls.
- Malware Command & Control (C2): DNS communication from a compromised workload that is attempting to contact an attacker's server for instructions.
- Domain Generation Algorithms (DGA): DNS queries to random-looking, machine-generated domains that malware creates to find and connect with its command and control servers.
- Fast Flux: DNS queries to domains that rapidly change their associated IP addresses, a technique used to make malicious infrastructure harder to track and block.
- Zero-Day DNS: DNS queries to newly registered domains that attackers use for malicious activities before those domains develop a known bad reputation.
- Malware Distribution: DNS queries to malicious and high-risk domains owned by threat actors that are known to host or distribute malware, or are assessed as likely to do so in the future.
- Lookalike Domains: DNS queries to domains already known to be malicious that are intentionally misspelled or formatted to appear like legitimate, trusted brands.
- Exploit Kits: DNS queries to websites that attempt to automatically exploit vulnerabilities in cloud workloads to install malware.
- Advanced Persistent Threats (APT): DNS queries to domains associated with targeted, long-term attack campaigns, often conducted by sophisticated groups for espionage or data theft.
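The following Python script is an added illustration for this page, not DNS Armor's or Infoblox's detection logic: it applies simplified heuristics for four of the categories above (DNS tunneling, DGA, fast flux and lookalike domains) to a constructed set of DNS query records. The record format, the thresholds, the brand list and every domain name are assumptions made for the example; the production engine described above combines signals like these with threat intelligence feeds and behavioral baselines rather than fixed cut-offs.

```python
"""Simplified DNS-layer threat heuristics over constructed query records.
Added example code for illustration; not DNS Armor's or Infoblox's logic."""
import hashlib
import math
from collections import defaultdict

# Constructed "trusted brand" list for the lookalike check (an assumption).
BRANDS = {"example"}

# Constructed sample query records: (source_vm, query_name, resolved_ips).
# All names under .test are reserved (RFC 2606) and invented for this example.
SAMPLE_QUERIES = [
    ("vm-web-1", "www.example.com", ["93.184.216.34"]),
    ("vm-web-1", "updates.example.com", ["93.184.216.35"]),
    ("vm-web-1", "www.example.com", ["93.184.216.34"]),
    # DGA-style: long, random-looking, vowel-free second-level label.
    ("vm-app-3", "xkq7pz3vmw9rtl2b.test", ["203.0.113.7"]),
    # Lookalike: one character swapped in a trusted brand name.
    ("vm-app-3", "examp1e.test", ["203.0.113.9"]),
    # Fast flux: the same name resolves to a different IP on every lookup.
    *[("vm-app-3", "cdn-login.flux.test", [f"198.51.100.{i}"]) for i in range(1, 7)],
    # Tunneling: many unique, long hex-encoded labels under one zone.
    *[("vm-db-2", hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".exfil.test",
       ["203.0.113.20"]) for i in range(6)],
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; machine-generated labels score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive registrable domain: the last two labels. A real detector would
    consult the Public Suffix List so that names like foo.co.uk split right."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted brand names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_dga(sld: str) -> bool:
    """Long, high-entropy, vowel-poor labels are typical of DGA output.
    Thresholds are illustrative assumptions, not tuned values."""
    vowels = sum(ch in "aeiou" for ch in sld)
    return len(sld) >= 12 and shannon_entropy(sld) >= 3.5 and vowels / len(sld) < 0.25


def looks_lookalike(sld: str) -> bool:
    """Within two edits of a trusted brand, but not the brand itself."""
    return any(sld != brand and levenshtein(sld, brand) <= 2 for brand in BRANDS)


def analyze(queries):
    """Return {category: sorted findings} for a list of query records."""
    findings = defaultdict(set)
    prefixes = defaultdict(set)   # (source, zone) -> distinct subdomain prefixes
    answers = defaultdict(set)    # qname -> distinct resolved IPs
    for source, qname, resolved in queries:
        zone = registered_domain(qname)
        sld = zone.split(".")[0]
        if looks_dga(sld):
            findings["dga"].add(f"{source} -> {qname}")
        if looks_lookalike(sld):
            findings["lookalike"].add(f"{source} -> {qname}")
        prefix = qname.lower().rstrip(".")[:-len(zone)].rstrip(".")
        if prefix:
            prefixes[(source, zone)].add(prefix)
        answers[qname].update(resolved)
    # Tunneling: many distinct, long subdomains under one zone from one host.
    for (source, zone), labels in prefixes.items():
        if len(labels) >= 5 and sum(map(len, labels)) / len(labels) >= 30:
            findings["tunneling"].add(f"{source} -> {zone}")
    # Fast flux: one name, many distinct addresses. Legitimate CDNs also rotate,
    # so real engines add TTL, ASN diversity and reputation before alerting.
    for qname, ips in answers.items():
        if len(ips) >= 5:
            findings["fast_flux"].add(qname)
    return {category: sorted(items) for category, items in findings.items()}


if __name__ == "__main__":
    for category, items in analyze(SAMPLE_QUERIES).items():
        print(category, items)
```

Run as-is, the script reports one finding per malicious pattern and nothing for the vm-web-1 traffic to example.com. The two places a practitioner would tighten first are visible in the code: the registrable-domain split ignores the Public Suffix List, and the fast-flux and tunneling checks count only distinct answers and labels, so a busy CDN hostname or a legitimately long subdomain can trip them without corroborating signals such as TTL, newly registered status or reputation.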
The advanced threat detector is configured globally at the project level but operates independently in each region. You can enable it for all VPC networks in a project and exclude specific networks.
To support data residency requirements, the analysis of your DNS logs for threat detection occurs in the same Google Cloud region from which the query originated.
Performance and scale
DNS Armor processes up to 50,000 query logs per second per customer per Google Cloud region.
Billing impact
For more information about how DNS Armor can impact your billing, see Cloud DNS pricing.
DNS Armor also affects your Cloud Logging bill, because threat findings are written to your project's Cloud Logging logs. For more information, see Pricing for Google Cloud Observability: Cloud Logging.