The Differences Between DNS Security and Protective DNS

When researchers talk about DNS security, they often refer to anything that protects DNS infrastructure. Although protective DNS and DNS security fall under the cybersecurity umbrella, protective DNS takes a different approach to cybersecurity than standard DNS security. Both security strategies are important for the stability of your business, but protective DNS reduces risks from your weakest link–human error. Protective DNS is critical for your endpoint security, and it adds data protection, anti-phishing, and anti-malware protection for users.

Understanding Protective DNS

When users have unfettered access to the internet, you risk them opening malicious sites in their browser or falling victim to phishing attacks. Malicious sites could harvest their business network credentials, probe for browser vulnerabilities allowing for arbitrary code execution, convince users to download malware (also known as drive-by downloads), redirect users to inappropriate sites, or any other numerous web-based threats. The numerous exploits available to attackers targeting your employees threaten your data protection. Antivirus offers some protection from threats, but it can give users a false sense of security. When antivirus is your only form of endpoint protection, it leaves users open to zero-day threats.

Instead of relying solely on antivirus software, protective DNS provides businesses with an added layer of security from web-based threats. As you probably know, every web request from a user browser first performs a lookup of a fully qualified domain name (FQDN) on a nameserver hosting DNS services. When users type a FQDN into their browser, a DNS request begins. DNS links the FQDN with the IP address of the web server. Once the web browser has the IP address of the web server, it can then make a request from the domain’s web server for website content. 

When administrators incorporate protective DNS, they add DNS-based filters that block web requests during the DNS lookup step from a user’s browser. DNS-based filters intercept the request and check with a large database of blacklisted sites obtained from threat intelligence resources. If a match is found, the domain is blocked and users receive an alert. The database needs constant updates, but cloud-based filters receive continual updates without administrator interaction.

Cloud-based DNS filters incorporate continual updates with sites found to host malicious content based on research from threat intelligence. Threat intelligence is a collaborative effort between numerous security researchers and big business contributors. It works with reports from security research findings and detection from artificial intelligence and machine learning applications searching the dark web and other nefarious locations for the latest cyber-attacks. Any new threats are applied to cloud DNS filters so that users cannot access the latest malicious domain creations.

Not only does protective DNS stop web-based attacks, but it helps stop phishing attacks from email messages. You should have email filters set up for your organization, but email security occasionally returns false negatives and allows malicious email messages to pass to an employee’s inbox. Phishing emails often include a link to a malicious website, but integrating DNS filters into your infrastructure stops users from opening the malicious pages. Incorporating email security and web content filters greatly reduces your risks of a data breach from email-based threats that include links for web-based attacks.

Protecting Infrastructure Using DNS Security

DNS security–also called DNSSEC–is a huge umbrella term used to describe methodologies and strategies to protect internet infrastructure. DNS is the backbone of the internet. Without it, we wouldn’t be able to use friendly domain names to browse websites. We’d need to use IP addresses, which are far more difficult to remember than a friendly name. DNS makes the internet more user friendly.

Most internet protocols were developed decades ago without cybersecurity in mind. Because of this, internet protocols often have gaping holes in their security that threaten their stability and often cause data breaches or denial-of-service (DoS) to businesses. DNS is one such protocol with several vulnerabilities and exploits available to threat actors. 

Examples of DNS-based attacks include:

• DNS cache poisoning: Using UDP, the protocol for DNS queries, attackers can impersonate authoritative nameservers and trick forwarding DNS servers to cache the IP of their malicious site for a legitimate site.
• DNS hijacking: Malware with root or admin access to an operating system could redirect DNS requests to their own resolver, or point user requests to an attacker-controlled web server.
• DNS tunneling: Attackers can hide their exfiltration of data and remote access malware in DNS queries. DNS queries freely pass firewalls, and the malware points the queries to an attacker controlled resolver that forwards messages to a command-and-control (C2) server, essentially hiding malicious activity.
• Denial-of-Service (DoS): Just like web servers, DNS servers are vulnerable to a DoS. DNS amplification attacks send repeated malformed requests to a server with a forged sender IP address. A flood of requests with a forged sender IP address can amplify traffic towards a targeted victim causing exhaustion of DNS server resources and victim server resources. Floods of DNS requests can also cause a DoS on the DNS resolver as well.
• Subdomain attack: Similar to the previous example of a DoS on DNS, attackers perform several requests of a subdomain for a specific domain to cause a DoS on the target domain.

DNS security (DNSSEC) is a list of strategies to stop infrastructure attacks. Some DNSSEC is added to your infrastructure, and some security is the responsibility of providers hosting DNS services. Any malware-based DNS threats or local machine poisoning is the responsibility of your business network administrators, but you’ll need different strategies to protect from DNS-based attacks versus filters to stop web-based attacks.

What You Can Do to Protect Business Data

Human error is the biggest threat to every business. Phishing continues to be the primary strategy for cyber-criminals to inject malware into your infrastructure, hijack user devices, remotely access network resources, exfiltrate sensitive data, and trick users into divulging their credentials. Using a DNS filtering solution like DNSFilter, you can stop many of the threats that allow for these vulnerabilities and more. 

Connecting a web content filter like DNSFilter is one of the easiest ways to stop threats. Configuring the service takes a few minutes, and all users–including remote users with their own devices connected to your infrastructure–begin using content filtering services for all their web requests. Not only does this benefit internal administrators, but managed service providers can take advantage of cloud-based DNS filters to stop web-based attacks across all their clients.

To get started with DNSFilter, sign up for a free 14-day trial or book a demo to see what challenges we can solve for your business.