Best DNS Security

Organizations that undervalue the importance of implementing the best DNS security solution are more likely to experience adverse events attributable to phishing and malware.

When the Domain Name System (DNS) was developed in the 1980s, the Internet consisted of interconnected networks (“Internets”) mostly operated by federal agencies and universities. Internet security was not an issue at the time and therefore neither was DNS security. However, as the Internet expanded globally, this weak link in Internet security is being increasingly exploited.

In 2021, IDC conducted a Global DNS Security Survey and reported that 87% of respondents had experienced an adverse event attributable to a DNS attack, 76% of respondents suffered application downtime, and 26% of respondents were victims of data theft. The average number of attacks per respondent was 7.6 per year, yet 42% of respondents were not using a DNS security solution.

Why You Need the Best DNS Security

The results of the IDC survey say more than just that 42% of organizations are leaving themselves open to attack by failing to address DNS security. If 58% of respondents are using a DNS security solution (100% – 42%), but 87% of respondents still experienced an adverse event attributable to a DNS attack, many respondents must be using inadequate security solutions.

So, what makes the best DNS security solutions? Most sources suggest the best DNS security solutions combine DNSSEC, DNS over TLS or DNS over HTTPS, and DNS filtering. However, it is also important to consider ease of use. If a solution is too hard to configure, or too restrictive for end users, it will fail to prevent adverse events due to DNS attacks.

A Quick Lesson in How DNS Works

All computers on the Internet – from your smartphone to the servers that deliver website content – find and communicate with each other using Internet Protocol (IP) addresses. When you open a web browser and key in the address for a website, instead of entering a long IP address you enter the domain name – for example www.mybank.com. Thereafter:

  • The request to visit www.mybank.com is routed to a DNS resolver (sometimes called a recursive server), which is typically managed by your Internet Service Provider (ISP).
  • The DNS resolver forwards the request to a DNS root name server, which directs the request to the appropriate top-level domain server (e.g., .com, .org, .mil, etc.).
  • The top-level domain server for .com domains responds to your request with the name(s) of the authoritative server(s) associated with the www.mybank.com domain.
  • The DNS resolver forwards the request to the authoritative server, which holds the IP address for the web server hosting the www.mybank.com domain.
  • The authoritative server returns the IP address to the DNS resolver, which forwards it to your web browser. The DNS resolver also saves (caches) the IP address for future reference.
  • Now that it has the IP address, your web browser sends a request to visit www.mybank.com to the IP address it got from the DNS resolver. The web server returns the website for www.mybank.com to the web browser and the website is displayed on your screen.

Potential Security Issues with DNS

While DNS is an effective process for quickly connecting you to a website, it has a number of potential security issues. Attackers can intercept requests and spoof or modify IP addresses to trick users into thinking they are connecting to a legitimate domain when they are actually being redirected to a phishing site. Similarly, attackers can trick the DNS resolver into saving “poisoned” cache data, so that the DNS resolver automatically directs users to a phishing site.

A further potential security issue with DNS is DNS tunnelling. DNS tunnelling is a cyberattack method in which attackers encode malware and data exfiltration trojans into DNS packets, so the malware is delivered and deployed when the host web server returns the target IP address to the end user via the DNS resolver. Because DNS packets usually pass through firewall ports that are not inspected, the malware and any data exfiltration trojans attached to it are not identified by anti-virus software.
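The footprint that encoded DNS traffic leaves in a resolver's query log, as an added example that is not part of the original article: it scores each queried name by subdomain length and character entropy over a constructed log sample (the log format, the thresholds and every domain name are assumptions) and reports the zones that receive several such queries.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query-log lines (not real traffic), in an
# assumed format: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.0.5 A www.mybank.com
2024-01-01T09:00:02 10.0.0.5 A cdn.mybank.com
2024-01-01T09:00:03 10.0.0.7 A mail.example.org
2024-01-01T09:00:04 10.0.0.9 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uor4hg.t1.exfil-example.net
2024-01-01T09:00:05 10.0.0.9 TXT nbswy3dpfqqho33snrscaylomfyxg5dtmvqw4.t1.exfil-example.net
2024-01-01T09:00:06 10.0.0.9 TXT onsw4zdfojqwgzlemvzca2lomruxg5dfojsa.t1.exfil-example.net
2024-01-01T09:00:07 10.0.0.7 A www.example.org
"""
# Heuristic thresholds chosen for this example; tune them against your own baseline.
MAX_SUBDOMAIN_LEN = 30   # encoded payloads need long labels to carry data
MAX_ENTROPY_BITS = 3.5   # human-chosen hostnames have much lower character entropy

def shannon_entropy(text: str) -> float:
    """Bits per character over the string's character distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def split_name(qname: str) -> tuple[str, str]:
    """(subdomain, base): treats the last two labels as the registrable domain.
    A real deployment should use the Public Suffix List instead of this shortcut."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def is_suspicious_name(qname: str) -> bool:
    """Flag names whose subdomain part looks like encoded data, not a hostname."""
    sub, _ = split_name(qname)
    return len(sub) > MAX_SUBDOMAIN_LEN or shannon_entropy(sub) > MAX_ENTROPY_BITS

def suspicious_domains(log_text: str, min_flagged: int = 2) -> list[str]:
    """Base domains with at least `min_flagged` distinct suspicious subdomains:
    the footprint a tunnel leaves (many unique, high-entropy names under one zone)."""
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of crashing on them
        qname = fields[3]
        if is_suspicious_name(qname):
            sub, base = split_name(qname)
            flagged[base].add(sub)
    return sorted(base for base, subs in flagged.items() if len(subs) >= min_flagged)
```

Requiring several distinct flagged subdomains per zone, rather than one, keeps a single long but legitimate CDN hostname from triggering an alert.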

Mitigating the Risk of Security Issues

No single solution can eliminate all potential security issues, and security experts recommend a multi-layered strategy for Internet security. Each layer in the strategy should include best-in-class solutions to mitigate risks as much as possible; and, in the context of best DNS security solutions, these should include DNSSEC, DNS over TLS or DNS over HTTPS, and DNS filtering.

The Importance of DNSSEC

Domain Name System Security Extensions (DNSSEC) digitally sign DNS data using public-key cryptography. This validates requests and responses between the DNS resolver and the authoritative server and prevents attackers from spoofing or modifying IP addresses – or poisoning cached data – which mitigates the threats of phishing and of users being redirected to malware-infested websites.

DNS over TLS or DNS over HTTPS

DNS over TLS (DoT) and DNS over HTTPS (DoH) serve a similar function inasmuch as they encrypt plain-text queries (DoT) or carry DNS traffic inside ordinary HTTPS traffic (DoH) to prevent DNS tunnelling. This is a much more effective way to prevent malware deployments and data exfiltration than advanced network threat prevention systems (i.e., prevention is better than cure).

The Advantage of DNS Filtering

DNS filtering is similar to web filtering inasmuch as it enables organizations to block users from visiting malicious websites and websites that are inappropriate for a work environment. However, whereas web filters usually block website access by URL (which can be circumvented by entering the IP address), DNS filters block website access by IP address – which is much harder to get around.

Why You Should Consider Ease of Use

Many DNS filters include DNSSEC and DNS over TLS or DNS over HTTPS capabilities, but some are incredibly complex to configure. This can lead to mistakes that either allow bad actors to spoof IP addresses and encode DNS traffic with malware, or block access to legitimate websites. Some DNS filters also lack SSL inspection, so they cannot review the content of encrypted websites.

The complexity of configuration – or a lack of flexibility – can also make the end user experience too restrictive. If this happens, end users may attempt to circumvent the filter's controls (via a proxy server or VPN), which could open the door for attackers. For this reason, ease of use is an important consideration when evaluating the best DNS security solution for your organization.

Best DNS Security FAQs

How can you tell “this weak link in Internet security is being increasingly exploited”?

By comparing the results of the IDC survey with like-for-like surveys from previous years. For example, the percentage of respondents who had experienced an adverse event attributable to a DNS attack was up 8 percentage points from 2020, while the percentage of respondents who were victims of a data breach due to a DNS attack increased by 10 percentage points from 2020.

How can you stop people using a proxy server or VPN to circumvent a DNS filter?

Once you have identified that someone is using a proxy server or VPN (usually by identifying trends in DNS traffic), you can use the DNS filter to block the proxy server's or VPN's IP address. You may still need to monitor DNS traffic to ensure the user doesn't switch providers, but a more effective solution to proxy servers and VPNs is the application of user-friendly Internet usage policies.

Is there an easy way to monitor DNS traffic to identify proxy servers and VPNs?

Most DNS filters come with customizable reporting capabilities that can be filtered to identify patterns in DNS traffic. Simply filter out the IP addresses of legitimate websites most often visited by your organization (e.g., banking, marketing, etc.) and schedule reports at regular intervals to identify when unusual volumes of traffic flow between your organization's IP address and an unrecognized IP address.

Why might it be necessary to view the content of encrypted websites?

Filters that lack SSL inspection can neither view the content of SSL-encrypted websites to ensure it complies with Internet usage policies nor inspect those websites for malicious downloads. Many malicious websites are now SSL encrypted – especially phishing websites – because the padlock that appears alongside the URL implies the website is genuine.

Can't DNSSEC be repurposed by cybercriminals to amplify DDoS attacks?

Improperly configured DNSSEC can be repurposed, because signed responses are much larger than the queries that trigger them. When evaluating best DNS security solutions, it is important to ensure the DNS provider does not answer “ANY” queries. This is something you may need to discuss with the vendor of the solution being evaluated – and another reason why ease of use is an important consideration.

If I deploy a DNS filter, does this mean I no longer need a network threat prevention system?

Every organization is different and exposed to different threats; and, while a DNS filter is an effective way to prevent network threats, it is not guaranteed to prevent 100% of network threats. Therefore, the decision whether or not a network threat prevention system is still necessary should be determined by a risk assessment once a DNS filter is implemented.

Doesn't it take much longer to block website access by IP address than by domain name?

If you were blocking website access one site at a time, the answer is yes. However, DNS filters enable you to block website access by category (e.g., porn, gambling, dating, chat, etc.) and by IP range. Blocking by IP range makes it quicker to block access to websites such as Facebook that have multiple domains (e.g., fb.com, fbcdn.net, fbsbx.com, etc.), thus reducing the administrative overhead of effective DNS filtering.
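A minimal version of the filtering logic described in this answer and in the DNS filtering section above, as an added example rather than any vendor's code: it checks a query against constructed category lists (including the fb.com / fbcdn.net / fbsbx.com grouping mentioned above), a constructed IP-range block, and an allowlist, and returns the decision together with the rule that fired. The policy contents, the 203.0.113.0/24 range and the function names are assumptions.

```python
import ipaddress

# Constructed policy for this example (not a vendor's configuration).
# Category lists hold registrable domains; any subdomain of a listed name matches.
BLOCKED_CATEGORIES = {
    "social": {"fb.com", "fbcdn.net", "fbsbx.com"},
    "gambling": {"bet-example.com"},
}
# Blocking by IP range catches every hostname that resolves into the range,
# including ones not yet on any domain list. 203.0.113.0/24 is a documentation
# range (RFC 5737), used here as a stand-in for a hoster's address block.
BLOCKED_RANGES = [(ipaddress.ip_network("203.0.113.0/24"), "known-malicious hoster")]
# Allowlisted zones are answered even if a rule above would match them.
ALLOWLIST = {"mybank.com"}


def matches_zone(qname: str, zone: str) -> bool:
    """True if qname equals the zone or is a subdomain of it (label-aware, not substring)."""
    q = qname.rstrip(".").lower()
    return q == zone or q.endswith("." + zone)


def decide(qname: str, resolved_ips: list[str]) -> tuple[str, str]:
    """Filter decision for one query: ("allow", reason) or ("block", reason).
    resolved_ips are the addresses carried by the upstream answer."""
    if any(matches_zone(qname, z) for z in ALLOWLIST):
        return "allow", "allowlisted zone"
    for category, zones in BLOCKED_CATEGORIES.items():
        if any(matches_zone(qname, z) for z in zones):
            return "block", f"category:{category}"
    for ip_text in resolved_ips:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            return "block", f"malformed answer:{ip_text}"  # fail closed on garbage
        for net, label in BLOCKED_RANGES:
            if ip in net:
                return "block", f"ip-range:{net} ({label})"
    return "allow", "no rule matched"
```

The label-aware zone match matters: a plain substring or `endswith("fb.com")` test would also block an unrelated name such as notfb.com.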