What Is Protective DNS?

Protective DNS (PDNS) is a security service that analyzes DNS queries to identify and mitigate threats within DNS traffic. Recommended by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), protective DNS services make networks more secure by blocking malware, ransomware, viruses, phishing campaigns, and other cyberattacks, and by preventing users and traffic from accessing malicious sites.

The Domain Name System (DNS) is GPS for the internet, providing information about the computer addresses for website domain names. DNS translates human-readable web domains like “website.com” into IP addresses — strings of numbers and letters that can be read by machines. When a user types a domain name into a browser or a device seeks to access another device, a DNS request or DNS query is sent to a recursive DNS server. This DNS server or “resolver” may produce the answer from data stored in its cache memory, forward the request to other recursive servers that can resolve the request, or contact the authoritative DNS server that keeps the official record for the selected domain or device.

Many different DNS resolutions are potentially required to complete one request, making the speed and security of DNS resolution even more important. Yet historically, DNS traffic has often been able to pass through security systems without inspection. Additionally, DNS was not designed with security in mind — its primary purpose is to quickly and accurately resolve DNS requests without questioning the intention of requests or the legitimacy of IP addresses.

For these reasons, DNS is highly attractive to threat actors. There are multiple cyberthreats that target DNS as malicious actors seek to gain access to IT systems or disrupt operations. Attackers may use DNS traffic to exfiltrate data or to communicate with malware-infected devices within an IT environment. Some attacks like flood attacks or DDoS attacks threaten the availability of DNS servers, preventing users and applications from accessing the resources they need. Other attacks compromise the legitimacy of DNS servers by replacing legitimate DNS information with fake records that redirect users to alternate, malicious websites. Attackers may also leverage DNS services to increase the impact of other types of attacks.

By comparing every DNS request with threat intelligence, protective DNS services can mitigate many of these DNS threats.

Protective DNS (PDNS) uses a policy-based DNS resolver with policy data functionality to return DNS responses based on policy criteria.

PDNS uses a policy-based DNS resolver with data functionality to return DNS responses based on specific criteria.

To provide DNS protection, a protective DNS resolver checks the domain name and returned IP addresses against a list of sites with known malicious content and prevents connections to suspicious or malicious sites.

When a protective DNS service identifies a query that may be malicious or suspicious, it has the option to:

• Block the request by returning an NXDOMAIN response, which means no valid IP address was found
• Redirect the request to an alternate default page that notifies users that the original domain query was blocked
• Sinkhole the domain, delaying the execution of potential cyberthreats and allowing cybersecurity teams to investigate the active threat

PDNS services can:

• Block new domains in real time from the moment they are registered or created
• Delay the resolution of domains with certain characteristics
• Limit the number of potential domains that can attack the organization
• Harden outbound DNS resolution during ransomware or malware incidents
• Deliver visibility into real-time and historical outbound DNS traffic to assist with analysis and incident response

Protective DNS services categorize domain names based on threat intelligence regarding known malicious domains or new malicious domains based on pattern recognition. A PDNS system can:

• Block access to phishing sites. Phishing attacks often use domains that are close lookalikes of common domains to dupe users into revealing credentials, account information, and other sensitive data. PDNS can prevent users from unwittingly connecting to these sites or clicking on malicious links.
• Prevent malware distribution. Protective DNS can block and alert malicious connection attempts to sites that are known to serve malware content or that are used by hackers for command and control malware.
• Stop domain generation algorithms. Threat actors use domain generation algorithms (DGAs) to programmatically generate domain names in efforts to circumvent DNS security designed to block static IP addresses and domain names. PDNS protects against this type of malware by analyzing and tagging textual attributes, such as high query name entropy, that are known to be associated with DGAs.
• Filter content. Organizations may also use PDNS content filtering capabilities to block users from accessing sites that violate acceptable use policies, such as websites used for gambling or adult content.

Protective Domain Name System capabilities can be deployed within minutes by a PDNS service provider. Superior solutions should offer PDNS as a high-availability service that can be deployed across hybrid architectures. The ability to customize by device, group, and network is essential. Services that provide AI-powered analysis and detection will help to block not only known threats but emerging threats as well.