What Is Protective DNS?

Protective DNS (PDNS) is a security service that analyzes DNS queries to identify and mitigate threats within DNS traffic. Recommended by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), protective DNS services make networks more secure by blocking malware, ransomware, viruses, phishing campaigns, and other cyberattacks, and by preventing users and traffic from accessing malicious sites.

What is DNS?

The Domain Name System (DNS) is GPS for the internet, providing information about the computer addresses for website domain names. DNS translates human-readable web domains like “website.com” into IP addresses — strings of numbers and letters that can be read by machines. When a user types a domain name into a browser or a device seeks to access another device, a DNS request or DNS query is sent to a recursive DNS server. This DNS server or “resolver” may produce the answer from data stored in its cache memory, forward the request to other recursive servers that can resolve the request, or contact the authoritative DNS server that keeps the official record for the selected domain or device.

Why is protective DNS necessary?

Many different DNS resolutions are potentially required to complete one request, making the speed and security of DNS resolution even more important. Yet historically, DNS traffic has often been able to pass through security systems without inspection. Additionally, DNS was not designed with security in mind — its primary purpose is to quickly and accurately resolve DNS requests without questioning the intention of requests or the legitimacy of IP addresses.

For these reasons, DNS is highly attractive to threat actors. There are multiple cyberthreats that target DNS as malicious actors seek to gain access to IT systems or disrupt operations. Attackers may use DNS traffic to exfiltrate data or to communicate with malware-infected devices within an IT environment. Some attacks like flood attacks or DDoS attacks threaten the availability of DNS servers, preventing users and applications from accessing the resources they need. Other attacks compromise the legitimacy of DNS servers by replacing legitimate DNS information with fake records that redirect users to alternate, malicious websites. Attackers may also leverage DNS services to increase the impact of other types of attacks.

By comparing every DNS request with threat intelligence, protective DNS services can mitigate many of these DNS threats.

How does PDNS work?

Protective DNS (PDNS) uses a policy-based DNS resolver with policy data functionality to return DNS responses based on policy criteria.

To provide DNS protection, a protective DNS resolver checks the domain name and returned IP addresses against a list of sites with known malicious content and prevents connections to suspicious or malicious sites.

When a protective DNS service identifies a query that may be malicious or suspicious, it has the option to:

  • Block the request by returning an NXDOMAIN response, which means no valid IP address was found
  • Redirect the request to an alternate default page that notifies users that the original domain query was blocked
  • Sinkhole the domain, delaying the execution of potential cyberthreats and allowing cybersecurity teams to investigate the active threat
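The three response options above, as an added example of a policy-based resolver decision (this is illustrative code, not Akamai's PDNS implementation): the blocklists, sinkhole list, block-page and sinkhole addresses, and the query names are constructed placeholders.

```python
"""Policy decision for a Protective DNS resolver (added example, not Akamai's code).

After upstream resolution, the resolver compares the query name and the returned
IPs against policy data and picks one of: allow, NXDOMAIN, redirect to a block
page, or sinkhole. All list contents and addresses below are constructed.
"""
from dataclasses import dataclass

# Constructed policy data (placeholders; RFC 5737 documentation addresses).
BLOCKED_DOMAINS = {"phish-login.example", "malware-drop.example"}
BLOCKED_IPS = {"203.0.113.10"}
SINKHOLE_DOMAINS = {"c2-beacon.example"}
BLOCK_PAGE_IP = "192.0.2.1"   # notification page telling the user the domain was blocked
SINKHOLE_IP = "192.0.2.2"     # sinkhole listener operated by the security team


@dataclass
class Response:
    rcode: str           # "NOERROR" or "NXDOMAIN"
    answers: list[str]   # A records returned to the client
    action: str          # "allow", "nxdomain", "redirect" or "sinkhole"


def _matches(qname: str, domains: set[str]) -> bool:
    """True if qname equals, or is a subdomain of, any domain in the set."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def decide(qname: str, upstream_answers: list[str], mode: str = "nxdomain") -> Response:
    """Apply policy to one query and its upstream answers.

    mode selects how confirmed-bad names are handled: "nxdomain" or "redirect".
    Sinkholed domains always get the sinkhole address so the beacon can be observed.
    """
    if _matches(qname, SINKHOLE_DOMAINS):
        return Response("NOERROR", [SINKHOLE_IP], "sinkhole")
    bad_name = _matches(qname, BLOCKED_DOMAINS)
    bad_ip = any(ip in BLOCKED_IPS for ip in upstream_answers)
    if bad_name or bad_ip:
        if mode == "redirect":
            return Response("NOERROR", [BLOCK_PAGE_IP], "redirect")
        return Response("NXDOMAIN", [], "nxdomain")
    return Response("NOERROR", list(upstream_answers), "allow")


if __name__ == "__main__":
    for name, ips in [("www.example.com", ["198.51.100.5"]),
                      ("login.phish-login.example", ["198.51.100.7"]),
                      ("cdn.example.net", ["203.0.113.10"]),
                      ("c2-beacon.example", ["198.51.100.9"])]:
        print(name, decide(name, ips))
```

Note that the IP check catches a fresh, not-yet-listed domain that resolves to an already-known bad address, which is why the resolver compares both the name and the returned answers.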

What are the capabilities of protective DNS?

PDNS services can:

  • Block new domains in real time from the moment they are registered or created
  • Delay the resolution of domains with certain characteristics
  • Limit the number of potential domains that can attack the organization
  • Harden outbound DNS resolution during ransomware or malware incidents
  • Deliver visibility into real-time and historical outbound DNS traffic to assist with analysis and incident response

What are the benefits of PDNS?

Protective DNS services categorize domain names based on threat intelligence regarding known malicious domains or new malicious domains based on pattern recognition. A PDNS system can:

  • Block access to phishing sites. Phishing attacks often use domains that are close lookalikes of common domains to dupe users into revealing credentials, account information, and other sensitive data. PDNS can prevent users from unwittingly connecting to these sites or clicking on malicious links.
  • Prevent malware distribution. Protective DNS can block, and alert on, connection attempts to sites that are known to serve malware or that are used by attackers for malware command and control.
  • Stop domain generation algorithms. Threat actors use domain generation algorithms (DGAs) to programmatically generate large numbers of domain names in an effort to circumvent DNS security controls that rely on static lists of blocked IP addresses and domain names. PDNS protects against this type of malware by analyzing and tagging textual attributes of query names, such as high entropy, that are known to be associated with DGAs.
  • Filter content. Organizations may also use PDNS content filtering capabilities to block users from accessing sites that violate acceptable use policies, such as websites used for gambling or adult content.
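The query-name entropy attribute from the DGA bullet above, applied to outbound DNS query logs, as an added example (not Akamai's detection logic): the log format, the sample lines, the label-length floor and the entropy threshold are all assumptions made for the illustration.

```python
"""Tag DGA-like query names by Shannon entropy (added example, not Akamai's code).

Runs over constructed query log lines of the assumed form
"<timestamp> <client-ip> <qname> <qtype>" and flags names whose registrable
label is both long and high-entropy. The threshold values are assumptions.
"""
import math
from collections import Counter

# Constructed sample log: two ordinary names, two random-looking ones, one deep subdomain.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 www.example.com A
2024-01-01T10:00:01Z 10.0.0.5 mail.example.org A
2024-01-01T10:00:02Z 10.0.0.8 xkq7pz2m9vb4n1wt.com A
2024-01-01T10:00:03Z 10.0.0.8 qzj4wfp8lcx3gvdy.net A
2024-01-01T10:00:04Z 10.0.0.9 cdn.static.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Second-level label, e.g. 'example' for www.example.com (assumes a one-label TLD)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_dga_like(qname: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Flag names whose registrable label is long AND high-entropy.

    Both conditions matter: a short word can score high entropy per character
    simply because every letter is different, so length guards against that.
    """
    label = registrable_label(qname)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def tag_log(log: str) -> list[tuple[str, str, bool]]:
    """Return (client_ip, qname, dga_like) for every line of the log."""
    tagged = []
    for line in log.splitlines():
        _ts, client, qname, _qtype = line.split()
        tagged.append((client, qname, is_dga_like(qname)))
    return tagged
```

A single flagged name is weak evidence on its own; the client 10.0.0.8 above is worth a look because it issues several such names in a row, which is the per-client pattern a PDNS service correlates against its historical traffic.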

How is protective DNS deployed?

Protective Domain Name System capabilities can be deployed within minutes by a PDNS service provider. Superior solutions should offer PDNS as a high-availability service that can be deployed across hybrid architectures. The ability to customize by device, group, and network is essential. Services that provide AI-powered analysis and detection will help to block not only known threats but emerging threats as well.

Frequently Asked Questions (FAQ)

What are the benefits of protective DNS?

Protective DNS offers a range of benefits, including protection from malware and phishing attacks, increased network performance, and peace of mind knowing that your online activities are secure.

Is protective DNS the same as standard DNS?

No, protective DNS adds an extra layer of security. While standard DNS helps translate website names into IP addresses, protective DNS actively scans for malicious websites and blocks access to them.

Who should use protective DNS?

Protective DNS is beneficial for both personal and business use. It safeguards your online activities, ensuring that you remain protected from a variety of cyberthreats.

Can I get protective DNS from my current DNS provider?

Yes, many DNS providers offer protective DNS services. You can choose to enable this feature with your current provider or switch to a provider that includes protective DNS.

Does protective DNS slow down my internet connection?

No, protective DNS is designed to be efficient and should not noticeably slow down your internet speed. In fact, it may enhance your internet experience by blocking access to malicious sites that could compromise your network.

How do I set up protective DNS?

Setting up protective DNS is relatively simple, and the process varies depending on your DNS provider. It usually involves accessing your DNS settings and enabling the protective DNS feature in your account.

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.