This guidance targets private sector organizations that do not qualify to utilize the NCSC’s Protective DNS (PDNS).
If your organization does qualify for the NCSC’s PDNS, note that a commercially procured protective DNS service is not a suitable alternative.
Reasons to Implement Protective DNS
Protective DNS (PDNS) services block attempts by devices on your network to reach malicious domains. To understand how, it helps to first look at what DNS does.
The Domain Name System (DNS) acts as the internet’s address book. DNS resolvers convert human-readable names such as ‘www.ncsc.gov.uk’ into Internet Protocol addresses, such as 198.51.100.63. These numerical addresses are what the requesting browser or web service actually connects to; the human-readable name alone is not enough to reach the destination.
PDNS functions by routing your network’s queries through a designated DNS resolver or set of resolvers managed by the PDNS provider. These providers dictate their response policies, determining which queries will be blocked.
Generally, the requested domain name and the returned IP address from a query will be cross-referenced against a deny list, and access is blocked if a match is found. Additionally, some PDNS providers work to prevent access to websites with automatically generated domain names, commonly used by malware to bypass deny lists.
Types of Domains Blocked by PDNS
PDNS restricts access to various malicious websites, including:
- domains distributing malware
- command and control (C2) domains for malware management
- domains used in phishing attacks, including those used for fraud
By blocking access to these domains, your organization can shield itself from malicious threats, making it more challenging for attackers to infiltrate your networks and exploit vulnerabilities.
An additional advantage of PDNS is the capability to analyze and receive alerts regarding DNS requests directed at blocked domains. This feature should be integrated into a Security Information and Event Management (SIEM) system to facilitate effective incident investigations.
For optimum monitoring, organizations should implement DNS logging. To assist small to medium enterprises, the NCSC has established Logging Made Easy, an open-source initiative aimed at helping organizations set up essential security logging.
Choosing a Reliable PDNS Provider
Services should be obtained from reputable providers with demonstrated expertise and experience in cybersecurity and DNS.
Providers ought to showcase their understanding of threats that PDNS can neutralize and should continually update their knowledge and capabilities.
They must ensure that their deny lists and policies are continually refreshed with data from threat intelligence sources. The technologies and competencies behind these threat intelligence feeds should undergo regular assessment to confirm their effectiveness.
CISA and the NSA in the US have issued guidelines for selecting a PDNS service, which provide a comparative overview of differing provider capabilities.
Administration of PDNS
Interfaces and Analysis
An effective PDNS system offers valuable insights into your network operations by evaluating the security of DNS traffic. PDNS providers typically offer a web interface for managing PDNS, presenting an overview of traffic analysis.
From summarized graphs to actionable insights, these additional perspectives can often highlight errors, misconfigurations, vulnerabilities, and potential compromises in your network that may not be evident through other data views.
These summary visuals, along with the corresponding API data, are uniquely valuable as additional layers in a comprehensive security framework.
The specifics of these interfaces may differ by provider, just as your requirements may vary depending on your organization’s size and security team needs.
Data Logging and Export Options
PDNS services generally grant access to logs of blocked DNS queries originating from your network via both web interfaces and APIs.
These logs, coupled with your own DNS logs and other SIEM details, facilitate the investigation of incidents, identification of compromised devices, and prioritization of critical events.
Consider how seamlessly your organization can integrate these logs with existing security systems.
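As an added illustration of the log integration described in this section and in the earlier point about alerting on requests for blocked domains (this is example code, not NCSC’s or any provider’s software), the script below parses a constructed JSON-lines export of PDNS block events, ranks internal hosts by the worst category they were blocked on, flags hosts that keep querying the same command and control domain, and normalises the records for SIEM ingestion. The log format, field names, severity weights and sample addresses are all assumptions.

```python
"""Triage of PDNS block logs for SIEM use: parse the provider's export,
rank internal hosts by how serious their blocked queries are, and flag
hosts repeatedly querying the same C2 domain. Added illustration; the
log format, field names and severity weights are assumptions."""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample export (JSON lines). One line is deliberately malformed.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:01Z","client_ip":"10.0.5.23","qname":"c2.bad.example","category":"c2","action":"nxdomain"}
{"ts":"2024-05-01T08:05:02Z","client_ip":"10.0.5.23","qname":"c2.bad.example","category":"c2","action":"nxdomain"}
{"ts":"2024-05-01T08:10:03Z","client_ip":"10.0.5.23","qname":"c2.bad.example","category":"c2","action":"nxdomain"}
{"ts":"2024-05-01T08:11:40Z","client_ip":"10.0.7.8","qname":"login-verify.example","category":"phishing","action":"nxdomain"}
{"ts":"2024-05-01T09:12:12Z","client_ip":"10.0.9.4","qname":"update.malware-drop.example","category":"malware","action":"sinkhole"}
{"ts":"2024-05-01T09:13:00Z","client_ip":"10.0.9.4","qname":"c2.bad.example","category":"c2","action":"nxdomain"}
this line is not JSON and must not abort the run
"""

# Assumed weights: a host talking to C2 outranks one that clicked a phishing link.
SEVERITY = {"c2": 3, "malware": 2, "phishing": 1}
REQUIRED = ("ts", "client_ip", "qname", "category", "action")


def parse_block_log(text: str) -> List[dict]:
    """Parse JSON lines; skip blank, malformed or incomplete records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if all(k in rec for k in REQUIRED):
            records.append(rec)
    return records


def summarise_hosts(records: List[dict]) -> Dict[str, dict]:
    """Per client IP: total blocks, per-category counts, worst severity, domains seen."""
    hosts: Dict[str, dict] = {}
    for r in records:
        h = hosts.setdefault(r["client_ip"], {"total": 0, "by_category": defaultdict(int),
                                               "max_severity": 0, "domains": set(),
                                               "first_seen": r["ts"], "last_seen": r["ts"]})
        h["total"] += 1
        h["by_category"][r["category"]] += 1
        h["max_severity"] = max(h["max_severity"], SEVERITY.get(r["category"], 0))
        h["domains"].add(r["qname"])
        h["first_seen"] = min(h["first_seen"], r["ts"])   # ISO timestamps sort as strings
        h["last_seen"] = max(h["last_seen"], r["ts"])
    return hosts


def prioritise(hosts: Dict[str, dict]) -> List[str]:
    """Hosts to investigate first: worst severity, then volume of blocks."""
    return sorted(hosts, key=lambda ip: (hosts[ip]["max_severity"], hosts[ip]["total"]),
                  reverse=True)


def repeated_c2_queries(records: List[dict], min_hits: int = 3) -> List[Tuple[str, str, int]]:
    """(client, domain, hits) for hosts that keep asking for the same C2 domain;
    repeated blocked lookups are a stronger sign of an implant than a single hit."""
    hits: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in records:
        if r["category"] == "c2":
            hits[(r["client_ip"], r["qname"])] += 1
    return [(c, d, n) for (c, d), n in sorted(hits.items()) if n >= min_hits]


def to_siem_events(records: List[dict]) -> List[dict]:
    """Normalised events for SIEM ingestion, with a numeric severity attached."""
    return [{"event_type": "pdns_block", "severity": SEVERITY.get(r["category"], 0), **r}
            for r in records]


if __name__ == "__main__":
    recs = parse_block_log(SAMPLE_LOG)
    hosts = summarise_hosts(recs)
    for ip in prioritise(hosts):
        print(ip, hosts[ip]["total"], dict(hosts[ip]["by_category"]))
    print("repeated C2 lookups:", repeated_c2_queries(recs))
```

Correlating the ranked hosts with your own DNS and endpoint logs in the SIEM is what turns a block event into an investigation: the PDNS log tells you which device asked, your internal logs tell you which process or user did.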
PDNS Capabilities
Allow and Deny Lists
The main function of PDNS is to prevent access to malicious domains. This primarily relies on the use of deny lists.
Deny lists are compiled from various threat intelligence sources, including free, commercial, and governmental databases. A quality PDNS service will categorize and define the threats in these lists.
Alongside deny lists, your organization should have the capacity to create allow lists, which are domain lists that users are permitted to access, even if they appear on the deny list. This ensures that essential services and infrastructure remain accessible.
Administrators within your organization should be able to manage the allow list through a user-friendly interface.
Blocking Mechanisms
When a device attempts to access a denied domain, the domain’s real IP address is not returned. Several alternative responses are possible.
One approach is to return the address of a ‘blocking page’ that tells the user the protective DNS service blocked the request and why. This can occasionally lead the browser to present a certificate error, since the page is served by a host other than the one the browser asked for. Alternatively, traffic can be directed to a sinkhole, a designated server that receives the redirected traffic and supplies a custom response.
Another PDNS response is an NXDOMAIN reply, signifying that the domain does not exist. Most browsers then show a generic error page, leaving users unaware that the domain was blocked by PDNS.
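The resolver-side decision described in the Reasons to Implement Protective DNS section (cross-referencing the queried name and the returned address against deny lists, plus detection of automatically generated names) and in the Allow and Deny Lists and Blocking Mechanisms sections above, written out as an added example. This is a toy policy engine, not NCSC’s or any provider’s code: the deny and allow lists, the sinkhole address, the generated-domain thresholds and the sample queries are all constructed, and the upstream answer is passed in rather than actually resolved.

```python
"""Toy protective-DNS response policy: allow list, deny lists, a crude
generated-domain check, and the two block responses (NXDOMAIN or sinkhole).
Added illustration; the lists, addresses and thresholds are constructed."""
import math
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed threat-intelligence data (a real provider feeds these from
# free, commercial and governmental sources and refreshes them continually).
DENY_DOMAINS = {            # domain (and all its subdomains) -> threat category
    "malware-drop.example": "malware",
    "bad.example": "c2",
    "login-verify.example": "phishing",
}
DENY_NETWORKS = {ip_network("203.0.113.0/24"): "c2"}   # answers in these ranges are blocked
ALLOW_DOMAINS = {"cdn.bad.example"}   # organisation's allow list; wins over the deny lists
SINKHOLE_IP = "192.0.2.1"             # constructed sinkhole / blocking-page address


@dataclass
class Verdict:
    action: str            # "resolve", "nxdomain" or "sinkhole"
    reason: str
    answer: Optional[str]  # IP handed back to the client, or None for NXDOMAIN


def suffixes(name: str):
    """Yield 'a.b.c', 'b.c', 'c' so that list entries cover whole subtrees."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_generated(name: str) -> bool:
    """Crude stand-in for the generated-domain detection some providers offer:
    a long, high-entropy, vowel-poor leftmost label. Thresholds are assumptions."""
    label = name.lower().rstrip(".").split(".")[0]
    if len(label) < 12:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.5 and vowel_ratio < 0.2


def apply_policy(qname: str, upstream_answer: str, mode: str = "nxdomain") -> Verdict:
    """Decide what the PDNS resolver returns for qname, given the IP the
    upstream resolution produced. mode selects the block response."""
    def block(reason: str) -> Verdict:
        if mode == "sinkhole":
            return Verdict("sinkhole", reason, SINKHOLE_IP)
        return Verdict("nxdomain", reason, None)

    for s in suffixes(qname):            # allow list is checked first and wins
        if s in ALLOW_DOMAINS:
            return Verdict("resolve", f"allow list ({s})", upstream_answer)
    for s in suffixes(qname):            # name deny list covers subdomains too
        if s in DENY_DOMAINS:
            return block(f"deny list: {DENY_DOMAINS[s]} ({s})")
    ip = ip_address(upstream_answer)     # then the address the upstream answer points at
    for net, category in DENY_NETWORKS.items():
        if ip in net:
            return block(f"ip deny list: {category} ({net})")
    if looks_generated(qname):
        return block("suspected generated domain")
    return Verdict("resolve", "no match", upstream_answer)


if __name__ == "__main__":
    for q, ip in [("www.ncsc.gov.uk", "198.51.100.63"),
                  ("update.malware-drop.example", "198.51.100.9"),
                  ("cdn.bad.example", "198.51.100.10"),
                  ("c2.bad.example", "203.0.113.77"),
                  ("xk3j9qpz7vbw2n.example", "198.51.100.20")]:
        print(q, apply_policy(q, ip, mode="sinkhole"))
```

Two design points worth noticing: the allow list is consulted before anything else, so an administrator can keep a needed service reachable even when its parent domain is on a deny list, and the same block decision can be rendered either as NXDOMAIN (silent) or as a sinkhole answer (visible to the user), which is the choice the Blocking Mechanisms section describes.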
Support for Protocol Extensions
Your network may rely on various DNS protocol extensions. Ensure that your provider supports any you require, including Domain Name System Security Extensions (DNSSEC) and any DNS encryption protocols in use.
Deployment Strategies
For a straightforward network, setting up PDNS should be uncomplicated. It involves switching the DNS resolvers used by your networks to those offered by the service provider. This transition delivers immediate security benefits with minimal setup costs.
Complex Network Configurations
Solutions should be adaptable to accommodate various network architectures, including hybrid systems and any legacy or future setups you aim to implement, such as enterprise cloud-based systems or zero-trust architectures. Compatibility with existing security tools and network policies is also essential.
More complex networks may require separate configuration for different networks and user groups within the organization. This can lead to varying blocking policies for different networks, along with different responses for blocked domains, such as silent blocking using an NXDOMAIN reply or redirecting to a sinkhole.
Supporting Remote and Home Users
To cater to remote and home networks, PDNS services may provide a lightweight DNS client for installation on end-user devices. This ensures that these devices consistently resolve DNS queries through the PDNS resolvers.
Preventing Bypass of PDNS Resolvers
It is crucial to implement strategies that prevent end-users and client applications from employing different DNS resolvers.
This should involve configuring firewalls to block outbound DNS queries on port 53 (plain DNS) or 853 (DNS over TLS) that are not destined for the designated DNS resolver. Ensure DNS over HTTPS (DoH) is disabled or configured to route traffic through the PDNS resolver so that queries are still logged.
Such considerations should form part of the broader management of end-user and remote devices, which may include implementing Group Policy Objects (GPOs) for Microsoft systems, and planning mobile device management (MDM) strategies.
Consult with your provider to guarantee a suitable solution that aligns with existing policies and procedures while delivering PDNS security.
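An added example for the bypass-prevention steps in this section (not NCSC’s code or any product’s): it classifies outbound flows from a constructed firewall or flow log as compliant, plain-DNS bypass, DNS-over-TLS bypass or DoH to a known endpoint, reports the hosts involved, and renders the same policy as nftables forward-chain rules. The resolver addresses, the internal forwarder, the DoH endpoint list and the sample flows are assumptions; the rule text uses standard nftables syntax but is emitted as a string rather than loaded into a kernel here.

```python
"""Check for DNS that bypasses the PDNS resolvers, from firewall or flow
logs, and emit the matching egress rules. Added illustration; resolver
addresses, DoH endpoint list and log records are constructed."""
from typing import Dict, List, NamedTuple, Tuple

# Constructed topology: clients use the internal forwarder, which sends
# queries on to the provider's PDNS resolvers.
PDNS_RESOLVERS = {"198.51.100.53", "198.51.100.54"}
INTERNAL_FORWARDER = "10.0.0.2"
PERMITTED_DNS_DESTINATIONS = PDNS_RESOLVERS | {INTERNAL_FORWARDER}
# DoH shares port 443 with ordinary web traffic, so by port alone it is
# invisible; it can only be spotted by destination. Constructed list.
KNOWN_DOH_ENDPOINTS = {"203.0.113.10"}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


# Constructed sample of outbound flows seen at the perimeter.
SAMPLE_FLOWS = [
    Flow("10.0.5.23", "198.51.100.53", "udp", 53),   # straight to PDNS: fine
    Flow("10.0.5.23", "198.51.100.1", "udp", 53),    # plain DNS to another resolver
    Flow("10.0.7.8", "192.0.2.200", "tcp", 853),     # DNS over TLS to a third party
    Flow("10.0.9.4", "203.0.113.10", "tcp", 443),    # HTTPS to a known DoH endpoint
    Flow("10.0.9.4", "203.0.113.80", "tcp", 443),    # ordinary web traffic
    Flow("10.0.3.3", "10.0.0.2", "udp", 53),         # via the internal forwarder: fine
]


def classify(flow: Flow) -> str:
    """Label one flow by whether its DNS went through the PDNS path."""
    if flow.dport in (53, 853) and flow.proto in ("udp", "tcp"):
        if flow.dst in PERMITTED_DNS_DESTINATIONS:
            return "compliant"
        return "bypass:dns-over-tls" if flow.dport == 853 else "bypass:plain-dns"
    if flow.dport == 443 and flow.proto == "tcp" and flow.dst in KNOWN_DOH_ENDPOINTS:
        return "bypass:doh"
    return "not-dns"


def bypass_report(flows: List[Flow]) -> Dict[str, List[Tuple[str, str]]]:
    """Hosts whose DNS did not go through the PDNS path, with what they did."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for f in flows:
        kind = classify(f)
        if kind.startswith("bypass:"):
            report.setdefault(f.src, []).append((kind, f.dst))
    return report


def nft_ruleset(permitted=PDNS_RESOLVERS, doh_endpoints=KNOWN_DOH_ENDPOINTS) -> str:
    """nftables forward-chain rules enforcing the same policy at the perimeter:
    DNS (53/853) only to the PDNS resolvers, known DoH endpoints dropped.
    Only the forwarder should cross the perimeter on 53/853, so the internal
    forwarder itself does not need to appear in the rules."""
    allowed = ", ".join(sorted(permitted))
    doh = ", ".join(sorted(doh_endpoints))
    return "\n".join([
        "table inet egress_dns {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip daddr {{ {allowed} }} udp dport 53 accept",
        f"    ip daddr {{ {allowed} }} tcp dport {{ 53, 853 }} accept",
        "    udp dport 53 counter drop",
        "    tcp dport { 53, 853 } counter drop",
        f"    ip daddr {{ {doh} }} tcp dport 443 counter drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for host, findings in bypass_report(SAMPLE_FLOWS).items():
        print(host, findings)
    print(nft_ruleset())
```

The DoH check is deliberately the weakest part: a destination list only catches resolvers you already know about, which is why the section above puts the real control in device management (disabling or centrally configuring DoH through GPOs or MDM) rather than in the firewall. The `counter` on the drop rules is there so that hosts still attempting bypass show up in the firewall counters and logs and can be remediated.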
Provider Assurances
Security and Privacy Considerations
PDNS services have visibility over all DNS queries made within a network. It is vital to account for the privacy and security implications this poses for both the network and its users. Consider partnering with service providers that guarantee how they treat and protect your data, as this may not be achievable with free services.
DNS resolvers are prime targets for attacks that aim to redirect traffic to the wrong destination. The widespread adoption of public key certificates by websites mitigates this risk, but due diligence is still necessary to ensure the provider has robust measures against DNS spoofing and hijacking, such as support for DNSSEC.
Service Level Agreements
Given that DNS is foundational for Internet usage, it is crucial that any PDNS provider delivers a resilient service with high availability.
Ensure your organization has a service level agreement (SLA) in place with the provider to maintain this reliability, along with confirming that the provider has appropriate failover mechanisms established.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/protective-dns-for-private-sector