What is the Domain Name System (DNS)?
The Domain Name System (DNS) is like a phonebook for the Internet. It maps human-readable domain names to IP addresses, the numeric identifiers that the servers hosting a website actually answer on. IP addresses are not practical for users to enter every time they want to reach a page: they are long, hard to remember, and can change without notice. Although it is possible to visit some websites by entering their IP address directly, it is a lot easier to enter a domain name such as venafi.com (the host part of a URL).
When a user types a domain name, the browser still has to open a connection to an IP address. DNS translates the domain name into the matching IP address so the browser can load the resource: people work with names, and the network works with numbers.
DNS is an essential part of accessing web content: almost every connection starts with a DNS lookup, and no content can load until that lookup has returned an address. This makes DNS filtering, also called DNS traffic blocking, an effective point at which to control what content users can reach.
How does DNS traffic blocking work?
Some security measures can be implemented at the DNS level. For example, you can use DNS traffic blocking to protect a user in your organization who clicks a link in a phishing email from ever reaching the malicious website behind it. Before the computer loads the site, it sends a query for the site's domain name to your organization's DNS resolver, which applies DNS filtering. If the domain is on the resolver's blocklist, the resolver refuses to return the real address and the malicious website never loads.
In phonebook terms, a DNS traffic block removes a domain's entry from the directory your resolver hands out. Instead of the site's real IP address, the resolver answers with "no such domain" (NXDOMAIN) or with the address of an internal block page, so the user's device never learns where the site lives. To block whole categories of sites, such as piracy sites, DNS blocking services apply the same treatment to large lists of domains that meet certain criteria. Because the client never obtains the address it needs to open a connection, DNS traffic blocking prevents access to malicious or unwanted pages with negligible overhead and no additional hardware. The caveat is that it only governs clients that actually use the filtering resolver: a device configured to use a third-party or encrypted (DNS over HTTPS) resolver, or a user who types the IP address directly, bypasses the block, so the filtering resolver should be backed by firewall rules that stop other outbound DNS traffic.
Block malware and phishing attacks
Most DNS traffic blockers (or filters) simplify the process by categorizing domains into groups. Certain groups are blocked by default if the sites are known to distribute malware, have been identified as phishing sites, or are likely to be unsafe because they are known to be vulnerable to compromise.
If your users visit a website that hosts malware, that site will try to trick them into downloading a malicious program, or perform a drive-by download, in which malicious software is fetched automatically when the page loads, typically through a browser or plug-in exploit. DNS traffic blocking prevents these attacks by stopping the malicious page from loading at all.
Blocking phishing attacks
Phishing websites are fake websites that attempt to fool users into handing their account credentials to an attacker. The domain used could be a lookalike of a legitimate domain or simply an official-looking name that it would not occur to most users to question. You can prevent users from reaching these sites with DNS traffic blocking, provided the domain is already on the blocklist; freshly registered phishing domains may not yet be categorized, so blocking complements rather than replaces user awareness.
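The blocking mechanism described above (NXDOMAIN or a block-page address instead of the real answer), the category-based blocklists, and the phishing case are pulled together in the following added example of the policy decision a filtering resolver makes before forwarding a query. It is illustrative code written for this page, not the page's or any vendor's implementation: the domains, categories, allowlist and the sinkhole address (192.0.2.10, a TEST-NET-1 address standing in for an internal block page) are all constructed assumptions.

```python
"""Added example: the policy decision a filtering resolver makes before it
forwards a query upstream. Illustrative code, not the page's or any vendor's
implementation. The domains, categories, allowlist and the sinkhole address
(192.0.2.10, a TEST-NET-1 address standing in for an internal block page) are
all constructed for this example."""
from enum import Enum


class Action(Enum):
    FORWARD = "forward"    # not listed: resolve normally
    NXDOMAIN = "nxdomain"  # answer "no such domain"; the client never learns the real IP
    SINKHOLE = "sinkhole"  # answer with the address of an internal block page


# Constructed mapping from blocklist category to the resolver's response.
CATEGORY_ACTIONS = {
    "malware": (Action.NXDOMAIN, None),
    "phishing": (Action.SINKHOLE, "192.0.2.10"),
}

# Constructed blocklist keyed by domain. An entry also covers its subdomains,
# so cdn.malware.example is caught by the malware.example entry.
BLOCKLIST = {
    "malware.example": "malware",
    "phish.example.net": "phishing",
}

# Constructed allowlist: names that must resolve even if a broader category
# entry were added above them. A more specific blocklist entry still wins.
ALLOWLIST = {"example.net"}


def normalize(qname):
    """Lower-case and drop the trailing dot so 'Phish.Example.NET.' matches."""
    return qname.rstrip(".").lower()


def category_for(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Return the blocklist category for qname, or None if it should resolve.

    Walk from the full name toward the TLD so a listed parent covers all of
    its subdomains. The first (most specific) hit decides: an allowlist match
    stops the walk before any shorter blocklist entry can apply.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in allowlist:
            return None
        if candidate in blocklist:
            return blocklist[candidate]
    return None


def decide(qname, qtype="A"):
    """Map a query to (Action, answer).

    Only A queries can be answered with the IPv4 sinkhole address; any other
    record type for a listed name gets NXDOMAIN so the client still learns
    nothing useful about the blocked domain.
    """
    category = category_for(qname)
    if category is None:
        return Action.FORWARD, None
    action, answer = CATEGORY_ACTIONS[category]
    if action is Action.SINKHOLE and qtype != "A":
        return Action.NXDOMAIN, None
    return action, answer


if __name__ == "__main__":
    for name, qtype in [("www.venafi.com", "A"),
                        ("cdn.malware.example.", "A"),
                        ("Phish.Example.NET", "A"),
                        ("phish.example.net", "MX"),
                        ("www.example.net", "A")]:
        action, answer = decide(name, qtype)
        print(f"{name:24} {qtype:4} -> {action.value}"
              + (f" ({answer})" if answer else ""))
```

Two design points matter in practice: names are normalized before matching, because attackers vary case and trailing dots to slip past naive string comparison, and the walk from the most specific label outward means a single blocklist entry covers every subdomain while a deliberately more specific entry (on either list) still takes precedence.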
Tips for DNS security
Given its role as a critical facilitator of modern web traffic, it is easy to understand why DNS has become both a key target and a key tool in the playbook of cybercriminals. DNS traffic blocking is one of the many tools in your arsenal to prevent inadvertent access to malware and phishing websites.
Here are some of the DNS security best practices that can help you prevent threats originating from this common source.
Use redundant DNS servers
Because DNS is fundamental to how network applications such as Active Directory, file sharing, and email operate, your DNS infrastructure must be highly available. At minimum this means redundancy in the form of a primary and a secondary DNS server, so that business-critical services keep working if one server fails. Clients should be configured with both resolvers, since redundancy on the server side helps only if the client knows where to fall back.
Enable cache locking
Every time a DNS server resolves a query, it stores the answer in its cache so it can respond to repeat queries for the same name without asking upstream servers again, which significantly reduces response time. That cache is also an attack surface. In a cache poisoning attack, a forged response tricks the resolver into storing an attacker-chosen address for a legitimate name, and every client that uses the resolver is then sent to the attacker's server until the entry expires.
Cache locking (a feature of Windows DNS Server, set with Set-DnsServerCache -LockingPercent) limits this exposure by controlling when a cached record may be overwritten. The value is a percentage of the record's time to live (TTL): at 100 percent, a cached record cannot be replaced by a new response until its TTL has expired, so a forged answer for a name that is already cached is simply discarded.
Use DNS logging
Logging DNS activity is a highly efficient way to reveal issues with client activity, queries, updates, and more. Query and debug logs can also help identify cache poisoning (also called DNS spoofing), in which an attacker alters the records stored in the resolver's cache so that every client using it is redirected away from a legitimate site toward a malicious one. Signs to look for include a burst of queries from a single client for many random, nonexistent subdomains of one zone (the pattern an attacker produces when forcing the resolver to issue many upstream queries it can race) and cached answers for a well-known name that change unexpectedly.
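As an added example of the two kinds of signal described above (a client hitting blocked names, and the burst of nonexistent-subdomain queries that accompanies a cache poisoning attempt), the following code runs both checks over resolver query logs. It is illustrative code written for this page, not the page's or any vendor's tooling. The log format is constructed for the example (BIND, Unbound and Windows DNS Server each log in their own format, so the parser would need adapting), the log lines themselves are constructed, and the 60-second window and threshold of five names are assumptions to tune against your own traffic.

```python
"""Added example: two checks run over resolver query logs. Illustrative code,
not the page's or any vendor's tooling. The log format below is constructed
for this example (real resolvers such as BIND, Unbound or Windows DNS Server
each use their own, so the parser would need adapting), the log lines are
constructed, and the window and threshold values are assumptions."""
from collections import defaultdict
import re

# Constructed format: "<epoch> <client-ip> <qname> <qtype> <result>", where
# <result> is the response code, or BLOCKED when the filtering policy fired.
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z]+) (?P<result>[A-Z]+)$"
)

# Constructed sample: one phishing block, one benign typo, and one client
# hammering random subdomains of bank.example within a few seconds.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.venafi.com A NOERROR
1700000001 10.0.0.5 phish.example.net A BLOCKED
1700000002 10.0.0.7 mail.example.org MX NOERROR
1700000003 10.0.0.9 x7f2a.bank.example A NXDOMAIN
1700000003 10.0.0.9 q91kd.bank.example A NXDOMAIN
1700000004 10.0.0.9 m0zz3.bank.example A NXDOMAIN
1700000004 10.0.0.9 p4l8s.bank.example A NXDOMAIN
1700000005 10.0.0.9 w2n6t.bank.example A NXDOMAIN
1700000005 10.0.0.9 b5c1r.bank.example A NXDOMAIN
1700000900 10.0.0.7 typo.example.org A NXDOMAIN
"""


def parse_log(text):
    """Turn log text into records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = int(rec["ts"])
            records.append(rec)
    return records


def blocked_by_client(records):
    """Which clients tried to reach filtered names.

    A user who clicked a phishing link shows up here even though the page
    never loaded, which is what makes the block actionable for the team."""
    hits = defaultdict(list)
    for r in records:
        if r["result"] == "BLOCKED":
            hits[r["client"]].append(r["qname"])
    return dict(hits)


def zone_of(qname, depth=2):
    """Collapse a name to its last `depth` labels (assumes two-label zones such
    as bank.example; multi-label public suffixes like co.uk would need a list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def poisoning_suspects(records, window=60, threshold=5):
    """Flag (client, zone) pairs that queried at least `threshold` distinct
    nonexistent subdomains of one zone within `window` seconds.

    A cache poisoning attempt against a zone forces the resolver to send
    many upstream queries for names it has not cached, so the attacker's
    bait looks like a burst of random subdomains answered NXDOMAIN. Only
    NXDOMAIN results are counted, so a single typo does not trip the check.
    """
    groups = defaultdict(list)
    for r in records:
        if r["result"] == "NXDOMAIN":
            groups[(r["client"], zone_of(r["qname"]))].append((r["ts"], r["qname"]))
    suspects = []
    for key, events in groups.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if len({name for _, name in events[start:end + 1]}) >= threshold:
                suspects.append(key)
                break
    return sorted(suspects)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocked:", blocked_by_client(recs))
    print("poisoning suspects:", poisoning_suspects(recs))
```

On the constructed sample, the first check attributes the blocked phishing lookup to 10.0.0.5, and the second flags 10.0.0.9 against bank.example while leaving the single typo from 10.0.0.7 alone. In production the same logic would run over a streaming log and the threshold would be set from a baseline of normal NXDOMAIN rates, since some legitimate software (certain CDNs and antivirus clients) also generates random-looking subdomain queries.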
Hide DNS servers and information
It probably goes without saying that DNS servers should be managed according to the principle of least privilege, just like every other part of your IT estate. In practice that means an internal recursive resolver should answer queries only from your own networks, so it cannot be abused as an open resolver in reflection attacks; zone transfers should be restricted to your own secondary servers; and the authoritative primary should be hidden behind the secondaries, reachable only by system managers and authorized IT personnel.
DNS traffic blocking helps keep your organization's data secure and gives security teams control over what employees can reach from company-managed networks. As such, DNS traffic blocking, or filtering, is often one component of a larger access management program.