Tips on Selecting a Protective DNS Service
NSA, CISA Offer Advice on Using PDNS Services to Help Thwart Attacks
As concerns about the number of attacks targeting domain name system protocols continue to grow, the National Security Agency and the Cybersecurity and Infrastructure Security Agency have released new guidance on how to choose and deploy a Protective Domain Name System service to strengthen security.
The domain name system protocol, or DNS, acts as a "phone book" for the internet, taking the domain names used every day and translating them into a numeric code that helps computers find what the user is seeking. This older protocol is vulnerable to attacks, including DNS hijacking, which involves hackers manipulating records so they can see traffic flowing to a particular website or service (see: Recent DNS Hijacking Campaigns Trigger Government Action).
The new guidance says organizations should consider deploying a Protective DNS, or PDNS, service to help reduce threats posed by phishing attacks that contain malicious links, compromised devices trying to connect to a command-and-control server, hackers trying to exfiltrate data from a compromised device, and even users typing the wrong web address into a browser.
PDNS services use a resolver that helps to prevent connections to known or suspected malicious sites.
"The domain names associated with malicious content are often known or knowable, and preventing their resolution protects individual users and the enterprise," according to the joint advisory.
In January, the NSA issued a report on using encrypted DNS to help prevent eavesdropping and manipulation of DNS traffic (see: NSA Offers Guidance on Adopting Encrypted DNS).
Putting PDNS to Work
While some federal agencies and private organizations deploy tools that help secure the authenticity of DNS records, as well as the privacy and integrity of client DNS queries and responses, many of these solutions do not address the trustworthiness of upstream DNS infrastructure that may have been compromised by attackers, the NSA and CISA note.
Other security tools can fail to check DNS registrations that may be maliciously provisioned by hackers, the two agencies say.
PDNS services, however, enable an organization to use a DNS resolver that follows policies developed by the security team to mitigate many of the shortcomings associated with other tools, according to the advisory.
"The resolver usually checks both the domain name queries and the returned IP addresses against threat intelligence, and then prevents connections to known or suspected malicious sites," according to the joint advisory. "PDNS can also protect a user by redirecting the requesting application to a non-malicious site or returning a response that indicates no IP address was found for the domain queried."
A PDNS service can respond to a malicious or suspicious domain name query and block those domains from the network. And it can "sinkhole" malicious domains to prevent users from connecting to them, the advisory notes.
The NSA and CISA published a list of security vendors that provide PDNS services, including Akamai, BlueCat, Cisco, EfficientIP, Neustar and Nominet. But the agencies did not endorse a product.
The NSA launched its own "Secure DNS" program in 2020. It was developed by Anne Neuberger, who was then head of the cybersecurity directorate of the NSA. She told the publication Defense One that the program was able to reduce over 90% of malware attacks from command-and-control servers that targeted the agency's networks.
Neuberger is now the deputy national security adviser for cyber and emerging technology at the White House and is coordinating the investigation into the SolarWinds supply chain attack.
Earlier, CISA instructed federal agencies to continue to use the EINSTEIN 3 Accelerated, or E3A, DNS resolution service for devices that are connected to federal government networks (see: CISA Urges Federal Agencies to Use Approved DNS Service).
In light of the SolarWinds supply chain attack and the ongoing hacking of unpatched Microsoft Exchange on-premises email servers, organizations need to rethink how they use threat intelligence to block malicious domains and other malicious activity, says Oliver Tavakoli, CTO at security firm Vectra AI. PDNS services can play an important role, he says.
"Having PDNS in place allows for quick leverage of threat intel to actively block access, and it also allows relatively easy retrospective analysis to see if the organization was affected," Tavakoli says.
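The two checks the advisory describes (query name, then returned IP addresses, against threat intelligence, answered with a sinkhole or an empty NXDOMAIN-style response) and the retrospective log check Tavakoli mentions, as an added illustration that is not code from the advisory or any vendor's product. The blocklist, sinkhole address and query log are constructed sample values, and the log format is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set
# Constructed threat-intel feed: sample names and RFC 5737 documentation ranges, not real indicators.
BLOCKED_DOMAINS = {"malware-c2.example", "phish-login.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
SINKHOLE_IP = "192.0.2.1"  # address the policy resolver hands back for sinkholed names

@dataclass
class Decision:
    action: str        # "allow", "nxdomain" or "sinkhole"
    answers: List[str]
    reason: str
def _name_is_blocked(qname: str) -> bool:
    # Match the blocked domain itself and any label beneath it.
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in BLOCKED_DOMAINS)

def apply_policy(qname: str, upstream_answers: Iterable[str], sinkhole: bool = True) -> Decision:
    """Check the query name and then the returned IPs against threat intel,
    the two checks the advisory describes, and decide what the client gets."""
    answers = list(upstream_answers)
    if _name_is_blocked(qname):
        if sinkhole:
            return Decision("sinkhole", [SINKHOLE_IP], f"name {qname} is on the blocklist")
        return Decision("nxdomain", [], f"name {qname} is on the blocklist")
    for ip in answers:
        if any(ipaddress.ip_address(ip) in net for net in BLOCKED_NETWORKS):
            # The name passed, but the address it resolves to is known-bad.
            return Decision("nxdomain", [], f"answer {ip} is in a blocked network")
    return Decision("allow", answers, "no threat-intel match")

# Retrospective analysis: which clients asked for a domain that is flagged now?
SAMPLE_LOG = [  # constructed query log, assumed format "<client-ip> query <qname>"
    "10.0.0.7 query malware-c2.example.",
    "10.0.0.9 query www.example.org.",
    "10.0.0.12 query beacon.malware-c2.example.",
]

def clients_that_queried(log_lines: Iterable[str], domain: str) -> Set[str]:
    d = domain.rstrip(".").lower()
    hits = set()
    for line in log_lines:
        client, _, qname = line.split()
        q = qname.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            hits.add(client)
    return hits
```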
Adopting PDNS services and improving security of the aging DNS protocol can help reduce common internet security problems, says Roger Grimes, data-driven defense evangelist at the security firm KnowBe4.
"A far more safe and secure internet can easily be designed. It would not take magic. It would take a few dozen people who control the internet’s future sitting in a room, designing a few global services, like Protective DNS, but on a global level, and agreeing on a few dozen values in a few database tables, and we could do it," Grimes says. He notes, however, that "it's hard to get people in your own family to agree on something, much less all of the people in the world."