The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet's resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. “Protective DNS” (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.

Protecting users’ DNS queries is a key defense because cyber threat actors use domain names across the network exploitation lifecycle: users frequently mistype domain names while attempting to navigate to a known-good website and unintentionally go to a malicious one instead (T1583.001); threat actors lace phishing emails with malicious links (T1566.002); a compromised device may seek commands from a remote command and control server (TA0011); a threat actor may exfiltrate data from a compromised device to a remote host (TA0010).1 The domain names associated with malicious content are often known or knowable, and preventing their resolution protects individual users and the enterprise.

Due to the centrality of DNS for cybersecurity, the Department of Defense (DoD) of USA, included DNS filtering as a requirement in its Cybersecurity Maturity Model Certification (CMMC) standard (SC.3.192). The Cybersecurity and Infrastructure Security Agency issued a memo and directive requiring government organizations to take steps to mitigate related DNS issues.

Domain classification

A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:

Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typosquats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.

Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command and control malware. For example, these may include sites hosting malicious JavaScript®2 files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.

Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attributes and tagging those associated with known DGA attributes, such as high entropy.

Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., “gambling”) and warn or block on those that are deemed a risk for a given environment.

One of the most known and biggest PDNS is Cisco Umbrella with more than 200B request per day and more than 17k companies leveraging Umbrella’s Security capacity. It’s easy to adopt and can provide real value just after the first 10 minutes of its configuration.

If you want to know how Cisco Umbrella compares with the competition you can download the security report here.