You may have heard about Protective DNS (pDNS) from CISA and the NSA, who recommend it as part of the Shields Up initiative. You may have heard about Protective DNS as being a recommended part of a SASE architecture, or even a needed extension to a zero-trust architecture. Perhaps your cyber insurance provider asked if you have a Protective DNS solution in your most recent insurance questionnaire.
Or maybe you are just tired of being reactive to each new attack and technique, and have finally decided to move forward with a proactive business and operational resiliency solution that will provide the required visibility to ensure that breaches do not turn into devastating attacks.
Trying to detect and block each new technique and attack vector is an endless cat-and-mouse game that, at best, you maintain pace with and in general is a losing proposition, which is why leading organizations across the globe are deploying modern pDNS systems.
What Is Protective DNS, Exactly?
Regardless of why you’ve decided to implement and deploy a pDNS system, there is the obvious question – how do you select the right one?
To start with, let’s make sure we’re clear on what pDNS actually is. This is not “DNS Protection” which generally focuses on protecting your DNS system itself from attacks like DDOS and others.
Rather, Protective DNS solutions add a security layer into the DNS process itself. When a client requests a given IP address for a specific domain, pDNS solutions will, in general, only provide the IP address if it is “safe” to do so – that is, if the domain itself is not functioning as command-and-control for some adversary running their attack.
With that understanding, what are the various characteristics of a pDNS system that should be considered to find the right one for you?
Selecting the Right Protective DNS Solution
First and foremost, ask yourself how good is it at doing what it says it does? No one cares about the “bells and whistles” or the overall speed of a solution if it isn’t accurate and effective; specifically, how effective is it at identifying adversary infrastructure (e.g. command-and-control), and how often does it claim something is nefarious when it really isn’t (e.g. a false positive)?
Many vendors and providers will, of course, claim that they are number one. Like reading any other third-party review, you want to ensure that your chosen vendor has a third-party independent test that documents its efficacy and false-positive rate.
Don’t Say It, Prove It
AV-TEST in Germany is the foremost authority for this kind of testing, as they have tested HYAS, Cisco, Akamai, Infoblox, Palo Alto, and others, and their reports are publicly available on their website. For instance, their report on HYAS Protect highlights HYAS’ focus on correctness, via its unique and differentiated HYAS Adversary Infrastructure Platform that powers all of its solutions.
As part of this analysis, we recommend that you dig into how the provider generates the results that they do.That is, where does the underlying data come from? And as attack vectors and techniques change, how could efficacy change in the future? The best solutions are built on general scalable approaches and do not rely on any point-in-time data that could be obsolete a few months from now.
How to Determine Which Protective DNS Solution Is Best for Your Environment
Now that you know how good a solution is, you need to ask yourself will it work in my environment? It actually doesn’t matter how good a solution is if it won’t work for you and your organization, and that includes:
(i) Will it adapt to my network architecture or do I need to change my overall architecture?
(ii) Will it integrate with my existing security stack and components today and improve the overall efficacy of the combined solution?
(iii) Is it future-proof to integrate with other components if/when changes are made?
(iv) Can it be deployed in such a way that respects local and domestic data retention policies and laws (for instance, can you ensure that personally identifiable information or PII does not cross national borders)?
These are all factors of understanding the flexibility and capabilities of a solution to determine “will it work for me.”
How Configurable Is the Protective DNS Solution?
You have ascertained that the solution works well and will work in your environment. Now ask yourself, how configurable is it? While some risks are common across all organizations (e.g. everyone wants to avoid being infected with Emotet), not every organization thinks about risk in the same way or even tries to implement the same level of risk. It is important to consider how policy management and overall solution configurability works so you can adapt and customize the pDNS solution to your specific needs.
For instance, some organizations may want to (hypothetically) block all traffic from Russia (.ru). Others may want to block based on specific nameservers or other aspects of DNS infrastructure. Some may allow movie-streaming (and thus access) to pirated websites on their network; others may see this as a policy violation. The ability to configure the specific level of risk, and change this over time, is vital to making a Protective DNS solution work properly for you.
Will the Protective DNS Solution Scale?
Now that you know it works well and will work for you in your specific environment and allow you to customize it, but will it scale seamlessly as traffic changes? Your usage requirements (e.g. the number of DNS queries processed in any given time period) may change over time, sometimes rapidly based on changes in your business.
A good Protective DNS solution can quickly and automatically scale up to handle both traffic spikes as well as long-term increases in the amount of DNS queries being processed. Ask your proposed Protective DNS provider about their architecture and how it scales with traffic increases to ensure that you don’t ever have an outage due to unintended or unforeseen traffic increases.
Accommodating Changing Standards and Protocols?
If the solution meets all of your needs, you need to confirm that it checks the box with the right standards. Make sure that any Protective DNS solution you select implements DNS over TLS (DoT) and DNS over HTTPS (DoH). You never know when you may need to implement and/or control these protocols inside of your network, and you never want to be caught not being able to implement support for a known standard. And since DNS by itself is not secure, make sure that the pDNS solution you implement supports DNSSEC as well.
Who Says So?
And finally, we must consider, who else will vouch for the solution? Even though most organizations don’t publicly announce what security solutions they use in their environment, every solution provider typically has some client testimonials, but not all testimonials are created equal. We recommend that you look at the sources of these testimonials and consider whether they apply to your use cases and environment or not, as well as if they come from a known brand, for instance.
It is best when documentation comes from an independent, unbiased source such as a government agency. A good example of which would be CISA’s memo on selecting a Protective DNS solution. They do not recommend one solution versus another (although they do compare their abilities), but if the proposed solution isn’t even mentioned by CISA, you should at least ask the question why and what that might imply.
In conclusion – congratulations. You’ve decided to improve your overall security by implementing a Protective DNS solution, and giving you and your organization the confidence to move forward with true support for operational and business resiliency. This is the first step.
Now just make sure that you pick the right one for you. This blog provides a lot of information but if you want to talk to a technical expert for impartial advice, or just answers to questions, feel free to reach out directly to us. We’d be happy to talk with you.
