The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity information sheet, "Selecting a Protective DNS Service." The publication details the benefits of using a Protective Domain Name System (PDNS), the criteria to consider when selecting a PDNS provider, and how to implement PDNS effectively.

The Domain Name System (DNS) is a key component of the internet's resilience: it translates domain names into Internet Protocol addresses, which is what makes navigating to a website, sending an email, or opening a secure shell connection practical. PDNS is a security service that uses existing DNS protocols and architecture to analyze DNS queries and mitigate threats. Its core capability is leveraging open source, commercial, and governmental threat feeds to categorize domains and block queries for domains identified as malicious. This provides defenses at several points in the network exploitation lifecycle, addressing phishing, malware distribution, command and control, domain generation algorithms, and content filtering. PDNS can log suspicious queries and return a blocked response, delaying or preventing malicious actions (such as ransomware encrypting a victim's files) while giving the organization the logged DNS queries it needs to investigate.
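To make the core mechanism concrete, here is an added illustration (not code from the information sheet or from any PDNS provider) of what a protective resolver does with a query: normalize the queried name, match it against a threat feed at label boundaries so that subdomains of a listed domain are caught but look-alike names are not, log the hit with its category, and return a sinkhole answer instead of forwarding the query upstream. The feed contents, the 0.0.0.0 sinkhole address, and the upstream lookup are all constructed assumptions; real services typically answer with NXDOMAIN or a dedicated block page and consume much larger feeds.

```python
"""Minimal protective-DNS policy check (constructed example, not a product's code)."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed threat-feed excerpt: one domain per line, optional tab-separated
# category, '#' comments. These are placeholder names, not a real feed.
FEED = """\
# domain<TAB>category  (constructed sample)
malware-cdn.example\tmalware
phish-login.example\tphishing
c2.badactor.example\tc2
"""


@dataclass
class Decision:
    qname: str                       # normalized queried name
    action: str                      # "allow" or "block"
    category: Optional[str] = None   # feed category when blocked
    matched: Optional[str] = None    # feed entry that matched (may be a parent domain)


class PdnsPolicy:
    # Assumed sinkhole answer for blocked names; many services return NXDOMAIN instead.
    SINKHOLE = "0.0.0.0"

    def __init__(self, feed_lines: Iterable[str]) -> None:
        self.blocked = {}            # normalized domain -> category
        self.log: List[Decision] = []  # blocked queries retained for investigation
        for line in feed_lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            domain, _, category = line.partition("\t")
            self.blocked[self.normalize(domain)] = category or "uncategorized"

    @staticmethod
    def normalize(name: str) -> str:
        # DNS names are case-insensitive; a trailing dot marks the root.
        return name.rstrip(".").lower()

    def check(self, qname: str) -> Decision:
        name = self.normalize(qname)
        labels = name.split(".")
        # Walk the suffixes so "www.c2.badactor.example" matches the feed entry
        # "c2.badactor.example", while "notc2.badactor.example" does not, because
        # matching happens on whole labels rather than on raw string suffixes.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return Decision(name, "block", self.blocked[candidate], candidate)
        return Decision(name, "allow")

    def resolve(self, qname: str, upstream: Callable[[str], Optional[str]]) -> Optional[str]:
        """Return the answer a client would receive: sinkhole if blocked, else upstream."""
        decision = self.check(qname)
        if decision.action == "block":
            self.log.append(decision)   # keep the evidence, not just the block
            return self.SINKHOLE
        return upstream(decision.qname)


# Constructed stand-in for a real upstream resolver (TEST-NET-3 addresses).
def fake_upstream(name: str) -> Optional[str]:
    return {"example.com": "203.0.113.10", "notc2.badactor.example": "203.0.113.20"}.get(name)


if __name__ == "__main__":
    policy = PdnsPolicy(FEED.splitlines())
    for q in ["example.com", "www.PHISH-LOGIN.example.", "notc2.badactor.example"]:
        print(q, "->", policy.resolve(q, fake_upstream))
    for entry in policy.log:
        print("blocked", entry.qname, "category", entry.category, "via", entry.matched)
```

The label-boundary walk is the part worth copying: a naive `name.endswith(blocked)` test both over-blocks (`notc2.badactor.example`) and, depending on how the feed is written, under-blocks subdomains that attackers rotate freely beneath a listed parent.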

Ray Kelly, principal security engineer at WhiteHat Security, a San Jose, Calif.-based provider of application security, explains, "DNS exploitations are still incredibly rampant since it's such an effective technique used by malicious actors. The capability to reroute email, users' web browsing as well as distribute malware at scale are possible when a DNS address has been compromised. Any steps to mitigate attack vectors such as DNS spoofing and DNS cache poisoning will go a long way to help keep users and companies safe from such threats."

The Cybersecurity Information Sheet provides a compiled summary of the services offered by different PDNS providers. This information is provided to help NSA and CISA's customers analyze which provider may meet their needs; it does not recommend or endorse any of the products specifically. Customers looking to implement PDNS should choose a reputable PDNS provider and take care to understand how the provider will use any customer data.

Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, says, "PDNS solutions can be thought of as a 'DNS firewall' and they represent a logical way to actively leverage threat intelligence related to registered domains. Like other preventive approaches, they are useful in protecting organizations from 'known bads', but ultimately fall short in blocking the early stages of a new attack or more sophisticated and bespoke attacks which leverage domains lacking bad reputations. So it makes sense to implement PDNS to reduce attack surface, however, it should not be thought of as a preventive silver bullet that obviates the need to detect attackers who know how to bypass these protections."

The guidance includes lessons learned from an NSA PDNS pilot, in which NSA partnered with the Department of Defense Cyber Crime Center to offer PDNS as a service to several members of the Defense Industrial Base. Over a six-month period, the PDNS service examined more than 4 billion DNS queries to and from the participating networks, blocking millions of connections to identified malicious domains.

For more information on cybersecurity guidance, visit NSA.gov/cybersecurity-guidance.