Protective Domain Name System (ITSAP.40.019)

March 2022

Awareness series

ITSAP.40.019

 

Alternate format: Protective Domain Name System (ITSAP.40.019) (PDF, 809 KB)

Threat actors frequently use connections to malicious web domains to further compromise CompromiseThe intentional or unintentional disclosure of information, which adversely impacts its confidentiality, integrity, or availability. victim’s systems and data. Industry reports estimate that between 80 to 90 percent of cyber attacks leverage the Domain Name System (DNS). If a threat actor can persuade you or a member of your organization to connect to a malicious website, they can infect your network and devices with malware MalwareMalicious software designed to infiltrate or damage a computer system, without the owner's consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware. or steal your data.

What is DNS?

DNS is a protocol that translates user-friendly web addresses, such as “cyber.gc.ca”, into machine-readable IP addresses. It is often referred to as the address book for the Internet. DNS is used for both human-initiated actions (e.g. visiting a website) and machine-initiated actions (e.g. running an update). This translation process is called DNS resolution. DNS queries are required for almost everything your organization does with network applications and online activity. Protective DNS can benefit you as an individual public user or as an organization.

Protective Domain Name Service - Long description immediately follows

 
Long description - Protective Domain Name Service (DNS)

The diagram uses arrows and icons to represent the steps to access the Cyber Centre’s website through a DNS server.

In this example:

  • The web domain DNS request (cyber.gc.ca) is sent to a DNS server
  • The DNS server send back the resolved IP address (205.193.218.119)
  • The computer is able to access the Cyber Center on the internet using the IP address

What is protective DNS?

Protective DNS (PDNS) or DNS firewall FirewallA security barrier placed between two networks that controls the amount and kinds of traffic that may pass between the two. This protects local system resources from being accessed from the outside. is a tool that can be implemented by your organization to protect employees from inadvertently visiting potentially malicious domains on the internet. Malicious domains identified in PDNS blocklists are derived from a variety of cyber threat Cyber threatA threat actor, using the internet, who takes advantage of a known vulnerability in a product for the purposes of exploiting a network and the information the network carries. intelligence sources. These blocklists contain all of the domains that users are prevented from visiting when using corporate IT assets or while on your organization’s networks. PDNS typically addresses the following four types of domains: phishing PhishingAn attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking or spoofing a specific, usually well-known brand, usually for financial gain. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they may then use to commit fraudulent acts. , malware command and control, domain generation algorithms, and content filtering.

DNS encryption standards

There are two options within the DNS protocol to encrypt DNS queries and traffic: DNS over HTTPS (DoH) and DNS over Transport Layer Security (DoT). The intent of both is to increase user privacy and prevent observation and manipulation of DNS. DoT or DoH can provide protections against certain cyber attacks, such as person in the middle (PITM). When determining if your organization will implement DoT or DoH you should consider the risks and benefits of both.

DoT

A protocol for encrypting Domain Name System (DNS) resolution via the Transport Layer Security (TLS) protocol.

DoH

A protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol.

For more information on DNS encryption EncryptionConverting information from one form to another to hide its content and prevent unauthorized access. standards, see the National Cyber Security Cyber securityThe protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability. Centre’s Protective DNS for the private sector


Benefits of protected DNS?

By implementing PDNS in your organization, you are adding a layer of defence to protect against malicious domains and potential cyber attacks, like phishing or ransomware RansomwareA type of malware that denies a user's access to a system or data until a sum of money is paid. . PDNS will also benefit your organization by:

  • informing users of potentially malicious links so they know what to look for and aim to avoid them in the future
  • detecting potential threats to your networks, systems, and devices and allowing you more time to ensure mitigation measures are in place
  • protecting mobile devices where traditional anti-virus and anti-malware protection may not apply
  • offering increased protection if your organization has a bring your own devices (BYOD) policy
  • protecting users’ from malicious sites when a typo is made in entering a URL in a browser
  • protecting users from websites that have been compromised by a threat actor without the domain owner’s knowledge, provided the domain has been flagged as malicious
 

Free vs. paid protected DNS services

There are both free and paid protected DNS services available in Canada. Free DNS services are typically marketed for personal and home use. The Canadian Internet Registration Authority (CIRA) provides a free publicly available protected DNS service called Canadian Shield to ensure personal devices always use a trusted DNS and filter out malicious web domains. Canadian Shield can be set-up on your home router or gateway GatewayAn intermediate system that is the interface between two computer networks. A gateway can be a server, firewall, router, or other device that enables data to flow through a network. to better protect your network.

Paid DNS services are usually designed and marketed for organizations. Small and medium sized organizations can procure protected DNS services from vendors within Canada.

How do I select a vendor?

Consider the following items when selecting a vendor to supply protective DNS for your home or organizational network:

  • research providers and ensure they have a solid reputation and can demonstrate their experience in cyber security
  • procure protected DNS services from vendors who allow your organization to have visibility into what is being blocked across your organization
  • ask vendors for case studies or examples in which their services protected an organization from a potential cyber threat
  • confirm whether the vendor or a third party performs regular security testing on their own infrastructure
  • confirm if the vendor provides API access to your DNS query data, including security integration with products like Security Information and Event Management (SIEM)
  • ensure the vendor’s service will work across multiple systems and devices, in particular mobile and BYOD devices (if required)
  • determine whether the vendor releases their own security testing and certification results and reports
  • enquire about your vendor’s DNS service analytics and the source of their threat intelligence feeds

For more information on selecting a protected DNS provider, see Selecting a Protective DNS Service (PDF) from the National Security Agency (NSA) and the Cybersecurity & Infrastructure Security Agency (CISA).

 
Date modified: