What is Protective DNS?
Protective DNS (often referred to as PDNS) is an umbrella term for security solutions that examine DNS queries and implement safeguards to prevent systems and people from accessing internet resources that contain malicious (e.g. C2 botnets, malware, ransomware, phishing), or other undesirable content.
The idea of Protective DNS is not new, the term is. The Protective DNS is now actively promoted by the U.S. https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2523771/nsa-and-cisa-release-cybersecurity-information-on-protective-dns/ and the UK https://www.ncsc.gov.uk/information/pdns Governments. You may want to know, that the engine of Protective DNS (or DNS Firewall as we knew it) is Response Policy Zones (RPZ https://www.dnsrpz.info/).
RPZ was co-invented and prototyped back in 2010 by Schryver and Vixie, a co-author of this article — so you have a rare opportunity to learn about this topic from the horse’s mouth.
What is the fuzz about?
There are two fundamental protocols on the Internet: BGP (a “map”) and DNS (an “address book”) — those who control them, control the internet. If in doubt — just think of the recent disappearance of Facebook.
As almost anything on the Internet starts with DNS you may wonder “who controls you”? Perhaps, this is your ISP and you are their customer, but most likely it is a 3rd non-contracted party, e.g. 126.96.36.199 or 188.8.131.52 and a sQuad of others https://duckduckgo.com/?q=public+dns+servers. And now you may wonder “how private and secure they are?” and “whether the cloud solutions is the only option you have?”.
About privacy: the cloud DNS providers may not “sell” your data, but they “know” everything about you — that is why it is “free”. Even if you use DOH — someone who you are not even a paying customer might (i.e. will) be watching.
About security: no one can guarantee absolute security, we even do not know what that is — there is no test that can be devised to demonstrate security, one opposite is true: once you break something you know for sure it is insecure.
About your options: run your own recursive DNS with RPZ, i.e. industry-grade government recommended Protective DNS solution. You can do it even on Raspberry Pi using open source software ( e.g. https://ioc2rpz.net, how-to build it yourself step-by-step instructions are here: https://forum.labs.fsi.io/t/industry-grade-government-recommended-dns-fw-on-raspberry-pi-built-and-managed-by-ioc2rpz-part-ii/252 — registration required), not to mention commercially available enterprise solutions.
Not only do you have options to take control in your hands, but also to have powerful protective and detective tools to protect your business or household.
I do not believe you!
Let assume you receive this email from National Health Services in the UK and wanted to get Digital Passport:
If you had your own DNS with Newly Observed Domains (NOD) RPZ, e.g. from https://www.farsightsecurity.com/Services/NOD/ — you will see the following:
The internet would disappear in front of your eyes (NXDOMAIN means — such record does not exist). However, if you used any other publicly available cloud dns — you would be hit (see IP address returned). Take a closer look at the times too. Now imagine this is a ransomware key distribution site — if that was the case, you would not be reading this article.
Why did (not) it work?
A lot of studies have been done which demonstrated that up to 70% of the new assets on the internet are “not safe” (e.g. https://www.farsightsecurity.com/assets/media/download/VB2018-study.pdf, and https://unit42.paloaltonetworks.com/newly-registered-domains-malicious-abuse-by-bad-actors/) or that up to 90% of malware attacks use DNS (e.g. https://mkto.cisco.com/rs/564-WHV-323/images/cisco-asr-2016.pdf). Therefore, if we deny access to those new assets in bulk for some time (in our example for 24h) we, with 100% certainty prevent access to more than 70% of “unsafe” destinations. And because there is no legitimate reason for anyone to access the new asset on the Internet — the rate of false positives in extremely low.
Moreover, if you run your own Protective DNS (i.e. DNS Firewall) you have access to the logs and will be alarmed if you see any entries triggered by NOD RPZ. Almost certainly this shall be your concern and so you can act with surgical precision!
- RPZ is the engine of the Protective DNS — we invented it!
- You can run Protective DNS on-prem even with minimal efforts and resources
- As a byproduct you will have not only protection but detection mechanisms before any other of your security solution will know about the threat
- No one but you (and the spies) will know what you were interested in on the internet
- Join our Labs.fsi.io — let’s together make the internet a safer place for everyone
Read more data science articles on OpenDataScience.com, including tutorials and guides from beginner to advanced levels! Subscribe to our weekly newsletter here and receive the latest news every Thursday. You can also get data science training on-demand wherever you are with our Ai+ Training platform.