Protective DNS (often referred to as PDNS) is an umbrella term for security solutions that examine DNS queries and implement safeguards to prevent systems and people from accessing internet resources that host malicious content (e.g. botnet C2, malware, ransomware, phishing) or other undesirable content.
The idea of Protective DNS is not new; the term is. Protective DNS is now actively promoted by the U.S. https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2523771/nsa-and-cisa-release-cybersecurity-information-on-protective-dns/ and the UK https://www.ncsc.gov.uk/information/pdns governments. You may want to know that the engine of Protective DNS (or DNS Firewall, as we knew it) is Response Policy Zones (RPZ, https://www.dnsrpz.info/).
RPZ was co-invented and prototyped back in 2010 by Schryver and Vixie, a co-author of this article – so you have a rare opportunity to learn about this topic from the horse’s mouth.
What is the fuss about?
There are two fundamental protocols on the Internet: BGP (a “map”) and DNS (an “address book”) – those who control them control the internet. If in doubt, just think of the recent disappearance of Facebook.
As almost anything on the Internet starts with DNS, you may wonder “who controls you?”. Perhaps it is your ISP, whose customer you are, but most likely it is a third, non-contracted party, e.g. 220.127.116.11 or 18.104.22.168 and a squad of others https://duckduckgo.com/?q=public+dns+servers. And now you may wonder “how private and secure are they?” and “are cloud solutions the only option I have?”.
About privacy: the cloud DNS providers may not “sell” your data, but they “know” everything about you – that is why it is “free”. Even if you use DoH, someone whose paying customer you are not might (i.e. will) be watching.
About security: no one can guarantee absolute security; we do not even know what that is. No test can be devised to demonstrate security; only the opposite is true: once you break something, you know for sure it is insecure.
About your options: run your own recursive DNS with RPZ, i.e. an industry-grade, government-recommended Protective DNS solution. You can do it even on a Raspberry Pi using open source software (e.g. https://ioc2rpz.net; step-by-step instructions for building it yourself are here: https://forum.labs.fsi.io/t/industry-grade-government-recommended-dns-fw-on-raspberry-pi-built-and-managed-by-ioc2rpz-part-ii/252 – registration required), not to mention commercially available enterprise solutions.
Not only do you have the option to take control into your own hands, but you also gain a powerful protective and detective tool to protect your business or household.
I do not believe you!
Let’s assume you receive this email from the National Health Service in the UK and wanted to get a Digital Passport:
If you had your own DNS with a Newly Observed Domains (NOD) RPZ, e.g. from https://www.farsightsecurity.com/Services/NOD/, you would see the following:
The internet would disappear in front of your eyes (NXDOMAIN means such a record does not exist). However, if you used any other publicly available cloud DNS, you would be hit (see the IP address returned). Take a closer look at the times too. Now imagine this is a ransomware key distribution site – if that were the case, you would not be reading this article.
Why did it (not) work?
A lot of studies have demonstrated that up to 70% of new assets on the internet are “not safe” (e.g. https://www.farsightsecurity.com/assets/media/download/VB2018-study.pdf and https://unit42.paloaltonetworks.com/newly-registered-domains-malicious-abuse-by-bad-actors/), or that up to 90% of malware attacks use DNS (e.g. https://mkto.cisco.com/rs/564-WHV-323/images/cisco-asr-2016.pdf). Therefore, if we deny access to those new assets in bulk for some time (in our example, for 24h), we prevent, with 100% certainty, access to more than 70% of “unsafe” destinations. And because there is no legitimate reason for anyone to access a brand-new asset on the Internet, the rate of false positives is extremely low.
Moreover, if you run your own Protective DNS (i.e. DNS Firewall), you have access to the logs and will be alerted if you see any entries triggered by the NOD RPZ. Almost certainly such an entry should concern you, and you can act with surgical precision!
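The NOD mechanism described above, as an added example that is not the article’s or Farsight’s code: a miniature RPZ-style evaluator renders a (constructed) NOD feed as `CNAME .` records for anything first seen within 24h, applies the QNAME policy before returning the upstream answer, and logs each rewrite so the hit can be investigated. Domain names, timestamps and IP addresses are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

NOD_WINDOW = timedelta(hours=24)  # the article's example: deny new assets for 24h

NOW = datetime(2021, 10, 6, 12, 0, tzinfo=timezone.utc)
# Constructed NOD sample: domain -> first time it was observed on the Internet.
FIRST_SEEN = {
    "nhs-digital-passport.example": NOW - timedelta(hours=2),  # brand new
    "nhs.uk": NOW - timedelta(days=9000),                      # long established
}
# Constructed "upstream" answers a cloud resolver would hand back unfiltered.
UPSTREAM = {"www.nhs.uk": "198.51.100.10",
            "www.nhs-digital-passport.example": "203.0.113.7"}

def nod_rpz_zone(first_seen, now, window=NOD_WINDOW):
    """Render the NOD feed as RPZ records. In RPZ, 'CNAME .' means answer
    NXDOMAIN; the wildcard entry extends the rule to every sub-name."""
    zone = {}
    for name, seen in first_seen.items():
        if now - seen < window:
            zone[name] = "CNAME ."
            zone["*." + name] = "CNAME ."
    return zone

def rpz_qname_policy(qname, zone):
    """QNAME trigger lookup, most specific match first, like a resolver
    consulting a policy zone: exact name, then enclosing wildcards."""
    name = qname.rstrip(".").lower()
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None

def resolve(qname, zone, upstream, client, log):
    """Apply the policy before answering; every rewrite leaves a log line."""
    if rpz_qname_policy(qname, zone) == "CNAME .":
        log.append(f"client {client} ({qname}): rpz QNAME NXDOMAIN rewrite via nod.rpz")
        return "NXDOMAIN"
    return upstream.get(qname.rstrip(".").lower(), "NXDOMAIN")

def nod_hits(log):
    """Detection side: the clients that tried to reach a newly observed domain."""
    return sorted({line.split()[1] for line in log if "rpz QNAME" in line})
```

Re-rendering the zone two days later drops the domain again, which is the “for some time” in the text: the block is a time window, not a permanent blacklist.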
- RPZ is the engine of Protective DNS – we invented it!
- You can run Protective DNS on-prem with minimal effort and resources
- As a by-product, you will have not only protection but also a detection mechanism that knows about the threat before any of your other security solutions do
- No one but you (and the spies) will know what you were interested in on the internet
- Join our Labs.fsi.io – let’s make the internet a safer place for everyone together
Editor’s note: Paul is a speaker for ODSC West 2021. Be sure to check out his talk, “Passive Privacy-respecting Collection of DNS Transaction Data,” there!
About the Authors/ODSC West 2021 Speakers on Protective DNS:
Dr. Paul Vixie is an Internet pioneer. Currently, he is the Chairman, Chief Executive Officer and Cofounder of Farsight Security, Inc. He was inducted into the Internet Hall of Fame in 2014 for work related to DNS and DNSSEC. Dr. Vixie is a prolific author of open-source Internet software including BIND, and of many Internet standards documents concerning DNS and DNSSEC. In addition, he founded the first anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). He earned his Ph.D. from Keio University.
Boris Taratine is a passionate visionary and an influential ambassador of cybersecurity and cyber defence. He has been working with renowned companies across the globe and has consulted for numerous organizations. During the decades of his career, he has held senior technical and leadership roles across several industries. Being a trusted adviser to the C-suite, he has helped global businesses understand the importance of cyber disciplines and take proactive action to improve. He is very analytical; his problem-solving skills are hard to match: he sees the roots of the problems through the elephants in the room. He is often at odds with conventional wisdom, which can be quite annoying until you understand the point. He actively promotes industry collaboration, participates in various industry forums, and is a frequent speaker at industry events to influence global cybersecurity development. He volunteers his time advising cybersecurity start-ups, seeing the weakness in super-duper secure stuff whilst it is still a napkin drawing – which can be quite annoying too. Boris is a highest-honours graduate of Saint Petersburg State University. During his Ph.D. studies, he co-authored a number of publications and patents granted under the NATO HiTech project; since then he has many publications and dozens of patents granted and pending. He is willing to share all this knowledge with anyone who wants to learn – this could be you.