• United States



The status quo for DNS security isn’t working

BrandPost By Zscaler
Apr 19, 20235 mins
Data and Information Security

It’s clear that organizations need a playbook for DoH traffic, and perhaps just generally better DNS security.

istock 875247462 image article 5 mapodile
Credit: mapodile

The Domain Name System (DNS) is often referred to as the phone book of the internet. DNS translates web addresses, which people use, into IP addresses, which machines use. But DNS was not designed with security in mind. And even though companies have invested incredible amounts of money into their security stack (and even though they’ve had since the 1980s to figure this out), DNS traffic often goes unmonitored.

This has only worsened with the adoption of encrypted DNS, known as DNS-over-HTTPS (DoH). Since its introduction in late 2018, DoH has grown from a personal privacy feature that most IT teams blocked outright, to an encouraged enterprise privacy and security function. While DoH protects traffic in transit, it also leaves organizations with little to no visibility over what’s happening with their DNS queries.

zscaler article 5 body picture1 1200 Zscaler

The evolution of DNS

Threat actors regularly exploit this visibility gap. IDC’s 2022 Global DNS Threat Report revealed that 88% of organizations interviewed had suffered DNS-related attacks—primarily phishing, malware, and DDoS attacks—over the previous year. Additionally, 70% had experienced application downtime as a result.

A few DNS attack tactics are particularly popular:

  • DNS tunneling: One of the most popular DNS threats is DNS tunneling, in which threat actors take advantage of the flexible nature of DNS queries to hide communications to command-and-control servers, download malware, or exfiltrate data. Unfortunately, this is challenging to detect due to the broad nature of DNS queries (a website can be called pretty much anything so a DNS query can be pretty much anything) and due to IT visibility gaps, particularly when it comes to encrypted traffic.
  • DNS spoofing: This tactic—frequently executed using Man-in-the-Middle (MitM) techniques—involves altering the DNS entries on a DNS server or entering false information into the DNS cache, resulting in the targeted user traffic getting redirected to an attacker-controlled fraudulent site. This can be used for phishing or to trick users into installing malicious software like worms or viruses.
  • DDoS attacks on DNS servers: Attackers don’t necessarily have to infiltrate a server to be disruptive using DNS. In 2016, cybercriminals used the Mirai botnet to wage a DDoS attack on one of the largest and most popular DNS services, taking down huge swaths of applications and websites.
  • Domain-generated algorithms: Attackers frequently use domain generation algorithms (DGA), programs that can rapidly generate thousands of new domain names to allow them to bypass DNS block lists. This can quickly render many organizational DNS security programs ineffective.

A checklist for better DNS security

It’s clear that organizations need a playbook for DoH traffic, and perhaps just generally better DNS security. A checklist for a better solution should include things like:

  • Full inspection of both encrypted and unencrypted traffic (which is super resource-intensive, so generally requires a cloud-native and horizontally scalable platform)
  • Dynamic traffic analysis, not just blocklists
  • Failover mechanisms in case one DNS resolver or service is taken down
  • Consistent speed and performance regardless of where their users, devices, and applications are located worldwide

The US and UK governments have begun taking their own actions to protect critical data by introducing protective DNS (PDNS) resolvers. These are government-sanctioned, security-focused, NSA-threat-intelligence-fueled DNS resolvers that are available (and in some cases mandated) to use by any US organization with access to United States Department of Defense (DoD) information, as well as to a range of public services in the UK. Other government bodies around the world are likely to follow suit.

For years, Zscaler has been proud to partner with our customers to tackle this problem with a differentiated DNS resolution and security approach. The DNS control features built into the Zscaler Zero Trust Exchange™ platform are critical to ensuring seamless, secure access to the internet and applications in every possible circumstance. That means any user, device, or workload connecting to any resource, on any port or protocol, from anywhere in the world, at any time.

Zscaler Innovations to Improve DNS Control

As a cloud-native proxy, the Zscaler Zero Trust Exchange™ delivers scalable inspection, advanced threat protection, and DNS resolution at over 150 edge locations for optimal performance and security around the globe.

Zscaler’s approach to DNS is to not care what resolver you’re using (though we offer our own for peak performance). All traffic that transits through Zscaler gets the same in-depth security analysis, powered by intelligence from the world’s largest inline security cloud that receives over 250,000 security updates per day.

Recently, Zscaler announced enhancements to the security, availability, flexibility, and performance of its DNS control module, including:

  • DNS encryption of plaintext traffic into DNS-over-HTTPS (DoH) for better privacy and security
  • Availability enhancements with enhanced failover capabilities that automatically redirect traffic to a secondary resolver if the primary fails
  • DNS security enhancements, including improved DNS tunnel protection to prevent data exfiltration and enhanced DGA detection to block any command-and-control malware activities
  • Protective DNS enablement by encrypting and sending all government agency traffic to protective DNS (PDNS) resolvers in alignment with mandates from the NSA, CISA, and the National Cyber Security Centre
  • Better user experience with configurable DNS ECS to provide the best localized resolution based on the country, and to ensure users experience webpages with their local language, content, and currency
  • Enhanced error handling and reporting for better visibility and control

Part of the world’s leading zero trust solution

DNS Control is just one of many capabilities of the Zscaler Zero Trust Exchange™, which helps organizations reduce business risk while enabling and simplifying digital transformation. We consistently strive to provide better value, security, and performance across our platform and are proud to offer these new benefits to our customers everywhere.

To learn more about DNS Control, visit our website. And to learn more about the top DNS threats facing organizations today (and what to do about them), check out the paper “Decoding Modern DNS Threats.”