The recent announcement of a Protective DNS service for European Union (EU) citizens through the DNS4EU project is yet another milestone in the adoption of DNS as a cybersecurity control.
Protective DNS services are DNS resolvers that apply security policies to DNS requests to protect users and assets from malicious threats, cybercrime and illicit content. It seems almost ridiculous that ordinary DNS servers, and indeed most organizations’ DNS servers, are complicit in locating threat actor-owned DNS domains. Yet Protective DNS is not a new concept, and DNS resolvers have supported this capability since the introduction of response policy zones (RPZs) all the way back in 2010. Since then, we have seen governments, such as the United Kingdom (NCSC), the United States (CISA) and Australia (ACSC), offer Protective DNS services to protect government and critical infrastructure, and countries such as Canada, Estonia and Ukraine deploy secure Protective DNS resolvers to protect citizens. Now, with the new EU service, DNS is beginning to take its rightful place not just as a foundational network service but equally as a cybersecurity control. This de facto standard has been codified in the recent update to the National Institute of Standards and Technology’s (NIST) DNS security best practices guidance, SP 800-81, which, alongside excellent recommendations for securing DNS itself, also recommends the adoption of Protective DNS services.
While the DNS4EU project is a great leap forward, there is much more that can and should be done. A Protective DNS is only as good as the threat intelligence that informs it. With the vast majority of malware and scams relying on DNS to orchestrate their campaigns, we should see Protective DNS services as more than just enforcement points: they are a valuable source of threat actor telemetry. Infoblox Threat Intel research has uncovered a wealth of threat actors, including those operating traffic distribution systems (TDSs) that are at the heart of industrialized cybercrime. These platforms serve not only fraud and scams but also malware, including ransomware that affects businesses and organizations. With that in mind, organizations should seriously consider the updated NIST guidance and apply Protective DNS services to their own infrastructure. The visibility and security context are invaluable to enterprise defenders, so even organizations in Europe that have access to the DNS4EU service should consider how Protective DNS can play a foundational role in their own cybersecurity strategy.
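To make the two points above concrete, here is an added example (not code from the original post, DNS4EU or Infoblox) that models how an RPZ-style Protective DNS resolver evaluates QNAME triggers and, for every policy hit, emits the telemetry record that defenders can mine. The zone entries, client addresses and domain names are constructed sample data; the resolver logic is a simplified model, not a real resolver.

```python
# Added example: a minimal model of RPZ QNAME-trigger evaluation in a
# Protective DNS resolver, plus the telemetry each policy hit produces.
# All zone entries and queries below are constructed sample data.
from typing import Dict, List, Optional, Tuple

# RPZ encodes the action in the CNAME target of the policy record:
#   "."            -> answer NXDOMAIN        "*."         -> answer NODATA
#   "rpz-passthru." -> allow (exception)      "rpz-drop."  -> drop silently
#   anything else   -> redirect to that name (e.g. a sinkhole / walled garden)
RPZ_ZONE: Dict[str, str] = {
    "malicious.example": ".",                      # constructed: block
    "*.malicious.example": ".",                    # wildcard covers subdomains
    "allowed.malicious.example": "rpz-passthru.",  # constructed exception
    "tracker.example": "*.",                       # constructed: NODATA
    "scam.example": "sinkhole.local.",             # constructed: redirect
    "*.scam.example": "rpz-drop.",
}

def _action_for_target(target: str) -> str:
    return {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
            "rpz-drop.": "DROP"}.get(target, "REDIRECT:" + target.rstrip("."))

def evaluate_qname(qname: str, zone: Dict[str, str] = RPZ_ZONE) -> Tuple[str, Optional[str]]:
    """Return (action, matched_trigger). An exact trigger beats a wildcard,
    and the most specific wildcard wins, mirroring RPZ precedence."""
    name = qname.rstrip(".").lower()
    if name in zone:
        return _action_for_target(zone[name]), name
    labels = name.split(".")
    for i in range(1, len(labels)):  # "*.b.c" is tried before "*.c"
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return _action_for_target(zone[wild]), wild
    return "ALLOW", None

def resolve_with_telemetry(queries: List[Tuple[str, str]], zone: Dict[str, str] = RPZ_ZONE) -> List[dict]:
    """Apply the policy to (client, qname) pairs and return one telemetry
    record per policy hit (passthru exceptions included, since a client
    touching a listed domain is worth seeing even when allowed)."""
    hits = []
    for client, qname in queries:
        action, trigger = evaluate_qname(qname, zone)
        if action != "ALLOW":
            hits.append({"client": client, "qname": qname, "trigger": trigger, "action": action})
    return hits

if __name__ == "__main__":
    sample = [("10.0.0.5", "c2.malicious.example."), ("10.0.0.5", "allowed.malicious.example"),
              ("10.0.0.9", "tracker.example"), ("10.0.0.9", "login.scam.example"),
              ("10.0.0.7", "example.org")]
    for record in resolve_with_telemetry(sample):
        print(record)
```

Grouping the returned records by client or by trigger is the starting point for the kind of campaign-level analysis the post describes, because one blocked lookup is a data point while many clients resolving the same trigger is an incident.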
Links
Online Criminal Harm Act – Singapore
Online Safety Act – UK
PDNS – NCSC UK
PDNS – CISA USA
NIST 800-81 Rev 3
Canada Protective DNS
DNS4EU Project
What is Protective DNS?
https://www.infoblox.com/dns-security-resource-center/dns-security-faq/what-is-protective-dns-pdns/
Infoblox Threat Intel
https://www.infoblox.com/threat-intel/