The DNS, the internet’s address book, has long been plagued by malicious domains with little hope for effective recourse against this abuse by its bookkeepers: the registrars. ESET brings its protective technology to bear on this issue.
Since the early 1980s, the Domain Name System (DNS) has been used for looking up the Internet Protocol (IP) addresses of domain names. For most internet users, the work that the DNS performs likely goes completely unnoticed, yet nearly all our activities on the internet begin with a DNS lookup. Monitoring DNS lookups can provide a comprehensive view into the traffic flowing through devices and is a critical point of security control.
TESTING THREAT INTELLIGENCE DATA FOR DNS PROTECTION
Filtering out malicious and suspicious domains is a constant battle to stay protected. Ideally, malicious domains would never be registered in the first place or at least quickly detected and dealt with by delisting, blocking access to, or redirecting traffic away from them (aka sinkholing them). However, registering a new or recycled domain name under a false identity is a fast, simple, and cheap process that has allowed various threats to scale up quickly.
Filtering network traffic for security
The response from the security industry to the abuse of the DNS has been to build automated systems that continually analyze domains for malicious behavior and to create domain blocklists. These lists are then fed into various security products and threat intelligence data feeds to better inform security decisions about allowing connections to specific domains. For example, the anti-phishing database maintained for ESET security products is updated every 20 minutes so that customers can receive protection against the latest phishing websites.
Filtering network traffic against blocklists is no stranger among the security practices of internet service providers (ISPs) and network administrators. Indeed, this is the very task that firewalls have been put to since the mid-1980’s: decapsulate the packets that reach the firewall, look at the IP addresses, the domain names, the protocols, and the port numbers, and if anything is on a blocklist, appears suspicious, or is a communication forbidden by the firewall’s administrators, then block it or raise a warning flag.
With the right fine-tuning, network and endpoint firewalls can be effective as they work in both directions, hindering both external and internal actors from sending packets either into or out of networks and devices. This helps limit the spread of malicious packets and the leak of confidential data no matter the direction or source. A DNS firewall works a little differently as it allows DNS lookups and overrides answers identified as malicious or otherwise undesirable with “not found” or “access denied” messages.
DNS filtering requires partnership
In one sense the use of firewalls and blocklists to deny access to malicious domains can create a false sense of security. With persistent effort, there is almost always some loophole to bypass firewall filters, typically via a Virtual Private Network (VPN) or the Tor Browser.
Since a DNS firewall is tied to a DNS server, to bypass its filters it is possible to change the DNS server you are using. While it is possible to run your own DNS server and filters at home or locally, many internet users are likely using the default DNS server and filters provided by their ISP. A simple search for “public DNS servers” in a search engine reveals a host of popular free and paid alternatives, some offering varying levels of protection against phishing sites and malware.
This means that the successful application of a DNS filtering solution depends critically on the willingness of internet users to enter into a partnership with their selected DNS provider and to choose not to circumvent the offered protection.
Protective DNS with ESET NetProtect
The need for improved security of the DNS has led in some places to mandating PDNS (Protective DNS), an acronym referring to DNS filtering. For instance, since 2020, US Department of Defense (DoD) contractors have been required to earn Cybersecurity Maturity Model Certification (CMMC), which, among other requirements, stipulates DNS filtering to achieve Level 3 out of the five levels. Moreover, at the end of 2021, the DoD set in motion CMMC 2.0, with the repositioning of DNS filtering yet to be seen.
The PDNS market features many vendors offering DNS filtering with different levels of domain feed quality and accompanying security services. ESET offers a unique contribution, one sourced from threat data shared by millions of customers around the world using ESET security products. With 35 years of providing security and developing and fine-tuning internal systems to provide high-quality domain feeds for DNS filtering, ESET is positioned to provide ISPs and home admins a distinctive source of protection.
Perhaps you are an ISP looking to bid for government contracts, or to provide unique protection for your own network or as a security service to your customers? Or perhaps you are a home user looking for better security than is provided by your ISP that can be easily extended to all users and guests of your home network? Whatever your case might be, inquiring about the filtering in place for a DNS server and which entity you are entrusting your DNS security to is no small step toward deflecting the tide of malicious domains proliferating on the internet.
ESET NetProtect is the DNS filtering solution available for home users at ISPs that have partnered with ESET. The solution is capable of detecting and blocking domains that deliver malware, are used for phishing, have a suspicious reputation, or serve potentially unwanted content. ESET NetProtect also offers a configurable web content filter with 35 categories that customers can select from to block content by age group.
For more information about ESET NetProtect and ISP partnerships, visit our product page here.
ESET Ireland 