Selecting a protective DNS service
The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. “Protective DNS” (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.
Protecting users’ DNS queries is a key defense because cyber threat actors use domain names across the network exploitation lifecycle: users frequently mistype domain names while attempting to navigate to a known-good website and unintentionally go to a malicious one instead [T1583.001]; threat actors lace phishing emails with malicious links [T1566.002]; a compromised device may seek commands from a remote command and control server [TA0011]; a threat actor may exfiltrate data from a compromised device to a remote host [TA0010]. 1 The domain names associated with malicious content are often known or knowable, and preventing their resolution protects individual users and the enterprise.
Due to the centrality of DNS for cybersecurity, the Cybersecurity and Infrastructure Security Agency issued a memo and directive requiring U.S. government organizations to take steps to mitigate related DNS issues. Additionally, the National Security Agency has published guidance documents on defending DNS [1, 2, 3].
This guidance outlines the benefits and risks of using a protective DNS service and assesses several commercial PDNS providers based on reported capabilities. The assessment is meant to serve as information for organizations, not as recommendations for provider selection. Users of these services must evaluate their architectures and specific needs when choosing a service for PDNS and then validate that a provider meets those needs.