Malware is commonly delivered via the internet when employees are fooled into visiting malicious websites. DNS malware protection is one of the best ways to block these attacks. DNS protection works by adding a layer of security between a user and the internet that prevents visits to websites used for scams, phishing, and malware and ransomware distribution.
What is the DNS?
In order to understand how DNS malware protection works, it is first necessary to know a little about the DNS and what it is used for. DNS is an acronym for Domain Name System, which is the system that converts an easy to recognize domain name such as Google.com into the numeric IP address that computer’s use to find websites. The DNS is essentially a contact list. You look up a name and it returns a number. You couldn’t call your doctor without his/her phone number, and similarly you could not find your doctor’s website without the IP address.
Every time you enter a website address in your browser, a DNS lookup is performed to obtain the unique IP address that allows the website to be found. When your DNS server finds the IP address, it is sent to your browser and a connection is made and the content is displayed in the browser. It is an extremely efficient process that takes a fraction of a second.
DNS Protection Best Practices
The DNS acts as an address book for the internet, so if the DNS is changed, when a user attempts to visit a website an alternative IP address could be provided. Threat actors often target the DNS to redirect users to their malicious websites – often referred to as DNS hijacking. Attacks are also performed to overwhelm websites with DNS response traffic in Denial of Service attacks. It is therefore important for businesses to use some form of DNS protection to prevent these attacks. Security experts recommend three DNS protection best practices to prevent these attacks:
- DNS security extensions
- DNS over TLS and
- DNS over HTTPS
DNS security extensions use digital signature key pairs to validate DNS queries and ensure they are sent from the proper source. DNS over TLS encrypts plain text queries to prevent them from being intercepted and altered. DNS over HTTPS is similar to DNS over TLS as encryption is used, but in addition, responses are hidden within other HTTPS traffic. in addition to the above forms of DNS protection, it is also advisable to use a SIEM system and to feed DNS data into the SIEM for monitoring and analysis.
How Does DNS Malware Protection Work?
DNS malware protection takes place at the DNS lookup stage of a web request, before any content is downloaded by the browser. The DNS makes no distinction between genuine websites and those used for malicious purposes. All websites have an IP address, and the DNS will blindly supply those addresses. DNS malware protection works by comparing the IP address against blacklists of known malicious or illegal websites. With DNS malware protection in place, the IP address will be identified, but if the site is malicious and blacklisted, the IP address will not be returned. Instead, a user will be directed to a local block page that explains why the website has been blocked.
Benefits of a DNS Filtering Service
DNS filtering has advantages over other forms of internet filtering. As previously mentioned, filtering takes place before content is downloaded, which means internet speed is not affected. There is close to zero latency with DNS filtering.
DNS filtering does not require any software downloads or additional hardware as filtering takes place in the cloud on the service provider’s servers. All that is required to start filtering the internet is to change to your DNS settings to point to the service provider’s DNS servers – A very quick and easy process. The DNS servers used by service providers may also be quicker than those used by your ISP.
In addition to providing DNS malware protection, a DNS filtering service will protect against all known malicious websites including those identified as being used to phish for credentials. DNS filtering also allows businesses to exercise control over the types of content that can be accessed by employees. The service provider will scan the internet and categorize websites based on their content. Policies can then be set to prevent employees from accessing certain categories of website such as pornography, gambling, dating, gaming, and peer-2-peer file sharing websites.
WebTitan – DNS Protection for Businesses and MSPs
TitanHQ can provide DNS protection through a cloud-based DNS filtering service called WebTitan Cloud. WebTitan Cloud allows employers, MSPs, and ISPs to carefully control the types of internet content that can be accessed by users and provide protection from malware, ransomware, phishing, and other web-based threats.
WebTitan Cloud gives businesses and MSPs a real-time view of what sites are being accessed and includes an extensive reporting suite that gives full visibility into the activities of users. The solution also allows different controls to be applied for departments, user groups, and individuals, and supports time-based filtering controls.
For further information on DNS filtering and WebTitan Cloud, give the TitanHQ team a call today. You can also book a product demonstration to see WebTitan Cloud in action and try the product for yourself with a free 2-week trial.
DNS Malware Protection: FAQ
What is a DNS hijacking?
Domain Name Systems (DNS) covert domain names to internet provider (IP) addresses so that resources can connect to the Internet. Essentially, this means that when a user types a website name into a browser bar, the DNS will convert this to an IP address, allowing users to access webpages.
DNS hijacking (also called DNS redirection or poisoning) is a process that redirects users to malicious websites. If a user types a domain name into a rogue DNS server, it can redirect them from their intended website that contains malware or illegal content. In some countries, DNS hijacking is used as a form of censorship.
What are “Denial of Service” attacks?
A denial-of-service (DoS) attack aims to overwhelm networks or machines by flooding them with too many requests for the target to respond to. This will greatly slow the functioning of the target, or cause it to crash. These attacks can cause severe disruptions, as users cannot submit legitimate requests to the target network. They are then unable to access emails, online accounts, or websites, having obvious productivity implications.
Do DNSs have any inbuilt protections?
No, DNS do not have inbuilt protections. DNSs implicitly trust all domain names entered into the browser, and has no means of checking the legitimacy of the IP address that it retrieves. This leaves it vulnerable to tampering.
What is DNS filtering?
DNS filtering is a means of blocking malicious websites. It can be used by businesses to prevent their employees from accessing sites that have been blacklisted. The DNS filter blocks specific IP addresses, so the website cannot be loaded even if an employee types its domain name into a web browser. This can dramatically improve the security of a network, but has the additional benefit of allowing businesses to block websites that might distract employees from their work.