NSA, CISA, issue guidance on Protective DNS services
The National Security Agency (NSA) and Cybersecurity and Infrastructure Agency (CISA) released a joint information sheet Thursday that offers guidance on the benefits of using a Protective Domain Name System (PDNS).
A PDNS service uses existing DNS protocols and architecture to analyze DNS queries and mitigate threats. It leverages various open source, commercial, and governmental threat feeds to categorize domain information and block queries to identified malicious domains.
According to NSA and CISA, the service provides defenses in various points of the network exploitation lifecycle, addressing phishing, malware distribution, command and control, domain generation algorithms, and content filtering. A PDNS can log and save suspicious queries and provide a blocked response, delaying or preventing malicious actions – such as ransomware locking victim files – while letting organizations investigate using those logged DNS queries.
The information sheet offers a list of providers, but NSA and CISA were clear that the federal agencies do not endorse one provider over another. The six companies listed are: Akamai, BlueCat, Cisco, EfficientIP, Neustar, and Nominet.
NSA and CISA based its recommendations on the lessons learned from an NSA PDNS pilot, where NSA partnered with the Department of Defense Cyber Crime Center to offer PDNS-as-a-service to several members of the defense industrial base. Over a six-month period, the PDNS service examined more than 4 billion DNS queries to and from the participating networks, blocking millions of connections to identified malicious domains.
Researchers say security pros should think of PDNS solutions as a “DNS firewall” that represents a logical way to actively leverage threat intelligence related to registered domains, said Oliver Tavakoli, chief technology officer at Vectra.
“Like other preventive approaches, they are useful in protecting organizations from known bads, but ultimately fall short in blocking the early stages of a new attack or more sophisticated attacks,” Tavakoli said. “So it makes sense to implement PDNS to reduce attack surface, however, it should not be thought of as a preventive silver bullet that obviates the need to detect attackers who know how to bypass these protections.”
Ray Kelly, principal security engineer at WhiteHat Security, added that DNS exploitations are still incredibly rampant and require some attention because they are such an effective technique used by malicious actors.
“The capability to reroute email, user web browsers, as well as distribute malware at scale are possible when a DNS address has been compromised,” Kelly said. “Any steps to mitigate attack vectors such as DNS spoofing and DNS cache poisoning will go a long way to help keep users and companies safe from such threats.”