What is DNS?

DNS was built in the early 1980s to solve the problems posed by the early Internet (the ARPAnet), which used to hold name-to-address translations in a single table on a single host (HOSTS.TXT). The full name of DNS is “Domain Name Service,” which helps us translate an IP address to a domain name or the reverse. Without it, you would need to remember the IP addresses of all the websites you frequently browse, like Facebook, Google, or Twitter. In short, DNS is a set of specific servers on the internet that comprises the operators of root and top-level domain servers, recursive name services, authoritative name services offered by managed DNS operators, and domain registrars that handle domain names.

Why is DNS Insecure?

DNS is a stateless protocol, and there is no authentication built in. By design, DNS does not have security in place (again, the importance of a security mindset). The records on DNS servers are subject to unauthorized modifications. A DNS query may not always respond as expected, which in fact is not new to cybersecurity professionals.

DNS threats are common. DDoS, Man-in-the-Middle, DNS spoofing, and DNS poisoning are all examples of DNS attacks at different expertise or skill levels. Recently, DNS has also been used by hackers as a covert channel for launching attacks or stealing data.

According to IDC’s 2020 Global DNS Threat Report:
- 79% of organizations were hit by DNS attacks in 2019 (from 82% in 2018), of which the average cost was around $924,000 per attack.
- On average, each organization was affected by 9.5 DNS attacks.
- DNS attacks caused application downtime for 82% of organizations.
- 75% of attacks were not mitigated automatically.

DNS is concerning, and with more applications relying on active connections, it will be a major threat now and in the future. Even worse, as you can see, most DNS threats are not mitigated automatically. The Work from Home (WFH) movement has put corporations at risk of being targeted by cybercriminals, because nearly none of us has the same enterprise-grade security at home as in the office. The recent bugs (DNSpooq) also alarmed us to take DNS more seriously.

How to Enhance DNS Security

I will provide several ways to enhance your DNS security. Each of them can work separately. I will also add remarks on the skill level so that you know which one you can choose.

DNS Monitoring

Visibility is the priority for taking preventive actions (you cannot protect what you can’t see). That’s why having a visualization tool is important. In the corporate network, we all have firewalls to protect against intruders. But for the home network, a dedicated firewall may be overkill. A software firewall that sits on your laptop or mobile device could be a more reasonable choice. The following all provide a graphical view of connections and can provide alerts specifically on DNS. The application/process view also offers insights into suspicious connections. This is particularly useful on Android devices, as we are not fully aware of the over-allowed permissions and hidden code in mobile apps.

Lockdown Privacy (Beginner) — for iOS only. It is an open-source mobile app focused on privacy and network monitoring. The default settings would be sufficient for DNS security protection. Lockdown also provides a VPN service.

Glasswire (Beginner) — the easiest one I tried is Glasswire, which supports Android and Windows.

Pfsense (Advanced) — Pfsense is an appliance-based firewall that supports virtual machine format. If you need a centralized firewall for a SOHO network or have more than 5 devices, it is better to have a consolidated view as the control point.

DNS Filtering and Encryption

Instead of using firewalls as a middleman, another option is DNS filtering by DNS service providers to control the DNS connections.
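As an added example (not from the original post or from any of the tools named in the DNS Monitoring section above), this is the kind of check a DNS monitor runs behind its alerts: it scans a constructed DNS query log for long, high-entropy labels and repeated TXT lookups, the trace that the covert-channel use of DNS mentioned earlier leaves behind. The log layout, thresholds, and sample domains are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not output of any real tool); the
# "timestamp client qname qtype" layout is an assumption for this example.
SAMPLE_LOG = """\
2021-02-01T09:00:01 192.168.1.20 www.example.com A
2021-02-01T09:00:02 192.168.1.20 fonts.gstatic.com A
2021-02-01T09:00:03 192.168.1.31 a3f9c1e7b2d4.ad-tracker.example.net A
2021-02-01T09:00:04 192.168.1.31 zxq8v2k9m1p3t7w5y0r4.exfil.example.org TXT
2021-02-01T09:00:05 192.168.1.31 h6j2n8b4c0d7f1g5k3l9.exfil.example.org TXT
2021-02-01T09:00:06 192.168.1.31 p2q4r6s8t0u1v3w5x7y9.exfil.example.org TXT
2021-02-01T09:00:07 192.168.1.20 mail.example.com MX
"""

MAX_LABEL_LEN = 16  # labels at least this long look machine-generated
MIN_ENTROPY = 3.5   # bits per character; ordinary hostnames sit well below this
MIN_HITS = 3        # repeats from one client before a domain is flagged

def shannon_entropy(text):
    """Bits per character of a string; high values mean random-looking data."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def looks_encoded(label):
    """True when one DNS label is long and high-entropy, i.e. likely carries data."""
    return len(label) >= MAX_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY

def parent_domain(qname):
    """Rough 'registered domain': the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text):
    """Return suspicious queries and the (client, domain) pairs that repeat them."""
    suspicious, hits = [], defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the monitor
        ts, client, qname, qtype = parts
        if looks_encoded(qname.split(".")[0]) or qtype in ("TXT", "NULL"):
            suspicious.append((ts, client, qname, qtype))
            hits[(client, parent_domain(qname))] += 1
    flagged = sorted(k for k, v in hits.items() if v >= MIN_HITS)
    return {"suspicious": suspicious, "flagged": flagged}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample log the three TXT lookups from 192.168.1.31 are reported and example.org is flagged for that client; the ad-tracker request is not, because its label is short enough to pass the length rule.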
There are several advantages to enabling DNS filtering:
- Block privacy- and security-related requests
- Provide encrypted DNS that prevents unauthorized modification of the query
- Prevent infection from adware and hidden scripts on webpages

All you need to do is redirect the original DNS to a customized DNS provider on your devices. It also offers you insights into the blocked DNS queries, such as Blocked Reasons and Blocked Domains. It also provides instructions on how to configure the home router (intermediate skill required) for home settings. The prerequisite is that you back up the original settings before making any changes.

Below I’ve listed several DNS filters that you can deploy to maintain security in DNS:

1. DNSCloak (Beginner)

It is an iOS app for secure DNS. It supports DNSCrypt and DNS-over-HTTPS (DoH) to ensure the integrity of DNS traffic. Ad-blocking features are also supported.

2. AdGuard DNS (Beginner)

AdGuard DNS is a fool-proof method to block ads that does not require installing any applications. It is easy to use, free, and easily set up on any device. One drawback of AdGuard is limited customization.

3. Cloudflare DNS (Beginner to Intermediate)

Cloudflare provides free DNS encryption since 2014. The DNS IPv4 address is “1.1.1.1”. One bonus of Cloudflare is that it can accelerate our browsing, as the company is originally a content distribution provider. The simplest setup is to change your original DNS to “1.1.1.1” and “1.0.0.1”. The service also provides multi-platform support, and configuration is minimal. When you type “1.1.1.1” in your browser, you will get to the page that contains the installation instructions as below:

4. NextDNS (Beginner to Intermediate)

Another free-to-use DNS provider is NextDNS. It provides a wide range of protections, from malicious websites to ads and trackers. Like Cloudflare, NextDNS provides an agent-less, configuration-only setup and agent-based installation.
To start, go to the NextDNS website and click “Try it now.” For long-term use, it is required to register an account. There is a Privacy tab for customization. The “Native Tracking Protection” option can block the native tracking of specific devices (Apple, Windows, Alexa, Roku, Samsung, Xiaomi, Huawei, and Sonos).

Final Words

DNS is a vital component and the root of the internet, integrating everything related to the IT infrastructure. It is no wonder that it has shifted to a lucrative spot for attackers. Working at home does not necessarily mean lowered security. All in all, it’s necessary to take decisive steps to enforce and sustain DNS protection measures. This time I suggested two ways to protect your DNS even when you are working remotely.

1# DNS monitoring by a software firewall.
- Lockdown Privacy (Beginner) — for iOS only.
- Glasswire (Beginner) — the easiest one I tried is Glasswire, which supports Android and Windows.
- Pfsense (Advanced)

2# DNS filtering and encryption by software or DNS service provider.
- DNSCloak (Beginner) — It is an iOS app for secure DNS.
- AdGuard DNS (Beginner) — Both agent-less or mobile apps.
- Cloudflare DNS (Beginner to intermediate) — Both agent-less or mobile apps.
- NextDNS (Beginner to intermediate) — Both agent-less or mobile apps.

Thank you for reading. May InfoSec be with you🖖.

Previously published here.
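An added example, not part of the original post and not Cloudflare's or NextDNS's own code, of what the encrypted-DNS option from the filtering section above carries on the wire: it builds a plain DNS query for www.example.com, wraps it in the DNS-over-HTTPS GET form (RFC 8484) that the 1.1.1.1 service accepts, and parses a reply while checking that the transaction ID matches the query it sent. The reply bytes are constructed inline, so nothing touches the network; the endpoint URL and the sample address are assumptions for the example.

```python
import base64
import struct
DOH_URL = "https://cloudflare-dns.com/dns-query"  # DoH endpoint of the 1.1.1.1 service (RFC 8484)

def encode_name(name):  # 'www.example.com' -> length-prefixed labels + root label
    parts = [bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")]
    return b"".join(parts) + b"\x00"

def build_query(name, txid=0x1234):  # header (RD set, one question) + A/IN question
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def doh_get_url(query):  # GET form: base64url of the raw message, padding stripped
    return DOH_URL + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length >= 0xC0:  # two-byte compression pointer into an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def parse_a_answers(msg, expected_id):
    """IPv4 strings from the answer section; reject ID mismatches and non-responses."""
    txid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if txid != expected_id or not flags & 0x8000:
        raise ValueError("transaction ID mismatch or not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question (name + type + class)
        off = read_name(msg, off)[1] + 4
    ips = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

# Constructed reply (not captured traffic): same ID, QR/RD/RA flags, one A record via a pointer.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + encode_name("www.example.com")
                   + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
```

To use it live, fetch the URL from doh_get_url with any HTTPS client sending the header Accept: application/dns-message and hand the response body to parse_a_answers; over plain UDP port 53 the same bytes would travel unencrypted, which is what the on-path modification mentioned above exploits.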