DNS was built in the early 1980s to solve the problems posed by the early Internet (the ARPAnet), which used to hold name-to-address translations in a single table on a single host (HOSTS.TXT).
The full name of DNS is “Domain Name Service,” which helps us translate an IP address to a domain name or the reverse. Without it, you would need to remember the IP addresses of all the websites you frequently browse, like Facebook, Google, or Twitter.
In short, DNS is a set of servers on the internet comprising the operators of root and top-level domain servers, recursive name services, authoritative name services offered by managed DNS operators, and domain registrars that handle domain names.
DNS is a stateless protocol with no built-in authentication. By design, DNS does not have security in place (again, the importance of a security mindset).
The records on DNS servers are subject to unauthorized modification. A DNS query may not always be answered as expected, which is nothing new to cybersecurity professionals.
DNS threats are common. DDoS, Man-In-The-Middle, DNS spoofing, and DNS poisoning are all examples of DNS attacks, carried out by attackers of different skill levels. Recently, DNS has also been used by hackers as a covert channel for launching attacks or stealing data.
According to IDC’s 2020 Global DNS Threat Report:
79% of organizations were hit by DNS attacks in 2019 (from 82% in 2018) of which the average cost was around $924,000 per attack. On average, each organization was affected by 9.5 DNS attacks. DNS attacks determined application downtime for 82% of organizations. 75% of attacks were not mitigated automatically.
DNS security is a concern, and with more applications relying on active connections, it will be a major threat vector now and in the future. Even worse, as you can see, most DNS threats are not mitigated automatically.
The Work from Home (WFH) movement has put corporations at risk of being targeted by cybercriminals, because almost none of us have the same enterprise-grade security at home as in the office. The recent bugs (DNSpooq) were also a warning to take DNS more seriously.
I will provide several ways to enhance your DNS security. Each of them can work separately. I will also add remarks on the skill level so that you know which one to choose.
Visibility is the priority for taking preventive actions. (You cannot protect what you can’t see.) That’s why having a visualization tool is important. In the corporate network, we all have firewalls to protect from intruders.
But for the home network, a dedicated firewall may be overkill. A software firewall that sits on your laptop or mobile device could be a more reasonable choice.
The following all provide a graphical view of connections and can provide alerts specifically on DNS.
The application/process view also offers insight into suspicious connections. This is particularly useful on Android devices, as we are not fully aware of the excessive permissions and hidden code in mobile apps.
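To make the per-process view concrete, here is an added example (not from the original article or from any firewall product) of the kind of check such a tool can run over its DNS log. The log format, thresholds, and function names are assumptions made for illustration, and the log lines are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample: "<time> <process> <queried name>", as a per-process
# firewall view might export it. Not output from any real tool.
SAMPLE_LOG = """\
10:00:01 browser www.example.com
10:00:02 browser cdn.example.com
10:00:05 updater a9f3k2l0q8z7x1c5v4b6n3m2p0o9i8u7.t.example.net
10:00:06 updater k2j4h6g8f0d1s3a5q7w9e2r4t6y8u0i1.t.example.net
10:00:07 updater z1x2c3v4b5n6m7q8w9e0r1t2y3u4i5o6.t.example.net
10:00:09 mail imap.example.org
"""

def entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def parent(name, keep=2):
    """Last `keep` labels; a real tool would use the Public Suffix List."""
    return ".".join(name.rstrip(".").split(".")[-keep:])

def review(log, max_label=30, min_entropy=3.5, max_unique=2):
    """Return {process: [reasons]} for processes whose DNS use looks unusual."""
    seen = defaultdict(set)      # (process, parent domain) -> unique names
    findings = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue             # skip malformed lines
        _, proc, name = parts
        name = name.lower()
        seen[(proc, parent(name))].add(name)
        for label in name.split("."):
            # Long, random-looking labels are typical of data carried in DNS names.
            if len(label) > max_label and entropy(label) >= min_entropy:
                findings[proc].append(f"long random-looking label in {name}")
    for (proc, dom), names in seen.items():
        # Many distinct names under one parent is a second covert-channel hint.
        if len(names) > max_unique:
            findings[proc].append(f"{len(names)} unique names under {dom}")
    return dict(findings)

if __name__ == "__main__":
    for proc, reasons in review(SAMPLE_LOG).items():
        print(proc, reasons)
```

The thresholds are deliberately low so the small sample triggers them; on real traffic they need tuning, since CDNs and telemetry services also generate long or numerous subdomains.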
Instead of using a firewall as a middleman, another option is DNS filtering by a DNS service provider to control DNS connections. There are several advantages to enabling DNS filtering:
All you need to do is redirect the original DNS to a customized DNS provider on your devices. It also gives you insight into blocked DNS queries, such as Blocked Reasons and Blocked Domains.
It also provides instructions on how to configure the home router (intermediate skill required) for home settings. The prerequisite is that you back up the original settings before making any changes.
Below I’ve listed several DNS filters that you can deploy to maintain DNS security:
1. DNSCloak (Beginner)
It is an iOS app for secure DNS. It supports DNSCrypt and DNS-over-HTTPS (DoH) to ensure the integrity of DNS traffic. Ad-blocking features are also supported.
2. AdGuard DNS (Beginner)
AdGuard DNS is a foolproof way to block ads that does not require installing any applications. It is easy to use, free, and easily set up on any device. One drawback of AdGuard is limited customization.
3. Cloudflare DNS (Beginner to Intermediate)
The DNS IPv4 address is “1.1.1.1”. Cloudflare has provided free DNS encryption since 2014. One bonus of Cloudflare is that it can accelerate our browsing, as the company is originally a content distribution provider.
The simplest setup is to change your original DNS to “1.1.1.1” and “1.0.0.1”. The service also provides multi-platform support, and configuration is minimal. When you type “1.1.1.1” in your browser, you will reach a page that contains the installation instructions.
4. NextDNS (Beginner to Intermediate)
Another free-to-use DNS provider is NextDNS. It provides a wide range of protections, from malicious websites to ads and trackers. Like Cloudflare, it offers both an agent-less, configuration-only setup and an agent-based installation.
To start, go to the NextDNS website and click “Try it now.” For long-term use, it is required to register an account. There is a Privacy tab for customization. The “Native Tracking Protection” option can block the native tracking of specific devices (Apple, Windows, Alexa, Roku, Samsung, Xiaomi, Huawei, and Sonos).
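Several of the options above rely on DNS-over-HTTPS. As an added example (not part of the original article or any provider's client code), the following shows what a DoH request actually contains: an ordinary DNS query message, base64url-encoded into an HTTPS GET as described in RFC 8484. The endpoint URL is Cloudflare's public DoH address and does not appear in the article; the function names are illustrative.

```python
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # Cloudflare's public DoH URL

def build_query(name, qtype=1):
    """Encode a DNS question (qtype 1 = A record) in wire format."""
    # Header: ID 0 (RFC 8484 recommends 0 so HTTP caches can be shared),
    # flags with RD set, one question, no answer/authority/additional records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label length in {name!r}")
        qname += bytes([len(raw)]) + raw
    # Root label, then QTYPE and QCLASS (1 = IN).
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(name, qtype=1, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: message as unpadded base64url in the `dns` parameter."""
    msg = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{endpoint}?dns={msg.decode('ascii')}"

def parse_header(message):
    """Return (rcode, answer_count) from the 12-byte DNS response header."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", message[:12])
    return flags & 0x000F, ancount

if __name__ == "__main__":
    # On the wire, an observer sees only a TLS connection to the resolver;
    # the queried name travels inside the encrypted request.
    print(doh_get_url("www.example.com"))
```

Because the whole query sits inside HTTPS, a device on the same network cannot read or alter it, which is the integrity and privacy gain over plain DNS on port 53.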
DNS is a vital component and the root of the internet, integrating everything related to the IT infrastructure. It is no wonder that it has become a lucrative target for attackers.
Working at home does not necessarily mean lowered security. All in all, it’s necessary to take decisive steps to enforce and sustain DNS protection measures. This time I suggested two ways to protect your DNS even when you are working remotely.
1. DNS monitoring by a software firewall.
2. DNS filtering and encryption by software or DNS service provider.
Thank you for reading. May InfoSec be with you🖖.