As cyberattacks become increasingly sophisticated, safeguarding national critical infrastructure and services and the citizens of a country demands strong, evolving protection. One such measure gaining traction is the implementation of a country-wide Protective DNS (Domain Name System).
This blog post explores the concept, benefits, and challenges of deploying a Protective DNS at a national level, with insights from existing large-scale implementations by the United States Cybersecurity and Infrastructure Security Agency (CISA), Quad-9 in the UK, and the European Union’s new Protective DNS.
Benefits of Protective DNS
Protective DNS is a filtering DNS resolver designed to block access to malicious domains, often blocking cyberattacks before they can cause harm. It achieves this by filtering DNS queries and providing threat intelligence to identify and block malicious sites in real-time. Protective DNS plays a crucial role in defending against various cyber threats, such as ransomware, malware, and phishing attacks.
Why implement a countrywide Protective DNS?
Every country worldwide provides a range of essential services to its population that require the highest levels of protection from cyber threats. A countrywide Protective DNS is a critical aspect of that protection and provides several benefits, including:
Faster threat blocking.
Most countries do not have the capability to block malicious domains quickly because their ISPs (Internet Service Providers) and other connectivity providers, such as public Wi-Fi providers, are privately held. Even if the country’s Computer Emergency Response Team (CERT) identifies a phishing attack, it has no quick mechanism to block the domains and FQDNs (Fully Qualified Domain Names) used by the attackers.
Instead, the country CERT reports the phishing sites to ISPs, but the sites are blocked at the ISP’s discretion, often taking anywhere from 1 to 10 days. In most cases, the ISP institutes an IP address block, which means that if the cybercriminals use a shared provider like a Content Delivery Network (CDN), the block also takes down other websites that use the CDN. The result is that the phishing campaign can rotate through domains faster than the CERT can get them blocked.
However, a PDNS offers rapid blocking of malicious sites, providing real-time mitigation against cyber threats.
Cyber Threat Intelligence.
Attacks against critical infrastructure are unique to a country or region. For example, a country in Southeast Asia, Eastern Europe, or Africa has its own unique set of banks, transportation, utilities, postal service, and government ministries that are not seen elsewhere. However, most Cyber Threat Intelligence (CTI) feeds and services focus on the North American financial services industry because those companies have a larger budget for CTI data.
To compensate for this bias in CTI data, countries can use their own Protective DNS deployment to aggregate and analyze DNS logs and to generate their own DNS-based CTI data about threats that are directed against their critical infrastructure. They can then block those threats and analyze them further for law enforcement action.
Internet content filtering and censorship.
In the past 10 years, governments have had to set policies regarding what types of content they filter inside of their country. This includes variations of the following content types:
- Adult content: While the definition ranges from pornography to intimate apparel or even mature topics, most countries have a list of content that they would like to filter.
- Foreign news sources: These have varying journalistic standards, levels of truthfulness, and propaganda bias. For countries that have a large immigrant or guest worker population, being able to filter out disinformation, misinformation, and malinformation is important to limit their impact on the country.
- Illegal services: Some websites are censored inside of a country because the services that they offer, such as gambling, prostitution, or some financial transactions, are illegal inside their jurisdiction.
Use cases for countrywide Protective DNS.
There are several places where countrywide Protective DNS makes sense and can significantly improve a country’s cyberdefenses.
Government systems and data.
Government ministries, agencies, and departments are frequently targeted by other nations and cybercriminals because the government holds the most complete sets of data about the country. Being able to analyze, detect, and block malware downloads, beacons, and command and control traffic is critical for governments to protect the data they hold and to fulfil their mission of keeping the country functioning.
Critical infrastructure protection.
Securing essential services and critical infrastructure or key resources like energy, water, and transportation is vital for national security. Often these are privately owned and operated but still receive the same types of attacks as the country’s government. Protective DNS can play a significant role in this effort and provide intelligence to the country CERT and other critical infrastructure organizations.
Small and medium business.
Small and Medium Businesses (SMBs) are one of the most underserved markets for cybersecurity tools and many governments have problems building a strategy to help them. A countrywide Protective DNS solution offers a cost-effective and simple security solution that can protect SMBs and reinforce a country’s SMB cybersecurity strategy.
Free public Wi-Fi.
Many public areas such as airports, cafes, and libraries offer free Wi-Fi for both citizens and visitors. Public Wi-Fi users can bring malware from other networks and unintentionally infect other devices on the Wi-Fi network or launch attacks on targets across the internet. Countrywide Protective DNS can help to limit the impact and frequency of attacks using public Wi-Fi.
Country-wide PDNS implementation architecture.
Several implementation details shape a countrywide Protective DNS solution.
DNS forwarding.
In forwarding, DNS resolvers on a LAN or WAN forward queries from users to a cloud Protective DNS service instead of performing recursion themselves. This is the quickest way to onboard and protect large numbers of users and devices, especially when they are inside one network.
When the forwarding resolver also caches answers for the Time to Live (TTL) carried in each answer, it reduces the number of queries sent to the cloud Protective DNS servers and provides better reliability, offload, and speed for users of that forwarding resolver.
Forwarding allows the Protective DNS to receive queries that can be logged and analyzed to generate CTI and block threats specific to the country.
Forwarding preserves privacy since the Protective DNS receives queries from the network resolver and not individual users. However, it is possible to do traffic analysis on the organization (company, government agency/ministry, etc.) based on queries coming from their on-network resolvers.
Forwarding allows for incredibly rapid blocking, since a true next-generation Protective DNS performs full recursion for queries and checks them in real-time against a data lake to determine if the domain and FQDN are safe.
Publishing blocklists as a Response Policy Zone or text file.
In Response Policy Zones (RPZ), DNS administrators set up a DNS zone that contains blocked domains and FQDNs. DNS resolvers pull the blocklist zone from the publisher with a recurring zone transfer and apply it on their recursive server.
A similar technique is to publish a text file containing blocked hosts and domains. DNS administrators then use a facility built into their resolver software or another piece of software to download the blocked host list via HTTPS and implement it as a blocklist on the resolver.
By using the on-network resolver as a full recursive server, these methods reduce the risk of a countrywide Protective DNS being unavailable.
These methods are particularly good at protecting user privacy since the Protective DNS service does not receive any queries from the users. However, this also means there is no query log for CTI. Resolvers can forward their sanitized logs through a different mechanism to restore this visibility.
These methods incur a protection gap depending on how frequently the blocklist is updated, published, and synchronized to the individual recursive servers.
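The RPZ publishing model described above, as an added example that is not part of the original post: a small parser for an RPZ QNAME-trigger zone and the lookup a recursive resolver performs against it for each query. The zone text, zone name and host names are constructed, and the record semantics (CNAME . for NXDOMAIN, CNAME *. for NODATA, CNAME rpz-passthru. for allow, most specific owner wins) follow the ISC RPZ convention, which is assumed rather than stated on the page.

```python
# Added example (not from the original post): evaluate query names against a
# Response Policy Zone (RPZ) blocklist such as a country CERT could publish.
# Record meaning follows the ISC RPZ convention (assumed): "CNAME ." = NXDOMAIN,
# "CNAME *." = NODATA, "CNAME rpz-passthru." = allow; "*.name" matches every
# subdomain of name; the most specific matching owner wins. Zone text is constructed;
# owner names are relative to $ORIGIN, which in RPZ is exactly the trigger name.
RPZ_ZONE = """
$ORIGIN rpz.cert.example.                       ; constructed zone name
phish-login.example        CNAME .              ; NXDOMAIN for the apex
*.phish-login.example      CNAME .              ; and for every subdomain
*.cdn-shared.example       CNAME *.             ; NODATA, apex stays reachable
ok.cdn-shared.example      CNAME rpz-passthru.  ; explicit allow for one host
"""
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}

def parse_rpz(zone_text):
    """Return {owner: action}; owners lowercased without trailing dot (TTL/class omitted)."""
    policy = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()         # strip comments
        if not line or line.startswith("$"):        # skip blanks and directives
            continue
        owner, rtype, target = line.split()
        if rtype.upper() == "CNAME" and target in ACTIONS:  # QNAME triggers only
            policy[owner.lower().rstrip(".")] = ACTIONS[target]
    return policy

def evaluate(policy, qname):
    """Exact owner first, then the nearest '*.' ancestor; no match means normal resolution."""
    name = qname.lower().rstrip(".")
    if name in policy:
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):                 # walk towards the root
        action = policy.get("*." + ".".join(labels[i:]))
        if action:
            return action
    return "ALLOW"
```

The protection gap mentioned above is the interval between a change to this zone at the publisher and the next successful transfer on each resolver, so the zone's refresh interval should be set as low as the publisher's servers can sustain.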
Endpoint clients.
Most Protective DNS solutions support endpoint clients, which serve the use cases of government and enterprise IT systems. These endpoint clients capture DNS queries from the device and forward them to the Protective DNS service. This is ideal for users on separate networks where forwarding to Protective DNS is not possible, such as in coffee shops, hotels, and other countries.
Advanced endpoint clients can detect if they are on an internal LAN and participate in forwarding instead of using Protective DNS directly. This allows internal hostnames to resolve using LAN resolvers.
Endpoint clients used with a next-generation Protective DNS allow users to set a protective policy for groups of endpoint clients based on device or user identifier.
Endpoint clients do not support privacy because each DNS query is identified to the machine that sent it. This makes them more suitable for government agencies or critical infrastructure users on organization-owned devices.
Blocking alternative DNS.
One of the implementation details for a Protective DNS is to block several alternative methods of DNS resolution:
- Link-Local Multicast Name Resolution (LLMNR): This multicast DNS protocol uses network broadcast traffic on a LAN to resolve hostnames. There are other variations of multicast DNS called Bonjour or ZeroConf. Because LLMNR allows hostnames to be hijacked when attackers are inside of the broadcast domain, most organizations consider it to be a vulnerability and disable it for their devices.
- DNS over HTTPS (DoH): This protocol was created to evade censorship in oppressive regimes by sending DNS queries over HTTPS requests, typically implemented inside of the user’s browser. However, this also turns into a side channel that evades Protective DNS. Most of the commonly used DoH servers are blocked by Vercara’s Protective DNS, UltraDDR, in the “Anonymous Proxies” category.
- LAN resolvers on “foreign” networks: For laptops and mobile devices on a network such as a coffee shop’s, ignoring local resolvers such as those provided by Dynamic Host Configuration Protocol (DHCP) keeps the local resolver from hijacking queries intended for the Protective DNS.
Countrywide sinkhole or selective proxy.
When DNS queries are blocked in a next-generation Protective DNS solution, the resolver answers with the IP address of a sinkhole instead of the real address. The sinkhole logs the IP addresses that send traffic to it in order to generate CTI. Sinkholes can also present a message to the user explaining why their traffic was blocked. In a variation of a sinkhole, the user is directed to a proxy where the full URL and response object can be analyzed to determine whether it is malware.
A major implementation detail of a sinkhole or selective proxy is the use of Transport Layer Security (TLS) certificates. In enterprise use cases for sinkholes and selective proxies, endpoints install a Certificate Authority certificate used to generate certificates for FQDNs sent to the sinkhole. While this is acceptable for government agencies and critical infrastructure, this practice is considered not suitable for the public inside of a country because of privacy and impersonation challenges.
Implementing a countrywide protective DNS.
There are several problems that a countrywide Protective DNS needs to solve to be a viable solution, including:
Scalability.
When most of a country’s DNS queries go to one set of DNS resolvers as a Protective DNS service, being able to scale the DNS service is critical to keep the country’s internet access running. Several techniques, such as caching forwarders, can reduce the volume of queries going to the Protective DNS service.
Reliability.
Organizations such as ISPs, telecommunications providers, and other connectivity providers might not want to become dependent on a government-provided service. In these cases, forwarding with caching, blocklist publishing with a logging facility, and the ability to fail over to their own recursion can provide additional resiliency.
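The forwarding-with-caching arrangement from the DNS forwarding section together with the failover to local recursion described here, as an added example that is not part of the original post. The cloud Protective DNS and the resolver's own recursion are stand-ins (injected callables), so it runs offline; every name and address in it is constructed.

```python
# Added example (not from the original post). Upstream Protective DNS and local
# recursion are injected callables so this runs offline; all names/addresses are constructed.
import time

class CachingForwarder:
    def __init__(self, forward_to_pdns, local_recurse, clock=time.monotonic):
        self.forward = forward_to_pdns    # callable(qname, qtype) -> (answer, ttl)
        self.recurse = local_recurse      # callable(qname, qtype) -> (answer, ttl)
        self.clock = clock
        self.cache = {}                   # (qname, qtype) -> (answer, expires_at)
        self.stats = {"hit": 0, "forwarded": 0, "failover": 0}

    def resolve(self, qname, qtype="A"):
        key = (qname.lower().rstrip("."), qtype.upper())
        now = self.clock()
        cached = self.cache.get(key)
        if cached and cached[1] > now:    # answer still within its TTL: no upstream query
            self.stats["hit"] += 1
            return cached[0]
        try:
            answer, ttl = self.forward(*key)
            self.stats["forwarded"] += 1
        except ConnectionError:           # cloud service unreachable: keep resolving
            answer, ttl = self.recurse(*key)  # locally, accepting loss of PDNS blocking
            self.stats["failover"] += 1
        # Clamp TTL: ceiling bounds how long an answer outlives a blocklist change,
        # floor of 1 s still absorbs query bursts for zero-TTL records.
        ttl = max(1, min(ttl, 300))
        self.cache[key] = (answer, now + ttl)
        return answer

def demo():
    """Constructed scenario: 1000 clients query two names, then the cloud fails."""
    clock, outage = [0.0], [False]        # fake time and fake outage switch
    pdns_table = {"bank.example": ("203.0.113.10", 60),      # constructed answers
                  "phish-login.example": ("192.0.2.1", 60)}  # 192.0.2.1 = sinkhole
    def pdns(qname, qtype):
        if outage[0]:
            raise ConnectionError("Protective DNS unreachable")
        return pdns_table.get(qname, ("203.0.113.99", 60))
    def recurse(qname, qtype):            # stand-in for the resolver's own recursion
        return ("198.51.100.7", 30)
    fwd = CachingForwarder(pdns, recurse, clock=lambda: clock[0])
    for _ in range(1000):
        fwd.resolve("bank.example")
        fwd.resolve("phish-login.example")
    clock[0], outage[0] = 61.0, True      # cached TTLs expired and cloud now down
    fwd.resolve("bank.example")
    return fwd.stats                      # {"hit": 1998, "forwarded": 2, "failover": 1}
```

Two thousand client queries cost the cloud service two lookups, and the one query issued during the outage is answered by local recursion rather than failing.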
Privacy.
Some architectural modes for Protective DNS are better at protecting the privacy of users, while other modes are better for CTI analysis and faster blocking. A good Protective DNS supports multiple deployment modes to balance these competing requirements.
Customizability and configurability.
Most Protective DNS solutions are built for enterprise use and enforce one policy across all users. A truly countrywide Protective DNS is built on a federated model that allows organizations such as government, critical infrastructure, and businesses to set their own policy on acceptable usage while still having a standard for the entire country.
Towards a safer future.
Deploying a country-wide protective DNS offers numerous benefits, including enhanced threat detection, real-time blocking, and improved data security. However, challenges such as scalability, reliability, and privacy must be carefully managed. Vercara’s Protective DNS, UltraDDR, meets these challenges head-on.
Organizations should consider implementing protective DNS to bolster their cybersecurity posture and protect their nation, its economy, and its citizens. For more information and resources on UltraDDR, check out these resources or contact our support team.