Newcomer I

Re: Secure DNS misconceptions

What a timely post for me.  I have this exact issue at work and your information was very helpful - thanks

 

L A Jensen  

Community Champion

Re: Secure DNS misconceptions

You are quite welcome!

 

I'm glad you have found it useful.

Newcomer I

Re: Secure DNS misconceptions

Hi Vladimir,

Thanks for this information. Very helpful!
Make Everyone Into A Human Firewall
www.goodsecurityawareness.com
Lxs
Newcomer I

Re: Secure DNS misconceptions

@Vladimir, thank you for sharing your perspective - and even more meaningful to also share a guide to a related fix on Windows 10.

Your comments are valid.

I would add that some folks are altering their DNS not necessarily for misguided (edit: holistic) security perks, but rather for speed. The response time from 1.1.1.1 CloudFlare (or 9.9.9.9 IBM) might on average be a little quicker than default DNS that the user was previously experiencing. This has led some to modify DNS locally on devices, or perhaps configure their home router (or work router).

Related YouTube video by Linus Tech Tips:
https://www.youtube.com/watch?v=kqnvrjgyEMc

Community Champion

Re: Secure DNS misconceptions

Both are actually valid reasons: the speed, as you have mentioned, definitely improves when using Cloudflare, unless your carrier is blocking it (AT&T incident, already resolved).

 

The RELATIVE security factor is also present: if using 9.9.9.9, you are actually better off from a security perspective, as IBM does filter DNS queries using their threat intelligence platform. So the probability of accessing malware-loaded sites or tripping CNC is reduced.

 

It's the assumption of complete DNS security and privacy specifically, when relying on simple NS configuration changes, that is dangerous.

Lxs
Newcomer I

Re: Secure DNS misconceptions

@vt100 agree.
Viewer III

Re: Secure DNS misconceptions

Thank you, vt100! I appreciate your post. I've been researching DNS security and auditing, and it is definitely a problem area. I've looked at products like Infoblox that mitigate data leakage where the DNS stream is utilized to exfiltrate data. I'd love to see more information in this area.

 

Community Champion

Re: Secure DNS misconceptions

@rpenner You are quite welcome!

Yes, DNS is the major vector for C&C, data exfiltration and side-channel communication. Interestingly enough, it was used to some degree for the delivery of updates in restricted environments by some vendors and, subsequently, by some VPN vendors to circumvent traditional firewalls.

 

These days, practically all UDP-based protocols are being used for nefarious purposes, as they are seldom afforded the same degree of scrutiny as TCP.

 

Traditional firewall vendors do not like to tackle DNS, as it directly impacts the listed performance of their appliances, and they often limit their threat prevention for DNS to a subset of common exploits.

 

From the point of view of performance and security, cloud-based, DNS-specific security solutions are probably the best at addressing these issues.

 

Common names in that area are OpenDNS (now Cisco Umbrella), TitanHQ and Infoblox Active Cloud.
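
Added example, not part of any post in this thread and not any vendor's method: a minimal heuristic for spotting the DNS-based data exfiltration discussed above, run over a resolver query log. The log lines, thresholds and function names are constructed for illustration, and the parent zone is assumed to be the last two labels of the name.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log: (client IP, queried name). Not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "cdn.assets.example.org"),
    ("10.0.0.9", "mzxw6ytboi4dqmjsgm2dknrxha4tamjs.t.tunnel.example"),
    ("10.0.0.9", "ifbegrcfizdueskkjnge2tspkbiveu2u.t.tunnel.example"),
    ("10.0.0.9", "onswg4tfoqqgi33dovwwk3tuebrw63tu.t.tunnel.example"),
    ("10.0.0.9", "nbswy3dpeb3w64tmmqqhi2dfebzxizlq.t.tunnel.example"),
]

def shannon_entropy(s):
    """Bits per character of the string s."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Return (subdomain, parent zone). Assumption: the parent zone is the
    last two labels; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def suspicious_zones(queries, min_unique=3, min_len=24, min_entropy=3.5):
    """Flag (client, zone) pairs that received many unique, long,
    high-entropy subdomains, the usual shape of data encoded into names."""
    seen = defaultdict(set)
    for client, qname in queries:
        sub, zone = split_name(qname)
        payload = sub.replace(".", "")
        if len(payload) >= min_len and shannon_entropy(payload) >= min_entropy:
            seen[(client, zone)].add(sub)
    return sorted(k for k, subs in seen.items() if len(subs) >= min_unique)

if __name__ == "__main__":
    for client, zone in suspicious_zones(SAMPLE_QUERIES):
        print(f"possible DNS tunnelling: {client} -> *.{zone}")
```

The thresholds are illustrative starting points; CDN and telemetry hostnames can also be long and random-looking, so tune them against a baseline of your own resolver logs before alerting.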