It’s clear that organizations need a playbook for DoH traffic, and perhaps just generally better DNS security. Credit: mapodile The Domain Name System (DNS) is often referred to as the phone book of the internet. DNS translates web addresses, which people use, into IP addresses, which machines use. But DNS was not designed with security in mind. And even though companies have invested incredible amounts of money into their security stack (and even though they’ve had since the 1980s to figure this out), DNS traffic often goes unmonitored.This has only worsened with the adoption of encrypted DNS, known as DNS-over-HTTPS (DoH). Since its introduction in late 2018, DoH has grown from a personal privacy feature that most IT teams blocked outright, to an encouraged enterprise privacy and security function. While DoH protects traffic in transit, it also leaves organizations with little to no visibility over what’s happening with their DNS queries. ZscalerThe evolution of DNSThreat actors regularly exploit this visibility gap. IDC’s 2022 Global DNS Threat Report revealed that 88% of organizations interviewed had suffered DNS-related attacks—primarily phishing, malware, and DDoS attacks—over the previous year. Additionally, 70% had experienced application downtime as a result.A few DNS attack tactics are particularly popular:DNS tunneling: One of the most popular DNS threats is DNS tunneling, in which threat actors take advantage of the flexible nature of DNS queries to hide communications to command-and-control servers, download malware, or exfiltrate data. Unfortunately, this is challenging to detect due to the broad nature of DNS queries (a website can be called pretty much anything so a DNS query can be pretty much anything) and due to IT visibility gaps, particularly when it comes to encrypted traffic.DNS spoofing: This tactic—frequently executed using Man-in-the-Middle (MitM) techniques—involves altering the DNS entries on a DNS server or entering false information into the DNS cache, resulting in the targeted user traffic getting redirected to an attacker-controlled fraudulent site. This can be used for phishing or to trick users into installing malicious software like worms or viruses.DDoS attacks on DNS servers: Attackers don’t necessarily have to infiltrate a server to be disruptive using DNS. In 2016, cybercriminals used the Mirai botnet to wage a DDoS attack on one of the largest and most popular DNS services, taking down huge swaths of applications and websites.Domain-generated algorithms: Attackers frequently use domain generation algorithms (DGA), programs that can rapidly generate thousands of new domain names to allow them to bypass DNS block lists. This can quickly render many organizational DNS security programs ineffective.A checklist for better DNS securityIt’s clear that organizations need a playbook for DoH traffic, and perhaps just generally better DNS security. A checklist for a better solution should include things like:Full inspection of both encrypted and unencrypted traffic (which is super resource-intensive, so generally requires a cloud-native and horizontally scalable platform)Dynamic traffic analysis, not just blocklistsFailover mechanisms in case one DNS resolver or service is taken downConsistent speed and performance regardless of where their users, devices, and applications are located worldwideThe US and UK governments have begun taking their own actions to protect critical data by introducing protective DNS (PDNS) resolvers. These are government-sanctioned, security-focused, NSA-threat-intelligence-fueled DNS resolvers that are available (and in some cases mandated) to use by any US organization with access to United States Department of Defense (DoD) information, as well as to a range of public services in the UK. Other government bodies around the world are likely to follow suit.For years, Zscaler has been proud to partner with our customers to tackle this problem with a differentiated DNS resolution and security approach. The DNS control features built into the Zscaler Zero Trust Exchange™ platform are critical to ensuring seamless, secure access to the internet and applications in every possible circumstance. That means any user, device, or workload connecting to any resource, on any port or protocol, from anywhere in the world, at any time.Zscaler Innovations to Improve DNS ControlAs a cloud-native proxy, the Zscaler Zero Trust Exchange™ delivers scalable inspection, advanced threat protection, and DNS resolution at over 150 edge locations for optimal performance and security around the globe.Zscaler’s approach to DNS is to not care what resolver you’re using (though we offer our own for peak performance). All traffic that transits through Zscaler gets the same in-depth security analysis, powered by intelligence from the world’s largest inline security cloud that receives over 250,000 security updates per day.Recently, Zscaler announced enhancements to the security, availability, flexibility, and performance of its DNS control module, including: DNS encryption of plaintext traffic into DNS-over-HTTPS (DoH) for better privacy and securityAvailability enhancements with enhanced failover capabilities that automatically redirect traffic to a secondary resolver if the primary failsDNS security enhancements, including improved DNS tunnel protection to prevent data exfiltration and enhanced DGA detection to block any command-and-control malware activitiesProtective DNS enablement by encrypting and sending all government agency traffic to protective DNS (PDNS) resolvers in alignment with mandates from the NSA, CISA, and the National Cyber Security CentreBetter user experience with configurable DNS ECS to provide the best localized resolution based on the country, and to ensure users experience webpages with their local language, content, and currencyEnhanced error handling and reporting for better visibility and controlPart of the world’s leading zero trust solutionDNS Control is just one of many capabilities of the Zscaler Zero Trust Exchange™, which helps organizations reduce business risk while enabling and simplifying digital transformation. We consistently strive to provide better value, security, and performance across our platform and are proud to offer these new benefits to our customers everywhere.To learn more about DNS Control, visit our website. And to learn more about the top DNS threats facing organizations today (and what to do about them), check out the paper “Decoding Modern DNS Threats.” Related content brandpost Sponsored by Zscaler Study finds Zscaler can save $2.1 million annually A new study led by IDC highlights the impact a cloud-delivered approach to data protection can have on the bottom line. The results were eye-opening. By Zscaler Jun 23, 2023 6 mins Security brandpost Sponsored by Zscaler Optimize user experience and achieve faster IT resolutions using AI Broad cloud adoption and hybrid workplaces have pressured network operations, service desks, and security teams. AI offers a reprieve – and a way forward. By Zscaler May 16, 2023 7 mins Machine Learning Artificial Intelligence brandpost Sponsored by Zscaler Mercury Financial gains a competitive advantage with zero trust With many employees working remotely, Mercury Financial needed a solution to help find, troubleshoot, and correct user issues. Enter: Zscaler. By Zscaler May 04, 2023 6 mins Security brandpost Sponsored by Zscaler 7 considerations for successful digital transformation Sanjit Ganguli, Nathan Howe, and Daniel Ballmer help CXOs clarify the confusion around zero trust in their new book: “Seven Questions Every CXO Must Ask About Zero Trust.” Let’s peek into what you’ll find in their executive&rs By Zscaler May 04, 2023 10 mins Digital Transformation PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe