DNS Security: Canadian Government Recommends a DNS Firewall
The Canadian government helps organizations take on cybersecurity. With BlueCat DNS Edge, organizations can maximize their security investments.
The Canadian Centre for Cyber Security’s “Baseline Cyber Security Controls for Small and Medium Organizations” urges businesses with fewer than 499 employees to prioritize practical, high-impact security measures, highlighting that DNS is an essential first line of defense because roughly 91% of malware attacks use DNS. The guidance recommends adding a perimeter DNS firewall to traditional firewalls to block known malicious domains and filter content, while the article points out that internal DNS queries are also exposed and contain valuable telemetry. BlueCat’s DNS Edge is presented as a network-core DNS security solution that logs per-client queries, enforces granular policies, prevents DNS-based threats (such as tunneling, data exfiltration, and DGAs), and restricts device access to reduce the attack surface and the visibility blind spots left by perimeter-only controls.
Why does the Canadian Centre for Cyber Security recommend adding a DNS firewall in addition to traditional firewalls?
The guide recommends a DNS firewall because conventional perimeter firewalls alone leave a blind spot: they monitor traffic crossing the network boundary but do not inspect DNS activity or internal queries. DNS is implicated in an estimated 91% of malware attacks, and DNS queries carry intent-rich telemetry that can reveal malicious behavior. A DNS firewall blocks connections to known malicious domains and filters content, providing an additional perimeter-based control that prevents devices from resolving or reaching harmful sites and complements existing firewall protections.
What additional protection does BlueCat DNS Edge provide beyond a perimeter DNS firewall?
BlueCat DNS Edge extends DNS security into the network core by leveraging existing DNS infrastructure to monitor and control all DNS activity, including internal queries that a perimeter firewall would miss. As a lightweight first-hop service point, it logs DNS queries and responses per client, giving security teams visibility into device intent and patterns of malicious behavior. DNS Edge can enforce granular policies to lock down critical resources, restrict single-use connected devices (like cameras or POS systems) to only necessary domains, and mitigate DNS threats such as tunneling, data exfiltration, and domain generation algorithms.
How does logging per-client DNS queries help reduce an organization’s attack surface?
Logging per-client DNS queries provides detailed visibility into what each device is attempting to access, enabling detection of anomalous or malicious patterns that perimeter-only controls might miss. With that telemetry, teams can identify devices using DNS for covert channels (tunneling), data exfiltration attempts, or contact with DGA-generated domains. Granular policy enforcement based on those logs allows organizations to restrict devices to only the domains and assets they need, lock down critical resources against inappropriate access, and thereby reduce lateral movement and overall attack surface within the internal network.
Last month the Canadian Centre for Cyber Security published “Baseline Cyber Security Controls for Small and Medium Organizations.” The guide is designed to help Canadian organizations with fewer than 499 employees improve their resilience through cyber security. According to the National Cyber Threat Assessment, small and medium organizations are most likely to face cyber security threat activity. In order to avoid becoming an easy target for hackers, organizations need to invest in their cyber security.
The publication states:
Cyber threat actors target Canadian businesses for their data about customers, partners and suppliers, financial information and payment systems, and proprietary information. Cyber security incidents can also result in reputational damage, productivity loss, intellectual property theft, operational disruptions, and recovery expenses.
Enhancing security through DNS firewalls
To maximize any organization’s investments, the Canadian Centre for Cyber Security uses the 80/20 rule (achieve 80% of the benefit from 20% of the effort) as a basis for its recommended baseline controls. Using this value-based rule of thumb, the Canadian Centre for Cyber Security recommends establishing a basic perimeter defense.
Most organizations already use firewalls to defend against outside threats. The Centre for Cyber Security now recommends taking it one step further by adding a DNS firewall. DNS firewalls prevent connections to known malicious domains and filter content to limit access to malicious websites. An estimated 91% of malware attacks use DNS – any investment in cyber security should include DNS as the first line of defense.
Every day, networks passively process billions of DNS queries without any context. Yet each of these queries contains a treasure trove of information about the client’s intent, whether benign or malicious. All that DNS data represents an untapped cyber security resource.
The Centre for Cyber Security’s recommendation is for a perimeter-based DNS firewall, but the benefits of that protection extend only to DNS queries sent to the outside internet. There’s a whole world of internal network queries that could also benefit from the protection of a DNS firewall.
DNS security at the network core
BlueCat DNS Edge leverages existing DNS infrastructure to monitor and control all DNS activity, enforce security policies, and protect the network from DNS threats such as tunneling, data exfiltration, and domain generation algorithms (DGAs). DNS Edge is a lightweight service point that sits as the first hop onto the network. It logs DNS queries and responses for each client on the network, giving cybersecurity teams visibility into the intent of every device and the ability to identify patterns of malicious behavior.
DNS Edge also has the capability to lock down critical resources, protecting against internal threats and inappropriate access and reducing the attack surface. Single-use connected devices, like security cameras or point-of-sale machines, are restricted to only the domains and assets they truly require. The ability to set granular policies helps block unwanted access and monitor sensitive data.
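As an added illustration (not BlueCat’s code or anything from DNS Edge), here is the kind of analysis a security team can run over the per-client query log described above and in the earlier Q&A on reducing attack surface: an allowlist policy for a single-use device, a tunneling heuristic, and a DGA heuristic, all applied to constructed sample telemetry. The log format, thresholds, device address, and domains are assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample DNS telemetry (not real traffic): "client qname qtype rcode" per query.
SAMPLE_LOG = """\
10.0.0.50 firmware.cam-vendor.example A NOERROR
10.0.0.50 time.cam-vendor.example A NOERROR
10.0.0.50 updates.unrelated-cdn.example A NOERROR
10.0.0.77 www.example.com A NOERROR
10.0.0.77 xk3r9qzv7bmw.example A NXDOMAIN
10.0.0.77 q8zt4wn2vplk.example A NXDOMAIN
10.0.0.77 m0d7yhr3scfb.example A NXDOMAIN
10.0.0.91 4a6b2c1d9e8f7a3b5c4d6e7f8a9b0c1d.2e3f4a5b6c7d8e9f0a1b2c3d.t.exfil-host.example TXT NOERROR
10.0.0.91 0f1e2d3c4b5a69788796a5b4c3d2e1f0.3a4b5c6d7e8f9a0b1c2d3e4f.t.exfil-host.example TXT NOERROR
"""

# Hypothetical single-use device policy: the camera at 10.0.0.50 may resolve only its vendor zone.
DEVICE_ALLOWLIST = {"10.0.0.50": ("cam-vendor.example",)}

def entropy(s):
    """Shannon entropy in bits per character; random-looking labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse(log):
    for line in log.splitlines():
        client, qname, qtype, rcode = line.split()
        yield client, qname.lower().rstrip("."), qtype, rcode

def analyze(log, nxdomain_threshold=3):
    """Return (client, finding, qname) triples derived from per-client DNS telemetry."""
    findings, nx_per_client = [], Counter()
    for client, qname, qtype, rcode in parse(log):
        labels = qname.split(".")
        # 1. Policy: a restricted device querying outside its allowlisted zones
        allowed = DEVICE_ALLOWLIST.get(client)
        if allowed and not any(qname == z or qname.endswith("." + z) for z in allowed):
            findings.append((client, "policy-violation", qname))
        # 2. Tunneling: long names carrying high-entropy labels, or bulky TXT/NULL lookups
        longest = max(labels, key=len)
        if len(qname) > 60 and (entropy(longest) > 3.5 or qtype in ("TXT", "NULL")):
            findings.append((client, "tunnel-like", qname))
        # 3. DGA: a client accumulating NXDOMAINs for random-looking second-level labels
        if rcode == "NXDOMAIN" and len(labels) >= 2 and entropy(labels[-2]) > 3.0:
            nx_per_client[client] += 1
            if nx_per_client[client] == nxdomain_threshold:
                findings.append((client, "dga-like", qname))
    return findings

if __name__ == "__main__":
    for client, kind, name in analyze(SAMPLE_LOG):
        print(f"{client:<10} {kind:<17} {name}")
```

The thresholds are deliberately simple; in production they would be tuned per client role and fed by the first-hop resolver’s logs rather than a static text blob.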
Perimeter firewalls monitor traffic going in and out of the network, which leaves a gaping blind spot. Bad actors are creative and scrappy. If the front door doesn’t work, they’re checking side doors, windows, and the vents too. A client-facing firewall, such as DNS Edge, gives organizations full surveillance of their network.
Want more information about DNS Edge? Let’s start a conversation.