DNS Security: Canadian Government Recommends a DNS Firewall

Last month the Canadian Centre for Cyber Security published “Baseline Cyber Security Controls for Small and Medium Organizations.” The guide is designed to help Canadian organizations with fewer than 499 employees improve their resilience through cyber security. According to the National Cyber Threat Assessment, small and medium organizations are most likely to face cyber security threat activity. In order to avoid becoming an easy target for hackers, organizations need to invest in their cyber security.

The publication states:

Cyber threat actors target Canadian businesses for their data about customers, partners and suppliers, financial information and payment systems, and proprietary information. Cyber security incidents can also result in reputational damage, productivity loss, intellectual property theft, operational disruptions, and recovery expenses.

Enhancing security through DNS firewalls

To maximize any organization’s investments, the Canadian Centre for Cyber Security uses the 80/20 rule (achieve 80% of the benefit from 20% of the effort) as a basis for its recommended baseline controls.  Using this value-based rule of thumb, the Canadian Centre for Cyber Security recommends establishing a basic perimeter defense.

Most organizations already use firewalls to defend against outside threats. The Centre for Cyber Security now recommends taking it one step further by adding a DNS firewall. DNS firewalls prevent connections to known malicious domains and filter content to limit accessibility to malicious websites.  An estimated 91% of malware attacks use DNS – any investments in cyber security should include DNS as the first line of defense.

Every day, networks passively process billions of DNS queries without any context. Yet each of these queries contains a treasure trove of information about the client’s intent, whether benign or malicious. All that DNS data represents an untapped cyber security resource. 

The Centre for Cyber Security’s recommendation is for a perimeter-based DNS firewall, but the benefits of that protection only extend to DNS queries sent to the outside internet.  There’s a whole world of internal network queries which could also benefit from the protection of a DNS firewall.  

DNS security at the network core

BlueCat DNS Edge leverages existing DNS infrastructure to monitor and control all DNS activity, enforce security policies, and protect the network from DNS threats such as tunneling, data exfiltration, and domain generation algorithms (DGAs). DNS Edge is a light-weight service point that sits as the first hop onto the network. It logs DNS queries and responses for each client on the network, giving cybersecurity teams visibility into the intent of every device and the ability to identify patterns of malicious behavior.

DNS Edge also has the capability to lock down critical resources to protect against internal threats and inappropriate access to reduce attack surface. Single-use connected devices, like security cameras or point-of-sale machines, are restricted to only the domains and assets they truly require. The ability to set granular policies helps block unwanted access and monitor sensitive data.

Perimeter firewalls monitor traffic going in and out of the network, which leaves a gaping blind spot. Bad actors are creative and scrappy. If the front door doesn’t work, they’re checking side doors, windows, and the vents too. A client-facing firewall, such as DNS Edge, gives organizations full surveillance of their network.
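
The difference between a perimeter DNS filter and a first-hop policy with per-device allowlists, as an added sketch that is not BlueCat's code and does not reflect DNS Edge's configuration or API. All domains, addresses, device classes and function names are constructed for illustration, and it assumes internal zones are answered inside the network and never reach the perimeter filter.

```python
# Added illustration: generic first-hop DNS policy check, not vendor code.
# Every domain, address and device class below is a constructed sample value.

BLOCKLIST = {"malware-c2.example"}            # known-malicious zones
INTERNAL_ZONES = {"corp.example"}             # assumed to be answered internally
ALLOWLISTS = {                                # per-device-class allowlists
    "camera": {"nvr.corp.example", "time.vendor.example"},
    "pos": {"payments.processor.example"},
}
DEVICE_CLASS = {"10.0.5.20": "camera", "10.0.6.11": "pos"}  # client IP -> class


def in_zone(qname, zones):
    """True if qname equals a zone or is a subdomain of it (label-boundary match)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def first_hop_decision(client_ip, qname):
    """Policy at the client-facing resolver, which sees every query."""
    if in_zone(qname, BLOCKLIST):
        return "block:blocklist"
    device = DEVICE_CLASS.get(client_ip)
    if device and not in_zone(qname, ALLOWLISTS[device]):
        return "block:not-allowlisted"   # single-use device outside its allowlist
    return "allow"


def perimeter_decision(client_ip, qname):
    """Perimeter-only filter: internal names never reach it."""
    if in_zone(qname, INTERNAL_ZONES):
        return "unseen"
    return "block:blocklist" if in_zone(qname, BLOCKLIST) else "allow"


def evaluate(log):
    """Return (client, qname, perimeter verdict, first-hop verdict) per query."""
    return [(ip, q, perimeter_decision(ip, q), first_hop_decision(ip, q)) for ip, q in log]


SAMPLE_LOG = [  # constructed (client IP, query name) pairs
    ("10.0.5.20", "nvr.corp.example."),        # camera talking to its recorder
    ("10.0.5.20", "hr-db.corp.example."),      # camera probing an internal host
    ("10.0.6.11", "cdn.malware-c2.example."),  # subdomain of a blocklisted zone
    ("10.0.1.7", "notmalware-c2.example."),    # look-alike suffix, different zone
    ("10.0.6.11", "updates.random.example."),  # POS outside its allowlist
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_LOG):
        print(row)
```

The second sample query is the case the perimeter filter cannot see at all, and the fourth shows why matching must respect label boundaries rather than use a plain string suffix test.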
