DNS Security: Canadian Government Recommends a DNS Firewall

Jadecy Kidane

April 4, 2019

Last month the Canadian Centre for Cyber Security published “Baseline Cyber Security Controls for Small and Medium Organizations.” The guide is designed to help Canadian organizations with fewer than 499 employees improve their cyber security resilience. According to the National Cyber Threat Assessment, small and medium organizations are the most likely to face cyber threat activity. To avoid becoming an easy target, these organizations need to invest in their cyber security.

The publication states:

Cyber threat actors target Canadian businesses for their data about customers, partners and suppliers, financial information and payment systems, and proprietary information. Cyber security incidents can also result in reputational damage, productivity loss, intellectual property theft, operational disruptions, and recovery expenses.

Enhancing security through DNS firewalls

To get the most out of an organization’s security investment, the Canadian Centre for Cyber Security uses the 80/20 rule (achieve 80% of the benefit from 20% of the effort) as the basis for its recommended baseline controls. Applying that value-based rule of thumb, the Centre recommends establishing a basic perimeter defense.

Most organizations already use firewalls to defend against outside threats. The Centre for Cyber Security now recommends taking that one step further by adding a DNS firewall. A DNS firewall acts at name-resolution time: when a client asks to resolve a domain that appears on a blocklist of known malicious names, the resolver refuses the lookup, returns a sinkhole address or rewrites the answer, so the connection to the malicious site never starts and the attempt is logged. One widely cited industry estimate is that 91% of malware uses DNS at some stage of an attack, which is why any investment in cyber security should treat DNS as a first line of defense. The control only covers clients that actually resolve through the filtering resolver, so it belongs alongside a rule that blocks outbound DNS (port 53, and where feasible DNS over HTTPS or TLS to third-party resolvers) from anything other than the organization’s own resolvers; a device with a hard-coded public resolver, or malware that connects to a hard-coded IP address, goes around it.

Every day, networks resolve billions of DNS queries, and in most organizations nobody records who asked for what. Yet each of those queries says something about the client’s intent, whether benign or malicious. All that DNS data represents an untapped cyber security resource.

The Centre for Cyber Security’s recommendation is for a perimeter-based DNS firewall, but that protection only reaches the queries that cross the perimeter on their way to the public internet. Queries between internal hosts, and queries from a compromised client for internal names, never pass it, and that internal traffic would benefit from the same inspection.

DNS security at the network core

BlueCat DNS Edge leverages existing DNS infrastructure to monitor and control all DNS activity, enforce security policies, and protect the network from DNS threats such as tunneling, data exfiltration, and domain generation algorithms (DGAs). DNS Edge is a lightweight service point that sits as the first DNS hop for every client on the network. It logs DNS queries and responses for each client, giving cyber security teams visibility into the intent of every device and the ability to identify patterns of malicious behavior.
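As an added example, and not BlueCat code or a description of how DNS Edge implements its detections, the script below shows how the tunneling and DGA indicators named above can be derived from a resolver’s per-client query log: for tunneling, many distinct names under one registered domain with long leftmost labels or TXT/NULL-heavy traffic; for DGA activity, one client asking for several random-looking (high-entropy, vowel-poor) domains. The log format, the sample lines and every threshold are constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample query log (not a real capture). Assumed format:
# "<timestamp> <client_ip> <qtype> <qname>", one query per line.
SAMPLE_LOG = """\
2019-04-01T10:00:01Z 10.1.2.3 A www.example.com.
2019-04-01T10:00:02Z 10.1.2.3 A mail.example.com.
2019-04-01T10:00:03Z 10.1.2.3 AAAA www.example.com.
2019-04-01T10:00:04Z 10.1.2.9 TXT 4a6f686e20446f65205365637265.t1.exfil-test.net.
2019-04-01T10:00:05Z 10.1.2.9 TXT 7420646174612066726f6d204845.t2.exfil-test.net.
2019-04-01T10:00:06Z 10.1.2.9 TXT 522e2e2e20636172646e756d6265.t3.exfil-test.net.
2019-04-01T10:00:07Z 10.1.2.9 TXT 722031323334353637383939393939.t4.exfil-test.net.
2019-04-01T10:00:08Z 10.1.2.7 A xk3jd9qpzv.info.
2019-04-01T10:00:09Z 10.1.2.7 A qwpl2nvbxr.info.
2019-04-01T10:00:10Z 10.1.2.7 A zt8hmkdfgw.info.
2019-04-01T10:00:11Z 10.1.2.7 A www.example.com.
"""

# Illustrative thresholds, not vendor defaults; tune against your own baseline.
MIN_UNIQUE_NAMES = 3      # distinct names under one domain before it is examined
MIN_AVG_LABEL_LEN = 20    # long leftmost labels are where tunnels carry payload
MIN_TXT_RATIO = 0.5       # TXT/NULL-heavy client traffic to one domain is unusual
MIN_LABEL_ENTROPY = 3.0   # bits per character; dictionary words sit well below
MAX_VOWEL_RATIO = 0.2     # DGA output tends to be vowel-poor
MIN_DGA_DOMAINS = 3       # distinct random-looking domains from one client

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character of the label's character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(qname):
    """(leftmost_label, registered_domain). Naive last-two-labels rule: real code
    should use the Public Suffix List so that example.co.uk is handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return (labels[0] if len(labels) > 2 else ""), ".".join(labels[-2:])


def looks_random(label):
    """DGA-style label: high entropy and almost no vowels."""
    if len(label) < 6:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= MIN_LABEL_ENTROPY
            and vowels / len(label) <= MAX_VOWEL_RATIO)


def analyze(log_text):
    per_domain = defaultdict(lambda: {"names": set(), "lens": [], "total": 0, "txt": 0})
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _, client, qtype, qname = m.groups()
        leftmost, registered = split_name(qname)
        d = per_domain[registered]
        d["names"].add(qname.lower())
        d["total"] += 1
        if qtype.upper() in ("TXT", "NULL"):
            d["txt"] += 1
        if leftmost:
            d["lens"].append(len(leftmost))
        if looks_random(registered.split(".")[0]):
            per_client[client].add(registered)

    tunneling = {}
    for domain, d in per_domain.items():
        if len(d["names"]) < MIN_UNIQUE_NAMES:
            continue
        reasons = []
        if d["lens"] and sum(d["lens"]) / len(d["lens"]) >= MIN_AVG_LABEL_LEN:
            reasons.append("long leftmost labels")
        if d["txt"] / d["total"] >= MIN_TXT_RATIO:
            reasons.append("TXT/NULL-heavy")
        if reasons:
            tunneling[domain] = reasons
    dga_clients = {c: sorted(ds) for c, ds in per_client.items()
                   if len(ds) >= MIN_DGA_DOMAINS}
    return {"tunneling": tunneling, "dga_clients": dga_clients}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

On the sample log the exfil-test.net traffic trips both tunneling indicators, while example.com, which also receives several queries, does not, and only client 10.1.2.7 is flagged for DGA-like lookups. In production the same statistics should be computed per time window and compared against a baseline for the domain and client; a content delivery network or a legitimate DNS-based blocklist service can also produce many distinct long names under one domain, so these scores are a triage signal rather than a verdict.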

DNS Edge also has the capability to lock down critical resources, protecting against internal threats and inappropriate access and reducing the attack surface. Single-use connected devices, such as security cameras or point-of-sale machines, can be restricted to only the domains and assets they truly require. The ability to set granular policies helps block unwanted access and monitor sensitive data.
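As an added example covering both the blocklist of known malicious domains discussed in the perimeter section above and the per-device allowlists described here, the following is a minimal policy decision of the kind a DNS firewall evaluates for every query. It is not BlueCat’s code or policy syntax; the blocklisted domains, the device subnets and the allowed vendor names are all invented for illustration.

```python
import ipaddress

# Constructed policy data (not BlueCat configuration or syntax).
BLOCKLIST = {"malware-c2.example", "phishing.example"}

# Single-use devices: default-deny, keyed by the subnet they live in.
RESTRICTED_SUBNETS = {
    ipaddress.ip_network("10.20.0.0/24"): {  # security cameras
        "firmware.camera-vendor.example", "ntp.corp.example"},
    ipaddress.ip_network("10.30.0.0/24"): {  # point-of-sale terminals
        "payments.pos-vendor.example", "ntp.corp.example"},
}


def normalize(qname):
    """DNS names are case-insensitive and may arrive with a trailing dot."""
    return qname.rstrip(".").lower()


def ancestors(name):
    """Yield the name and each parent domain, so a rule for example.com also
    covers a.b.example.com (but not notexample.com, as a substring match would)."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def matches(name, domain_set):
    return any(a in domain_set for a in ancestors(name))


def restricted_allowlist(client_ip):
    """Allowlist for a single-use device subnet, or None for ordinary clients."""
    ip = ipaddress.ip_address(client_ip)
    for net, allowed in RESTRICTED_SUBNETS.items():
        if ip in net:
            return allowed
    return None


def decide(client_ip, qname):
    """Return (action, reason). The blocklist is checked first so that a domain
    can never be unblocked by accidentally adding it to a device allowlist."""
    name = normalize(qname)
    if matches(name, BLOCKLIST):
        return "block", "blocklist"
    allowed = restricted_allowlist(client_ip)
    if allowed is not None:
        if matches(name, allowed):
            return "allow", "device allowlist"
        return "block", "not on device allowlist"
    return "allow", "default"


def audit_record(client_ip, qtype, qname):
    """Structured log entry for every decision, allowed or not; these per-client
    records are what later detection and investigation work runs over."""
    action, reason = decide(client_ip, qname)
    return {"client": client_ip, "qtype": qtype, "qname": normalize(qname),
            "action": action, "reason": reason}


if __name__ == "__main__":
    for c, q in [("10.1.5.9", "www.example.com"),
                 ("10.1.5.9", "cdn.malware-c2.example."),
                 ("10.20.0.15", "firmware.camera-vendor.example"),
                 ("10.20.0.15", "www.example.com")]:
        print(audit_record(c, "A", q))
```

Two details matter in practice. The ancestor walk is what makes this a DNS policy rather than a string filter: a rule on a registered domain covers every host under it without also catching look-alike names that merely contain it. And the camera that asks for www.example.com is logged as blocked rather than silently dropped, which is the signal that either the device has been compromised or the allowlist is missing a vendor dependency such as a CDN or certificate-revocation host; expect to iterate on those lists after deployment.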

Perimeter firewalls only see traffic crossing the network boundary, which leaves the east-west traffic between internal hosts as a gaping blind spot. Bad actors are creative and scrappy. If the front door doesn’t work, they’re checking side doors, windows, and the vents too. A client-facing DNS firewall, such as DNS Edge, sees every client’s queries, internal as well as external, and closes that gap.

Want more information about DNS Edge?  Let’s start a conversation.

Jadecy Kidane is the Marketing Content Manager at BlueCat.
