DNS Security: Canadian Government Recommends a DNS Firewall

Last month the Canadian Centre for Cyber Security published “Baseline Cyber Security Controls for Small and Medium Organizations.” The guide is designed to help Canadian organizations with fewer than 499 employees improve their resilience through cyber security. According to the National Cyber Threat Assessment, small and medium organizations are most likely to face cyber security threat activity. In order to avoid becoming an easy target for hackers, organizations need to invest in their cyber security.

The publication states:

Cyber threat actors target Canadian businesses for their data about customers, partners and suppliers, financial information and payment systems, and proprietary information. Cyber security incidents can also result in reputational damage, productivity loss, intellectual property theft, operational disruptions, and recovery expenses.

Enhancing security through DNS firewalls

To maximize any organization’s investments, the Canadian Centre for Cyber Security uses the 80/20 rule (achieve 80% of the benefit from 20% of the effort) as a basis for its recommended baseline controls.  Using this value-based rule of thumb, the Canadian Centre for Cyber Security recommends establishing a basic perimeter defense.

Most organizations already use firewalls to defend against outside threats. The Centre for Cyber Security now recommends taking it one step further by adding a DNS firewall. DNS firewalls prevent connections to known malicious domains and filter content to limit accessibility to malicious websites.  An estimated 91% of malware attacks use DNS – any investments in cyber security should include DNS as the first line of defense.

Every day, networks passively process billions of DNS queries without any context. Yet each of these queries contains a treasure trove of information about the client’s intent, whether benign or malicious. All that DNS data represents an untapped cyber security resource.

The Centre for Cyber Security’s recommendation is for a perimeter-based DNS firewall, but the benefits of that protection only extend to DNS queries sent to the outside internet.  There’s a whole world of internal network queries which could also benefit from the protection of a DNS firewall.

DNS security at the network core

BlueCat DNS Edge leverages existing DNS infrastructure to monitor and control all DNS activity, enforce security policies, and protect the network from DNS threats such as tunneling, data exfiltration, and domain generation algorithms (DGAs). DNS Edge is a lightweight service point that sits as the first hop onto the network. It logs DNS queries and responses for each client on the network, giving cybersecurity teams visibility into the intent of every device and the ability to identify patterns of malicious behavior.

DNS Edge can also lock down critical resources, protecting against internal threats and inappropriate access and reducing the attack surface. Single-use connected devices, like security cameras or point-of-sale machines, are restricted to only the domains and assets they truly require. The ability to set granular policies helps block unwanted access and monitor sensitive data.
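The two controls described in this article, a blocklist of known malicious domains and per-device restriction of single-use devices, can be sketched as a small policy check run at the first hop. This is an added example, not BlueCat DNS Edge code or configuration; the client addresses, domain names and verdict strings are constructed for illustration.

```python
# Added example: constructed policy data, not BlueCat DNS Edge code or configuration.

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def in_zone(qname, zone):
    """True if qname is the zone itself or a subdomain of it (label boundary match)."""
    q, z = normalize(qname), normalize(zone)
    return q == z or q.endswith("." + z)

# Constructed blocklist of known-bad domains (reserved .example TLD).
BLOCKLIST = {"malware-c2.example"}

# Constructed per-client allowlists for single-use devices; clients not listed
# here are general-purpose and only subject to the blocklist.
DEVICE_ALLOWLISTS = {
    "10.0.5.20": {"camera-vendor.example", "ntp.example"},  # security camera
    "10.0.5.31": {"payments.example"},                      # point-of-sale terminal
}

def decide(client_ip, qname):
    """Return the policy verdict for one DNS query from one client."""
    if any(in_zone(qname, z) for z in BLOCKLIST):
        return "block:blocklist"
    allowed = DEVICE_ALLOWLISTS.get(client_ip)
    if allowed is not None and not any(in_zone(qname, z) for z in allowed):
        return "block:not-allowlisted"
    return "allow"

# Constructed query log: (client IP, queried name).
QUERIES = [
    ("10.0.5.20", "Firmware.Camera-Vendor.example."),  # camera, expected traffic
    ("10.0.5.20", "fileserver.corp.example"),          # camera probing an internal host
    ("10.0.5.31", "notpayments.example"),              # look-alike, not a subdomain
    ("10.0.9.7", "cdn.malware-c2.example"),            # laptop, blocklisted parent domain
    ("10.0.9.7", "intranet.corp.example"),             # laptop, ordinary internal lookup
]

def evaluate(queries):
    """Apply the policy to each logged query."""
    return [(ip, name, decide(ip, name)) for ip, name in queries]

if __name__ == "__main__":
    for ip, name, verdict in evaluate(QUERIES):
        print(f"{ip:<10} {normalize(name):<32} {verdict}")
```

The second query is the case a perimeter-only filter never sees: an internal lookup from a device that has no reason to make it.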

Perimeter firewalls monitor only the traffic going in and out of the network, which leaves a gaping blind spot for activity inside it. Bad actors are creative and scrappy. If the front door doesn’t work, they’re checking side doors, windows, and the vents too. A client-facing firewall, such as DNS Edge, gives organizations full surveillance of their network.

Want more information about DNS Edge?  Let’s start a conversation.



Jadecy Kidane is the Marketing Content Manager at BlueCat.
