The article describes BlueCat Threat Protection, a policy-based DNS security workflow that blocks malicious DNS queries at the DNS layer to stop threats before they reach enterprise systems. It explains how Threat Protection leverages DNS telemetry and threat feeds such as CrowdStrike to detect and block phishing, DGA, tunneling, and other malware-related domains across wired, wireless, virtual, and mobile endpoints, preserving visibility by blocking public DoH resolvers. Key outcomes include continuous, analyst-reviewed threat intelligence, centralized management via BlueCat IPAM, customizable actions per feed, and detailed logging and reporting to identify infected devices and integrate with existing SIEMs and security investments.
How does BlueCat Threat Protection use DNS to help detect and stop threats?
BlueCat Threat Protection leverages DNS query data as actionable telemetry to reveal how traffic moves and how clients access internal and external resources. By subscribing DNS servers to real-time threat feeds (including CrowdStrike and other third-party feeds) and applying policy-based response actions—such as redirect, blocklist, do not respond, or log—the solution can block lookups to known malicious domains, stopping phishing, DGA, tunneling, and other attacks at the DNS layer before they reach devices. Additionally, Threat Protection provides DoH blocking to retain visibility into DNS queries by preventing lookups to known public DoH resolvers, enabling detection and investigation of suspicious activity.
What kinds of threat intelligence and updates power Threat Protection?
Threat Protection is enriched with continuous, analyst-reviewed threat intelligence derived from more than 30 billion daily events and an elite team of threat analysts and researchers. It provides coverage across millions of domains associated with over 100 unique malware families and 30+ threat types, and it prioritizes activities based on severity, frequency, and confidence. Customers can subscribe to CrowdStrike feeds—the article highlights CrowdStrike as the most active repository in the industry—as well as BlueCat DoH blocklists and other third-party feeds, which are automatically delivered through DNS for continuous, real-time updates.
How does Threat Protection integrate with existing network and security operations?
Threat Protection integrates with BlueCat IPAM, DNS, and DHCP solutions so that threat policies and actions can be centrally managed through BlueCat Address Manager, enabling orchestration across network services. It produces aggregated reporting of query and response policy activity, logs matches to identify which devices attempted to access malicious content, and supports correlation with other data sources and market-leading SIEMs to eliminate blind spots. Organizations can maintain local allowlists and blocklists and use response policy zones to intercept specific hosts and zones, giving networking and security teams flexibility to tailor responses to operational needs.
The solution: BlueCat Threat Protection
Smartphones, point-of-sale (POS) systems, desktops, and security cameras all rely on DNS to connect to the network and external sites. Whether the device is in a fixed location or is mobile and lives beyond the walls of your enterprise, BlueCat Threat Protection can protect it from accessing malicious content and further proliferating threats into your network.
The coordinated use of multiple, complementary security countermeasures is key to enterprise defense-in-depth strategies. Threat Protection delivers critical contextual network data extending across wired and wireless networks, virtual environments, and mobile endpoints, to augment industry-standard layers of security.
Defend against attacks with CrowdStrike threat feeds, the most active repository of threat intelligence in the industry. Subscribe DNS servers to the security feed, which is automatically delivered through DNS and continuously updated to block threats as they emerge.
To protect against malicious activity, networking and cybersecurity teams need to maintain visibility into DNS traffic. Threat Protection provides DoH blocking to retain visibility into DNS queries by preventing lookups to known public DoH resolvers.
Figure 1. Protect the enterprise by blocking DNS-based phishing, DGA, and tunneling attacks
Features
Customizable actions
Each security feed can be configured with its own action, such as redirect, blocklist, do not respond, and log, allowing administrators to tailor the response to their needs.
Reporting
Aggregation of query and response data for a complete view of response policy activity with respect to threat category, source of threat, and targets.
IPAM integration
Integration with BlueCat IPAM, DNS and DHCP solutions enables Threat Protection to be centrally managed and orchestrated through BlueCat Address Manager.
Response policy zones
Provide organizations with the option of maintaining a set of hosts and zones that can be intercepted and handled accordingly.
Logging and visibility
Matches can be logged to determine which devices have attempted to access known malicious content to identify infected systems.
Localized lists
Organizations can augment and maintain their own local lists to blocklist additional sites or allowlist results.
Supported threat feeds
Threat Protection enables seamless integration of security intelligence, including BlueCat DoH blocklists, CrowdStrike, and other third-party threat feeds.
DoH blocking
Retain visibility into DNS queries by blocking lookups to known public DoH resolvers.
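As an added example (not BlueCat's code, and not a description of how the product is implemented), the following constructed Python model shows the policy precedence the features above describe: local allowlist over local blocklist over per-feed actions (redirect, blocklist, do not respond, log), with a DoH resolver feed and every match logged so the clients behind blocked queries can be identified. Feed names, indicators, the sinkhole target and client addresses are all constructed.

```python
# Constructed model of the RPZ-style policy described on the page. Added
# example, not BlueCat's code; every feed, name and address below is made up.

# Per-feed actions named on the page: redirect, blocklist, do not respond, log.
FEED_POLICY = {                      # feed -> (action, redirect target)
    "crowdstrike_phishing": ("redirect", "sinkhole.corp.example"),
    "crowdstrike_dga": ("blocklist", None),       # answered with NXDOMAIN
    "crowdstrike_tunnel": ("drop", None),         # do not respond at all
    "doh_resolvers": ("blocklist", None),         # keeps DNS queries visible
    "suspicious_watch": ("log", None),            # observe, still resolve
}
FEEDS = {                            # constructed indicator sets per feed
    "crowdstrike_phishing": {"login-update.example", "partner-portal.example"},
    "crowdstrike_dga": {"xkq7v2p.example"},
    "crowdstrike_tunnel": {"t.exfil.example"},
    "doh_resolvers": {"dns.google", "cloudflare-dns.com"},
    "suspicious_watch": {"new-cdn.example"},
}
LOCAL_ALLOW = {"partner-portal.example"}   # local allowlist overrides every feed
LOCAL_BLOCK = {"typo-bank.example"}        # local additions to the blocklist
MATCH_LOG = []                             # (client_ip, qname, feed, action)

def in_zone(name, indicators):
    """True if name or any parent zone is listed (hosts and zones intercepted)."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))

def resolve_policy(client_ip, qname):
    """Evaluate one query. Returns (action, answer, feed) where action is one of
    passthru, redirect, blocklist, drop and answer is the redirect target,
    "NXDOMAIN", or None. Precedence: local allowlist, local blocklist, feeds."""
    qname = qname.lower().rstrip(".")
    if in_zone(qname, LOCAL_ALLOW):
        return ("passthru", None, "local_allow")
    if in_zone(qname, LOCAL_BLOCK):
        MATCH_LOG.append((client_ip, qname, "local_block", "blocklist"))
        return ("blocklist", "NXDOMAIN", "local_block")
    for feed, indicators in FEEDS.items():
        if in_zone(qname, indicators):
            action, target = FEED_POLICY[feed]
            MATCH_LOG.append((client_ip, qname, feed, action))   # every hit is logged
            answer = {"redirect": target, "blocklist": "NXDOMAIN"}.get(action)
            # "log" only records the match; the query is then resolved normally.
            return ("passthru" if action == "log" else action, answer, feed)
    return ("passthru", None, None)

def infected_hosts():
    """Clients whose queries hit a blocking action: candidates for investigation."""
    return {ip for ip, _, _, act in MATCH_LOG if act != "log"}
```

The match log is what a SIEM integration would consume; the "log"-only feed contributes visibility without changing what the client receives.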