The term “protective DNS” isn’t as sexy as, say, “anti-ransomware” or “threat intelligence.” But it’s every bit as important. In fact, market-leading, protective-DNS services are powered by market-leading threat intelligence, and they often play an essential role in protecting clients from malware. Effective cyber resilience is about layers of services that deliver the right protection in the right place at the right time, and DNS protection is essential to the equation.

If you’d like to dig into protective DNS and why it’s essential to your clients’ cyber resilience, we’ve put together a primer for you here.

We’ve also put together this quick guide to help you identify best-in-class cyber resilience solutions for your clients. Here’s what to look for when selecting a provider partner:

Don’t Overlook DNS Over HTTPS (DoH) Compliance

You’ve likely heard a lot about DNS-over-HTTPS following guidelines issued in March of 2021 by the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Agency (CISA).

We’ve got a rundown on how to help your clients achieve these recommendations here, but for our purposes today, we’ll focus on the attributes your protective DNS solution needs in order to be in compliance with the NSA and CISA guidelines:

• Malware domain blocking
• Phishing domain blocking
• Malware Domain Generation Algorithm (DGA) protection
• Uses machine learning (or other heuristics) to enhance threat feeds
• Content filtering
• Support for SIEM integration or custom analytics via API access
• Web-based dashboard and interface
• DNSSEC validation
• DoH/DoT capabilities
• Group-, device- and network-level policy customization
• Works on hybrid architectures

Threat Intelligence is an Important Protective DNS Differentiator

As we frequently discuss at Resilience Zone, the scope of the resilience provider you trust with your clients’ protection matters. That’s especially the case with threat intelligence, which informs vital first-line defense solutions like endpoint protection, managed detection and response (MDR) and protective DNS services. In other words, world-class threat intelligence, which is essential to achieving cyber resilience, should be the backbone of the protective DNS solution you use to arm your clients.

In fact, looking back at our list of NSA and CISA guidelines, the first three—malware domain blocking, phishing domain blocking and malware domain generation algorithm protection—can all be powered by market-leading threat intelligence.  

Other Meaningful Attributes

Other features to look for include:

• An entirely cloud-based solution for security, resilience and instant deployment without hardware or software concerns
• Fast, accurate and reliable web classifications (We’re dipping back into the strengths of your solution’s threat intelligence again—it’s difficult to overstate the importance of this attribute when you select a provider partner.)
• Domain-level threat blocking that automatically blocks dangerous and questionable site categories
• Policy configuration by group, device or network
• On-demand, detailed reporting power to uncover threats and risky user behavior
• The solution you select should be proven to dramatically reduce risky or undesirable traffic before it touches your network or devices (This isn’t just a matter of cost reductions and downtime avoided, though both are vital. It’s also why a good solution pairs well with endpoint protection to dramatically reduce your client’s attack surface.)

Your MSP Counts, Too

Following the advice and rules above can lead you to a robust and affordable solution for your clients. But it’s also essential to make sure that the solution you source is from a provider that knows how to take care of your business, too, and not just your customers. Look for a provider partner that can help you throughout your customer lifecycle. It makes all the difference in the world when it comes to supporting your customers and growing your MSP.