What you need to know about the DNS system and how to protect your clients from the cybercrooks who exploit it.
Protective DNS services are essential components of today’s cyber resilience strategies, but what DNS is and why it needs protecting isn’t well known. This may be the case for your MSP (it’s likely the case for new hires, at least), and it’s certainly the case with some, if not most, of your clients.
To help with those discussions, we’ve put together this primer on the DNS system, how it works and how protective DNS can protect your clients from cybercrooks who have learned to exploit the DNS system to their own benefit.
What is the Domain Name System (DNS)?
The Domain Name System (DNS) is a critical component of the Internet responsible for converting human-readable website names (e.g., www.example.com) into numerical IP addresses that computers use to route traffic on the internet. DNS is often referred to as the “phone book” of the internet because it provides a mapping between domain names and IP addresses. Without DNS, users would have to remember or look up complex IP addresses in order to visit websites.
How DNS Works
DNS is a decentralized system maintained by a network of computers worldwide called name servers. When you type a domain name into your web browser, your computer (or other device, but for this example, let’s just go with a computer) contacts a DNS server to resolve the name into an IP address. The DNS server then sends your computer the IP address of the website you requested, and your computer connects to that site using the IP address.
DNS servers are organized into hierarchies, with each level providing information about a different part of the domain name space. The root level of the hierarchy contains information about top-level domains (TLDs), such as .com, .net and .org. The next level down contains information about second-level domains (e.g., example in www.example.com), and so on. When a DNS server receives a request for a domain name that it doesn’t have information about, it contacts a DNS server at the next level up in the hierarchy until it finds a server that can provide the information (you may have heard of this process as “recursive resolution”).
What is Protective DNS?
A protective DNS service provides security measures that protect devices from online threats. It essentially works like this:
* As we discussed earlier, when you visit a website, your computer typically contacts a DNS server to resolve the site’s domain name into an IP address.
* However, if you’re using protective DNS, your computer instead contacts a special DNS server designed to block malicious sites. This helps protect you from accidentally visiting sites containing viruses or other malware. Protective DNS can also block access to sites known to host malicious content (those sites often are cataloged in lists called denylists or blocklists).
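The filtering step described above can be sketched as follows. This is an added example, not code from the original article or from any vendor's product; it shows the block-or-resolve decision made on each query name, matching on label boundaries so a lookalike name is not blocked by mistake. The domain names, the allowlist override and all function names are constructed assumptions.

```python
from typing import Optional, Tuple

# Constructed sample lists; a real service would load these from threat feeds.
BLOCKLIST = {"malware-drop.example", "phish-login.test"}
ALLOWLIST = {"safe.malware-drop.example"}  # hypothetical local override


def normalize(qname: str) -> str:
    """Lower-case the query name and drop the trailing root dot."""
    return qname.strip().rstrip(".").lower()


def suffixes(name: str):
    """Yield the name and each parent domain, split on label boundaries.

    'a.b.example' yields 'a.b.example', 'b.example', 'example'.
    """
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(qname: str) -> Tuple[str, Optional[str]]:
    """Return (action, matched_entry); action is 'resolve' or 'block'.

    Candidates are checked from most to least specific, so an allowlisted
    subdomain of a blocked domain still resolves.
    """
    for candidate in suffixes(normalize(qname)):
        if candidate in ALLOWLIST:
            return ("resolve", candidate)
        if candidate in BLOCKLIST:
            return ("block", candidate)
    return ("resolve", None)


def filter_queries(qnames):
    """Apply decide() to a batch of query names."""
    return [(q, *decide(q)) for q in qnames]


if __name__ == "__main__":
    sample = [  # constructed query names
        "www.example.com",
        "CDN.Malware-Drop.Example.",
        "notmalware-drop.example",
        "safe.malware-drop.example",
    ]
    for qname, action, entry in filter_queries(sample):
        print(f"{qname:30} {action:8} {entry or '-'}")
```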
Opening Discussions with Your Clients About Protective DNS
The most common entry point to DNS protection discussions with clients this past year has been the guidelines from the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Agency (CISA) on DNS over HTTPS (DoH). We’ve got a blog devoted to that here, which can help.
Another timely entry point for discussions is to point out that DNS protection, when paired with an endpoint protection solution, delivers a powerful two-pronged security solution for remote workers. That’s because the right DNS protection solution can:
- Help secure remote workers
- Stop malware before it reaches endpoints
- Prevent data theft
- Prevent your clients’ network or devices from becoming part of a botnet
- Help to keep customer records from getting breached
- Avoid redirection from authentic sites to phishing sites
- Empower your customers to block access to problematic sites like those with malvertising, gambling, peer-to-peer streaming, etc.
As with all things cyber resilience, selecting the right protective DNS service provider partner is key to your clients achieving resilience as well as your ability to effectively grow your MSP.