Protective DNS Explained

Protective DNS uses DNS infrastructure as a cybersecurity control layer to block malicious domains before connections to attacker infrastructure occur.


Protective DNS cybersecurity diagram

Protective DNS architecture. A recursive DNS resolver with security policies such as RPZ can block malicious domains before users connect to attacker infrastructure.

What is Protective DNS? #

Protective DNS is a cybersecurity technique that prevents users and devices from connecting to malicious domains during the DNS resolution process.

Rather than answering every query as the authoritative data dictates, a Protective DNS resolver applies security policies that block domains associated with malware, phishing campaigns, botnets and other cyber threats.

Because almost every Internet connection begins with a DNS lookup, the resolver is a powerful control point for preventing connections to dangerous systems across the Internet. The control only covers queries that actually reach the protective resolver: a device configured to use another resolver, including encrypted DNS (DoT or DoH) to a third party, bypasses it unless that traffic is blocked or redirected.

Protective DNS solutions are commonly deployed by:

How Protective DNS Works #

When a device attempts to connect to a domain, the DNS resolver checks the queried name against threat intelligence databases that contain domains associated with cybercrime infrastructure.

If the queried domain appears in a threat intelligence feed, the DNS resolver applies a security action instead of returning the real answer, such as:

These actions prevent infected machines or unsuspecting users from connecting to attacker infrastructure.

Protective DNS as a DNS Firewall #

Protective DNS is often described as a DNS firewall. Just as traditional firewalls control network traffic based on IP addresses and ports, DNS firewalls enforce security policies during DNS resolution.

Technologies such as Response Policy Zones (RPZ) allow DNS resolvers to override normal DNS responses and apply security policies based on threat intelligence feeds. An RPZ is an ordinary DNS zone whose records encode the policy: the owner name is the trigger (most commonly the queried name, although RPZ can also trigger on the IP addresses in an answer or on the name servers used during resolution) and the record data selects the action, such as answering NXDOMAIN, answering NODATA, dropping the query, redirecting the client to local data, or explicitly passing the name through.

This makes DNS an effective layer for blocking threats including:

Why Internet Service Providers Deploy Protective DNS #

Internet Service Providers face increasing pressure to protect the reputation of their IP address space and reduce abusive traffic originating from infected customer devices.

Without DNS filtering, users may unknowingly access malicious domains through phishing campaigns, compromised websites or malicious advertising networks.

Once infected, these devices may participate in malicious activity such as:

These activities frequently cause ISP IP addresses to appear in reputation systems such as:

Deploying Protective DNS reduces malware infections and the outbound abuse traffic they generate, helping ISPs protect the reputation of their networks. It does not disinfect already-compromised devices, but cutting off command-and-control lookups limits what they can do.

Threat Intelligence Feeds #

Protective DNS relies heavily on continuously updated threat intelligence feeds.

These feeds contain indicators of compromise such as malicious domains, botnet command-and-control servers and phishing infrastructure discovered by security research organizations.

Threat intelligence sources may include:

These feeds are frequently converted into DNS policy zones (RPZ zones) used by DNS firewalls, and because an RPZ is a regular zone it can be distributed to resolvers with standard zone transfers and refreshed as the feed changes.
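The following added example (not Planisys code, and not tied to any particular feed or resolver product) ties together the two preceding sections: it converts a small feed into RPZ policy records, renders them as a BIND-style zone file, and then evaluates query names against the policies the way an RPZ QNAME trigger does, exact owner first and then the most specific wildcard parent. The feed contents, the allowlist and the sinkhole address are constructed for illustration.

```python
"""Feed -> RPZ zone -> policy lookup (added example, not from the original page)."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample feed: one indicator per line, '#' comments, mixed quality.
SAMPLE_FEED = """\
# hypothetical feed, constructed for this example
Phishing-Login.example.
c2.botnet.example
*.malware-cdn.example   # wildcard entry: every subdomain, not the apex
not a domain!
bad-ads.example
"""

# RPZ encodes the action as the rdata of the policy record.
NXDOMAIN = "CNAME ."              # answer NXDOMAIN
NODATA = "CNAME *."               # answer NODATA (name exists, no records)
DROP = "CNAME rpz-drop."          # drop the query, send no response
PASSTHRU = "CNAME rpz-passthru."  # allowlist: resolve normally


def redirect(ipv4: str) -> str:
    """Local-data action: hand the client a sinkhole / block-page address."""
    return f"A {ipv4}"


_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(raw: str) -> Optional[str]:
    """Strip comments and trailing dot, lowercase, validate labels; None if unusable."""
    name = raw.split("#", 1)[0].strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    wildcard = name.startswith("*.")
    labels = name[2:].split(".") if wildcard else name.split(".")
    if not labels or not all(_LABEL.match(label) for label in labels):
        return None
    return ("*." if wildcard else "") + ".".join(labels)


def build_policies(feed: str, action: str = NXDOMAIN,
                   allow: Sequence[str] = ()) -> Tuple[Dict[str, str], List[str]]:
    """Map RPZ owner names to actions. Returns (policies, rejected feed lines)."""
    policies: Dict[str, str] = {}
    rejected: List[str] = []
    for line in feed.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name = normalize(line)
        if name is None:
            rejected.append(line)          # never let garbage reach the zone
            continue
        policies[name] = action
        if not name.startswith("*."):
            policies["*." + name] = action  # an RPZ wildcard does not cover the apex
    for entry in allow:                     # hypothetical allowlist overrides the feed
        normalized = normalize(entry)
        if normalized is not None:
            policies[normalized] = PASSTHRU
    return policies, rejected


def render_zone(policies: Dict[str, str], serial: int, ttl: int = 300) -> str:
    """Emit a BIND-style RPZ zone; owner names are relative to the zone origin."""
    lines = [f"$TTL {ttl}",
             f"@ SOA localhost. hostmaster.localhost. {serial} 3600 900 604800 {ttl}",
             "@ NS localhost."]
    lines += [f"{owner} {rdata}" for owner, rdata in sorted(policies.items())]
    return "\n".join(lines) + "\n"


def lookup(policies: Dict[str, str], qname: str) -> Optional[str]:
    """QNAME trigger: exact owner wins, then the closest wildcard parent; None = resolve normally."""
    name = qname.lower().rstrip(".")
    if name in policies:
        return policies[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in policies:
            return policies[candidate]
    return None


if __name__ == "__main__":
    pols, bad = build_policies(SAMPLE_FEED, allow=["bad-ads.example"])
    print(render_zone(pols, serial=2025010101))
    print("rejected:", bad)
    for q in ("login.phishing-login.example", "malware-cdn.example",
              "cdn.malware-cdn.example", "bad-ads.example", "www.example.com"):
        print(f"{q:32} -> {lookup(pols, q) or 'resolve normally'}")
```

Two details matter in practice: the feed parser must reject anything that is not a hostname, since a malformed owner name breaks the whole zone load, and an explicit `*.name` entry deliberately leaves the apex unblocked, so feeds that mean "the domain and everything under it" must list both.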

Why DNS is a Strategic Security Layer #

DNS sits at a strategic location in the Internet architecture. Before a browser, application or device connects to a server, it must first resolve the domain name to an IP address.

Because of this, DNS infrastructure can act as an early security checkpoint capable of blocking many threats before any TCP or UDP connection to the attacker is established, regardless of the application or protocol that would have followed.

This approach provides several advantages:

Planisys 2025 © All rights reserved.