DNS-Based Security – Who Are You Kidding?

The proliferation of unsecured devices in the home presents a lucrative target for cybercrime with ransomware and cryptojacking just two common monetization methods out of many. Consumer security is a massive $6.5B market and with the growth of connected appliances in the home, the security industry is going through a transformation. Gone are the days when anti-virus software was a one-stop solution. Security is moving into the network.

But not all network-based security is equal. The two main approaches provide different results and face different challenges imposed by the changing environment in which they operate.

The first approach is DNS-based and is implemented on the service provider’s DNS system. It secures end users by inspecting their DNS requests before fulfilling their requests. If the DNS request is for a known* malicious domain, such as a phishing web site, or its content is inappropriate in a parental control service, the user is redirected to safety. The problems that this approach faces are significant, here are a couple of examples.

Writers of malware avoid the use of DNS. In fact, security researchers at Allot have observed that out of 1,700,000 sample downloads, only 850 used DNS for payload download—99.95% don’t use DNS! A second issue is that children easily avoid DNS-based parental control with apps like Google/Jigsaw that opens an encrypted tunnel to the Google DNS system, circumventing the SPs system without any remedy.

The second approach is in-line network-based security. As opposed to DNS-based systems, it sits in line and inspects all the requests coming from the end user including DNS and HTTP/S. It too redirects the user to safety if the domain in question is known to be malicious or its content is categorized as inappropriate.

The first advantage of in-line security is that it cannot be bypassed. It will see and inspect the DNS and HTTP/S request. The second advantage is that in-line security can also inspect the downstream traffic with anti-malware engines to recognize and block malicious code or scripts.

But in-line security also faces a challenge. Encryption not only hides the consumer’s personal data, it also hides malware and viruses from detection. So, where is the evidence that inline inspection and prevention of malware downloads is effective at all?

A recent survey performed by Allot professional services on behalf of four European SPs that protect 15 million mobile customers with an in-line security service, found that the service activated on average 140 million protections a month, over a period of six months.

On average three million unique customers were protected a month, based on matching their requests to threat intelligence systems. Furthermore, an additional 450,000 unique customers were protected from in-line detection and protection of malware downloads.

Although 3% of the protected 15 million may seem like a relatively low percentage, there is no doubt that 450,000 unique infected customers a month would have a significant negative impact on the service. This would manifest as a rise in call center complaints, dissatisfaction voiced on social media, and ultimately service attrition.

The following list of arguments shows why users should not rely on DNS-based security:

  • DNS parental control is easy to bypass
  • IoT malware does not rely on DNS
  • DNS over HTTPS direct to Google bypasses the ISPs DNS based security
  • It is not relevant for IoT security and the connected home
  • It is not future proof

Unlike DNS-based security, inline, network-based security cannot be bypassed and despite the wide adoption of encryption, in-line anti-malware engines are still effective. The evidence points to an inline security solution being the best option to protect the mass market against the growing threat of cyberattacks.

Are you concerned about DNS insecurity? Allot’s HomeSecure or NetworkSecure can assist—Contact Allot.

*Both DNS-based and in-line systems employ threat intelligence feeds that frequently update a database of malicious domains in addition to web content categorization.

*** This is a Security Bloggers Network syndicated blog from Allot Blog authored by Moshe Elias. Read the original post at:

Avatar photo

Moshe Elias

Moshe Elias is responsible for marketing Allot’s security solutions and security-as-a-service platforms to communication service providers and cloud providers that protect consumer and enterprise customers. Moshe has more than 26 years’ experience in security and information technology working with a range of customers from SMBs and enterprises and to governments and communication service providers and has a customer-centric approach to doing business. Prior to his role at Allot, Moshe served as a solution expert for Check Point Software Technologies where he was responsible for developing the Check Point Software Defined Protection (SDP) Data Center architecture for the Private and Public Cloud. Moshe began his career in IT at Cisco Systems, serving in roles that spanned the IT and security spectrum from engineering and business development to sales and marketing over a 12-year period.

moshe-elias has 7 posts and counting.See all posts by moshe-elias