How to best secure DNS? There's more than one approach
Article 1 of 3
Why secure DNS? A total DNS failure would make it impossible to resolve domain names to IP addresses, effectively bringing the internet to a halt. That outcome is extraordinarily unlikely but theoretically possible, since there is no practical substitute for DNS.
Translating domain names into IP addresses is the primary purpose of DNS. Doing so reliably on a global level is what allows networks to deliver content from a single domain to clients worldwide.
But DNS also lets bad actors build botnet command-and-control (C&C) infrastructure that evades detection, and register malicious domains for phishing or for collecting ransomware payments. Fortunately, passive DNS can help with defenses.
Just as air and water sustain life on Earth, DNS enables everything that happens online, and it answers every query without judgment. Malicious use of DNS has often been seen as something new protocols could remedy, such as the DNS Security Extensions (DNSSEC). DNSSEC does close one class of abuse: a validating resolver can check that a response was signed by the zone's owner, which defeats cache poisoning and forged answers. But it says nothing about whether a correctly signed name is benign; a criminal's zone can be signed just as well as a bank's.
But criminal activity on the internet depends on DNS for the same reason that legitimate internet activity does: DNS provides a platform to exchange system reachability data. Criminals exploit this to carry out attacks on legitimate users and systems, but defenders are finding new ways to use DNS to thwart the attackers.
So how to secure DNS? Passive DNS uses networks of sensors, typically placed alongside recursive resolvers, to record the answers those resolvers receive from authoritative servers: which names mapped to which records, when each mapping was first and last seen, and how often. Collected above the resolver's cache, this data carries no client identity, unlike query logs. Analysts monitor that record of the DNS ecosystem for suspicious domain name activity, such as names that appeared only hours ago or that rotate rapidly through many addresses, and issue alerts or blocklist entries that stop botnet C&C, phishing and ransomware traffic. Defenders using passive DNS are transforming DNS from an attack vector that needs to be defended into a security tool that can detect and defeat attacks before they are carried out.
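To make the passive DNS idea concrete, here is a small aggregator with the three analyses the paragraph above alludes to: spotting names that appeared recently, spotting names that rotate through many addresses, and pivoting from one known-bad name to the others sharing its hosts. This is an added example and not code from the original article or from any passive DNS vendor. The record layout (timestamp, rrname, rrtype, rdata) is an assumption modelled loosely on common passive DNS export formats, and the sensor records are constructed, using reserved example names and TEST-NET addresses.

```python
"""Toy passive DNS aggregator with the analyses a defender runs on it.

Added example. Sensor output is modelled as (timestamp, rrname, rrtype, rdata)
tuples, an assumption loosely following common passive DNS export formats; the
sample records are constructed and use reserved names and TEST-NET addresses.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Observation:
    """How often, and over what period, one name was seen mapping to one value."""
    first_seen: int
    last_seen: int
    count: int = 1


class PassiveDNS:
    def __init__(self) -> None:
        # (name, rrtype, rdata) -> Observation
        self.records: dict[tuple[str, str, str], Observation] = {}
        # (rrtype, rdata) -> names seen with that value; used to pivot on infrastructure
        self.by_rdata: dict[tuple[str, str], set[str]] = defaultdict(set)

    @staticmethod
    def normalize(name: str) -> str:
        return name.lower().rstrip(".")

    def ingest(self, ts: int, rrname: str, rrtype: str, rdata: str) -> None:
        """Fold one sensor sighting into the aggregate; no client identity is kept."""
        name = self.normalize(rrname)
        key = (name, rrtype, rdata)
        obs = self.records.get(key)
        if obs is None:
            self.records[key] = Observation(first_seen=ts, last_seen=ts)
        else:
            obs.first_seen = min(obs.first_seen, ts)
            obs.last_seen = max(obs.last_seen, ts)
            obs.count += 1
        self.by_rdata[(rrtype, rdata)].add(name)

    def newly_seen(self, now: int, window: int) -> list[str]:
        """Names first observed anywhere within `window` seconds of `now`.
        Phishing and payment domains are usually used within hours of registration."""
        first: dict[str, int] = {}
        for (name, _, _), obs in self.records.items():
            first[name] = min(first.get(name, obs.first_seen), obs.first_seen)
        return sorted(n for n, t in first.items() if now - t <= window)

    def fast_flux(self, min_addresses: int) -> list[str]:
        """Names that resolved to at least `min_addresses` distinct IPv4 addresses.
        Each client saw one answer; the sensor network sees the whole rotation."""
        addrs: dict[str, set[str]] = defaultdict(set)
        for name, rrtype, rdata in self.records:
            if rrtype == "A":
                addrs[name].add(rdata)
        return sorted(n for n, a in addrs.items() if len(a) >= min_addresses)

    def pivot(self, seed: str) -> list[str]:
        """Other names that shared an A record with `seed`."""
        seed = self.normalize(seed)
        related: set[str] = set()
        for name, rrtype, rdata in self.records:
            if name == seed and rrtype == "A":
                related |= self.by_rdata[(rrtype, rdata)]
        related.discard(seed)
        return sorted(related)


# Constructed sensor records: (unix time, rrname, rrtype, rdata).
SAMPLE_RECORDS = [
    (1_699_900_000, "www.example.com.", "A", "203.0.113.10"),
    (1_700_000_000, "www.example.com.", "A", "203.0.113.10"),
    (1_699_990_000, "example.com.", "MX", "10 mail.example.com."),
    # five different addresses for one name inside twenty minutes
    (1_700_080_000, "cdn-sync.example.org.", "A", "192.0.2.50"),
    (1_700_080_300, "cdn-sync.example.org.", "A", "192.0.2.51"),
    (1_700_080_600, "cdn-sync.example.org.", "A", "192.0.2.52"),
    (1_700_080_900, "cdn-sync.example.org.", "A", "192.0.2.53"),
    (1_700_081_200, "cdn-sync.example.org.", "A", "192.0.2.54"),
    # a brand-new name (mixed case, as sensors sometimes see it) on one of the same hosts
    (1_700_084_600, "PAY-INVOICE.example.", "A", "192.0.2.50"),
]
NOW = 1_700_086_400  # constructed "current time", 24h after the first flux sighting


def build_sample() -> PassiveDNS:
    pdns = PassiveDNS()
    for rec in SAMPLE_RECORDS:
        pdns.ingest(*rec)
    return pdns


if __name__ == "__main__":
    pdns = build_sample()
    print("new in last 24h:", pdns.newly_seen(NOW, 86_400))
    print("fast flux:", pdns.fast_flux(min_addresses=3))
    print("shares hosts with cdn-sync.example.org:", pdns.pivot("cdn-sync.example.org"))
```

The point of the aggregate is that it stores only name-to-record mappings with first-seen, last-seen and counts, which is why passive DNS data can be shared between organisations without exposing who asked; real deployments add TTL and the sensor location, and apply these heuristics to millions of records rather than nine.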
So, in our efforts to secure DNS, the cat-and-mouse game continues. For now, passive DNS has given defenders back the upper hand, and attackers are looking for new ways around it.