Top 8 Domain Name System (DNS) Security Tools
- Cisco Umbrella
- Infoblox BloxOne Threat Defense
- TitanHQ WebTitan
- Palo Alto Networks DNS Security
- Infoblox Advanced DNS Protection
- Webroot DNS Protection
- F5 BIG-IP DNS
- BlueCat DNS Edge
There is much differentiation within the licensing so if anyone wants DNS security from the DNS security log, we are there already, and if anyone wants to go to a secure internet gateway, that is also available. We can get the integrated cloud DLP license keys. That is a good benefit with Cisco Umbrella. You can get a complete solution in a single licensing.
Using the reporting, we can tell that we have gained an extra layer of protection. Just by looking at it, we can see what is being blocked before it even makes it to the firewall. It is definitely working.
The web content filter is the most valuable feature.
The solution offers very good self-authentication. It has a lot of protocols and ways to authenticate users by ID, or by Active Directory Integration. It's able to take credentials from the Active Directory Domain Controllers.
We now have insight into our DNS requests and we can actively see how many thousands of malicious requests have gotten knocked down in the last day or week that we didn't have before. There's more insight for both security and more insight.
The most valuable features of Infoblox Advanced DNS Protection are the services, DHCP, and debugging. Additionally, we can use APIs and Ansible scripts.
When compared with other products, Webroot DNS Protection is the best to secure the end users.
The dashboard of the solution is a valuable feature.
It is easy to administer.
F5 technical support is quite good and they follow up if there are any issues.
It allows us to easily monitor our subnets and routers.
How does DNSSEC work?
Domain name system security (DNSSEC) adds a level of protection to the DNS by using two digital keys to authenticate any address retrieved by the DNS. One of the keys is held privately by the owner of the website and revealed to no one. The other key is present in the code of the web page where anyone can access it publicly. These keys attempt to verify the authenticity of a signature on the web page data that the DNS pulls up. A search for a web page prompts the DNS to retrieve and attempt to match the public key to a digital signature that stamps the data. If the key confirms that the signature is valid, then the information is returned to the person who issued the query. However, if the key is unable to verify the data as valid, then the data is rejected. The system will assume that it is under attack and will issue an error message.
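The sign-then-validate flow described above, as an added Go example (not code from this page or from any of the listed products). It is a simplified model: in deployed DNSSEC the public key and the signature are published in the zone as DNSKEY and RRSIG records and the signed bytes follow RFC 4034; the `RRset` type, the choice of Ed25519 and the sample name and addresses are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified set of A records (constructed model, not the RFC 4034 wire format).
type RRset struct {
	Name  string
	Addrs []string
}

// ErrBogus is returned in place of data that the signature does not cover.
var ErrBogus = errors.New("bogus: signature does not match this data")

// signedData builds the bytes the signature covers. The name is lowercased and
// the addresses sorted so the same record set always serializes identically.
func signedData(rr RRset) []byte {
	addrs := append([]string(nil), rr.Addrs...)
	sort.Strings(addrs)
	return []byte(strings.ToLower(rr.Name) + "\x00" + strings.Join(addrs, "\x00"))
}

// Sign is the zone owner's side; the private key never leaves the signer.
func Sign(priv ed25519.PrivateKey, rr RRset) []byte {
	return ed25519.Sign(priv, signedData(rr))
}

// Validate is the resolver's side: the data is returned only when the public
// key confirms the signature; anything else is rejected with an error.
func Validate(pub ed25519.PublicKey, rr RRset, sig []byte) ([]string, error) {
	if !ed25519.Verify(pub, signedData(rr), sig) {
		return nil, ErrBogus
	}
	return rr.Addrs, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	rr := RRset{"www.example.com.", []string{"192.0.2.10", "192.0.2.11"}} // constructed sample
	sig := Sign(priv, rr)
	fmt.Println(Validate(pub, rr, sig)) // genuine answer: addresses returned
	rr.Addrs[0] = "203.0.113.66"        // forged address, original signature
	fmt.Println(Validate(pub, rr, sig)) // rejected with ErrBogus
}
```

A forged address, a changed name or a signature checked against a different public key all end in the same rejection, which a validating resolver surfaces to the client as a failed lookup rather than as an answer.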
What is the purpose of DNSSEC?
The reason that domain name system security is necessary is that by itself the DNS is not secure. It is possible for hackers to manipulate the DNS and send users to any web page that they desire. An unsuspecting person can be redirected to a site which can maliciously target them. Hackers have the ability to forge DNS data and make it so that the IP address appears to be anything that they want. The computer that launches the query ordinarily would not have any way to determine the true source of the data. The development of DNSSEC created a way of securing the DNS against data forgery.
What is the difference between DNS and DNSSEC?
A domain name system (DNS) is an object in itself. This is a program that takes domain names and transforms them into a format that computers are able to read. It exists as its own independent entity and requires nothing else for it to be meaningful. Domain name system security (DNSSEC) is a protocol that exists as an addition to DNS. DNSSEC provides a layer of security to the DNS which is otherwise pretty insecure. For this reason, DNSSEC only has meaning when seen as an add-on to the DNS.
There are a number of benefits that come with the use of domain name system security (DNSSEC). It can:
- Bring a greater level of peace of mind to computer users. Users do not have to worry as much that they are going to be receiving malicious data.
- Make computers safer from attack by hackers than those not employing this DNS extension. With DNSSEC, non-authentic data is rejected and not allowed to infect the computer that it may be targeting.
- Build a greater level of trust, which will allow for more services to migrate online in the future.