How to best secure your DNS

David Strom, 12 November 2020

Getting serious about DNS protection means understanding the risks and educating yourself about service features

By now, most of us know what a distributed denial of service (DDoS) attack is and how it is carried out: legions of compromised endpoints send large volumes of network traffic at a single target.

But what is less well known is that this is just one of many ways the Domain Name System (DNS) can be abused. Sadly, DNS attacks are on the rise, both in sophistication and in raw numbers. We have already published an information piece on protecting DNS on our Avast Business site, which discusses how to repel this and other kinds of DNS attacks.

But the bad guys are getting cleverer. Recently, a group of academics described a new way to carry out an old attack, DNS cache poisoning. A typical recursive DNS server keeps the answers to prior lookups in memory. When a new request arrives to resolve a domain name such as google.com, the server first checks whether it already holds a fresh answer and, if so, returns it without asking the authoritative servers again. If an attacker can plant a forged answer in that cache, every client of the resolver is sent to a destination the attacker controls until the entry expires. That is what cache poisoning does. A decade ago, poisoning was largely thwarted by making the resolver's outgoing queries unpredictable: both the 16-bit transaction ID and the UDP source port are randomized, so a forged reply is very unlikely to match an outstanding query. The researchers found a side channel that lets an off-path attacker infer the source port and so revive the attack, and found that a third of the DNS resolvers they tested were vulnerable, a figure that includes the most popular DNS services.
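To make the role of that randomization concrete, here is an added simulation (not code from the article or from the researchers it mentions). It models a resolver waiting for one upstream reply and an off-path attacker flooding it with forged replies before the genuine one arrives; a forged reply is accepted only if its port and transaction ID both match. The port range, reply budget and trial count are assumptions chosen for the simulation, and the attacker is assumed to know the resolver's policy and to be able to observe the transaction ID of lookups it triggers itself.

```python
"""Why randomizing the transaction ID and source port blunts off-path
DNS cache poisoning.

Added illustration, not code from the article or from the researchers it
mentions.  It models a recursive resolver waiting for one upstream reply
and an off-path attacker who floods it with forged replies before the
genuine one arrives.  A forged reply is accepted (the cache is poisoned)
only if its destination port and 16-bit transaction ID both match the
outstanding query.  Port range, reply budget and trial count are
assumptions chosen for the simulation.
"""
from __future__ import annotations

import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16                  # DNS transaction ID is 16 bits
FIXED_PORT = 53                       # old resolvers reused one source port
EPHEMERAL_PORTS = range(1024, 65536)  # assumed source-port randomization range


@dataclass
class Resolver:
    randomize_port: bool
    randomize_txid: bool
    next_txid: int = 0                # counter used when txids are sequential

    def send_query(self, rng: random.Random) -> tuple[int, int]:
        """Issue an upstream query; return the (source port, txid) a reply
        must carry to be accepted."""
        port = rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        if self.randomize_txid:
            txid = rng.randrange(TXID_SPACE)
        else:
            txid = self.next_txid
            self.next_txid = (self.next_txid + 1) % TXID_SPACE
        return port, txid


def forge_replies(resolver: Resolver, rng: random.Random,
                  budget: int, observed_txid: int) -> list[tuple[int, int]]:
    """(port, txid) pairs an off-path attacker stamps on `budget` forged
    replies.  The attacker knows the resolver's policy: if txids are
    sequential it predicts the next one from one it observed earlier;
    if the port is fixed it uses that port; otherwise it must guess."""
    if resolver.randomize_txid:
        txids = rng.sample(range(TXID_SPACE), min(budget, TXID_SPACE))
    else:
        txids = [(observed_txid + 1) % TXID_SPACE]
    replies = []
    for txid in txids:
        port = rng.choice(EPHEMERAL_PORTS) if resolver.randomize_port else FIXED_PORT
        replies.append((port, txid))
    return replies[:budget]


def poisoning_rate(randomize_port: bool, randomize_txid: bool,
                   trials: int = 1000, budget: int = 500, seed: int = 1) -> float:
    """Fraction of `trials` in which at least one of `budget` forged
    replies matched the outstanding query and got cached."""
    rng = random.Random(seed)
    resolver = Resolver(randomize_port, randomize_txid)
    # The attacker first makes the resolver look up a name in a zone the
    # attacker controls, which reveals the txid currently in use.
    _, observed_txid = resolver.send_query(rng)
    poisoned = 0
    for _ in range(trials):
        outstanding = resolver.send_query(rng)
        if outstanding in set(forge_replies(resolver, rng, budget, observed_txid)):
            poisoned += 1
        observed_txid = outstanding[1]   # attacker-triggered lookups leak the current txid
    return poisoned / trials


def expected_rate(randomize_port: bool, randomize_txid: bool, budget: int = 500) -> float:
    """Closed-form approximation: `budget` distinct guesses over the space
    of unpredictable (port, txid) combinations, capped at certainty."""
    space = (len(EPHEMERAL_PORTS) if randomize_port else 1) * (TXID_SPACE if randomize_txid else 1)
    return min(1.0, budget / space)


if __name__ == "__main__":
    for port_rand, txid_rand in [(False, False), (False, True), (True, True)]:
        print(f"port random={port_rand!s:5} txid random={txid_rand!s:5} "
              f"simulated={poisoning_rate(port_rand, txid_rand):.4f} "
              f"expected={expected_rate(port_rand, txid_rand):.2e}")
```

With sequential transaction IDs and a fixed port every trial is poisoned; with a random ID alone a few hundred forged replies succeed roughly one time in a hundred, which an attacker can simply repeat; only with the port randomized as well does the success rate drop to roughly one in ten million. That is why an attack that recovers the source port through a side channel puts resolvers back where they were before randomization.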

Further reading:
How to change your router DNS settings and avoid hijacking

These attacks aren’t completely unexpected. For example, back in 2016 attackers figured out how to use DNSSEC for DDoS amplification: the large signed responses that DNSSEC adds let a small spoofed query produce a much bigger reply aimed at the victim. DNSSEC is just one of several protective DNS protocols now in use, and they address different threats. DNSSEC lets a resolver verify that an answer is authentic and unmodified, which is exactly the check that defeats a poisoned cache entry, but it encrypts nothing. DNSCrypt and DNS over HTTPS encrypt the traffic between your device and the resolver so it cannot be read or altered on the wire, but they do not prove that the resolver’s answer is correct. Serious protection wants both.

Paul Vixie is one of the key developers of DNS. He told me that “an IT manager could build better defenses against all kinds of attacks if they learn how to monitor what is happening across their DNS infrastructure. This is because the bad guys are going to have to create DNS content if they want to reach their victims.”
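Here is an added example of the kind of monitoring Vixie is describing (it is not code from the article, from Avast or from Vixie). It scans a resolver query log for DNS content an attacker had to create: a registered domain nobody on the network has queried before, a burst of NXDOMAIN answers to one client (malware cycling through generated names), and a long high-entropy label (data smuggled out inside queries). The log format, sample lines, baseline and thresholds are all constructed assumptions; adapt the parser to what your resolver actually emits and tune the thresholds against your own traffic.

```python
"""Watching a resolver's query log for attacker-created DNS content.

Added example, not code from the article or from Avast.  The log format
(timestamp, client, qname, qtype, rcode, space separated) is a constructed
simplification; adapt `analyze` to what your resolver actually emits.
The three rules and their thresholds are assumptions to tune against
your own traffic.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: 10.0.0.5 behaves normally, 10.0.0.9 does not.
SAMPLE_LOG = """\
2020-11-12T10:00:01Z 10.0.0.5 www.example.com A NOERROR
2020-11-12T10:00:02Z 10.0.0.5 mail.example.com MX NOERROR
2020-11-12T10:00:03Z 10.0.0.9 qzkxv7t2p.example.net A NXDOMAIN
2020-11-12T10:00:03Z 10.0.0.9 r4mwd9sx1.example.net A NXDOMAIN
2020-11-12T10:00:04Z 10.0.0.9 b8ztq3nvk.example.net A NXDOMAIN
2020-11-12T10:00:04Z 10.0.0.9 c2lp5yhrd.example.net A NXDOMAIN
2020-11-12T10:00:05Z 10.0.0.9 update.example.org A NOERROR
2020-11-12T10:00:06Z 10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.t.example.org TXT NOERROR
"""
# Registered domains this network queried on previous days (assumed baseline).
BASELINE = {"example.com"}

NXDOMAIN_BURST = 4   # assumed: NXDOMAIN answers to one client before alerting
ENTROPY_BITS = 3.5   # assumed: bits per character above which a label looks encoded
LONG_LABEL = 24      # assumed: only labels at least this long are entropy-checked


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str
    detail: str


def registered_domain(qname: str) -> str:
    """Last two labels of the name.  A real deployment should consult the
    public suffix list, since e.g. 'co.uk' needs three labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def label_entropy(label: str) -> float:
    """Shannon entropy, in bits per character, of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def analyze(log_text: str, baseline: set[str]) -> list[Alert]:
    """Run the three rules over the log and return the alerts in log order."""
    alerts: list[Alert] = []
    seen = set(baseline)          # copy so the caller's baseline is untouched
    nxdomains: Counter[str] = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        qname = qname.rstrip(".").lower()

        # Rule 1: a registered domain no client here has ever resolved.
        domain = registered_domain(qname)
        if domain not in seen:
            seen.add(domain)
            alerts.append(Alert("first_seen_domain", domain,
                                f"first queried by {client} at {ts}"))

        # Rule 2: one client collecting NXDOMAIN answers, as DGA malware does.
        if rcode == "NXDOMAIN":
            nxdomains[client] += 1
            if nxdomains[client] == NXDOMAIN_BURST:
                alerts.append(Alert("nxdomain_burst", client,
                                    f"{NXDOMAIN_BURST} NXDOMAIN answers"))

        # Rule 3: a long, high-entropy leftmost label, as DNS tunnelling produces.
        first = qname.split(".")[0]
        if len(first) >= LONG_LABEL and label_entropy(first) > ENTROPY_BITS:
            alerts.append(Alert("high_entropy_label", qname,
                                f"{qtype} query, {len(first)}-char label, "
                                f"{label_entropy(first):.2f} bits/char"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, BASELINE):
        print(f"{alert.rule:20} {alert.subject:50} {alert.detail}")
```

On the sample above the normal client never trips a rule, while the suspect client produces a first-seen alert for each new registered domain, an NXDOMAIN-burst alert, and a high-entropy alert for the 32-character TXT label. Feed the first-seen alerts into a ticket or block list and the others into your SIEM; none of them depends on knowing the attacker's domains in advance, which is the point Vixie makes.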

So let’s look at some alternative DNS providers. Techradar has reviewed many of them, covering both free and paid subscription plans. There is a wide range of providers, so before committing to a paid plan, try out several of the free services and see what you get.

But if you are serious about DNS protection, you should review what features the paid vendors offer and what their fees will be. Some offer near-real-time traffic analysis, some have more sophisticated geofencing rules that can block some phishing attacks, and some provide load balancing and other content proxies to make your network operate more efficiently. Some vendors will tell you where their DNS servers are physically located and some won’t, so keep that in mind as well. Geekflare has a set of performance comparison services, most of them free, that can show you whether switching to another DNS provider will improve your network response time and reduce latency. While these aren’t security issues, there is little point in switching to an alternate DNS provider that makes response times worse.

The major cloud vendors such as Google, Amazon and Microsoft Azure all have their own specialty DNS offerings. If you deploy significant infrastructure across any of these cloud systems, you should definitely make use of their DNS services.

Importantly, there are several Avast products that can help protect your DNS. These include Avast SecureLine VPN, Avast Secure Browser and Avast Antivirus, which each offer various DNS protective features.