Why DNS security is flawed by design

DNS firewalls are designed to protect organizations against dangerous Internet addresses that are used in phishing-led attacks such as data breaches, malware, ransomware, fraud and online identity theft. DNS security is designed to block access to domains or URLs that are classified as “dangerous”. Access is permitted to all other Internet addresses.

When first introduced, DNS firewalls were very effective and reliable. That’s probably why Cisco acquired OpenDNS for $635M in 2015. While this type of security continues to add huge value to society, it’s becoming less effective with every day that passes, and organizations are left exposed to simple attacks that take minutes to setup.

DNS firewalls can block dangerous domains, even when they’re encrypted. They can also block URLs that are classified as dangerous, but ONLY if they belong to unencrypted domains.

HTTPS:// = Encrypted

HTTP:// = Not encrypted

Dangerous domain — https://dangerousdomain.com (encrypted)
Dangerous domain — http://dangerousdomain.com (not encrypted) Dangerous URL — http://safedomain/accountname/dangerousfile.html

Dangerous URL https://github.com/account-name/known-danger.html ️ Dangerous URL https://account.microsoft.com/bad/known-danger.html

DNS firewalls cannot check the classification of URLs that belong to encrypted domains.

Today, over 85% of all websites start with HTTPS. It will soon be 100% because mainstream browsers are starting to block access to sites that use HTTP instead of HTTPS. This is why criminals like to launch attacks using dangerous URLs that belong to trusted domains such as google.com microsoft.com linkedin.com twitter.com facebook.com instagram.com slack.com telegram.com — you know, the world’s most widely used websites.

Ironically, as the web becomes more privacy-respecting it also becomes less safe. As more domains become encrypted, DNS firewalls become less reliable and less effective.

Why this is a major problem

Over 90% of the world’s cyberattacks involve phishing. According to ProofPoint, dangerous email links outnumber dangerous attachments 5 to 1. The data paints a bleak picture, dangerous links is still the #1 vector for phishing, and phishing is the #1 problem in cybersecurity today.

The CA Security Council represents the security vendors that sell SSL Certificates. They invited me to write an in-depth article on the impact of the browser padlock on Internet security. If you enjoyed my DNS article I think you’ll like to read about “The insecure elephant in the room”.

The solution

DNS firewalls should be coupled with a security layer that offers protection against dangerous URLs on trusted domains. I believe the entire threat model is broken, that’s why we’re building MetaCert, but that’s for a different story.

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.