Why DNS security is flawed by design

DNS firewalls are designed to protect organizations against dangerous Internet addresses used in phishing-led attacks, the kind that end in data breaches, malware, ransomware, fraud and online identity theft. DNS security works as a blocklist: it refuses to resolve domains (and, where the product offers it, URLs) that are classified as "dangerous", and permits access to every other Internet address.

When first introduced, DNS firewalls were very effective and reliable. That's probably why Cisco acquired OpenDNS for $635M in 2015. While this type of security continues to add huge value, it's becoming less effective with every day that passes, and organizations are left exposed to simple attacks that take minutes to set up.

DNS firewalls can block dangerous domains whether the site is served over HTTPS or HTTP, because the domain name is visible in the DNS query either way. They can also block individual URLs that are classified as dangerous, but ONLY when the site is served over plain HTTP, where the path is visible on the wire.

HTTPS:// = Encrypted

HTTP:// = Not encrypted

What DNS firewalls can block ✅

Dangerous domain — https://dangerousdomain.com (encrypted)
Dangerous domain — http://dangerousdomain.com (not encrypted)
Dangerous URL — http://safedomain/accountname/dangerousfile.html (not encrypted)

What DNS firewalls can NOT block ⛔️

Dangerous URL — https://github.com/account-name/known-danger.html (encrypted)
Dangerous URL — https://account.microsoft.com/bad/known-danger.html (encrypted)

DNS firewalls cannot check the classification of a URL on an HTTPS site. A DNS query carries only the hostname, and once the TLS session is up the path, the query string and everything else in the request travel inside the encrypted stream. The only way a URL check can apply to such traffic is an inspection layer that terminates TLS (a proxy with its own certificate installed on the endpoint), which is not what a DNS firewall does.
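As an added example (not from the original post, and not MetaCert's code), here is a small Python simulation of the asymmetry just described: the DNS layer is handed only the hostname, a plaintext-HTTP inspector additionally gets the path, and an HTTPS path is never available to classify. The blocklists, sample URLs and verdict strings are constructed for the demo.

```python
"""Simulate what a DNS-layer block can see for a URL versus what a
plaintext-HTTP inspection layer can see, and apply a blocklist at each
layer. Added example; blocklists, URLs and verdict strings are made up.
"""
from urllib.parse import urlsplit

# Constructed policy. A DNS firewall sinkholes these domains (and their
# subdomains); a URL classifier knows these exact URLs are dangerous.
BLOCKED_DOMAINS = {"dangerousdomain.com"}
BLOCKED_URLS = {
    "http://safedomain/accountname/dangerousfile.html",
    "https://github.com/account-name/known-danger.html",
    "https://account.microsoft.com/bad/known-danger.html",
}


def hostname_of(url: str) -> str:
    """The name a resolver is asked for: userinfo, port and path stripped."""
    host = urlsplit(url).hostname  # lowercased; drops "user@" and ":port"
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.rstrip(".")


def domain_blocked(host: str, blocked=BLOCKED_DOMAINS) -> bool:
    """True if host or any parent domain is on the DNS blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def visible_on_wire(url: str) -> dict:
    """What a network-level inspector sees once the connection is made.

    Plain HTTP: the request line and Host header carry the full path.
    HTTPS: only the hostname (DNS query and, normally, TLS SNI) is in the
    clear; path and query live inside the encrypted stream.
    """
    parts = urlsplit(url)
    host = hostname_of(url)
    scheme = parts.scheme.lower()
    if scheme == "http":
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        return {"scheme": scheme, "host": host, "path": path}
    if scheme == "https":
        return {"scheme": scheme, "host": host, "path": None}
    raise ValueError(f"unsupported scheme in {url!r}")


def verdict(url: str) -> str:
    """DNS-layer blocking, then URL classification of plaintext traffic only."""
    seen = visible_on_wire(url)
    if domain_blocked(seen["host"]):
        return "blocked:domain"  # resolver refuses the name outright
    if seen["path"] is None:
        # HTTPS on an allowed domain: even a URL that IS on the blocklist
        # passes, because the path is never available to check.
        return "allowed:path-encrypted"
    reconstructed = f"{seen['scheme']}://{seen['host']}{seen['path']}"
    if reconstructed in BLOCKED_URLS:
        return "blocked:url"  # only possible because the request was plaintext
    return "allowed:clean"


def demo() -> dict:
    """Constructed sample URLs covering each outcome."""
    samples = [
        "https://dangerousdomain.com",                          # blocked:domain
        "http://dangerousdomain.com",                           # blocked:domain
        "https://login.dangerousdomain.com:8443/",              # subdomain + port
        "https://github.com@dangerousdomain.com/login",         # lookalike userinfo
        "http://safedomain/accountname/dangerousfile.html",     # blocked:url
        "https://github.com/account-name/known-danger.html",    # allowed:path-encrypted
        "https://account.microsoft.com/bad/known-danger.html",  # allowed:path-encrypted
        "https://github.com/account-name/benign.html",          # allowed:path-encrypted
        "http://example.com/index.html",                        # allowed:clean
    ]
    return {u: verdict(u) for u in samples}


if __name__ == "__main__":
    for url, result in demo().items():
        print(f"{result:24} {url}")
```

Two of the constructed samples are worth a second look. `https://github.com@dangerousdomain.com/login` reads like GitHub to a human, but the resolver is asked for `dangerousdomain.com`, so the DNS layer sinkholes it: hostname lookalikes are exactly where DNS blocking still earns its keep. The genuine `https://github.com/account-name/known-danger.html`, which is on the URL blocklist, is waved through, because by the time the path exists on the wire it is already inside TLS.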

Today, over 85% of all websites start with HTTPS. It will soon be close to 100%: mainstream browsers already label HTTP pages as "Not secure" and offer HTTPS-only modes that warn before loading an unencrypted site. This is why criminals like to launch attacks using dangerous URLs that belong to trusted domains such as google.com, microsoft.com, linkedin.com, twitter.com, facebook.com, instagram.com, slack.com and telegram.com, the world's most widely used websites: the domain is reputable, so the DNS layer waves the request through, and the dangerous path is invisible to it.

Ironically, as the web becomes more privacy-respecting it also becomes less safe in this respect. As more traffic moves to HTTPS, DNS firewalls see less of it, and they become less reliable and less effective.

Why this is a major problem

Over 90% of the world's cyberattacks involve phishing. According to ProofPoint, dangerous email links outnumber dangerous attachments 5 to 1. The data paints a bleak picture: dangerous links are still the #1 vector for phishing, and phishing is the #1 problem in cybersecurity today.

The CA Security Council represents the security vendors that sell SSL certificates. They invited me to write an in-depth article on the impact of the browser padlock on Internet security. If you enjoyed this DNS article, I think you'll also want to read "The insecure elephant in the room".

The solution

DNS firewalls should be coupled with a security layer that offers protection against dangerous URLs on trusted domains. I believe the entire threat model is broken; that's why we're building MetaCert, but that's a story for another day.




MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.

Paul Walsh