Skip to main content

Table of contents



Executive summary

Cyber attacks continue to grow at an alarming rate with ransomware and botnets being the latest and biggest forms of malware striking organizations.

The combination of a profit motive, easy-to-use tools, monetization options in terms of cryptocurrencies and dark web markets has fueled a global growth in thieves targeting Canadian organizations. In view of this changing landscape organizations of all sizes are looking at their defensive strategies.

A DNS firewall or a “cloud” firewall is now forming a critical part of defence because it provides a different view on the threat landscape and protection outside your corporate perimeter. When combined with threat blocking that leverages unique data science it provides important depth to your defensive strategy.

How DNS Firewall adds defence in depth

For larger organizations and MSPs (managed service providers), IT security has grown into its own team, often with a contributory role in premise and physical security. For those teams, this type of framework helps to describe how things work to their peers and to non-technical people across the organization. For those IT departments in smaller organizations that are boot-strapping together security solutions, we hope this guide can help you understand the role of the DNS in a defence-in-depth scenario.

The threat landscape is more complicated than ever

In the entire scope of security we often include money, technology, processes, premises and people. For technology there is a fairly common understanding of the layers involved in a typical stack and these layers all need to consider security in their design and development.

Within the technology framework there are also subcategories for hardware and network equipment that need management and patching. While this creates an administrative burden, it is the responsibility of individuals and if the time is planned it can be managed more easily. What is harder to manage is the behaviour of your users and that of thieves targeting your organization.

With a massive upward trend of connected devices and shadow IT combined with increasing threats fueled by a profit motive, a defence in depth strategy is necessary. Organizations benefit from multiple tools because the hackers are motivated to deploy their own multi-vector frameworks.


What is “defence in depth”?

The term has its origins in the military, where defensive layers protect themselves, each other, and the core. In the case of a DNS firewall, it exists outside the organization and could be analagous to air-cover over a battlefield. It has a unique view and response to the threat landscape.

Common attacks and their motivations. While ransomare garners the headlines, the threat landscape has all sorts of motivations.

source: Nominum Data Science

How defensive layers work together

Let’s start deep inside the perimeter. Every application runs on hardware and software that needs to updated/patched with the latest versions. With today’s connected landscape compounded by an IoT push, more and more devices are being added to your network backbone compounding the effort. Every one of these creates the opportunity to exploit your network and many put you in the position of relying on an outside vendor to issue a patch and for you to deploy it. This growing complexity is demanded by the business, often without full consideration of the security and ongoing maintenance required.

The same for protecting end users – which will be the focus of the rest of this review. The IT department can take care of patching systems but for some reason they aren’t allowed to patch humans. All they can do is train them and support them.

DNS Defensive layers 

So what do they do? Option 1 is to go back to the paper and pencil days. Option 2 is to help the end user protect from malware with automatic updating for their software, anti-virus software for their computer, email filtering tools for their communications, and a firewall for outbound browsing and application access. And also to block malware that gets in from communicating.

On premise solutions rely on your IT department to manage and so today’s best practice for defence in depth includes a cloud firewall that leverages the DNS (the fabric of the internet) to further protect from malware.

Layer Vendor H/W and S/W patches Threat Data Threat Library Updates

* depends on how systems are managed

Spam Filters Vendor A Local IT* Source A Vendor A + IT
Anti-Virus Vendor B Local IT* Source B Vendor B + IT
Perimeter Firewall Vendor C Local IT* Source C Vendor C + IT
DNS Firewall Cloud Vendor Cloud Vendor Source D Real time

Let’s look at how four common solutions work together and who is responsible: In reviewing who is responsible, you realize that if you are only leveraging one or two layers of security then you are relying on only one or two points of failure. Remember, in these systems every single part has a security stack of its own that is managed somewhere. While it is tempting to feel that you can off-load responsibility to a vendor, they are not the one answering questions when a failure happens – or taking credit for when it is averted. Individual IT managers within the organization have to take responsibility for the whole system.

When defining failure, there should be a very low bar. We are not talking about a system going down, because that is a bestcase scenario. Why? If something breaks then maybe the end user simply “goes down” and cannot work – but they also can’t be exploited by hackers! In security terms, a failure is something not happening in time. For instance, how quickly does a vendor update their definitions to catch the latest zero-day malware? How quickly does the IT department or the cloud vendor patch their own systems? A worst-case scenario is when everything appears fine, but underneath horrors are happening.

“Ransomware continues to increase as organizations rely on endpoint protection and traditional firewalls – showing that they aren’t enough.”

Mark Gaudet
CIRA Product Manager

In addition to a multi-stack approach you get the benefit of different vendors having a different understanding of the security landscape. What do we mean? Our own analysis shows that less than half of zero-day malware was caught by traditional anti-virus solutions so update speed is critical. Secondly, in the “fog of war” when zero-day malware is discovered, often assumptions and mistakes are made by individual vendors and industry wide. For example, in the minutes after the much publicized explosion of WannaCry happened, its method of attack and the clever way it was neutralized by a DNS kill switch, was in flux. Whether you blocked or unblocked that kill-switch could have depended on how you were protected. Importantly, different vendors responded at different rates. We aren’t even saying that CIRA was first – truth is, we don’t think anyone knows who reacted properly first – but importantly we are plugged into the DNS data and the security community so we could react quickly. As a cloud service, we updated our definitions for all users as soon as the information was analyzed and understood.

This speed matters because attacks and infections are increasingly happening in explosive global events using massively deployed botnets like Necurs or Reaper. It is a cat and mouse game played at the speed of fiber-optics.

A global view helps protect faster

Multi-vendor = multi-protection

With a single vendor’s threat feeds you are relying on a single data set that has its own unique view on the landscape and this presents holes.

Nominum Data Science ran an analysis on 17 anti-virus solutions to measure how many known malicious domains were blocked to demonstrate this problem. We see that the many were ineffective in blocking top strains. This is not to say that their solutions aren’t good, only that they were inconsistent in their blocking and that many missed problems that the DNS Firewall caught.

A lot of security solutions leverage common feeds of the latest threats and where they differentiate is either on how they deploy those feeds or on the additional threat intelligence they apply to them. The latter is important because you don’t really have depth in threat defence if the source(s) of the data is the same between vendors. In the DNS Firewall case, we leverage public and commercial threat feeds with additional intelligence through our own data science.

In short, the benefit of multi-vendor stacks is to:

a) Reduce the risk of a single point of failure
b) Improve the breadth of malware you are blocking

DNS Firewall works beyond the corporate network to provide a defensive layer that functions on the internet’s DNS infrastructure. It has two important features in the security for organizations. First, data feeds are in near real time and based on analysis of over 100 billion queries every day. This is made possible from the global deployments in large Internet Service Providers that constantly collect data. These data feeds typically add over 100,000 new threats to the block list every day. It is this speed of response that often protects you sooner than other solutions.

In addition to commercial and public data sources, our analysis adds new core domains that are filtered based on patterns and further analyzed. Malware domains are analyzed according to a proprietary Domain Reputation System (DRS) that detects nefarious looking domain activity. This runs through an anomaly detection engine that compares to historical information and live activity on the domain. The tools use machine learning to detect and block cluster families of malicious domains.

An unexpected benefit

Organizations that have deployed good defence in- depth processes have reported that they have lower IT support costs in fixing employee desktops.

To understand this, there are two types that get blocked:

  1. Unresolving domains often associated with botnets and malware command and control.
  2. Resolving domains with a type that is often associated with adware, malvertising, phishing and more.

Multiple data feeds plus unique data sources makes our threat avert science unique and effective.

Importantly, 84% of daily additions to the block list are based on primary research, so it is suggests very little overlap from other security solutions when threats are detected. Research and practice shows that in all security systems some threats get through one layer that are then stopped at another.


Adding DNS Firewall to your defensive strategy provides advanced data science and protection with no systems to manage and no negative impact on users and performance. In many cases, the ISP-grade recursive servers that we deploy can actually improve end user experience due to the high cache hit rate on browsing. When considering the relatively low cost of this type of perimeter defence versus the other security deployed it becomes imperative for all organizations to test a DNS firewall as part of their defensive strategy today.