The best way of understanding the Domain Name System (DNS) is to think of it as the central telephone directory of the Internet, which contains all the world’s public Internet domain names and Internet Protocol (IP) addresses related to them. When we want to find information online we think and search in domain names, such as www.bbc.com or www.london.gov.uk. However, every device connected to the Internet (such as your laptop) has a unique IP address, like 192.168.1.1, with which other devices find it. So while it’s easier for us to remember domain names, devices and web browsers think and interact through IP addresses. Thus the core purpose of the DNS is to translate the domain names we use into the IP addresses our browsers and devices use. The result? All the technology quickly connects up and you get the information you were searching for. The trouble is, ever since DNS was created in 1987, it’s been largely unencrypted. Which means everyone between your device and the DNS resolver (which links domain names to IP addresses) can look in on or even modify your online searches and responses, including anyone in your local Wi-Fi network, your Internet Service Provider (ISP) and the data carriers. This, of course, put the privacy and integrity of your browsing and the information you’re receiving back at risk. So in this blog post we’re going to ask the question ‘What is DNS encryption and what does it do for your business?’
What is DNS encryption, what does it do for the cybersecurity of your business and why you should care?
Put simply, DNS encryption makes it much harder for snoopers, hackers, cybercriminals or threat actors, to look into or corrupt your DNS messages while they are in transit. So when you wonder what is DNS encryption, what does it do for the cybersecurity of your business and why you should care, it’s because it keeps your privacy and data safer online
Why a quick look at the past helps us to understand the present
OK, so imagine for a moment that DNS is a translating system bridging the divide between the human (using domain names) and the computer (using IP addresses) worlds. Now imagine that the ‘wiring’ of that translating system has a fault, in that it lacks built-in security and this puts Internet users at risk.
In fact, it was only the proliferation of DNS attacks and breaches throughout the world that helped to raise awareness of this deep-rooted issue.
Now, just as the web moved from unencrypted HTTP to encrypted HTTPS (the S means secure), there are now upgrades to the DNS protocol that encrypt DNS itself and encrypting DNS will enhance your privacy.
How a DNS server works
DNS servers basically work like this: whenever you type a search or the domain name of a website into your browser, your machine follows a series of steps in order for it to convert your request into an IP address which enables you to access that particular website. And this happens every time you want to stream content online, send emails or check websites.
When you type in a search term or domain name into your browser, the first thing your device does is look at the DNS cache (which acts like a store for all the DNS information your device has searched for and queried in the past) to see if it’s there. If it isn’t, the device will put a fresh DNS request, based on your search term or domain name, out into the web and bring you the response.
Why encrypting DNS servers matters
First and foremost, encrypted DNS servers improve online security by ensuring that all queries go through a specific DNS server, so individuals and businesses are better protected against any external attacks. This is especially advantageous for small and medium-sized businesses, that can’t always afford to implement the latest cybersecurity measures.
DNS servers give you the added advantage of being able to block access to certain sites from the devices in your home or work network. As a result, you can protect your children or your business colleagues from searching for and viewing inappropriate content. There are even public DNS servers (like OpenDNS, for example), which can help you leverage this feature for even greater peace of mind.
DNS can help you to access-restricted web content that is, for example, out of bounds to you because of the region or country in which you live or work.
As Internet censorship is usually achieved by blocking access to particular sites through an ISP’s DNS, a simple way to bypass this is by changing the DNS servers your computer uses. Alternatively, some DNS servers achieve the same result by replacing your IP address with one of theirs, thereby tricking the restricted website into thinking that you are actually in a territory where access to that content is allowed.
Changing your DNS servers, rather than changing your ISP, can be a simple, rapid and cost effective way of improving the speed of your network, browsing and downloading.
As a bonus, there are tools that can help you check whether your current DNS server is up to speed and recommend DNS servers better suited to your needs.
What are the next steps in DNS security and the potential pitfalls
As mentioned above, in the early days of DNS servers their communications went unencrypted leaving them vulnerable to hackers. One way that’s been developed to protect their operations is securing the DNS over HTTPS, a process which is better known as DoH, and was introduced a couple of years ago. Already big brand web browsers such as Google Chrome and Mozilla Firefox are utilising DoH.
Traditionally, DNS requests and replies were sent in plain text. However, this did have the advantage of letting the Security Operations Center (SOC) teams overseeing larger, corporate networks easily able to monitor the domains being queried and block users from accessing malicious websites. So although those plain text DNS requests were less private they provided valuable intelligence to those supervising the security of a network.
How a loss of visibility could equal less security
Now though, with the introduction of DoH and DNS requests being encrypted via the HTTPS protocol, malware communication can more easily masquerade as normal HTTPS traffic, making it much harder to detect.
The irony of this won’t be lost on you – DNS encryption through HTTPS strengthens some protections but actually weakens others!
Don’t worry though, because this primarily affects the larger networks of big, blue chip enterprises, rather than the small to medium-sized businesses here in London or elsewhere.
Why you cannot rely on DNS encryption alone
These days, cybersecurity is a mission critical issue for business of every size, in every sector, in London and beyond. Let us give you some idea of the scale of the cybersecurity threat facing your enterprise. Recent research by business insurer Hiscox, found that one small business in the UK is successfully hacked every 19 seconds. That adds up to 65,000 attempts to hack a small to medium-sized business (SMB) in this country every day, and around 4,500 of those attacks are successful.
The bottom line is that you should invest in a range of security measures to protect your IT infrastructure, data, IP and confidential customer information. Using encrypted DNS servers alone doesn’t hack it against determined hackers.
From firewalls and anti-virus software to endpoint detection and response (EDR) tools, you need affordable, best-fit, best-in-class multi-layered security solutions in place to protect your assets against cybersecurity criminals and threats that continue to evolve and become every more sophisticated.
Where to turn for award-winning IT security solutions and advice
Here at totality services we’re highly experienced and expert cybersecurity specialists and we’re committed to keeping your technology and data secure so that it delivers the business continuity, productivity and profitability you need to succeed, today and tomorrow.
As the leading and accolade-winning managed IT support team for London, we’ve earned Feefo Gold Trusted Service awards twice in the last two years, plus Five Star customer service ratings from TrustPilot and Google, as well as a 98% client retention rate.
So if you’d like to know more about the best ways to protect your IT, data, IP and private customer information, why not have a confidential, no obligation chat to us about your cybersecuirity requirements?