• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
        • – FTC Safeguards Rule Compliance 2023
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is Secure Access Service Edge (SASE)
      • What is Security Service Edge (SSE)
      • What is a Cloud Access Security Broker (CASB)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
      • Free Trial Help and Tips
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Security

SASE breakdown: Using DNS-layer security to block unwanted or malicious content

Author avatar of Chloe WhitakerChloe Whitaker
Updated — February 27, 2023 • 5 minute read
View blog >

Spend enough time in cybersecurity and you’re bound to have heard colleagues, analysts, and consultants suggest adding DNS-layer protection to your security stack. It’s easy to understand the appeal – using the internet’s infrastructure to block connections to malicious or unwanted domains can help protect any network from online hazards. But recently, with the conversation shifting from single-point solutions to the integrated networking and security services of Gartner’s SASE model, you may find yourself wondering where a secure DNS solution fits in.

Hailed as the future of cybersecurity and network connectivity – a Jetsons-esque model that can revolutionize stone-age infrastructure – Gartner’s SASE framework converges traditional siloed networking and cybersecurity solutions into a single, cloud-delivered service. The approach streamlines operations, enhancing functionality by making it easy to deploy and manage both networking and security systems. While not necessary to a basic SASE solution, integrated DNS-layer security can enhance the security elements of your SASE solution by blocking threats before they reach your network or endpoints.

If your organization is like most, Gartner’s SASE model may be more aspirational than ready to implement. After all, most enterprises boast an architecture characterized by fragmented, siloed solutions and overlapping technologies that are difficult to manage. That’s why many security teams choose to implement SASE in stages, starting by updating their security infrastructure. And there’s no better place to begin that process than at the DNS layer. When you partner with the right provider, securing your DNS resolvers can be accomplished in as little as 30 minutes and provide cloud-based security without latency while you update the rest of your security stack.

In our eBook A Roadmap to SASE: Navigating the challenges of network security beyond the data center, we discuss how an organization can implement a cybersecurity stack that fits into Gartner’s SASE architecture. But if you’d like to learn more about how to begin your journey with DNS-layer security, this article is for you.

Why should you implement security at the DNS-layer?

Often referred to as the foundation of the internet, the domain name system (DNS) serves as the bedrock for internet connectivity. Every time you type a domain name into an internet browser or open up an internet-enabled application, recursive and authoritative DNS servers retrieve the associated internet protocol (IP) addresses. This allows your device to connect to the servers hosting the domain you want to access.

Despite the fact that DNS plays an integral role in internet infrastructure, most organizations do precious little to secure the DNS layer from threats. In fact, unless you have DNS-layer security, odds are the DNS packets typically used to communicate IP addresses won’t even be inspected as they move through your network. What’s more, most cybersecurity solutions don’t even register anomalous DNS activity – like DNS tunneling – that can indicate an in-progress attack.

As you can imagine, this makes the DNS layer the perfect avenue for bad actors to use when infiltrating networks. In many of today’s more sophisticated ransomware attacks, for example, bad actors will use DNS packets to upload malware to a device. Then, they’ll establish DNS tunnels between their servers and their victims’ devices. This connection between attacker and victim allows for the exfiltration of sensitive data and the execution of command and control operations. These kinds of attacks can cripple an entire network within hours, and most SecOps teams won’t even notice the anomalous DNS-layer activity until it’s too late.

How does DNS-layer security work?

When you partner with a recursive DNS-layer security provider, all DNS activity occurring in your network will be facilitated by proprietary recursive DNS servers (also known as resolvers) that the vendor operates. Your secure DNS provider will configure these resolvers to protect against threats to your network by:

Graphic illustrating how DNS-layer security filters DNS requests into safe requests, which are completed, and dangerous requests, which are blocked.
  • Identifying risky or dangerous domains and preventing your users from connecting to them
  • Preventing users from connecting to non-sanctioned domains where the risk of data loss is higher
  • Identifying anomalous DNS-layer activity on a network that can indicate an in-progress attack

Whether your SecOps team is using DNS-layer security to block attacks before they can begin or mitigate attacks before they can cause widespread damage, it’s easy to see the value of this security solution. But when you partner with a SASE provider to secure DNS activity in your network, the benefits increase exponentially.

How do these solutions fit into a SASE security stack?

Graphic illustrating how DNS-layer security fits into a security stack, working with CDFW and SWG to block threats to a network.

Remember, the point of Gartner’s SASE model is to streamline both networking and security operations by converging them into a single, comprehensive service. With goal as a guiding principle, it’s easy to understand why DNS-layer security – which serves as an easy-to-implement, easy-to-manage first line of defense against threats – plays an important role in enhancing the security elements of a SASE solution.

When backed by a robust threat detection network – a critical part of security infrastructure in a SASE solution – secure DNS resolvers can identify the risky domains that threat actors use to host malware. These DNS resolvers can be easily configured to block user connections to these domains. Preventing attacks before they even begin lessens the strain on other parts of a security stack, reducing the number of alerts a SecOps team has to deal with and streamlining security operations on the whole.

Choosing secure DNS you can integrate into a SASE solution

As we mentioned earlier, you may not be ready to upgrade your networking and security infrastructure to fully align with Gartner’s SASE model. But investing in a secure DNS solution can be the perfect way to start your journey towards SASE, enhancing your security posture in the present while laying the groundwork for a more comprehensive and integrated system in the future.

When investing in DNS-layer security as a stepping-stone to SASE, keep these principles in mind:

Partner with a SASE vendor that offers a product that secures the DNS layer

One of the key principles of Gartner’s SASE model is integration, whether that’s an integrated security stack that can be managed from a single interface or integrated security and networking solutions designed to operate seamlessly together. This is why it makes sense to purchase DNS-layer security from a SASE vendor. These vendors will work with you to upgrade your security stack and network architecture over time, ensuring you won’t need to switch vendors or solutions down the line. These vendors also know how to best deploy DNS-layer security in the present so that you can enjoy some degree of cloud-native protection for the duration of your SASE journey.

Find a DNS-layer security solution that integrates extra functionality

SASE vendors design converged security solutions. So, if you’re getting secure DNS services from a SASE vendor, they may have already integrated some of that converged functionality into the DNS protection package you’re purchasing.

For example, the Cisco Umbrella DNS Advantage package also allows users to enjoy limited secure web gateway (SWG) and cloud access security broker (CASB) functionality. Security teams can proxy web traffic associated with risky domains or perform app discovery and control activities – enhanced security functionality typically associated with SWG or CASB. Unlike appliances, our cloud-native service protects devices both on and off the corporate network. And unlike agents, the DNS-layer protection extends to every device connected to the network – even IoT. Cisco Umbrella really can be deployed everywhere, since the majority of internet-connected devices use recursive DNS services.

It’s time to start your journey to SASE with secure DNS

Your journey towards Gartner’s SASE model may take time, but investing in a forward-thinking DNS-layer security solution can also allow you to enjoy immediate results. After all, what other solution can quickly, easily, and cost-effectively improve an organization’s security posture for both on-premises and remote workers?

Download our eBook A Roadmap to SASE: Navigating the challenges of network security beyond the data center today to start plotting out your SASE journey. Or, sign up for our Cisco Umbrella free trial to learn how implementing a solution that secures the DNS layer can benefit your organization in the present with easy-to-use controls and effortless integration.

Many security teams choose to implement SASE in stages and there’s no better place to begin than at the DNS layer. It can be accomplished in as little as 30 minutes and provide cloud-based security without latency while you update the rest of your security stack.

Tweet this quote

Additional Resources

  • A Roadmap to SASE: Navigating the challenges of network security beyond the data center
  • Signup for a free trial

Suggested Blogs

  • Cisco Umbrella Delivered Better Cybersecurity and 231% ROI February 21, 2023 2 minute read
  • Cisco Listed as a Representative Vendor in Gartner® Market Guide for Single-Vendor SASE January 26, 2023 3 minute read
  • How to Evaluate SSE Vendors: Questions to Ask, Pitfalls to Avoid June 23, 2022 5 minute read

Share this blog

FacebookTweetLinkedIn

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella