DNS-Layer Security: What It Is and Why You Need It

By Lorraine Bellon
Posted on March 10, 2020
Updated on July 1, 2020


In today’s blog, we’ll take a deeper dive into DNS-layer security — what it is, how it works, and how it can transform your network security for the better.

The basics of DNS

First, let’s review some fundamentals. The domain name service (DNS) is often referred to as the “phone book” of the Internet. Every computer on the Internet identifies itself with an “Internet Protocol” or “IP” address, which is a series of numbers. All servers that host websites and apps have IP addresses, too. For example, the IP of the Cisco Umbrella website is 67.215.70.40. You can connect to our website by typing in the IP address in the address bar of your browser, but it’s much easier to type in umbrella.cisco.com.

DNS was invented so that people didn’t need to remember long IP address numbers (like phone numbers) and could look up websites by human-friendly names like umbrella.cisco.com instead. There are too many sites on the Internet for each computer to keep a complete list, so DNS servers power the directory to make things easier for humans. You probably use DNS about a thousand times every single day – websites, software updates, and mobile phone apps all rely on the service. That’s why we sometimes refer to it as the foundation of the internet.

Recursive versus authoritative DNS servers

There are two types of DNS servers. Let’s go back to the phone book analogy. Imagine you sit down at your computer and type umbrella.cisco.com into your browser. First, your browser connects to a recursive DNS server. There are many thousands of recursive DNS servers in the world. Which one you use is configured in the settings of your computer or network. If you have never tinkered with your recursive DNS in the past, you probably use the recursive DNS servers of whoever provides your Internet. At your house, this may be a cable company. On your phone, it is your cellular provider. At the coffee shop down the street, it’s their Internet Service Provider.

Once your computer connects to the recursive DNS server, it asks the question “what’s the IP address assigned to umbrella.cisco.com?” The recursive DNS server doesn’t have a copy of the phone book, but it does know where to find one. So it connects to another type of DNS server. The second type of DNS server holds a copy of the phone book that matches IP addresses with domain names. These are called authoritative DNS servers.

The authoritative DNS server tells the recursive DNS server about the correct IP address assigned to the domain name, and the recursive DNS server sends that information back to the computer (and browser) that requested it. The computer connects to the IP address, and the website loads, leading to one happy user. Whew, that was easy! This all happens so quickly that you might not even notice it happening at all unless something is broken.

Not all DNS services are created equal. If the recursive DNS service you use breaks for some reason, you won’t be able to connect to websites. If the recursive DNS service you use is slow, then your connection to websites will be slow. If your DNS servers are not up-to-date, then you may not be able to connect correctly to websites.

Cisco Umbrella (formerly known as OpenDNS) started its recursive DNS service to provide everybody with the most reliable, safest, smartest, and fastest Internet connectivity in the world. Umbrella has a highly resilient recursive DNS network that boasts 100% uptime since 2006. Our 30-plus worldwide data centers use Anycast routing, so requests are transparently sent to the fastest available data center with automatic failover.

By configuring your network to use Umbrella’s recursive DNS service, you’ll get the fastest and most reliable connectivity you can imagine. But that’s not all Cisco Umbrella can do. That brings us to our next topic: DNS-layer security.

DNS-layer security

Your computer uses recursive DNS as the first step to connect to places on the Internet. Unfortunately, so do cyber criminals. Malware, ransomware, phishing and other scams use DNS servers to look up and connect to infrastructure that is set up by cyber criminals to power these attacks.

Monitoring DNS requests, as well as subsequent IP connections, is an easy way to provide better accuracy and detection of malicious activity and compromised systems, improving security visibility and network protection. Nothing stops attacks earlier than DNS-layer security. After all, DNS is the first step in making a connection on the Internet, and if a connection is blocked at the DNS layer, then it stops there.

Cyber attacks have many phases. Before launching, the attacker first needs to stage internet infrastructure to support each phase of the attack. Then, the target needs to be connected to that infrastructure. Many attacks use email attachments or direct payload downloads, or use malicious links in phishing attacks. Attacks with an objective to exfiltrate data must initiate a command & control callback, where the malware on a network communicates back with the attacker infrastructure, which then takes command of the targeted machine.

DNS-layer security identifies where these domains and other internet infrastructures are staged, and blocks requests over any port or protocol, preventing both infiltration and exfiltration attempts. It stops malware earlier and prevents callbacks to attackers if infected machines connect to your network.

Figure 1: The blue shields show where DNS-layer security stops attacker communications
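
An added illustration (not Cisco Umbrella's code) of the enforcement step this section describes: a resolver-side check that parses the queried name, matches it and its parent domains against a blocklist, and answers blocked queries itself instead of resolving them. The domain names, sinkhole address and function names are constructed for the example.

```python
import struct

# Constructed policy data: placeholder names, not real indicators.
BLOCKED = {"malware-c2.example", "phish.example"}
SINKHOLE = bytes([192, 0, 2, 1])  # TEST-NET-1 address standing in for a block page

def build_query(txid, name, qtype=1):
    """Build a constructed single-question DNS query (sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (txid, qname, qtype, end offset of the question section)."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        # DNS names are case-insensitive, so normalise before matching
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return txid, ".".join(labels), qtype, pos + 5

def is_blocked(qname):
    """Check the name and each parent domain, so subdomains of a listed domain match."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in BLOCKED for i in range(len(parts)))

def enforce(packet):
    """Return ("allow", None) or ("block", response bytes) for one query."""
    txid, qname, qtype, end = parse_question(packet)
    if not is_blocked(qname):
        return "allow", None  # a real resolver would recurse upstream here
    question = packet[12:end]
    if qtype == 1:  # A query: answer with the sinkhole address, TTL 60
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + SINKHOLE
        return "block", header + question + answer
    # Any other record type: NXDOMAIN (rcode 3), no answer records
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
    return "block", header + question
```

Because the client never receives the real address of a blocked name, no connection is attempted, whatever port or protocol would have followed the lookup.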

Why Cisco Umbrella for DNS-layer security?

As a leading provider of network security and recursive DNS services, Cisco Umbrella provides the quickest, most effective way to improve your security stack. From small businesses without dedicated security professionals to multinational enterprises with complex environments, it only takes minutes to gain a new layer of breach protection and internet-wide visibility on and off your network.

Here are just some of the benefits you’ll gain by using Cisco Umbrella for DNS-layer security.

Block threats before they reach you

Traditional security appliances and agents must wait until malware reaches the perimeter or endpoint before they can detect or prevent it. With DNS-layer security from Cisco Umbrella, you can stop attacks earlier in the kill chain.

By enforcing security at the DNS layer, Umbrella stops threats before they ever reach your network or endpoints. By analyzing and learning from internet activity patterns, Umbrella automatically uncovers attacker infrastructure staged for current and emerging threats, and proactively blocks requests to malicious destinations before a connection is even established or a malicious file downloaded. Umbrella can also stop compromised systems from exfiltrating data via command & control (C2) callbacks to the attacker’s botnet infrastructure, over any port or protocol.

Unlike appliances, our cloud security platform protects devices both on and off the corporate network. Unlike agents, the DNS layer protection extends to every device connected to the network — even IoT. Umbrella really can be deployed everywhere, since all internet-connected devices use recursive DNS services.

Leverage the power of machine learning

Cisco Umbrella uses machine learning to search for, identify, or even predict malicious domains. Umbrella learns from internet activity patterns to automatically identify attacker infrastructure being staged for the next threat, and blocks these domains proactively.

We analyze terabytes of data in real-time across all markets, geographies, and protocols. This diversity provides internet-wide visibility into where threats are coming from, who is launching them, where they call back to, how widespread they are, when we first and last saw them, and much more. We combine human intelligence with 3D visualizations to learn new patterns. Then, we apply statistical models to categorize these patterns, detect anomalies, and automatically identify known and emergent threats.

Figure 2: How our machine learning model works

Our statistical models predict which domains and IPs will be malicious — often before any other security vendor. For example, one model uses natural language processing to detect domain names that spoof brand and tech terms in real time (cs.co/NLPRank). Another uses sound wave analysis concepts to detect domains that have spikes in their DNS request patterns (cs.co/SPRank).

Power up your incident response and investigations

Umbrella logs all DNS activity, both normal and malicious, to simplify investigations. Umbrella reduces the number of infections and alerts you see from other security products by stopping threats at the earliest point. And Cisco Threat Response automates integrations across Cisco products for even quicker answers.

The Umbrella Investigate console and API provide real-time context on malware, phishing, botnets, and other threats, enabling faster incident investigation and response. Imagine having the strength of over 300 security researchers on your team — that’s what you get with Cisco Talos threat intelligence, which is built right into Cisco Umbrella.

Get started today

Cisco Umbrella is the simplest cloud security service you’ll ever deploy. There is no hardware to install or software to manually update, and the browser-based interface provides quick setup and ongoing management. And more importantly – it works! Brand new third-party research from AV-TEST reveals that Cisco Umbrella is the industry leader in DNS-layer security. You can learn more about the efficacy of our DNS-layer security in our recent blog post.

Ready to get started? Sign up for our free Cisco Umbrella Live Demo and see what a difference DNS-layer security can make for your organization.
