In today’s blog, we’ll take a deeper dive into DNS-layer security — what it is, how it works, and how it can transform your network security for the better.
The basics of DNS
First, let’s review some fundamentals. The domain name service (DNS) is often referred to as the “phone book” of the Internet. Every computer on the Internet identifies itself with an “Internet Protocol” or “IP” address, which is a series of numbers. All servers that host websites and apps have IP addresses, too. For example, the IP of the Cisco Umbrella website is 67.215.70.40. You can connect to our website by typing in the IP address in the address bar of your browser, but it’s much easier to type in umbrella.cisco.com.
DNS was invented so that people didn’t need to remember long IP address numbers (like phone numbers) and could look up websites by human-friendly names like umbrella.cisco.com instead. There are too many sites on the Internet for each computer to keep a complete list, so DNS servers power the directory to make things easier for humans. You probably use DNS about a thousand times every single day – websites, software updates, and mobile phone apps all rely on the service. That’s why we sometimes refer to it as the foundation of the internet.
Recursive versus authoritative DNS servers
There are two types of DNS servers. Let’s go back to the phone book analogy. Imagine you sit down at your computer and type umbrella.cisco.com into your browser. First, your browser connects to a recursive DNS server. There are many thousands of recursive DNS servers in the world. Which one you use is configured in the settings of your computer or network. If you have never tinkered with your recursive DNS in the past, you probably use the recursive DNS servers of whoever provides your Internet. At your house, this may be a cable company. On your phone, it is your cellular provider. At the coffee shop down the street, it’s their Internet Service Provider.
Once your computer connects to the recursive DNS server, it asks the question “what’s the IP address assigned to umbrella.cisco.com?” The recursive DNS server doesn’t have a copy of the phone book, but it does know where to find one. So it connects to another type of DNS server. The second type of DNS server holds a copy of the phone book that matches IP addresses with domain names. These are called authoritative DNS servers.
The authoritative DNS server tells the recursive DNS server about the correct IP address assigned to the domain name, and the recursive DNS server sends that information back to the computer (and browser) that requested it. The computer connects to the IP address, and the website loads, leading to one happy user. Whew, that was easy! This all happens so quickly that you might not even notice it happening at all unless something is broken.
Not all DNS services are created equally. If the recursive DNS service you use breaks for some reason, you won’t be able to connect to websites. If the recursive DNS service you use is slow, then your connection to websites will be slow. If your DNS servers are not up-to-date, then you may not be able to connect correctly to websites.
Cisco Umbrella (formerly known as OpenDNS) started its recursive DNS service to provide everybody with the most reliable, safest, smartest, and fastest Internet connectivity in the world. Umbrella has a highly resilient recursive DNS network that boasts 100% uptime since 2006. Our 30-plus worldwide data centers use Anycast routing, so requests are transparently sent to the fastest available data center with automatic failover.
By configuring your network to use Umbrella’s recursive DNS service, you’ll get the fastest and most reliable connectivity you can imagine. But that’s not all Cisco Umbrella can do. That brings us to our next topic: DNS-layer security.
DNS-layer security
Your computer uses recursive DNS as the first step to connect to places on the Internet. Unfortunately, so do cyber criminals. Malware, ransomware, phishing and other scams use DNS servers to look up and connect to infrastructure that is set up by cyber criminals to power these attacks.
Monitoring DNS requests, as well as subsequent IP connections, is an easy way to provide better accuracy and detection of malicious activity and compromised systems, improving security visibility and network protection. Nothing stops attacks earlier than DNS-layer security. After all, DNS is the first step in making a connection on the Internet, and if a connection is blocked at the DNS layer, then it stops there.
Cyber attacks have many phases. Before launching, the attacker first needs to stage internet infrastructure to support each phase of the attack. Then, the target needs to be connected to that infrastructure. Many attacks use email attachments or direct payload downloads, or use malicious links in phishing attacks. Attacks with an objective to exfiltrate data must initiate a command & control callback, where the malware on a network communicates back with the attacker infrastructure, which then takes command of the targeted machine.
DNS-layer security identifies where these domains and other internet infrastructures are staged, and blocks requests over any port or protocol, preventing both infiltration and exfiltration attempts. It stops malware earlier and prevents callbacks to attackers if infected machines connect to your network.

Figure 1: The blue shields show where DNS-layer security stops attacker communications
Why Cisco Umbrella for DNS-layer security?
As a leading provider of network security and recursive DNS services, Cisco Umbrella provides the quickest, most effective way to improve your security stack. From small businesses without dedicated security professionals to multinational enterprises with complex environments, it only takes minutes to gain a new layer of breach protection and internet-wide visibility on and off your network.
Here are just some of the benefits you’ll gain by using Cisco Umbrella for DNS-layer security.
Block threats before they reach you
Traditional security appliances and agents must wait until malware reaches the perimeter or endpoint before they can detect or prevent it. With DNS-layer security from Cisco Umbrella, you can stop attacks earlier in the kill chain.
By enforcing security at the DNS layer, Umbrella stops threats before they ever reach your network or endpoints. By analyzing and learning from internet activity patterns, Umbrella automatically uncovers attacker infrastructure staged for current and emerging threats, and proactively blocks requests to malicious destinations before a connection is even established or a malicious file downloaded. Umbrella can also stop compromised systems from exfiltrating data via command & control (C2) callbacks to the attacker’s botnet infrastructure, over any port or protocol.
Unlike appliances, our cloud security platform protects devices both on and off the corporate network. Unlike agents, the DNS layer protection extends to every device connected to the network — even IoT. Umbrella really can be deployed everywhere, since all internet-connected devices use recursive DNS services.
Leverage the power of machine learning
Cisco Umbrella uses machine learning to search for, identify, or even predict malicious domains. Umbrella learns from internet activity patterns to automatically identify attacker infrastructure being staged for the next threat, and blocks these domains proactively.
We analyze terabytes of data in real-time across all markets, geographies, and protocols. This diversity provides internet-wide visibility into where threats are coming from, who is launching them, where they call back to, how widespread it is, when was the first and last time we saw it, and much more. We combine human intelligence with 3D visualizations to learn new patterns. Then, we apply statistical models to categorize these patterns, detect anomalies, and automatically identify known and emergent threats.

Figure 2: How our machine learning model works
Our statistical models predict which domains and IPs will be malicious — often before any other security vendor. For example, one model uses natural language processing to detect domain names that spoof brand and tech terms in real time (cs.co/NLPRank). Another uses sound wave analysis concepts to detect domains that have spikes in their DNS request patterns (cs.co/SPRank).
Power up your incident response and investigations
Umbrella logs all DNS activity, both normal and malicious, to simplify investigations. Umbrella reduces the number of infections and alerts you see from other security products by stopping threats at the earliest point. And Cisco Threat Response automates integrations across Cisco products for even quicker answers.
The Umbrella Investigate console and API provides real-time context on malware, phishing, botnets, and other threats, enabling faster incident investigation and response. Imagine having the strength of over 300 security researchers on your team — that’s what you get with Cisco Talos threat intelligence, which is built right into Cisco Umbrella.
Get started today
Cisco Umbrella is the simplest cloud security service you’ll ever deploy. There is no hardware to install or software to manually update, and the browser-based interface provides quick setup and ongoing management. And more importantly – it works! Brand new third-party research from AV-TEST reveals that Cisco Umbrella is the industry leader in DNS-layer security. You can learn more about the efficacy of our DNS-layer security in our recent blog post.
Share