DNS to Nowhere

    If you have gone through the process of setting up DNS-based security for your home (Pi-Hole) or enterprise (Cisco Umbrella) network, that’s awesome: you have greatly increased the security of that network.

    Done right, this gives you the visibility to see what is happening on your network, and the ability to control it, for clients that use internal DNS. If you have not taken the time to identify, update, and block clients from using external DNS servers, you have a gap in your DNS security.

    nslookup cormier.co 8.8.8.8
    

    This command will bypass your internal DNS server and query Google’s DNS server.

    Server:         8.8.8.8
    Address:        8.8.8.8#53
    

    You can identify clients by looking for DNS queries that are not from your internal DNS server and are destined for external DNS servers (8.8.8.8:53/udp). You will have to update these clients to use the internal DNS before implementing any access control to block external DNS usage; otherwise DNS will stop working for these clients.

    Why is this important?

    If you have a DNS-based security solution in place, you have the ability to see and control what is happening on your network.

    If you allow external DNS use, you lose the ability to see and control what is happening on your network: malware and other threats can bypass your DNS-based security solution.

    Leaving you in the dark.

    How to fix this?

    Identify clients that are using external DNS servers and update them to use internal DNS servers. That’s obvious, but it can be a challenge, especially in large enterprise networks.

    Once you have identified and updated clients to use internal DNS servers, which you can confirm by the absence of traffic from clients to external DNS, you can implement access control to block external DNS usage.

    If, after you block external DNS usage, you notice access control list counters incrementing, an indication that clients are trying to use external DNS, you will have to identify and update those clients too.

    These could be clients that were missed or new clients that were added to the network. A configuration or policy will need to be updated.
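
    The identification step above, as an added example that is not from the original post: it reads flow records and lists the clients sending DNS directly to external servers. The record format (src, dst, protocol, port), the RFC 1918 ranges as internal space, and the internal resolver address 10.0.0.53 are assumptions, and it also checks 53/tcp, which the post does not mention.

```python
import ipaddress
from collections import Counter

# Assumptions for this example: internal address space and resolver address.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}

# Constructed flow records: "src_ip dst_ip protocol dst_port"
SAMPLE_FLOWS = """\
10.0.0.53 8.8.8.8 udp 53
10.0.1.20 10.0.0.53 udp 53
10.0.1.21 8.8.8.8 udp 53
10.0.1.21 8.8.8.8 udp 53
10.0.1.22 1.1.1.1 tcp 53
10.0.1.23 93.184.216.34 tcp 443
malformed line
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def external_dns_clients(flow_text):
    """Count DNS flows per (client, external server) that bypass the internal resolver."""
    hits = Counter()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip records that do not match the assumed format
        try:
            src = ipaddress.ip_address(fields[0])
            dst = ipaddress.ip_address(fields[1])
            port = int(fields[3])
        except ValueError:
            continue
        if port != 53 or fields[2].lower() not in ("udp", "tcp"):
            continue
        if src in INTERNAL_RESOLVERS:
            continue  # the resolver forwarding upstream is expected traffic
        if is_internal(src) and not is_internal(dst):
            hits[(str(src), str(dst))] += 1
    return hits

if __name__ == "__main__":
    for (client, server), count in external_dns_clients(SAMPLE_FLOWS).most_common():
        print(f"{client} -> {server}: {count} DNS flow(s) bypassing internal DNS")
```

    An empty result over a representative time window corresponds to the "absence of traffic" condition for turning on the block.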

    Conclusion

    DNS-based security is a great way to increase the security of your network, but it’s only as good as the weakest link. Allowing external DNS leaves you open to malware and other threats that can bypass your DNS-based security.
