If you have gone through the process of setting up DNS-based security for your home (Pi-Hole) or enterprise (Defender for DNS) network that’s awesome, you have increased the security of that network.

If done right this will give you the visibility to see what is happening and control what’s going on with your network with clients that use internal DNS. If you have not take the time to identify, update, and block clients from using external DNS servers, you have a gap in your DNS security.

nslookup cormier.co 8.8.8.8

This command will bypass your internal DNS server and query Google’s DNS server 8.8.8.8.

Server:         8.8.8.8
Address:        8.8.8.8#53

If the above command returns a response, it’s possible to bypass your internal DNS server and query external DNS servers.

You can identify clients by looking for DNS queries that are not destined to your internal DNS but to external DNS. These clients will require configuration changes to use internal DNS, before implementing any type of access control to block external DNS usage, otherwise these clients will experience DNS resolution issues.

Why is this important?

If you have a DNS-based security solution in place, you have the ability to see and control what is happening on your network. But, if you allow clients to use external DNS, malware and other threats, and legit clients can bypass your DNS-based security solution with direct DNS queries to external DNS.

Leaving you in the dark.

How to fix this?

Identify clients that are using external DNS and update them to use internal DNS. That’s obvious, but that can be a challenge especially in large enterprise networks.

Once you have identified and updated clients to use internal DNS, which would come by the absence of traffic to external DNS, you can implement access control to block external DNS usage.

If after you block external DNS usage, you notice control list counters incrementing, and indication that clients are trying to use external DNS, you will have to identify and update those clients.

Might clients that were missed, new clients with old configuration, or a static configuration that should be updated to use internal DNS.

Conclusion

DNS-based security is a great way to increase the security of your network, but it’s only as good as the weakest link. Leaving yourself open to malware and other threats that can bypass your DNS-based security and is one way.