White Paper
Decoding Modern DNS Threats
A modern and advanced approach to DNS security and performance
© 2023 Zscaler, Inc. All rights reserved.

Introduction

Cyberattacks and breaches are often attributed to compromised credentials or misconfigurations. However, more than 70% of modern attacks involve the Domain Name System (DNS) in the attack sequence. This is no surprise, because adversaries deploy a range of tactics, techniques, and procedures (TTPs) to achieve their objectives. They exploit DNS in particular to initiate command and control (C2) communications or to create malicious tunnels to exfiltrate data.

Attacks using DNS can take the form of spoofing, exfiltration, amplification, cache poisoning, and tunneling. Adversaries can use DNS to gather actionable information about targeted victims or enterprises, they can set up their own malicious DNS servers, or they can communicate over the legitimate DNS application-layer protocol to avoid detection and network filtering. In the IDC 2021 Global DNS Threat Report, 87% of organizations reported experiencing a DNS attack. To avoid business application and cloud service downtime, businesses, regardless of size or industry, must mitigate today's and tomorrow's DNS threats.

DNS remains a popular vector among attackers for various reasons:
• Its function is vital to using the internet, meaning we can't simply turn it off, yet DNS was not originally designed with security in mind.
• Surges in overall traffic from remote work, cloud applications, and IoT/OT devices drive exponential surges in DNS resolutions and create too many requests for regular firewalls to screen effectively.
• Attackers are delivering and masking sophisticated DNS threats in encrypted traffic, overwhelming traditional and next-generation firewalls (NGFW).
• DNS abuse makes a great smokescreen or stepping-stone to other, more devious multilayered attacks.

This white paper addresses today's DNS challenges while detailing a modern approach to security and performance controls that protect against DNS threats at cloud scale.

Part I: The Challenge with Modern DNS Security and Performance

Controlling risks from DNS abuse requires context and dynamic policy changes and enforcement. However, achieving this utopian level of protection with yesterday's solutions comes with tradeoffs, such as insufficient protection, performance degradation, lack of visibility, or unexpected costs. The challenge and scope of accessing internet-based resources continues to broaden:
• Applications and workloads are no longer solely in company-controlled data centers. Instead, they are increasingly deployed natively in private and public clouds and as SaaS applications.
• Work-from-anywhere (WFA) users connect to corporate networks while on the move, making the internet the new corporate network.
• Backhauling traffic from mobile and cloud services through regional data centers and centralized security stacks before breaking out to the internet results in delayed DNS resolution and a poor user experience.
• Widespread adoption of DNS over HTTPS (DoH), together with the lack of monitoring and control over it, enables adversaries to perform command and control (C2) communication undetected.

Legacy architecture enables DNS abuse

As services and users move beyond an organization's perimeter to cloud services (software as a service (SaaS), infrastructure as a service (IaaS), platform as a service (PaaS), serverless), network and security operations lose control over both risk and the user experience. Organizations relying on castle-and-moat architecture will find that the volumetric DNS traffic generated by cloud and SaaS applications, remote users, and IT/OT and bring-your-own devices (BYOD) overwhelms existing infrastructure and capacity limits.
When DNS resolution relies on being routed back to a common centralized architecture, latency increases and impacts user experience and productivity. Some vendors attempt to resolve these shortcomings by offering a virtualized approach that "lifts and shifts" traditional firewall capabilities to the cloud. Unfortunately, this still requires hairpinning traffic back to regional data centers, extending your network outward while requiring instances at every egress and ingress point in your cloud architecture. This not-really-cloud approach adds to administrative complexity and does not solve problems fueled by latency, encryption, and a scarcity of specialized skills.

[Figure: legacy castle-and-moat architecture. Branch, HQ and partner sites hairpin traffic through virtual firewalls (VM-FW) and secure web gateways (SWG) into a centralized security stack (NGFW, IDS/IPS, DLP, sandbox, email security, NAC, SOAR, EDR, DMZ) before reaching public and private DNS servers, internal applications, SaaS and the internet.]

The sheer scale, complexity, and distributed nature of the challenge make it easy for traditional DNS controls to be bypassed or circumvented.

Legacy DNS solutions can't deliver zero trust

In addition to these architectural deficiencies, zero trust strategies cannot be achieved with legacy DNS solutions. The zero trust security approach is based on the principle of "never trust, always verify" and least-privileged access, establishing access and enforcing policies based on context and trusted identity. When trust is not implicit, a dynamic view of context (user ID, geolocation, IP address, device posture, time of day, and more), as well as strict user authentication and continual policy checks at each step, is required. Organizations view zero trust as a way to optimize security to better address varied environments and a distributed workforce.

Legacy DNS and firewall solutions have DNS on port 53 and DNS over HTTP/S on port 80/443 on allow lists. This results in hidden threats being delivered over DoH. Additionally, legacy solutions let security risks, coming from both inside and outside the network, go undetected. Where DNS security could be the first line of defense, ineffective protection instead allows DNS to be a tool for adversaries to conduct DDoS, phishing, drive-bys, spoofing, and other evergreen techniques for distributing malware and exfiltrating data.

Criteria to gain back DNS control

For Zscaler, DNS Control is a combination of DNS security and DNS performance. Therefore, a modern solution should provide:
• 100% visibility to see, verify, report on, and log all DNS traffic for all users everywhere, regardless of whether the traffic is standard DNS or encrypted DNS over HTTPS (DoH).
• 100% security coverage to quickly detect and shut down phishing, malware, and botnets while preventing DNS bypass and blocking attempts to build tunnels and exfiltrate data.
• Resolver-agnostic security that filters, categorizes, and blocks communications to bad domains and compromised IP addresses, regardless of the DNS service targeted by the user, endpoint, or branch.
• True cloud-scale flexibility and control to apply and change security policies on a worldwide scale (all traffic for all users, devices, and protocols, regardless of volume and encryption) from a single convenient UI.
• Cost-efficiencies that maximize investment value and minimize overhead tied to equipment, operations, and bandwidth, including backhauling to DNS resolvers.
• Compliance with various industry, regional, and federal government standards and industry best practices for data retention and logging, and with evolving standards like protective DNS (PDNS).

Balancing security and performance for DNS

DNS is the crucial first step to connecting to web and non-web applications. Addressing challenges with DNS security and performance will require organizations to overcome the inherent limitations of legacy firewall appliances and castle-and-moat architecture that cannot scale to address threats or natively inspect DNS traffic to filter out threats.

Part II: Enhancing DNS Security

DNS is a powerful tool that can provide early indications of an attack. Unfortunately, of the 99% of organizations IDC surveyed that used some form of security for DNS, an astounding 43% admit they do not have a dedicated security solution built into their DNS servers. For the most effective defense, your DNS solution must enable your organization to do the following:

Visibility
• Inspect and decrypt all DNS traffic, including encrypted DNS over HTTPS, for all users, all the time, wherever they are currently located
• Distinguish and verify whether traffic is legitimate DNS or a malicious protocol masquerading as legitimate DNS to set up tunnels

Flexibility and Control
• Automatically apply security policies across all DNS destination resolvers, trusted or untrusted, sanctioned or unsanctioned by corporate network operations
• Offer DNS resolution that supports DNSSEC for any and all requests
• Provide reliable data for incident response (IR), forensics, and threat hunting

Cost Efficiency
• Achieve all the above while reducing the cost to operate infrastructure and the requirement for specialized skills needed to maintain the highest-level risk reduction policies

Zscaler provides enriched logs with details about users, requests, responses, services used, categorizations, and rules that aid deep investigation and trend analysis. The logs feature a wide variety of columns that include byte counts, requested domain, responded IP, user and device information, all 5-tuple information, and more. Convenient, comprehensive data replaces the need for laborious packet captures (PCAPs) and parsing to provide a "forensically complete" logging solution.
If needed, customers may extend storage or export logs to cloud or on-prem SIEMs, XDRs, log stores, or other threat intelligence platforms quickly and cost-effectively.

Reducing risks across the attack kill chain

Cyberattacks follow a fairly prescriptive sequence of events. DNS security can stop attacks from progressing while capturing insights critical to response and prevention, for example:
• In the early stages of attacks, DNS security blocks attempts to reach malicious destinations, which may start in a variety of ways (for example, by clicking on phishing links), and prevents them from ever reaching their target destinations.
• As lateral movement progresses following initial compromise, or post-infection, advanced DNS security policies and rules help detect attempts to connect to command and control (C2) servers to get further instructions or install more malware.
• During later stages, once attacks are in process or reaching their targeted conclusions, solutions such as the Zscaler Firewall with DNS Control can detect tunnels and block adversaries and malicious insiders from exfiltrating traffic.

[Figure: DNS Security Across the Kill Chain. Kill chain steps shown: phishing email with malicious link, delivery document, CS stager, command and control, identify domain controller, steal credentials, compromise additional system, lateral movement, steal data, install ransomware payloads, action on objective. Early stage example: block risky and malicious domains such as Illegal/Questionable, Phishing, Adult Content, Known Malicious. Mid stage example: stop C2 botnet callbacks and Newly Registered and Observed Domains and IPs; filter DNS request types (MX, TXT, etc.). Late stage example: identify and categorize DNS tunnels and unclassified domains and IPs; stop resolutions to certain countries/geographies. Controls mapped across the stages: DNS Control, URL Filtering, Cloud-Gen Firewall and IPS Control, Cloud Sandbox, Malware Protection, File Type Control, ZPA, Cloud Browser Isolation, ZWS, Deception, IPS Control / Advanced Threat Protection, with SSL/TLS Inspection throughout.]

Category classification

Effective DNS control starts with blocking requested and resolved categories of domains or IP addresses that are inappropriate or should not be accessed by users or contractors on managed devices. These types of policies prevent users from reaching sites that may add liabilities to the business or put the company at risk of reputational and financial harm. Administrators can use the same URL categorization capabilities, combined with a cloud secure web gateway (SWG), to block categories of domains and IP addresses and issue warnings regarding any categories that apply to web browsing.

Administrators might consider blocking entire categories, such as "Miscellaneous" or "Newly Registered and Observed Domains" (NROD). NRODs are often part of attack chains, serving as termination points for DNS tunnel exfiltration or hosting drive-by and other malware before classification can be done. Choosing a vendor with flexible options for blocking unwanted exchanges allows for secure browsing and more control of the user experience.
DNS CONTROL HELPS MITIGATE RISK

Potential threat detected:
• Unwanted, legal-liability, or questionable domains or IP addresses, like adult, hate, and violence
• Newly registered, newly observed, or strategically aged domains: risky domains created recently (<30 days) and established domains that suddenly become active
• Phantom domains or domain lockups: deliberately slow authoritative nameservers
• Undesired geo domain hosting: domains hosted in high-risk countries
• Domain Generation Algorithms (DGAs) or dictionary DGAs: generated domains used for C2 or other malicious activity
• Botnet callbacks or discovered/known malicious: compromised endpoints connect to botnets for C2 instructions
• Parked domains: inactive sites used to host ads and promotional content

Modern DNS Control enables:
• Domains accurately categorized and policies applied
• Geo-blocking by IP
• Highly available resolvers
• ML algorithms and threat feed monitoring to detect and categorize
• IPS detections that identify C2/botnet communications

Visibility for all DNS traffic

Organizations monitoring DNS should filter for traffic beyond port 53. It will remain a best practice to monitor plain-text DNS over UDP or TCP, but it is now imperative to also monitor DNS over port 80/443. By doing so, organizations gain visibility into all DNS traffic to better detect and mitigate threats before they reach the user and spread across the network. This will also ensure inspection or control of all key DNS record types (A, AAAA, PTR, MX, TXT, etc.), with added visibility into recursive and iterative requests to third parties. Visibility and alerting help to reduce dwell and response time, which is crucial to preventing and stopping DNS-based attacks, including C2 communication and data exfiltration activities.

The DNS over HTTPS (DoH) protocol has become an internet standard for the Mozilla Firefox and Google Chrome browsers. Windows and macOS have also started to adopt this standard. DoH democratizes encrypted DNS by allowing the user or browser to choose which DNS resolver to use. Touted as a way to prevent ISP tracking, encrypted DNS queries are sent to specific DoH resolvers instead of to internet service providers (ISPs).

DNS logging and reporting

Vis visibility goes hand in hand with ensuring that your organization is logging every DNS transaction. Ensure that the logs and reports generated are forensically complete to equip your compliance managers, threat hunters, forensics specialists, and other security experts with the data they need to view and analyze transactions historically and as they happen.

Without forensically complete logging, it is difficult to triage, and this can allow attacks to unfold patiently over weeks, months, or even years. Defenders must store and be able to access logs for a minimum of six months, often longer, and optionally export logs to threat intelligence, SIEM, or XDR systems on-prem or in the cloud.

Checklist to ensure visibility at scale

Choose a DNS security vendor, or a cloud native firewall vendor with DNS security capabilities, that can perform inline traffic decryption and inspection at cloud scale and that:
• Decrypts and inspects all traffic going to any DoH provider
• Extends and applies security controls and policies to all encrypted traffic to and from all users, devices, and locations
• Redirects DNS and ensures no DNS bypasses controls via malicious tunnels
• Categorizes and blocks communications based on both domains (on the request) and IPs (on the response)

DNS Control in Zscaler Internet Access (ZIA) can simply block the DNS exchange or be configured to forge the A/AAAA responses and resolve the domain to the IP address of the administrator's choosing, where an end user notification is presented.
Ensure compliance

Logging every DNS transaction aids in incident response, and the extended retention aligns with guidelines from the National Institute of Standards and Technology (NIST) and the Cyber Security Maturity Model (CMMC). DNS filtering helps companies comply with requirements to prevent interaction with malicious sites. By securing all DNS requests and responses, regardless of type and resolver, organizations ensure compliance with domain and IP address categorization. The ability to demonstrate compliance in turn helps in qualifying for lower cyber insurance premiums and avoiding liability moving forward.

Actionable insights from analytics

Logs can show you how your workforce is using (and abusing) DNS by providing insight into traffic timelines, domain origins, and the detailed data and context needed to support triage and response in the event of an attack. Defenders can use DNS logs and reporting for ongoing policy creation that answers questions such as:
• Who are the top DNS talkers?
• What DNS protocols are being used?
• What categories are users hitting?
• Who are the top blocked users?
• Were there attempts at DNS tunneling and data exfiltration?

Advanced protection against DNS tunneling

Adversaries use DNS to initiate inbound requests that communicate with malware on infected endpoints and outbound responses that carry privileged information outside the company. DNS tunneling toolkits can be obtained on the dark web and elsewhere, making it easy for attackers to gain control of servers and start initiating requests.

For an effective defense, ensure that your firewall and DNS security solution identifies both legitimate DNS traffic that might be communicating with external C2 servers and malicious traffic posing as DNS. Legacy solutions that perform security only when they function as the recursive DNS resolver are not enough. Detecting traffic representing itself as DNS requires deep packet inspection (DPI) and detailed DNS parsing at high rates and for packets of varying sizes. Using machine learning (ML) can speed up the detection of threats.

DNS translates domain names to IP addresses used by servers and other devices to route traffic to destination sites. Since DNS is part of nearly every application, web and non-web, and is integral to how we use the internet, it is an accessible vector for attackers to gain access to networks and exfiltrate data.

An advanced DNS security solution must identify and guard against:

DNS tunneling attacks
  What is it? By using legitimate DNS requests and responses and illegitimate DNS tunnels, attackers can communicate with external C2 or exfiltration servers (via authoritative DNS servers). DNS tunneling enables attackers to perform C2 and data exfiltration activities. Examples of this in the wild include Iodine and DNScat.
  What are the risks? Without blocking malicious DNS connections. Attackers also control authoritative DNS servers as the exfiltration point for files or as the C2 location.
  DNS Control requirements: Identify DNS tunnels and categorize them into good, bad, and unknown. IPS detection for certain tunnels like DNScat and Iodine. Categorize and block based on both domains (on request) and IPs (on response). Redirect and ensure no DNS bypasses; block malicious tunnels.

Non-standard DNS or non-DNS posing as DNS
  What is it? Non-DNS traffic masquerades as normal, legitimate DNS requests and is thereby potentially "tunneled" over DNS.
  What are the risks? DNS on port 53 and DNS over HTTP/S on port 80/443 are commonly found on many firewalls' "allow list" with little or insufficient inspection and protection enabled or able to be enabled. DoH traffic may only be filtered by a limited number of known DoH providers rather than by the actual content of a domain request and IP response communication.
  DNS Control requirements: Monitor DNS for RFC spec compliance. DPI-based detection for traffic masquerading as DNS.
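As an added example of the last two requirements above (monitoring DNS for RFC compliance and detecting traffic that only pretends to be DNS), the following Python walks a message's header, question and resource-record sections against the structural rules of RFC 1035 and reports what a DPI stage would flag. The packets are constructed samples and the checker is illustrative, not Zscaler's DPI engine; the domain evilpurple.com is the page's own example.

```python
import struct

VALID_OPCODES = {0, 1, 2, 4, 5}        # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_CLASSES = {1, 3, 4, 254, 255}    # IN, CH, HS, NONE, ANY


class Malformed(Exception):
    """The bytes cannot be parsed as an RFC 1035 message at all."""


def build_query(name, qtype, txid=0x1234):
    """Build a minimal standard query (constructed sample input, not captured traffic)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query, address):
    """Answer a one-question A query with one RR whose NAME is a compression pointer."""
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in address.split("."))
    return header + query[12:] + rr


def read_name(msg, offset, findings):
    """Walk a domain name and return (name, offset after it); raise Malformed on structural errors."""
    labels, seen, resume_at, total = [], set(), None, 0
    while True:
        if offset >= len(msg):
            raise Malformed("name runs past end of message")
        length = msg[offset]
        if length == 0:                              # root label ends the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 section 4.1.4)
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if target >= offset or target in seen:   # must point backwards and never loop
                raise Malformed("compression pointer points forward or loops")
            seen.add(target)
            if resume_at is None:
                resume_at = offset + 2               # parsing resumes after the first pointer
            offset = target
            continue
        if length & 0xC0:                            # 0x40/0x80 are reserved, so labels are <= 63 octets
            raise Malformed(f"label length byte 0x{length:02x} uses reserved label type bits")
        if offset + 1 + length > len(msg):
            raise Malformed("label runs past end of message")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        total += 1 + length
        offset += 1 + length
    if total + 1 > 255:                              # soft finding: a real resolver would reject this
        findings.append(f"name is {total + 1} octets, limit is 255")
    return ".".join(labels), (resume_at if resume_at is not None else offset)


def skip_records(msg, offset, count, findings):
    """Check `count` resource records structurally and return the offset after them."""
    for _ in range(count):
        _name, offset = read_name(msg, offset, findings)
        _rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if offset + rdlength > len(msg):
            raise Malformed(f"RDLENGTH {rdlength} exceeds remaining message")
        offset += rdlength
    return offset


def check_dns_message(msg):
    """Return {'parsed': bool, 'findings': [...], 'questions': [(name, qtype)]}."""
    findings, questions = [], []
    try:
        if len(msg) < 12:
            raise Malformed("shorter than the 12-octet header")
        _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        opcode = (flags >> 11) & 0xF
        if opcode not in VALID_OPCODES:
            findings.append(f"reserved opcode {opcode}")
        if flags & 0x0040:                           # the Z bit must be zero on the wire
            findings.append("reserved Z bit set in flags")
        if not flags & 0x8000 and qd == 0:
            findings.append("query carries no question")
        offset = 12
        for _ in range(qd):
            name, offset = read_name(msg, offset, findings)
            qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
            offset += 4
            if qclass not in VALID_CLASSES:
                findings.append(f"unknown class {qclass} in question")
            questions.append((name, qtype))
        for count in (an, ns, ar):
            offset = skip_records(msg, offset, count, findings)
        if offset != len(msg):
            findings.append(f"{len(msg) - offset} trailing octets after the declared sections")
        return {"parsed": True, "findings": findings, "questions": questions}
    except (Malformed, struct.error) as err:     # struct.error: a fixed field runs off the end
        return {"parsed": False, "findings": findings + [str(err)], "questions": questions}


# Constructed samples: a normal lookup and its answer, an over-long name, and HTTP bytes on port 53.
SAMPLES = {
    "query": build_query("www.example.com", 1),
    "response": build_response(build_query("www.example.com", 1), "93.184.216.34"),
    "oversized": build_query(".".join(["x" * 60] * 5 + ["evilpurple", "com"]), 16),
    "not_dns": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}
```

A `parsed` result of False means the bytes are not a DNS message at all; `parsed` True with non-empty `findings` is a message that a strict resolver would reject or that deserves a closer look.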
This "allow listing" creates a handy blind spot for sneaking into or out of your network undisturbed and unobserved.

By using machine learning algorithms, Zscaler detects infected endpoints and hosts attempting to communicate with command and control servers via a tunnel through the ISP's DNS server. Analysts can visualize DNS tunneling activities and adversary intent to exfiltrate, and the solution offers granular flexibility and control in blocking malicious activity.

[Figure: anatomy of a DNS tunnel. The attacker registers the domain evilpurple.com and points its NS record at the C&C server. An infected user machine sends DNS queries such as MRZGS3TLEBWW64T.evilpurple.com to communicate with the C&C server; the TXT/RR record of the DNS request is used to encode and exfiltrate data. The query passes the typical on-prem firewall, which allows UDP:53 DNS, and is forwarded by the ISP DNS resolver. The DNS response (for example, SDTREXZXXBNZSQ.evilpurple.com TXT?<data>) is used by the attacker to issue commands.]

Advanced protection against poisoning, spoofing, and other targeted techniques

Besides tunneling, adversaries use multiple DNS techniques to achieve their objectives.

DNS attacks:
• DNS hijacking: Clients go to third-party resolvers internationally or via broadband routers at hotspots (coffee shops, airports, etc.). Compromised devices are directed to malicious DNS servers.
• DNS flood attack: Valid but spoofed DNS requests flood and overwhelm servers and max out available bandwidth, potentially leading to outages.
• Cache poisoning, DNS spoofing: DNS resolvers get pointed to malicious IP addresses for legitimate domains.
• Fast flux: Uses malware to quickly cycle through domains and IPs to avoid detection.
• DNS amplification: Uses public DNS resolvers to conduct Distributed Denial of Service (DDoS) attacks and overwhelm a target with DNS response traffic.

Mitigation strategy:
• Direct DNS requests to trusted public resolvers, or to trusted resolvers such as Zscaler
• Accurately categorize and block suspicious requests based on both domains (on request) and IPs (on response)
• Redirect DNS traffic, ensuring no DNS bypasses control policies
• Detect and block malicious tunnels

Part III: Optimizing DNS Performance

DNS is a powerful tool to guarantee availability and integrity of the network, with nearly every application (web and non-web), system, and device performing DNS lookups. By delivering high availability (HA) DNS clusters distributed close to the users or devices that direct DNS requests to them, organizations achieve low-latency responses and easy centralized management that streamlines operations and reduces cost. A superior user experience reduces the likelihood of employees bypassing corporate DNS security and controls.

Rapid resolution for mobile and work-from-anywhere users

To prevent latency and inaccurate context, avoid hairpinning traffic back to regional data centers and centralized security stacks. Hairpinning DNS traffic deprives users of the most relevant context and IP addresses for their present location. For example, a user in Tokyo should receive Japanese-language and local content. Provide the best experience by delivering geo-localized DNS resolution for all users and devices. Cloud-based solutions make it easy for users to change resolvers wherever they are and whenever they choose. Zscaler, for example, uniquely extends all security policies to cover the use of any and all resolvers, trusted and otherwise.
UX goal, challenges, performance impact, and DNS Control solution:

Reliable access
  Challenges: uncertain recursive DNS availability; DoS request flood; NXDOMAIN attack
  Performance impact: high latency; poor network and firewall utilization
  DNS Control solution: highly available DNS request/response in each data center

Resolution quality
  Challenges: mobile clients not optimized to users' current locations; ECS injection
  Performance impact: poor UX; high bearer-path latency
  DNS Control solution: resolve DNS requests locally from a centralized, cloud-based solution

Zscaler Firewall allows admins to customize responses according to DNS categories and automate responses based on DNS traffic types.

Centralized policy management

A modern approach to DNS Control streamlines centralized administration of worldwide networks and security infrastructures and minimizes total cost of ownership (TCO) throughout the deployment life cycle. Managing DNS Control centrally in an easy-to-understand UI for all user traffic, wherever users are in the world, produces the highest risk reduction and best security outcomes with reduced time invested and fewer specialized security skills required. Operating global deployments from one powerful console streamlines effort and reduces the margin for administrative error, another potential source of risk and downtime.

CapEx and OpEx reduction

Unifying and optimizing network and firewall utilization, as well as reducing configuration and management cycles, makes you more operationally efficient. Analysts of different skill levels can create strong security policies that reduce overall risk and, in turn, the likelihood of misconfiguration or excessive permissions. At the outset, companies don't need to purchase and provision multiple devices to mitigate risk and achieve localized worldwide coverage. With a SaaS approach, the provider assumes the burden of deploying, operationalizing, and maintaining firewall and DNS security. This eliminates the need for MPLS and for maintaining equipment at the edge, and reduces the ongoing cost of funneling traffic back to centralized inspection and analysis tools. For example, Zscaler's tight integration of DNS control policies within the firewall platform means you simply switch on the DNS service without having to reroute traffic to external resolvers. IT can easily point traffic to local or trusted resolvers, just as users can, while ops teams gain granular control to detect and prevent DNS tunneling.

Prioritize business activities with category categorization

Organizations can use category categorization to ensure quality of service and prioritization of business activities. Policies such as blocking or limiting bandwidth-heavy categories, including online game sites, improve productivity and the user experience for sites and applications like Microsoft Teams and Zoom.

TCO challenge, examples, impact, and solution:

Management and operation of DNS infrastructure
  Examples: buying and deploying DNS boxes; building global and local DNS capacity for availability; adding new capacity
  Impact: upfront CapEx cost (on day one); ongoing updates and patching; skillset needed to stand up, configure, and maintain infrastructure
  Solution: DNS cluster globally operated and managed by Zscaler; pay just for what you need, scale when you need it

Maintaining high-security DNS policies with little training
  Examples: non-specialist ability to define high-security DNS policies
  Impact: too many tasks, not enough time; highest-skilled IT and SecOps resources needed to combine and coordinate
  Solution: easily achievable expertise and high risk reduction via a simple UI with minimal expertise; define DNS security policies once, deploy everywhere
Part IV: DNS Control with Zscaler Firewall

[Figure: users and devices send DNS to sanctioned DNS resolvers or shadow DNS resolvers; the Zero Trust Exchange, with Zscaler Cloud Firewall and Zscaler Trusted Resolvers, sits inline for any DNS request, any DNS response, any user, any device, any location, blocking the bad and allowing the good while providing available, fast, geo-proximate DNS resolution.]

Zscaler Firewall and DNS Control offer a modern and advanced approach to DNS security and performance. Users connect to sanctioned DNS resolvers or Zscaler Trusted Resolvers (ZTRs) for secure and fast resolution by pairing with geographically local apps. By delivering DNS-as-a-service, Zscaler minimizes latency, optimizes cloud app performance, secures local internet breakouts using full proxies for all DNS traffic, and leverages machine learning to detect and block data exfiltration tunnel activity.

Centralized policy management and granular rules and policies can be set based on user, app, location, and resolved IP country, blocking users from malicious domains and detecting and preventing DNS-based attacks. By filtering, decrypting, and applying DNS Control policies from the cloud, Zscaler offloads processing-intensive functionalities from your firewalls and other inline security tools. Security teams can turn on more advanced features and load balance requests to mitigate the risk of dropped requests and DNS bypass, and as a result may not need to invest in more firewalls as quickly or dedicate as many skills and cycles to managing firewalls.

Purpose-built for today's digital world, Zscaler Firewall ensures you can securely access the internet and handle all web and non-web traffic, across all ports and protocols, with infinite elastic scalability and unbeatable performance. DNS Control enables customers to:
• Leverage and meet the growing demands of the cloud
• Resolve and secure all requests and responses to and from any location
• Apply and change policies anywhere in the world
• Minimize effort and cost throughout the deployment life cycle

DNSSEC support

The DNS Security Extensions (DNSSEC) protocol deflects attacks by verifying and digitally signing data. Signing occurs at each iteration of the DNS lookup, starting from the core 13 root resolvers. Zscaler Trusted Resolvers (ZTR) use DNSSEC when supported to prevent cache poisoning and other forging techniques. The default policy to intercept DNS traffic and resolve DNS requests at the ZTR needs to be enabled, or DNS requests need to explicitly target Zscaler global IPs, for the benefit of DNSSEC to be attained.

DNS Control with zero trust in mind

Organizations adopting a zero trust strategy can proxy all DNS traffic to Zscaler for inline protection and establish access with context, strict user authentication, and continual policy checks. With adaptive, real-time policy enforcement, malicious traffic connections are terminated. The segmentation-centric and identity- and access-focused framework allows organizations to increase agility and resiliency, enabling business initiatives such as digital transformation and cloud adoption.

AI-powered DNS tunneling detection

Apply ML and AI-powered protection inline to detect DNS tunneling attempts and prevent traffic from bypassing DNS security policies. The Zscaler ThreatLabz research team monitors all customer traffic worldwide to uncover new cyber tools, techniques, and processes, and drives development of new methods of identifying compromises, including indicators of DNS tunneling. Their research updates the ML algorithms. Perennial vectors (or "features") offer insight into:
• Entropy and how DNS volume and data change over time
• Variations in DNS requests in domains and subdomains and the uniqueness of any given request and response
• Numbers and distribution of endpoint clients requesting domain/subdomain sets
• Reputation and co-occurrence of authoritative nameservers and related reputations

The findings are deployed in a closed-loop automated manner. DNS tunnel exfiltration points get classified into "known malicious," "known legitimate," and "unknown" categories. Requests to particular categorized locations can be blocked in the first DNS packet immediately (and globally) so there is no chance of data leakage or beaconing post-discovery.

DNS capabilities and superior value:

Full DNS visibility and resolution
• See all traffic (regardless of original target resolver) to trusted resolvers in 150+ data centers worldwide
• Inspect all DNS traffic (including DNS over HTTPS)
• Log every transaction, including enriched data like domain categorization, viewed in the UI or exported

Flexible DNS policy definition and control
• See and control all DNS requests regardless of user source or target destination
• Secure encrypted DoH requests sent to unsanctioned, third-party locations
• Define rules by domain and IP categorization, request type, geolocation, and more

Reduction of the attack surface
• Leverage cloud-scale discovery and classification of DNS tunnel usage
• Block malicious attempts and control legitimate DNS tunnels

Automation for economies of scale
• ML extends value to all customers as Zscaler identifies malicious DNS tunnels impacting individual customers

The Zscaler Zero Trust Exchange

Zscaler Firewall is fully integrated with Zscaler Internet Access and is part of the holistic Zero Trust Exchange. The Zscaler Zero Trust Exchange runs on the world's largest security cloud, operating from more than 150 data centers globally, delivering comprehensive security with an exceptional user experience. The platform allows direct and secure connections based on the principle of least-privileged access, and it inspects content deeply and verifies access rights based on identity and context before permitting any connection to be made.
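Added example (not Zscaler's code or its ML model) showing how three of the tunneling-detection feature families named in Part IV, entropy, request and subdomain uniqueness, and client distribution, can be derived from DNS logs and combined into a per-domain score; nameserver reputation needs external data and is left out. The log lines, their column layout, the two-label registered-domain rule and the thresholds are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed log lines in the form "<time> <client> <qname> <qtype> <rcode>".
# The column layout is an assumption for this example, not Zscaler's log format.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 www.example.com A NOERROR
10:00:02 10.1.1.5 teams.microsoft.com A NOERROR
10:00:03 10.1.1.7 mail.example.com MX NOERROR
10:00:04 10.1.1.7 www.example.com A NOERROR
10:00:05 10.1.1.9 MRZGS3TLEBWW64TFEBXW4YLM.evilpurple.com TXT NOERROR
10:00:06 10.1.1.9 SDTREXZXXBNZSQHGFEBXW4Y3.evilpurple.com TXT NOERROR
10:00:07 10.1.1.9 JBSWY3DPEHPK3PXPFBQXGNBA.evilpurple.com TXT NOERROR
10:00:08 10.1.1.9 KRUGS4ZANFZSAYJAORSXG5BA.evilpurple.com TXT NOERROR
10:00:09 10.1.1.9 ONSWG4TFOQQGI33DOVWWK3TU.evilpurple.com TXT NOERROR
10:00:10 10.1.1.9 PFXXK4TTMVWGMIDTN5WWKIDU.evilpurple.com TXT NOERROR
10:00:11 10.1.1.5 www.example.com A NOERROR
"""


def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than words like 'www' or 'mail'."""
    if not text:
        return 0.0
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def split_name(qname):
    """Split into (registered domain, subdomain part). Assumes a two-label registered
    domain for brevity; production code should consult the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Turn the constructed log text into per-query records."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip blank or malformed lines
        _time, client, qname, qtype, rcode = fields
        domain, sub = split_name(qname)
        records.append({"client": client, "domain": domain, "sub": sub, "qtype": qtype, "rcode": rcode})
    return records


def domain_features(records):
    """Per registered domain: volume, uniqueness, client-distribution and entropy signals."""
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[rec["domain"]].append(rec)
    features = {}
    for domain, recs in by_domain.items():
        subs = [r["sub"] for r in recs]
        features[domain] = {
            "queries": len(recs),
            "clients": len({r["client"] for r in recs}),
            "unique_sub_ratio": len(set(subs)) / len(recs),
            "mean_sub_len": sum(len(s) for s in subs) / len(recs),
            "mean_sub_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(recs),
            "txt_null_ratio": sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs),
        }
    return features


def score_domain(f):
    """Additive score; the thresholds are illustrative assumptions, not a tuned model."""
    score = 0
    if f["mean_sub_entropy"] > 3.5:
        score += 2                        # subdomains look like encoded data, not words
    if f["queries"] >= 5 and f["unique_sub_ratio"] > 0.8:
        score += 2                        # nearly every query carries a new label: no caching benefit
    if f["mean_sub_len"] > 20:
        score += 1                        # long labels maximize bytes carried per query
    if f["txt_null_ratio"] > 0.5:
        score += 1                        # record types with large, free-form RDATA
    if f["queries"] >= 5 and f["clients"] == 1:
        score += 1                        # a single endpoint hammering one domain
    return score


def tunnel_candidates(log_text, threshold=4):
    """Return the registered domains whose score reaches the threshold, highest score first."""
    scored = {d: score_domain(f) for d, f in domain_features(parse_log(log_text)).items()}
    return sorted((d for d, s in scored.items() if s >= threshold), key=lambda d: -scored[d])
```

Real deployments add the time dimension the page mentions (how volume and entropy change per domain over a sliding window) and feed the classified domains back as block-list categories.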
For more information, visit our pages for Zscaler Internet Access and Zscaler Firewall, or reach out to your Zscaler representative.

Zscaler maintains and points DNS requests to the nearest Zscaler Zero Trust Exchange, optimizing performance and delivering fast, relevant resolutions.

About Zscaler

Zscaler (NASDAQ: ZS) accelerates digital transformation so that customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SSE-based Zero Trust Exchange is the world's largest inline cloud security platform. Learn more at zscaler.com or follow us on Twitter @zscaler.

+1 408.533.0288
Zscaler, Inc. (HQ) • 120 Holger Way • San Jose, CA 95134
© 2023 Zscaler, Inc. All rights reserved. Zscaler™, Zero Trust Exchange™, Zscaler Internet Access™, ZIA™, Zscaler Private Access™, and ZPA™ are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the properties of their respective owners.
zscaler.com