Secure DNS: Preventing Poisoning and Phishing

Key Points

  • Secure DNS protects users by ensuring that domain name lookups aren’t hijacked or poisoned, which could otherwise redirect users to malicious sites.
  • DNS poisoning allows attackers to supply false IP addresses, leading victims to phishing pages, ransomware downloads, or data‑stealing sites.
  • Phishing emails often exploit subtle domain changes, relying on compromised DNS resolution to silently send users to counterfeit websites.
  • Solutions like Quad9 replace the default DNS resolver with a security‑focused service that blocks known malicious domains using a maintained blacklist.
  • When a request matches a blacklisted site, the secure DNS returns an error (e.g., 404), preventing the user from ever reaching the harmful destination.
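What a blocked lookup looks like to the client, as an added example (not from the video or from Quad9): at the DNS layer the refusal arrives as a response code with no address records, assumed here to be NXDOMAIN, rather than an HTTP status. The name `blocked.example`, the address 192.0.2.10, the transaction IDs and the helper `fake_response` are constructed for illustration; the parser also rejects replies whose transaction ID does not match the query, a basic check against spoofed answers.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode 'a.b.c' as length-prefixed DNS labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, txid):
    """A-record query: 12-byte header (RD set, one question) plus the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg, txid):
    """Return (rcode name, [IPv4 answers]); reject replies not matching txid."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:    # A record carrying an IPv4 address
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), addrs

def fake_response(query, rcode, addr=None):
    """Constructed sample reply to `query`, standing in for a resolver."""
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    answer = b""
    if addr:                             # one A record pointing back at the question name
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, addr.split(".")))
    return hdr + query[12:] + answer

if __name__ == "__main__":
    q = build_query("blocked.example", 0x1A2B)   # constructed name and ID
    print(parse_response(fake_response(q, 3), 0x1A2B))
```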

Full Transcript

**Source:** [https://www.youtube.com/watch?v=iV8FYhYrUxI](https://www.youtube.com/watch?v=iV8FYhYrUxI)
**Duration:** 00:05:39

## Sections

- [00:00:00](https://www.youtube.com/watch?v=iV8FYhYrUxI&t=0s) **Secure DNS and Poisoning Risks** - The speakers explain DNS basics, illustrate how DNS poisoning and related phishing attacks can redirect users to malicious sites, and emphasize the importance of securing DNS.
- [00:03:05](https://www.youtube.com/watch?v=iV8FYhYrUxI&t=185s) **Quad9 DNS: Privacy and Non‑Profit Model** - The speaker explains that Quad9, a nonprofit DNS service based in Switzerland, protects users from phishing without monetizing their data, leveraging strict Swiss privacy laws to enhance security and anonymity.

0:00 Today's topic is Secure DNS.
0:02 Before the end of this video, you're going to know what it is, how it works and why it's important.
0:06 Now, Jeff "the security guy", you proposed this topic.
0:09 And at first, what I thought you meant was just DNS, where you have a user, which visits a website say, for example, ibm.com.
0:21 And then this DNS server maps that back into an IP address.
0:28 Maybe you meant like the encryption or something like that.
0:30 And that then allows them to return to the page they want to see.
0:36 But that's not what you were talking about. [Jeff] No.
0:37 What's the security implication here that I'm concerned about?
0:40 Yeah, so what could happen is if you had a bad guy, let's say up here, and the bad guy were to get into the DNS and poison it.
0:48 In other words, make it so that it doesn't point to the actual IBM address.
0:53 In fact, it gives a resolution that goes back to this guy and points him to some other place that is not the actual website.
1:01 Then he's going to come up here to the hacker-controlled website, and now he's basically a victim.
1:08 He could end up entering his personal information in a place he didn't mean to.
1:11 He could end up in downloading ransomware or other malware.
1:16 That's one use case where there's been a poisoning that's occurred here.
1:20 Now, that doesn't happen all that frequently, but there is also the possibility that this guy could send an email over here.
1:26 So we're talking about phishing now, right?
1:28 Exactly.
1:29 And in the email, it might say click here for ibm.com.
1:33 But in fact, it's obscured.
1:35 And what it's actually going to point to is this.
1:38 So this is some other web site; this is some kind of fake web site.
1:42 And the resolution is going to come in to here.
1:45 This DNS is going to faithfully resolve that and give him back an IP address that points him to the wrong place.
1:52 So instead of being ibm.com, it's ibmfakehack.com or something like that.
1:58 And he's not going to be aware of it.
1:59 That's like what you see in a phishing email where they have one little change of a letter,
2:04 which at first glance looks perfect legit, but in fact is taking you off somewhere else.
2:08 Okay, so how is it we're going to address that problem?
2:11 So a better way to do this is to have a DNS that is more trustworthy,
2:15 that's designed for security, designed for privacy, designed for all of these kinds of things.
2:20 And an example of that is something that comes from an organization called Quad9.
2:25 In Quad9, you would replace the DNS here, and instead send your domain names, your URLs, to Quad9. Quad9 then resolves them.
2:36 And what Quad9 is doing is maintaining a blacklist of known bad websites.
2:41 So this bogus website up here would be in the blacklist, and when you sent the request down to get resolution,
2:49 you would not get back anything.
2:51 You get like a 404 or server not found?
2:53 Yeah, something along those lines. So in other words, there's literally no way for you to get to there
2:57 because you don't even know what the numeric IP address is for that site.
3:02 This thing was looking out for you and blocked you from ever getting there in the first place.
3:05 So that essentially protects me from a potential phishing attack.
3:08 Exactly.
3:09 But there's also, you look at other parts of this, the performance and privacy considerations.
3:15 Like right now, today, you probably have your DNS is through your ISP, or if you have a mobile phone through them, right?
3:22 And honestly, we also know that they have a potential profit motive there.
3:27 How does that picture play out here with Quad9?
3:30 Well, the good news is Quad9 is a nonprofit organization.
3:33 So they don't profit from your information.
3:36 There's an old saying that says "if you're not paying for it, you're the product, not the customer." Well, in this case, that's not the case.
3:44 Because, in fact, you're not paying for Quad9.
3:46 But in fact, what they're doing is it's a nonprofit and they're trying to improve security and privacy for everyone.
3:53 The organization that runs Quad9 is headquartered in Switzerland,
3:57 which is a country that is known for privacy, all the way to your financial privacy and these kinds of things.
4:03 They actually have stronger privacy regulations than there are in the rest of Europe.
4:08 In the European Union, they have the Generalized Data Protection Regulation standard, GDPR.
4:14 And in fact, that's very strict.
4:16 The laws in Switzerland are even stricter, and carry actual criminal penalties for violations.
4:22 So it's in a place where there is there's no desire to monetize you.
4:28 The desire is to take your information, anonymized, and use it to enhance this blacklist. And we get sources, other sources that feed into this.
4:40 One of those other sources is IBM's X-Force Security Research Group.
4:44 So this all enriches the database and that information is then shared.
4:48 So everyone that comes along benefits from everyone else's contribution to this.
4:53 Think of it as a crowdsourcing.
4:55 But your information is still anonymized.
4:57 And no more profit motive.
4:59 None of that.
4:59 Because the best thing here about this is the whole thing is in fact free.
5:04 You don't pay for it, yet you benefit from it.
5:07 And in fact, everyone benefits from this with the security capabilities it adds.
5:12 Excellent.
5:12 So that's the message you need to take away, is that go into your network settings
5:16 and whether it be Windows or MacOS and you can change your DNS to be...
5:23 9.9.9.9.
5:25 Therefore Quad9.
5:27 So it's easy to remember.
5:29 Well, thanks a lot, Jeff.
5:30 You bet.
5:32 Thanks for watching.
5:33 If you found this video interesting and would like to learn more about cybersecurity, please remember to hit like and subscribe to this channel.