Introducing Advanced DNS Resolver: Unifying DNS Security for Your Distributed Enterprise

DNS: The Internet's Vulnerable Backbone

The internet's naming system, DNS, is constantly under attack. It's a critical service for internet operation and that’s what makes it a prime target for abuse. 85% of malware uses DNS for command and control. In fact, the 2023 IDC Global DNS Threat Report found that 90% of organizations experienced a DNS attack, resulting in an average cost of $1.1 million each. With the advent of AI-driven attack tools, these threats—from data exfiltration to sophisticated hijacking—often go undetected by traditional security.

Our Advanced DNS Security (ADNS) has a strong track record as a premier solution, consistently delivering real-time DNS threat prevention for our existing customer base. The ADNS platform analyzes over 1.1 billion new domains daily, enabling us to prevent up-to 7.7 million new malicious domains and stop up-to 2.06 billion threats inline every 24 hours. This powerful capability is further enhanced by a network effect: our Precision AI models are continuously trained by shared threat data from 70K customers, extensive third-party threat databases, and user DNS traffic. However, the evolving nature of enterprise networks presents new challenges. The shift towards multi-cloud, widespread branch deployments, and a remote workforce, along with intricate multi-vendor security ecosystems and Mergers & Acquisitions, necessitates an evolution of ADNS to ensure we can provide truly consistent, seamless, and ever-present DNS security for all customer segments, regardless of their environment.

Introducing Advanced DNS Resolver (ADNSR)

The Advanced DNS Resolver (ADNSR) is specifically designed for this modern, distributed enterprise and brings intelligent, cloud-native DNS-layer threat prevention to your entire distributed enterprise. It simplifies deployment, provides flexibility and ensures consistent security everywhere. Simply redirecting your DNS traffic to ADNSR  provides you comprehensive DNS inspection and content categorization, defending your hybrid, multi-cloud environments.

What truly sets ADNSR apart?  

ADNSR distinguishes itself by providing unparalleled DNS security and resolution that integrates seamlessly with any firewall, even in mixed environments. This cloud-delivered solution leverages advanced AI, including deep learning, to proactively stop sophisticated threats like DNS hijacking by inspecting both DNS requests and responses in real-time. This ensures complete visibility and consistent protection for all your devices. It's also a standalone solution and doesn’t require a Palo Alto Firewall. It is simple to deploy and manage, allowing you to enhance your security without disrupting your existing IT infrastructure.

Revolutionary Capabilities Driven by Precision AI™

At the heart of ADNSR's is our Advanced DNS Security (ADNS) service powered by Precision AI™. Our solution  leverages Precision-AI to analyze DNS traffic in real time—detecting and blocking advanced threats with exceptional accuracy. This allows us to catch and block even the most sophisticated threats closer to their origin, often before they can even reach your network. ADNS security, powered by Precision AI,provides 2x the threat coverage compared to the nearest  competitor, preventing up-to 2.06 billion threats inline every day. By preventing "patient zero" scenarios, it significantly reduces your organization's risk profile and avoids costly security incidents.

What are the Key Capabilities provided by ADNSR?  

• Global High performance DNS Resolution & Enterprise-Grade SLAs: Our ADNS Resolver PoPs (Points of Presence) are strategically distributed globally across the Americas, EMEA, and JAPAC regions to ensure optimal performance and low latency for your users. Our infrastructure is built for maximum resilience with a 99.999% uptime SLA.

• Simplified Onboarding: Setup is incredibly easy: simply configure your local DNS server to point to the ADNS Resolver's Anycast IPs 96.9.97.9 and 96.9.96.9 and verify the egress IP of the network. Later, you can attach a predefined or customized security profile.

• Flexible deployment across hybrid, multi-vendor, and cloud-native architectures without added complexity or dependence on perimeter-based enforcement.

• Inline Inspection of DNS Requests and Responses: Provides greater insights and protection against advanced and unknown DNS-layer threats, including DNS hijacking attacks, all in real-time.

• Consistent Real-time AI-powered Protection, Anywhere: Our platform defends against 35 different DNS-layer attack techniques, a number that is continuously growing to counter emerging threats. It is continuously trained on rich data to ensure faster and more accurate detection. This delivers intelligent, adaptive DNS-layer security that safeguards your environment, protecting both branch sites and cloud workloads.

• Content Filtering:  Gain granular control by allowing or blocking access to unwanted content directly at the DNS resolver level. We support 60+ categories, providing options to allow, alert, block, or sinkhole traffic based on your policies. This enables organizations to enforce acceptable use policies and ensure compliance.

• Centralized Management, Logging, and Analytics: Management is streamlined and centralized through Strata Cloud Manager (SCM). This ensures consistent policies and high reliability. The ADNS Resolver offers comprehensive logging capabilities, including both benign and malicious requests, with up to one year of log retention for auditing and troubleshooting. You can access contextualized logging and reporting through SCM, even utilizing the Activity Insights Threats and Domains pages.

• External Dynamic Lists (EDLs): Enhance your security posture by leveraging third-party threat feeds and other domain lists. You can integrate these as External Dynamic Lists, enabling the resolver to dynamically import and update domains for allowlisting or blocklisting. These EDLs are executed before any other security or content rules.

• Flexible Sinkhole Settings: For malicious or suspicious DNS queries, ADNSR can forge DNS responses to direct traffic to a controlled IP address (sinkhole). It supports both default and customizable block pages, providing clear notification to users and also provides an option to point to a custom sinkhole server.

• Threat Intelligence & User Context: Integrates anonymized threat intelligence from a global network of 70,000+ customer deployments, Passive DNS, WHOIS, and various Cloud-Delivered Security services (CDSS). This robust intelligence fusion provides highly accurate detection outputs. For granular visibility, our solution can be complemented by a Palo Alto Networks NGFW in Tap Mode with User-ID enabled, allowing you to see which specific user initiated a DNS query, even when internal DNS servers mask client IPs.

Why ADNSR is Critical for Your Security Posture

The Advanced DNS Resolver empowers organizations to boost security, streamline operations, and reduce risk across their entire infrastructure. It provides unrivaled DNS security, resolution, and content categorization with maximum flexibility. By stopping threats closer to their origin, often before they reach your network, it delivers a proactive, high-fidelity security posture that significantly reduces your organization's risk profile and avoids costly security incidents

This solution fits right into diverse environments, whether you have Palo Alto Networks firewalls, a mix of vendors, or are dealing with acquisitions, helping to consolidate security and simplify architecture.

Conclusion

The Advanced DNS Resolver represents a pivotal step in securing your network against the evolving landscape of DNS-based threats. By providing a flexible deployment and real-time, AI-powered inspection of both DNS requests and responses, coupled with unparalleled visibility, it redefines what comprehensive DNS resolution service and security looks like. We believe this solution will significantly enhance your security posture, reduce operational overhead, and provide the deep insights necessary for proactive threat hunting.

Looking to simplify DNS security and extend protection across your entire environment? Contact your Palo Alto Networks representative or visit our Advanced DNS Security page to get started.