How to block unauthorized external DNS resolvers for strengthening enterprise security

By PG Menon, Senior Director of product marketing, Infoblox

Using external DNS providers has always been a questionable idea for an enterprise. The Internet Domain Name System (DNS) is how end-user applications obtain the IP address of their destinations. Enterprises want to enforce Internet-access policies that align with their business needs, and those policies are most effectively implemented on authorized, internal corporate DNS servers.

Implementing Corporate Security Policies

Learn from Infoblox’s solution note on blocking access to unauthorized cloud DNS services to ensure that corporate security policies are consistently enforced.

Solution Note: DoT and DoH Present New Challenges

Firefox and Chrome have begun supporting external, cloud-hosted DNS resolvers. Using these DNS services bypasses the controls that enterprise IT organizations put in place to prevent end users from visiting unauthorized Internet destinations. Also, certain operating systems and browsers encrypt the query/response exchange with these unauthorized DNS services using DNS over TLS (DoT) or DNS over HTTPS (DoH), which makes that traffic harder to distinguish from ordinary traffic and to block.

Figure 1: Use Infoblox DoT today

As the industry leader in commercial DNS, Infoblox has the solution to this problem. Organizations can use Infoblox’s recommended best practices to block encrypted DNS queries from end-user devices to unauthorized public DNS services, forcing the devices to fall back to their original and controlled DNS behavior. This approach consistently enforces corporate policy and reduces business risk.

Figure 2: Block DoH today

Partners can help enterprises enforce corporate compliance and policy by blocking access to unauthorized DoH resolvers at several points: in the application or browser, in the operating system's stub resolver, at the firewall, or at the proxy server in the network. This ensures that, even in the era of remote work, organizations stay at the top of their cybersecurity game.
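The two preceding paragraphs describe the policy the firewall or proxy enforcement point has to apply: plaintext DNS is allowed only to the corporate resolvers, DoT is recognisable by its dedicated port, and DoH has to be picked out of ordinary HTTPS by the resolver's server name. The following is an added example, not Infoblox code or code from the original article, that implements that decision logic over a few constructed flow-log lines. The resolver addresses, the DoH hostnames and the log format are all placeholders; an operator would populate the hostname list from a maintained inventory of public DoH endpoints.

```python
"""Classify outbound flows as authorized DNS, unauthorized plaintext DNS, DoT or
DoH, and decide whether corporate DNS policy allows them (added example)."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Corporate resolvers that are allowed to answer queries (constructed placeholder addresses).
AUTHORIZED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# DoH endpoints to block by TLS server name (constructed placeholders; an operator
# would fill this from a maintained list of public DoH resolvers).
KNOWN_DOH_HOSTS = {"doh.resolver-a.example", "dns.resolver-b.example"}

DNS_PORT = 53     # plaintext DNS
DOT_PORT = 853    # DNS over TLS uses a dedicated port, so it is easy to spot
HTTPS_PORT = 443  # DNS over HTTPS hides inside ordinary HTTPS traffic


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                 # "udp" or "tcp"
    dport: int
    sni: Optional[str] = None  # TLS server name, if the sensor extracted one


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow-log line into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(src=fields["src"], dst=fields["dst"], proto=fields["proto"],
                dport=int(fields["dport"]), sni=fields.get("sni"))


def classify(flow: Flow) -> Tuple[str, str]:
    """Return (category, verdict) where verdict is 'allow' or 'block'.

    Policy: plaintext DNS only to corporate resolvers, no DoT at all, and no
    HTTPS to a known DoH endpoint. Everything else is left alone, so blocked
    clients fall back to the resolver the corporate network hands them.
    """
    if flow.dport == DNS_PORT:
        if flow.dst in AUTHORIZED_RESOLVERS:
            return "dns-authorized", "allow"
        return "dns-unauthorized", "block"
    if flow.proto == "tcp" and flow.dport == DOT_PORT:
        return "dot", "block"
    if flow.proto == "tcp" and flow.dport == HTTPS_PORT and flow.sni in KNOWN_DOH_HOSTS:
        return "doh", "block"
    return "other", "allow"


# Constructed sample log: one flow of each kind. 198.51.100.0/24 is a
# documentation range used here as "some external address".
SAMPLE_LOG = """\
src=10.20.30.40 dst=10.0.0.53 proto=udp dport=53
src=10.20.30.40 dst=198.51.100.1 proto=udp dport=53
src=10.20.30.41 dst=198.51.100.2 proto=tcp dport=853
src=10.20.30.42 dst=198.51.100.3 proto=tcp dport=443 sni=doh.resolver-a.example
src=10.20.30.42 dst=198.51.100.4 proto=tcp dport=443 sni=www.example.com
"""


def evaluate(log: str) -> List[Tuple[str, str, str]]:
    """Run the policy over every non-empty log line; returns (dst, category, verdict)."""
    results = []
    for line in log.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        category, verdict = classify(flow)
        results.append((flow.dst, category, verdict))
    return results


if __name__ == "__main__":
    for dst, category, verdict in evaluate(SAMPLE_LOG):
        print(f"{dst:<16} {category:<17} {verdict}")
```

Matching on the server name is the weak point of the DoH rule: a resolver that is not on the list, or a client that omits the server name, passes through as ordinary HTTPS, which is why the article also lists the browser and the operating system's stub resolver as enforcement points rather than relying on the network alone.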

Author Bio: PG Menon, senior director of product marketing at Infoblox

PG Menon is a senior director of product marketing at Infoblox. He was most recently a senior director at Aruba Networks, a Hewlett Packard company, where he was product marketing lead for its $1.2B switching product line. Before Aruba, PG was senior director of technology strategy at Brocade Communications, where he led several corporate initiatives such as SDN and DevOps for the cloud and datacenter markets. Prior to Brocade, PG was a founding executive in numerous startups that were acquired by major corporations such as ARRIS International and Cabletron Systems. PG Menon has an MS in EE from Rensselaer Polytechnic Institute and a BS in EE from IIT, Varanasi, India.