
DNS Security & Logging Best Practices with Securd's Greywall



DNS is the foundation of the Internet, connecting users to the Internet's vast resources. That same ubiquity makes it a prime target for cyber adversaries: the sheer number of domains in existence makes it easy for attackers to leverage compromised and disposable domains. Securd's Greywall offers a proactive approach by adding zero trust to DNS filtering. By adhering to the best practices below, organizations can significantly enhance their cybersecurity posture and protect their assets from ever-growing cyber threats. In the complex world of cybersecurity, an adaptable and forward-thinking tool like Greywall, paired with vigilant best practices, is invaluable in safeguarding digital assets.


Here are the essential DNS Security and logging best practices for Securd users:

Intelligent Threat Assessment

Use Greywall's ability to learn domains by zone. Once learning mode is disabled, Greywall blocks every hostname it has not observed, whether an established domain or one generated by a DGA; every out-of-scope DNS query is blocked.



Temporary Block Duration

Setting an appropriate temporary block duration can be a game-changer. Adjust it based on the potential risk and on how often the domain is queried; the block can range from one hour to 90 days. Endpoints whose configuration rarely changes should have a longer duration configured as the resolution delay time.



Isolate Greywalls

Create multiple companies so that each Greywall operates in isolation, which maximizes your use of zero-trust principles. This DNS compartmentalization ensures that domain observation and analytics are specific to each tenant, eliminating the risk of less sensitive endpoints influencing your aggregate DNS security posture.


Endpoint-Based Interaction

Understand the significance of domain interactions with your own endpoints rather than relying solely on global observations. Focus on the time of first interaction and correlate it with other logs to understand why the DNS queries occur.

Configure Rules for New Domains

Don't allow blind domain resolution. Your endpoints only ever resolve a small fraction of the DNS namespace, so why permit them to resolve and connect to anything in this threat environment? Use Greywall's capability to set specific rules for new domains, ensuring they are observed and analyzed before being trusted.



Active Logging and Analysis

Constantly monitor and log all DNS queries, especially those that are blocked. Real-time DNS logging offers insight into potential threats and provides valuable data for threat intelligence.


Continual Re-evaluation

Once the temporary block duration ends, don't automatically assume the domain is safe. Use Greywall to re-evaluate and subject it to further security checks. Leverage DNS rank and other threat intelligence and data enrichment to determine the trustworthiness of a hostname.
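The following is an added example, not Securd's code and not a description of how Greywall is implemented internally. It replays a small set of constructed DNS log lines through a toy "greywall" policy that ties together the Temporary Block Duration, Isolate Greywalls, Active Logging and Analysis, and Continual Re-evaluation practices above: hostnames seen during learning mode are allowed, hostnames first seen afterwards are blocked for a configurable window, and when the window expires the hostname is re-checked against a rank-style enrichment table instead of being trusted automatically. The log format, the `DNS_RANK` table, the trust threshold, and the tenant names are all assumptions made for the example.

```python
"""Added example (not Securd's code): toy replay of a zero-trust DNS policy.
Learn by observation, block unknown hostnames for a temporary window, re-check
enrichment when the window ends, keep tenants isolated, log every decision."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed log format, one query per line; not Securd's real log format.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) tenant=(?P<tenant>\S+) endpoint=(?P<endpoint>\S+) qname=(?P<qname>\S+)$"
)

# Constructed sample log: day one is learning mode, day two is enforcement.
SAMPLE_LOG = """\
2024-05-01T08:00:00 tenant=acme endpoint=laptop-01 qname=updates.example.com
2024-05-01T08:05:00 tenant=acme endpoint=laptop-02 qname=mail.example.net
2024-05-02T09:00:00 tenant=acme endpoint=laptop-01 qname=updates.example.com
2024-05-02T09:01:00 tenant=acme endpoint=laptop-01 qname=xk3j9q2m.example.org
2024-05-02T09:02:00 tenant=acme endpoint=laptop-01 qname=cdn.example.com
2024-05-02T09:30:00 tenant=acme endpoint=laptop-03 qname=xk3j9q2m.example.org
2024-05-02T10:30:00 tenant=acme endpoint=laptop-01 qname=cdn.example.com
2024-05-02T10:30:00 tenant=acme endpoint=laptop-01 qname=xk3j9q2m.example.org
2024-05-02T10:31:00 tenant=beta endpoint=pos-01 qname=cdn.example.com
"""
LEARNING_UNTIL = datetime(2024, 5, 2)  # learning mode is on before this instant

# Constructed stand-in for "DNS rank" enrichment: lower number = more popular.
# A hostname absent from the table has no rank and earns no trust from it.
DNS_RANK = {"updates.example.com": 50, "cdn.example.com": 1200}
RANK_TRUST_THRESHOLD = 100_000


@dataclass
class Observation:
    first_seen: datetime
    learned: bool                      # first observed while learning mode was on
    endpoints: set = field(default_factory=set)
    queries: int = 0


@dataclass
class Greywall:
    """One tenant's greywall; tenants never share observations."""
    block_duration: timedelta
    known: dict = field(default_factory=dict)   # qname -> Observation

    def evaluate(self, ts, endpoint, qname, learning):
        obs = self.known.get(qname)
        if obs is None:
            obs = self.known[qname] = Observation(ts, learning)
        obs.endpoints.add(endpoint)            # per-endpoint interaction history
        obs.queries += 1
        if obs.learned:
            return "learn" if learning else "allow"
        if obs.queries == 1:
            return "block-new"                 # first sighting after learning ended
        if ts - obs.first_seen < self.block_duration:
            return "block-pending"             # still inside the temporary block
        # Window expired: do not assume safety, re-check enrichment instead.
        rank = DNS_RANK.get(qname)
        if rank is not None and rank <= RANK_TRUST_THRESHOLD:
            return "allow-after-review"
        return "block-after-review"


def replay(log_text, learning_until, block_duration=timedelta(hours=1)):
    """Run each log line through its tenant's greywall; returns a decision log."""
    walls, decisions = {}, []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                           # malformed line: skip, keep going
        ts = datetime.fromisoformat(m["ts"])
        wall = walls.setdefault(m["tenant"], Greywall(block_duration))
        verdict = wall.evaluate(ts, m["endpoint"], m["qname"], ts < learning_until)
        decisions.append((m["tenant"], m["endpoint"], m["qname"], verdict))
    return decisions


def blocked_summary(decisions):
    """Per-tenant count of blocked queries: the first thing to review in the logs."""
    summary = {}
    for tenant, _endpoint, _qname, verdict in decisions:
        if verdict.startswith("block"):
            summary[tenant] = summary.get(tenant, 0) + 1
    return summary


def demo():
    """Replay the constructed sample log with a one-hour block window."""
    return replay(SAMPLE_LOG, LEARNING_UNTIL)


if __name__ == "__main__":
    log = demo()
    for entry in log:
        print(*entry)
    print(blocked_summary(log))
```

Two details carry the security point. `cdn.example.com` is blocked on first sight even though it is benign, and is only released after the window because the enrichment lookup vouches for it; `xk3j9q2m.example.org` stays blocked after the window because nothing vouches for it. The `beta` tenant has its own `Greywall`, so `acme`'s observations of `cdn.example.com` do not leak into `beta`'s decisions.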


Educate and Inform

Users are the first line of defense. Educate them about potential threats, ensuring they understand the significance of the block pages they might encounter. Custom block pages in Securd allow you to create teachable moments to educate your users about the activity they just engaged in.




Regular Review and Audit

Threat actors will adapt to your defenses. Periodically review DNS logs, blocked traffic, and your Greywall configurations. Continuous review keeps your DNS security tuned and surfaces, in good time, patterns that might indicate emerging threats.


We hope these high-level best practices provide a roadmap to improving your endpoint security posture, reducing the frequency of malware incidents, and accelerating incident response and threat hunting.
