As a follow-up of yesterday’s post where I discussed different methods that you can use to verify the authenticity of a website, a second questions comes up is there a way to protect yourself without checking the website itself? Since most of these websites are based upon scamming people, some sites are also setup in order to do a phising attack, so trying to lure your to enter sensitive information to a web page.
Many of these phising websites, like look like familiar Facebook login sites, Office 365 login sites and so on, which might make it difficult for the average end-user to notice. So how can we block or detect these types of attacks? Since these phising domains themselves are not used to do an direct attack it will not be detected my most security products which are aimed at look at on-going attacks. Most Browsers as well have some form of reputation feature which will block access against some domains which are known phising domains.
But doing this on a DNS level is even more efficient since it works regardless of browser/application on a system. The simplest way to block these types of attacks is to a some form of domain reputation protection, essentially having a service that looks at the reputation of the domain and blocks access on a DNS level.
DNS lookup for a known phising domain against Quad9 open database.
Most homeusers have a defined DNS server configured from their ISP. This DNS configuration for most ISP is pretty simple and is only in place to allow DNS lookup’s for end-users and does in most cases not provide any additional security services.
Luckily there are free online DNS services that end-users can use for free and which provides DNS reputation capabilities. Providers such as Quad9, Cloudflare, Cleanbrowsing.org provides an open DNS server lookup and many of them have Points of presence around the world to allow for even faster DNS lookup’s as shown here –> https://www.dnsperf.com/#!dns-resolvers
As an example I configured my own personal computer to use my ISP based DNS servers to using Cleanbrowsing DNS servers since they had a PoP in Norway and provided the lowest latency. This made my machine to block requests on a DNS level directly against known phising domains.
Many of these providers also provide some form of advanced filters using payed options, but most of them have a free option as well.
Secondly now moving forward, Google is working on testing the new DNS-over-HTTPS (DoH) protocol inside Google Chrome starting with v78, scheduled for release in late October this year. The DNS-over-HTTPS protocol works by sending DNS requests to special DoH-compatible DNS resolvers. The benefit comes from the fact that DNS requests are sent via port 443, as encrypted HTTPS traffic, rather than cleartext, via port 53.
For this initial test, Google has also mentioned that they would switch to DoH instead of regular DNS only for a few DNS providers, and not all. The list of supported DNS providers includes among Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS, and Quad9. So with this it means that moving your DNS to one of these services will 1: Provide encrypted queries of DNS lookups. 2: Provide better protection against phising domains using one of the services blacklist option.