Default DNS Security Policy Overview

You are in full control of how DigitalStakeout PDNS protects your systems. Below is a detailed overview of the options in your default security policy.

The default security policy is a good starting point for protecting your network and endpoints from the most common Internet threats.

Policy Settings
Policy Name - Name the policy as you wish.
Policy Description - Describe the policy as you wish.
Private Network Resolution - Allow or block DNS answers that point a domain at a private network address. Disabling it defeats DNS rebinding attacks, in which an external domain is resolved to an internal address.
Response TTL - Time to live, in seconds, of the block-page answer returned for blocked queries.
Require DNSSEC - Enforce DNSSEC validation for all DNS queries.
Default Action - Whether a query that matches no list or category is implicitly allowed or denied.
Targeted Proxy - Enable or disable inspection of high-risk URLs.
Block Page - Select the type of block page to be displayed.
 * If you are not going to use the DigitalStakeout PDNS Client, the DigitalStakeout PDNS Root CA must be installed on endpoints so that the block page can be served on HTTPS sites without certificate warnings.

Security Settings

DigitalStakeout PDNS offers out-of-the-box protection against the following categories of domains. These categories are maintained by our security operations team 24x7. We recommend enabling all of them in every policy at all times.

Block Phishing - Domains hosting an active phishing site.
Block Poor Reputation - Domains controlled by spammers and bad actors.
Block Zero Reputation - Newly registered domains and dormant domains that have no established reputation.
Block Domain Algorithm - Domains generated by an algorithm.
Block Adware - Domains hosting malicious adware.
Block Bad Nameserver - DNS servers with bad reputation.
Block Botnet Command - Domains hosting a botnet C&C.
Block Botnet Resource - Domains hosting a botnet component.
Block Malware Host - Domains hosting downloadable malware.
Block Covid Threat - Domains associated with COVID-19-themed cybercrime.
Block Crypto Mining - Domains hosting crypto-mining scripts.
Block High Risk Networks - Domains hosted on a globally blocklisted IP address or network.
Block Porn - Domains that host pornographic content.
Block Public DoH - Public DNS-over-HTTPS resolvers. Blocking these keeps endpoints from bypassing PDNS with an encrypted resolver of their own.
Block Typosquatting - Typosquatting domains that target top sites.
Block Sinkhole Domains - Domains pointing to an intelligence & surveillance sinkhole.

Zero Trust Settings
Graph Defense™ (Beta)
Graph Defense is a proprietary domain ranking and trustworthiness system developed by DigitalStakeout.
Greywall Enforce - Inherited company setting: whether Greywall temporary blocking is enforced.
Greywall Time - Inherited company setting: how long a Greywall temporary block lasts, measured from the first observation of the domain.
Allow/Block List Settings
Custom Domain Block List - Hosts or domains on this list are blocked immediately with no additional processing.
Custom Domain Allow List - Hosts or domains on this list are allowed immediately with no additional processing.
Custom Network Block List - Records resolving into the attached network list are blocked immediately with no additional processing.
Custom Network Allow List - Records resolving into the attached network list are allowed immediately with no additional processing.
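
The policy settings and the allow/block lists above together form a decision pipeline for each query. The evaluator below is an added example, not DigitalStakeout's code, that models that pipeline end to end. The evaluation order it uses (custom domain lists, then custom network lists, then the private-network check, then threat categories, then the default action) is an assumption for illustration, since this page does not document the product's exact ordering; the `Policy` class, function names, and the domain names and addresses in the usage (RFC 5737 documentation ranges) are likewise constructed for the example.

```python
"""Illustrative evaluator for the policy settings described on this page.

Added example, not DigitalStakeout code. The evaluation order used here
(custom domain lists, custom network lists, private-network check, threat
categories, default action) is an ASSUMPTION for illustration; the page does
not document the product's exact ordering. Names and addresses in the usage
are constructed (RFC 5737 documentation ranges)."""
import ipaddress
from dataclasses import dataclass, field

# Address space that "Private Network Resolution" guards: RFC 1918, loopback,
# link-local and "this host" ranges for IPv4 plus their IPv6 equivalents.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class Policy:
    default_action: str = "deny"              # "allow" or "deny" for unmatched queries
    private_network_resolution: bool = False  # False blocks public names -> private IPs
    blocked_categories: set = field(default_factory=set)
    domain_block_list: set = field(default_factory=set)
    domain_allow_list: set = field(default_factory=set)
    network_block_list: list = field(default_factory=list)  # CIDR strings
    network_allow_list: list = field(default_factory=list)  # CIDR strings


def _domain_matches(qname, entries):
    """True if qname equals an entry or is a subdomain of one (case/dot-insensitive)."""
    qname = qname.rstrip(".").lower()
    for entry in entries:
        entry = entry.rstrip(".").lower()
        if qname == entry or qname.endswith("." + entry):
            return True
    return False


def _answers_in(answer_ips, cidrs):
    """True if any answer address falls inside any of the CIDR networks."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return any(ipaddress.ip_address(ip) in net for ip in answer_ips for net in nets)


def _is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in _PRIVATE_NETS)


def evaluate(policy, qname, answer_ips, categories=()):
    """Decide one query. Returns (action, reason); action is 'allow', 'block'
    or the policy's default action. `categories` stands in for the threat
    categories the reputation feed attaches to qname."""
    if _domain_matches(qname, policy.domain_block_list):
        return "block", "custom domain block list"
    if _domain_matches(qname, policy.domain_allow_list):
        return "allow", "custom domain allow list"
    if _answers_in(answer_ips, policy.network_block_list):
        return "block", "custom network block list"
    if _answers_in(answer_ips, policy.network_allow_list):
        return "allow", "custom network allow list"
    if not policy.private_network_resolution and any(_is_private(ip) for ip in answer_ips):
        return "block", "private network resolution disabled"
    hits = policy.blocked_categories.intersection(categories)
    if hits:
        return "block", "category: " + ", ".join(sorted(hits))
    return policy.default_action, "default action"


if __name__ == "__main__":
    # Constructed usage: a deny-by-default policy with a few custom entries.
    p = Policy(default_action="deny",
               blocked_categories={"phishing", "malware_host"},
               domain_block_list={"bad.example"},
               domain_allow_list={"corp.example"},
               network_block_list=["203.0.113.0/24"])
    print(evaluate(p, "login.bad.example", ["198.51.100.5"]))
    print(evaluate(p, "rebind.attacker.example", ["127.0.0.1"]))
    print(evaluate(p, "unknown.example", ["198.51.100.8"]))
```

Two points the example makes concrete: a domain allow-list entry short-circuits everything after it, including the private-network check, so allow lists should be kept short and reviewed; and with Private Network Resolution disabled, a public name answering with 127.0.0.1 or an RFC 1918 address is blocked before any category lookup, which is the rebinding defense.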

External Logging Settings

Push logs in real time to an XDR, SIEM or logging tool over HTTP. To ensure uniform logging across all your policies, external logging settings are controlled globally through your company settings.
HTTP Logging - Inherited company setting: enables real-time log push over HTTP.
Authentication Token - Inherited company setting: the token sent in the Authorization: Bearer header with every log push. Treat it as a secret and verify it on the receiving end.
HTTP(S) Webhook URL - Inherited company setting: URL of the HTTP logging endpoint. Use an HTTPS URL so the token and log data are not sent in the clear.
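
A minimal receiver for these settings, added here as an example and not DigitalStakeout's code: it verifies the Bearer token in constant time, caps the request body, and parses the pushed batch before handing it to a collector. This page does not document the log schema, so the handler assumes the service POSTs a JSON object or an array of objects and stores each as an opaque dict; `EXPECTED_TOKEN`, the listening address and port, and the sample events in the usage are placeholders constructed for the example.

```python
"""Minimal webhook receiver for PDNS external logging.

Added example, not DigitalStakeout code. Assumptions: the service POSTs JSON
(one object or an array of objects) with an `Authorization: Bearer <token>`
header; the log schema is not documented on the page, so events are stored
as opaque dicts. EXPECTED_TOKEN and the bind address are placeholders."""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_TOKEN = "replace-with-the-token-from-company-settings"  # placeholder
MAX_BODY = 1 << 20  # 1 MiB cap on a single push; larger bodies are rejected


def check_bearer(auth_header, expected=EXPECTED_TOKEN):
    """Constant-time check of an Authorization header value against the token."""
    if not auth_header:
        return False
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.strip().encode(), expected.encode())


def ingest(auth_header, body, expected=EXPECTED_TOKEN, sink=None):
    """Validate one push. Returns (http_status, events_accepted); accepted
    events are appended to `sink` when one is given."""
    if not check_bearer(auth_header, expected):
        return 401, 0                      # wrong or missing token: reject first
    if len(body) > MAX_BODY:
        return 413, 0
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, 0
    events = payload if isinstance(payload, list) else [payload]
    if not all(isinstance(e, dict) for e in events):
        return 400, 0
    if sink is not None:
        sink.extend(events)
    return 200, len(events)


class Handler(BaseHTTPRequestHandler):
    events = []  # in-memory collector; a real receiver would forward to the SIEM

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(min(length, MAX_BODY + 1))  # never read unbounded input
        status, _ = ingest(self.headers.get("Authorization"), body, sink=self.events)
        self.send_response(status)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the request log quiet; the events themselves are the log


if __name__ == "__main__":
    # Placeholder bind address; put this behind a TLS terminator and point the
    # HTTP(S) Webhook URL at it.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()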

Saving Your Security Policy

When you save your security policy, it is published in real time.

If you have networks, virtual sites, or devices mapped to the policy, the change goes live immediately across the DigitalStakeout PDNS global network, so review list and category changes before saving.
