Protective DNS for governments
Protective DNS services analyze DNS queries and block resolution of domains associated with malware, phishing, command-and-control infrastructure and other harmful content, so that a user or process never connects to them. As technology becomes increasingly vital for public sector operations, government departments are adopting these services to improve incident detection and response and to build more resilient enterprise networks. Traditionally, deploying this type of solution posed significant challenges because it relied on legacy systems and costly on-premises hardware, which was difficult to deploy and manage and struggled with scalability and availability after deployment.
Today, these limitations can be addressed through cloud-based solutions like Cloudflare Gateway, our Secure Web Gateway service. Cloudflare Gateway's DNS filtering lets administrators enforce security policy at the resolver: with easy-to-create policies backed by Cloudflare's extensive threat intelligence ↗, government agencies can stop end users from resolving, and therefore reaching, known-harmful domains. Agencies can further strengthen these defenses by integrating their own threat intelligence data ↗ into the policies.
Finally, because Cloudflare Gateway is built on the same infrastructure as Cloudflare's 1.1.1.1 public DNS resolver, one of the fastest ↗ and most widely used DNS resolvers in the world, availability, performance and scalability are handled by the service rather than by agency-run hardware.
Cloudflare provides flexible DNS deployment models, delivering robust protection for every user, regardless of location. The service supports both office-based and remote users, offering the adaptability needed to address diverse operational requirements.
IT administrators forward public DNS requests to Cloudflare, where they are filtered and logged according to the configured DNS filtering policies. The forwarders can be the agency's private DNS infrastructure or network appliances, such as routers deployed at remote sites and configured as local DNS servers.
To attribute queries to the government departments and agencies they are responsible for, admins create a DNS location in the Cloudflare dashboard. Gateway assigns each location IPv4/IPv6 resolver addresses and DNS over TLS/HTTPS (DoT/DoH) hostnames, and the agency's forwarders are pointed at these endpoints. The IPv6 addresses and DoT/DoH hostnames are unique to the location, but the IPv4 addresses are shared, so the administrator also registers the public source IP addresses of the on-premises DNS servers on the location object; this lets Cloudflare associate plain (UDP/TCP port 53) queries arriving from those addresses with the correct location.
DNS filtering is then enforced through policies set up by the administrator to detect domains linked to security risks. Cloudflare continuously updates the list of high-risk domains using its extensive threat intelligence ↗. When a DNS query matches a flagged domain, the action specified in the DNS policy is executed. For a Block action, Gateway answers with the sentinel address 0.0.0.0 for IPv4 (A) queries or :: for IPv6 (AAAA) queries, or it can instead direct the user to a custom block page hosted by Cloudflare. Alternatively, an Override action can answer the query with the address of a block page hosted by the government agency itself.
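Because a Block action is visible on the wire as an answer of 0.0.0.0 or ::, an endpoint can verify that its queries really are being filtered by the intended location. The following is an added example, not code from this page or from Cloudflare: a stdlib-only DoH client that encodes a wire-format query, posts it to a location's DoH endpoint and classifies the answer. The DoH URL is a placeholder, the CF-Authorization header used for per-user DoH tokens is an assumption to be checked against the Gateway documentation, and make_response builds constructed answers so the classifier can be exercised offline.

```python
"""Offline-testable DoH client that tells a Gateway block from a real answer."""
import ipaddress
import random
import struct
import urllib.request

# Sentinel answers Gateway returns for the Block action (from the text above).
BLOCK_SENTINELS = {"0.0.0.0", "::"}
QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name, qtype=QTYPE_A):
    """Encode a single-question DNS query in wire format (RFC 1035), RD set."""
    header = struct.pack("!HHHHHH", random.randint(0, 0xFFFF), 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [address strings]) from the answer section of a response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            addrs.append(str(ipaddress.IPv6Address(rdata)))
    return flags & 0x000F, addrs


def classify(msg):
    """'blocked' only when every returned address is a Gateway block sentinel."""
    rcode, addrs = parse_response(msg)
    if rcode != 0:
        return f"rcode={rcode}"
    if not addrs:
        return "no-address"
    if all(a in BLOCK_SENTINELS for a in addrs):
        return "blocked"
    return "resolved"


def doh_query(doh_url, name, qtype=QTYPE_A, user_token=None):
    """POST a wire-format query to a location's DoH endpoint (needs network)."""
    req = urllib.request.Request(
        doh_url, data=build_query(name, qtype),
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    if user_token:  # assumed header name for Gateway per-user DoH tokens
        req.add_header("CF-Authorization", user_token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return classify(resp.read())


def make_response(query, addrs, rcode=0):
    """Constructed test double: a response to `query` carrying `addrs`."""
    qid, = struct.unpack_from("!H", query, 0)
    qend = _skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b""
    for a in addrs:
        ip = ipaddress.ip_address(a)
        rtype = QTYPE_A if ip.version == 4 else QTYPE_AAAA
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(ip.packed)) + ip.packed
    return header + query[12:qend] + answers


if __name__ == "__main__":
    # Against a real location (placeholder hostname, not an actual location):
    # print(doh_query("https://<location-id>.cloudflare-gateway.com/dns-query", "example.com"))
    q = build_query("blocked.example")
    print(classify(make_response(q, ["0.0.0.0"])))
```

A useful check during rollout is to run classify against a domain the agency knows is on its Blocked Domains list from a device on each network path (office forwarder, remote DoH, device agent): a "resolved" result on any path means that path is bypassing Gateway.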
Cloudflare's own threat intelligence can be seamlessly integrated with threat intelligence data provided by the agency or third-party sources. In this setup, the agency or the third-party entity acts as a threat feed provider to Cloudflare. This enables IT admins to create DNS policies that combine Cloudflare's security risk categories with the data sourced by the agency, for a unified and enhanced security posture (see diagram below). Additionally, publicly available custom indicator feeds can be accessed by eligible public and private sector organizations without the need to establish a provider relationship, further expanding security capabilities.
For users not connected to an agency network, DNS requests can be sent to Cloudflare using the DNS over HTTPS (DoH) hostname of a location. This requires configuration on each device, which can be done with existing device management tooling. The approach can be strengthened with a per-user authentication token sent with each DoH request; the token lets Cloudflare attribute queries to individual users, giving per-user visibility in the logs and allowing user-specific policies to be applied.
For more advanced identity-based DNS policies, Cloudflare's device agent can be deployed. In this setup, users authenticate to the device agent via an identity provider integrated with Cloudflare. The agent is then configured in Gateway with DoH mode, ensuring that all public DNS queries from the device are forwarded to Cloudflare. These queries include the user identity from the device, enabling identity-based policy enforcement.
The following policy shows how group information from the Identity provider can be used to apply specific protective DNS policies.
The device agent is available for the leading desktop and mobile operating systems, making it suitable for both managed and unmanaged devices. This lets DNS security be extended, for example, to the personal devices of high-risk individuals, giving a consistent level of protection regardless of location or device. For managed devices, the agent can be deployed and upgraded through device management (MDM) tools.
To achieve more precise control over which domains are allowed or blocked, the administrator can configure additional Allowed Domain and Blocked Domain policies. Gateway evaluates DNS policies in order of their precedence value, lowest first, so giving these policies a lower precedence value than the Security Risks policy means they are evaluated first and can override the Security Risks verdict for specific domains.
To streamline the management of allowed and blocked domains, use lists. Lists can be updated through the dashboard or via the API, so a domain can be added to or removed from a list without editing the policy that references it.
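The identity-based Security Risks policy described above and the Allowed/Blocked Domain overrides with their precedence ordering can be expressed as Gateway rule objects and created through the API. The block below is an added example, not code from this page or from Cloudflare; it assembles the three rules, checks that every allow rule is ordered before every block rule, and posts them to the Gateway rules endpoint. The security category IDs, the Gateway list IDs and the identity group name are placeholders to be replaced with the values shown in the agency's own dashboard, and the wirefilter field names (dns.domains, dns.security_category, identity.groups.name) should be confirmed against the current Gateway documentation.

```python
"""Build and order the Gateway DNS rules described above, then post them."""
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# Assumed category IDs: Command and Control & Botnet, Malware, Phishing.
# The dashboard's default Security Risks policy covers more categories than this.
SECURITY_RISK_CATEGORIES = (80, 117, 131)


def _set(values):
    """Render a wirefilter set literal: {80 117 131} or {"Finance" "HR"}."""
    return "{" + " ".join(json.dumps(v) if isinstance(v, str) else str(v) for v in values) + "}"


def allow_domains_rule(list_id, precedence):
    """Allowed Domains: domains in a Gateway list resolve normally."""
    return {
        "name": "Allowed Domains",
        "enabled": True,
        "action": "allow",
        "filters": ["dns"],
        "precedence": precedence,
        "traffic": f"any(dns.domains[*] in ${list_id})",  # $<list id> references a list
    }


def block_domains_rule(list_id, precedence):
    """Blocked Domains: agency-curated domains, shown the Cloudflare block page."""
    return {
        "name": "Blocked Domains",
        "enabled": True,
        "action": "block",
        "filters": ["dns"],
        "precedence": precedence,
        "traffic": f"any(dns.domains[*] in ${list_id})",
        "rule_settings": {"block_page_enabled": True},
    }


def security_risks_rule(groups, precedence):
    """Security Risks: threat-intel categories, optionally scoped to IdP groups."""
    rule = {
        "name": "Security Risks",
        "enabled": True,
        "action": "block",
        "filters": ["dns"],
        "precedence": precedence,
        "traffic": f"any(dns.security_category[*] in {_set(SECURITY_RISK_CATEGORIES)})",
        "rule_settings": {"block_page_enabled": True},
    }
    if groups:  # identity selector only applies to queries carrying a user identity
        rule["identity"] = f"any(identity.groups.name[*] in {_set(groups)})"
    return rule


def build_ruleset(allow_list_id, block_list_id, groups=()):
    """Allow overrides get the lowest precedence value so they are evaluated first."""
    rules = [
        allow_domains_rule(allow_list_id, 100),
        block_domains_rule(block_list_id, 200),
        security_risks_rule(groups, 300),
    ]
    return sorted(rules, key=lambda r: r["precedence"])


def validate_ordering(rules):
    """True when every allow rule sorts before every block rule."""
    allows = [r["precedence"] for r in rules if r["action"] == "allow"]
    blocks = [r["precedence"] for r in rules if r["action"] == "block"]
    return not allows or not blocks or max(allows) < min(blocks)


def post_rule(account_id, api_token, rule):
    """Create one rule via POST /accounts/{account_id}/gateway/rules (needs network)."""
    req = urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/gateway/rules",
        data=json.dumps(rule).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder list IDs and group; replace with real values from the dashboard.
    ruleset = build_ruleset("ALLOWLISTID", "BLOCKLISTID", ["High-Risk Staff"])
    assert validate_ordering(ruleset)
    for r in ruleset:
        print(r["precedence"], r["name"], r["traffic"], r.get("identity", ""))
        # post_rule(ACCOUNT_ID, API_TOKEN, r)
```

Run validate_ordering before posting whenever rules are edited: an allow rule that slips below a block rule silently stops overriding it, and nothing in the API will warn about it.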
One of the key advantages of adopting Cloudflare Gateway as a protective DNS service is the enhanced visibility it provides IT administrators into existing and emerging threats impacting governmental departments and agencies. All DNS queries sent to Cloudflare Gateway are logged, and when an identity is associated with a query, it is mapped to the corresponding user in the logs.
These logs can be viewed in the Cloudflare dashboard or exported to external systems, such as a SIEM, for further analysis via Logpush. Cloudflare also offers analytics that help IT administrators detect trends and identify indicators of compromise: a built-in analytics view is available in the dashboard, and custom dashboards can be created with any GraphQL-compatible tool using Cloudflare's GraphQL API.
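Once DNS logs reach a SIEM or a script through Logpush, the two questions an analyst asks first are which users (or, for unauthenticated queries, which locations) are repeatedly hitting blocked domains, and which blocked domain is being requested by many users at once. The following is an added example, not code from this page or from Cloudflare, that answers both over a handful of constructed log lines. The field names (Datetime, Email, QueryName, ResolverDecision, Location) follow the Gateway DNS Logpush dataset as the author understands it, and the numeric ResolverDecision codes treated as "blocked" are placeholders that must be set from the dataset documentation for the account.

```python
"""Triage Gateway DNS Logpush records: who hits blocked domains, and how often."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Placeholder: set to the ResolverDecision codes the Logpush dataset documents
# as "blocked by policy". Assumed values, not taken from Cloudflare documentation.
BLOCKED_DECISIONS = {9, 10}

# Constructed sample records in newline-delimited JSON, not real telemetry.
SAMPLE_LOGS = """\
{"Datetime":"2024-05-01T08:00:00Z","Email":"a.user@agency.example","QueryName":"update.vendor.example","ResolverDecision":1,"Location":"HQ"}
{"Datetime":"2024-05-01T08:00:05Z","Email":"a.user@agency.example","QueryName":"c2-beacon.example","ResolverDecision":9,"Location":"HQ"}
{"Datetime":"2024-05-01T08:00:06Z","Email":"a.user@agency.example","QueryName":"c2-beacon.example","ResolverDecision":9,"Location":"HQ"}
{"Datetime":"2024-05-01T08:00:07Z","Email":"a.user@agency.example","QueryName":"stage2.example","ResolverDecision":9,"Location":"HQ"}
{"Datetime":"2024-05-01T08:00:08Z","Email":"a.user@agency.example","QueryName":"exfil.example","ResolverDecision":9,"Location":"HQ"}
{"Datetime":"2024-05-01T08:01:00Z","Email":"b.user@agency.example","QueryName":"c2-beacon.example","ResolverDecision":9,"Location":"Remote"}
{"Datetime":"2024-05-01T08:02:00Z","Email":"c.user@agency.example","QueryName":"c2-beacon.example","ResolverDecision":9,"Location":"Remote"}
{"Datetime":"2024-05-01T08:02:30Z","Email":"","QueryName":"intranet.agency.example","ResolverDecision":1,"Location":"Branch-12"}
"""


def parse_records(text):
    """Parse NDJSON as delivered by Logpush, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def blocked(records):
    """Keep only queries the resolver blocked."""
    return [r for r in records if r.get("ResolverDecision") in BLOCKED_DECISIONS]


def subject(record):
    """Attribute to the user when identity is present, else to the DNS location."""
    return record.get("Email") or f"location:{record.get('Location', '?')}"


def triage(records, user_threshold=3, campaign_threshold=2):
    """Return (subjects with many distinct blocked domains, domains hit by many subjects)."""
    domains_by_subject = defaultdict(set)
    subjects_by_domain = defaultdict(set)
    for r in blocked(records):
        s = subject(r)
        domains_by_subject[s].add(r["QueryName"])
        subjects_by_domain[r["QueryName"]].add(s)
    # A single user reaching several distinct blocked domains looks like a
    # compromised host walking through its infrastructure.
    noisy_subjects = {s: sorted(d) for s, d in domains_by_subject.items()
                      if len(d) >= user_threshold}
    # One blocked domain requested by many users looks like a phishing campaign.
    campaigns = {d: sorted(s) for d, s in subjects_by_domain.items()
                 if len(s) >= campaign_threshold}
    return noisy_subjects, campaigns


def blocked_per_minute(records):
    """Block counts bucketed per minute, to spot bursts such as beaconing."""
    counts = Counter()
    for r in blocked(records):
        ts = datetime.fromisoformat(r["Datetime"].replace("Z", "+00:00"))
        counts[ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOGS)
    users, campaigns = triage(recs)
    print("subjects to investigate:", users)
    print("possible campaigns:", campaigns)
    print("blocks per minute:", blocked_per_minute(recs))
```

The fallback to the location name in subject() matters in practice: office queries forwarded by an on-premises resolver carry no user identity, so a spike there points at a site rather than a person, and the on-premises resolver's own logs are needed to finish the attribution.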
Cloudflare Gateway offers a comprehensive suite of services that go beyond protective DNS, functioning as a full-featured Secure Web Gateway ↗. It supports HTTP inspection, providing deeper visibility into user traffic, and expands the scope of threat protection and data security capabilities available to users.
To inspect HTTPS traffic, Cloudflare terminates TLS in its data centers, inspects the decrypted request and response, and re-encrypts the traffic towards the origin and back to the user. Cloudflare Gateway stores only eligible cache content at rest, and all cache disks are encrypted at rest. The geographical region in which TLS decryption takes place can be constrained with Regional Services in the Cloudflare Data Localization Suite (DLS), and organizations can choose between installing a Cloudflare root certificate on devices or bringing their own certificate (BYOPKI) for user traffic decryption and inspection.
When Cloudflare Gateway is performing HTTP inspection, it extends protection beyond DNS security by enabling additional capabilities to safeguard users as they browse the Internet:
- Anti-virus scanning (AV): Users are protected when downloading or uploading files to or from the Internet. Files are scanned in real time to detect malicious content.
- Sandboxing: For files not previously seen, Cloudflare Gateway can quarantine them in a secure sandbox environment for analysis. In this sandbox, Cloudflare monitors the file's actions and compares them against known malware patterns. Files are only released to users if no malicious content is detected.
- Remote Browser Isolation (RBI): Isolation policies can be configured to safeguard users when accessing potentially risky websites. For example, if a user attempts to visit a newly seen domain that triggers an isolation policy, the website's active content is executed in a secure, isolated browser hosted in the nearest Cloudflare data center. This ensures that zero-day attacks and malware are mitigated before they can impact the user. This remote browsing experience is seamless and transparent, allowing users to continue using their preferred browsers and workflows. Every browser tab and window is automatically isolated, and sessions are deleted when closed.
In addition to threat protection, Cloudflare Gateway enables the implementation of robust data protection policies during HTTP inspection, including:
- File upload controls: Administrators can enforce policies that monitor and restrict file uploads to the Internet, preventing the inadvertent sharing of sensitive data.
- Data Loss Prevention (DLP): DLP policies can be deployed to identify and block unauthorized sharing of confidential or classified information. For more details, see securing data in transit.
- Remote Browser Isolation (RBI): Beyond threat protection, isolation policies can enforce user action restrictions, such as disabling copy/paste functionality or keyboard inputs, to safeguard sensitive information. For additional information, refer to securing data in use.
Expanding Cloudflare Gateway from a protective DNS service to a full-featured Secure Web Gateway is a straightforward process. Using Cloudflare's dashboard, IT administrators would configure HTTP policies in addition to existing DNS policies. These HTTP policies would enable the additional protections, namely, Antivirus Scanning, Sandboxing, Remote Browser Isolation (RBI), and Data Loss Prevention (DLP).
From the user's perspective, remote workers continue using the same device agent. To receive these additional protections, the agent's mode is switched from Gateway with DoH to Gateway with WARP, so that HTTP traffic as well as DNS is sent to Cloudflare. This mode can also be enforced when the agent is deployed through device management.
For office and site-based users, a network appliance can be configured to establish an IPsec or GRE tunnel to Cloudflare. This routes all Internet-bound traffic through Cloudflare Gateway, ensuring that security policies are applied before the traffic exits to the Internet. Alternatively, Proxy Auto-Configuration (PAC) files can direct browser HTTP/S traffic to Cloudflare's proxy endpoint, with Cloudflare performing the name resolution for that traffic on the user's behalf.
- Evolving to a SASE architecture with Cloudflare
- Using a zero trust framework to secure SaaS applications
- Learning path: Secure your Internet traffic and SaaS apps