GigaOm Key Criteria for Evaluating DNS Security Solutionsv2.0

1. Executive Summary

The domain name system (DNS) is fundamental to every modern organization. It’s the backbone of computer network communications and the way clients connect with services both internally and externally. Without it, communication networks, including the internet, could not function.

A service so fundamental to the basic day-to-day operations of every network and service should be designed to be ultra-secure and resilient. However, the reality is that a DNS is vulnerable. Attack types such as cache poisoning, DNS hijacking, amplification, spoofing, and tunneling continue to increase in volume and severity.

The impact of a DNS cyberattack on an enterprise can be severe. It can result in the loss of sensitive data, deployment of malicious code, and denial of access to key services, all of which can result in significant financial losses and reputational damage.

Addressing DNS threats can be simple and provide significant value. Identifying threats early in the chain allows for mitigation and isolation steps to be taken much earlier, lessening the potential impact of an attack. Besides securing DNS against attacks, some solutions also offer the ability to improve its performance and resilience.

DNS communication is critical to IT infrastructure, and protecting it should be a core part of any organization’s data security approach.

There are several routes to tackling this challenge. For this evaluation, we’re reviewing solutions that primarily protect the DNS client experience, protecting users and therefore organizations from DNS security threats, as well as solutions that protect existing DNS infrastructure. An alternative approach is to use third-party authoritative DNS platforms that have security and protection built into the platform design, and customers move their DNS infrastructure to these platforms. While this approach is valid, it’s fundamentally different and is out of scope for this research.

The solutions evaluated in the companion Radar report must offer a standalone DNS security service that can be enabled by customers. It may be acceptable for a solution to use proprietary hardware (such as firewalls), but it must be available as an individual service and cannot only be available as part of another one. It must also be able to protect standard DNS traffic and cannot only be a primary DNS service in itself where security is only available if all DNS services are moved to it.

Business Imperative
A good DNS security solution is a low-risk investment, and it is often easy to deploy. Because it helps tackle threats early in the attack chain, DNS security can be an extremely effective tool, identifying and mitigating threats before they become problems. This means DNS security usually delivers a rapid time to value and an extremely good return on investment (ROI).

Securing DNS helps organizations to:

• Improve overall security posture.
• Reduce the risks of many common attack vectors, such as phishing and man-in-the-middle attacks.
• Reduce the risk posed by accessing inappropriate websites that may be a host for malicious content.
• Improve the resilience and performance of DNS for all clients.

DNS is essential to all organizations. The breach or loss of DNS can have a severe impact on business operations. DNS security tools offer a low-risk, high-value solution to improve the security, resilience, and performance of a company’s DNS infrastructure, offering strong value as a technology investment.

Sector Adoption Score
To help executives and decision-makers assess the potential impact and value of a DNS security solution deployment to the business, this GigaOm Key Criteria report provides a structured assessment of the sector across five factors: benefit, maturity, urgency, impact, and effort. By scoring each factor based on how strongly it compels or deters adoption of a DNS security solution, we provide an overall Sector Adoption Score (Figure 1) of 4.6 out of 5, with 5 indicating the strongest possible recommendation to adopt. This indicates that a DNS security solution is a credible candidate for deployment and worth thoughtful consideration.

The factors contributing to the Sector Adoption Score for DNS security are explained in more detail in the Sector Brief section that follows.

Figure 1. Sector Adoption Score for DNS Security

This is the second year that GigaOm has reported on the DNS security space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Key Criteria report highlights the capabilities (table stakes, key features, and emerging features) and non-functional requirements (business criteria) for selecting an effective DNS security solution. The companion GigaOm Radar report identifies vendors and products that excel in those decision criteria. Together, these reports provide an overview of the market, identify leading DNS security offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.