Overview
Make DNS work for you—not for bad actors

Uncover and stop hidden threats that deliver malware, steal data, and disrupt operations

Ensure unbeatable performance and availability with rapid DNS resolution

Maintain complete visibility over DNS traffic, including detailed, context-rich logs
The Problem
Legacy firewalls let attacks like DNS tunneling and DNS spoofing go undetected
Solution Overview
Stop DNS-based attacks with monitoring and protection at scale
Zscaler DNS Security filters risky and malicious domains and stops the use of DNS tunneling to distribute malware and steal data. As part of the cloud native Zscaler Zero Trust Firewall, it provides full coverage across all ports and protocols without compromising performance.

01 Best-in-class filtering and AI-powered DoH inspection
Inspect all DNS traffic and enforce inline DNS tunnel protection. Detect and stop data theft, stop attacks hiding in DoH, and comply with domain and IP address categorization.

02 Complete visibility over all DNS traffic
Investigate DNS transactions with confidence through context-rich data and forensically complete logs. Support zero trust with context, strict authentication, continual policy checks, and adaptive real-time enforcement.

03 Lightning-fast, secure DNS resolution and high availability
Support productivity and reliable access to location-based content for all users and devices. Ensure a great user experience with DNS gateway to third-party resolvers.
Benefits
Empower and secure your workforce and operations

Gain robust protection against attacks such as DNS spoofing, DNS tunneling, phishing, malware distribution, DDoS, and more.

Ensure a great user experience with requests resolved at the edge, and content delivered by the optimal CDN in local language and currency.

Simplify regulatory compliance with various mandates and practices for data retention and logging, as well as evolving standards like Protective DNS (PDNS).

Reduce total cost of ownership (TCO) with no hardware or software to manage. 100% cloud-delivered DNS Security lets admins focus on impactful tasks over maintenance.
Solution Details
Strengthen DNS security and optimize performance
Key offerings
Prevent or thwart DNS-based attacks with customizable actions and granular filtering rules for DNS queries sent over any protocol.
Find and stop hidden attacks. Unlimited inline traffic inspection, machine learning, and native TLS/SSL decryption prevent stealthy threats and terminate malicious connections.
Speed up DNS resolution and improve the user experience. Zscaler Trusted Resolvers (ZTR) are delivered as close to the user as possible from more than 150 edge locations.
Translate plaintext DNS requests to DoH for privacy and security. Direct DoH traffic to PDNS resolvers that analyze and block requests to malicious domains.
Find and stop DNS tunnels used to control malware and exfiltrate data with an advanced detection engine.
Ensure users maintain reliable, high-speed access with automatic failover options and configurable error handling to support high availability.
Use Cases
Outsmart adversaries while improving user experience

Detect threats early and throughout the attack life cycle. Provide inline protection against advanced DNS tunneling and data exfiltration techniques.

Enhance incident response, investigation, and threat hunting with forensically complete logs and contextually rich data.

Increase business agility and resilience to support digital transformation and cloud adoption with a segmentation-centric, identity- and access-focused framework.

Give your users first-rate, highly available DNS resolution and location-based content through EDNS Client Subnet (ECS) injection, no matter where they connect.
Experience the power of the Zscaler Zero Trust Exchange
A comprehensive platform to secure, simplify, and transform your business.
01 Security Operations
Reduce risk, and detect and contain breaches, with actionable insights from a unified platform
02 Cyberthreat Protection
Protect users, devices, and workloads against compromise and lateral threat movement
03 Data Security
Benefit from full TLS/SSL inspection at scale for complete data protection across the SSE platform
04 Zero Trust for Branch and Cloud
Connect users, devices, and workloads between and within the branch, cloud, and data center.
FAQ
DNS spoofing (also called DNS cache poisoning) occurs when an attacker corrupts the records in a DNS resolver's cache, causing it to return incorrect IP addresses. This allows the attacker to redirect users to malicious websites that appear legitimate. DNS spoofing can lead to various cyberattacks, including phishing, malware distribution, and man-in-the-middle attacks.
DNS amplification is a type of distributed denial of service (DDoS) attack in which an attacker sends small queries to the DNS using the spoofed IP address of their target. DNS resolvers send the target a much larger response that can overwhelm its servers. DNS amplification attacks can cause network congestion, degraded performance, and service disruptions or outages.
A DNS tunneling attack involves using encrypted DNS queries and responses to stealthily transmit data between a compromised device and a target server. Because traditional tools often overlook DNS security, this technique allows attackers to exfiltrate sensitive data undetected. DNS tunneling can also help attackers establish network backdoors for malware delivery, command-and-control communication, or lateral movement.
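The tunneling behavior described above leaves a recognizable trace in DNS logs: many unique, long, high-entropy subdomains under a single domain. The following is an added example of that log-side check, not Zscaler's detection engine or code from this page; the log line format, thresholds, and function names are assumptions, and the sample log is constructed.

```python
import base64, hashlib, math
from collections import defaultdict

def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname, depth=2):
    # Assumption: the last `depth` labels are the registrable domain.
    # Production code should consult the Public Suffix List instead.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:]), ".".join(labels[:-depth])

def find_tunnel_candidates(log_lines, min_unique=20, min_len=30, min_entropy=3.5):
    """Return {domain: stats} for domains whose subdomains look like encoded payload."""
    subs = defaultdict(set)
    for line in log_lines:
        # Assumed log format: "<timestamp> <client_ip> <qname> <qtype>"
        _ts, _client, qname, _qtype = line.split()
        domain, sub = registered_domain(qname)
        if sub:
            subs[domain].add(sub)
    flagged = {}
    for domain, names in subs.items():
        mean_len = sum(len(n) for n in names) / len(names)
        mean_ent = sum(shannon_entropy(n.replace(".", "")) for n in names) / len(names)
        # All three signals must agree: volume, length, and randomness.
        if len(names) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged[domain] = {"unique": len(names), "mean_len": round(mean_len, 1),
                               "mean_entropy": round(mean_ent, 2)}
    return flagged

def build_sample_log():
    # Constructed sample: benign lookups plus 40 queries carrying base32 chunks.
    lines = []
    for i in range(40):
        host = ["www", "mail", "cdn", "api"][i % 4]
        lines.append(f"2024-01-01T00:00:{i:02d}Z 10.0.0.5 {host}.corp.example A")
    for i in range(40):
        chunk = base64.b32encode(hashlib.sha256(str(i).encode()).digest()).decode()
        label = chunk.rstrip("=").lower()[:48]
        lines.append(f"2024-01-01T00:01:{i:02d}Z 10.0.0.9 {label}.t.tunnel.example TXT")
    return lines

if __name__ == "__main__":
    for domain, stats in find_tunnel_candidates(build_sample_log()).items():
        print(domain, stats)
```

Requiring all three signals together keeps CDN and telemetry domains with many short or low-entropy hostnames from being flagged; thresholds should be tuned against a baseline of the environment's own traffic.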
Request a demo
Let our experts show you how you can prevent DNS-based attacks with powerful DNS security and control.