Overview
Make DNS work for you—not for bad actors

Uncover and stop hidden threats that deliver malware, steal data, and disrupt operations

Ensure unbeatable performance and availability with rapid DNS resolution

Maintain complete visibility over DNS traffic, including detailed, context-rich logs
The Problem
Legacy firewalls let attacks like DNS tunneling and DNS spoofing go undetected
Solution Overview
Stop DNS-based attacks with monitoring and protection at scale
Zscaler DNS Security filters risky and malicious domains and stops the use of DNS tunneling to distribute malware and steal data. As part of the cloud native Zscaler Zero Trust Firewall, it provides full coverage across all ports and protocols without compromising performance.

01 Best-in-class filtering and AI-powered DoH inspection
Inspect all DNS traffic and enforce inline DNS tunnel protection. Detect and stop data theft, stop attacks hiding in DoH, and comply with domain and IP address categorization.

02 Complete visibility over all DNS traffic
Investigate DNS transactions with confidence through context-rich data and forensically complete logs. Support zero trust with context, strict authentication, continual policy checks, and adaptive real-time enforcement.

03 Lightning-fast, secure DNS resolution and high availability
Support productivity and reliable access to location-based content for all users and devices. Ensure a great user experience with DNS gateway to third-party resolvers.
Benefits
Empower and secure your workforce and operations

Gain robust protection against attacks such as DNS spoofing, DNS tunneling, phishing, malware distribution, DDoS, and more.

Ensure a great user experience with requests resolved at the edge, and content delivered by the optimal CDN in local language and currency.

Simplify regulatory compliance with various mandates and practices for data retention and logging, as well as evolving standards like Protective DNS (PDNS).

Reduce total cost of ownership (TCO) with no hardware or software to manage. 100% cloud-delivered DNS Security lets admins focus on impactful tasks over maintenance.
Solution Details
Strengthen DNS security and optimize performance
Key offerings
Prevent or thwart DNS-based attacks with customizable actions and granular filtering rules for DNS queries sent over any protocol.
Find and stop hidden attacks. Unlimited inline traffic inspection, machine learning, and native TLS/SSL decryption prevent stealthy threats and terminate malicious connections.
Speed up DNS resolution and improve the user experience. Zscaler Trusted Resolvers (ZTR) are delivered as close to the user as possible from more than 150 edge locations.
Translate plaintext DNS requests to DoH for privacy and security. Direct DoH traffic to PDNS resolvers that analyze and block requests to malicious domains.
Find and stop DNS tunnels used to control malware and exfiltrate data with an advanced detection engine.
Ensure users maintain reliable, high-speed access with automatic failover options and configurable error handling to support high availability.
Use Cases
Outsmart adversaries while improving user experience

Detect threats early and throughout the attack life cycle. Provide inline protection against advanced DNS tunneling and data exfiltration techniques.

Enhance incident response, investigation, and threat hunting with forensically complete logs and contextually rich data.

Increase business agility and resilience to support digital transformation and cloud adoption with a segmentation-centric, identity- and access-focused framework.

Give your users first-rate, highly available DNS resolution and location-based content through EDNS Client Subnet (ECS) injection, no matter where they connect.
Discover the power of the Zscaler Zero Trust Exchange
A comprehensive platform to secure, simplify, and transform your business
01 Security Operations
Reduce risk, and detect and contain breaches, with actionable insights from a unified platform
02 Cyberthreat Protection
Protect users, devices, and workloads against compromise and lateral threat movement
03 Data Security
Leverage full TLS/SSL inspection at scale for complete data security across the SSE platform
04 Zero Trust for Branch and Cloud
Connect users, devices, and workloads between and within the branch, cloud, and data center
FAQ
DNS spoofing (also called DNS cache poisoning) occurs when an attacker corrupts the records in a DNS resolver's cache, causing it to return incorrect IP addresses. This allows the attacker to redirect users to malicious websites that appear legitimate. DNS spoofing can lead to various cyberattacks, including phishing, malware distribution, and man-in-the-middle attacks.
DNS amplification is a type of distributed denial of service (DDoS) attack in which an attacker sends small queries to the DNS using the spoofed IP address of their target. DNS resolvers send the target a much larger response that can overwhelm its servers. DNS amplification attacks can cause network congestion, degraded performance, and service disruptions or outages.
A DNS tunneling attack involves using encrypted DNS queries and responses to stealthily transmit data between a compromised device and a target server. Because traditional tools often overlook DNS security, this technique allows attackers to exfiltrate sensitive data undetected. DNS tunneling can also help attackers establish network backdoors for malware delivery, command-and-control communication, or lateral movement.
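The tunneling behaviour described in the FAQ above leaves a measurable trace in resolver logs: one client sending many distinct, long, high-entropy subdomains under a single zone. The following Python is an added example, not Zscaler's detection engine or code from this page; the log format, thresholds, function names and sample records are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Split into (subdomain, parent zone). Assumption: the zone is the last
    two labels; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_suspects(records, min_unique=20, min_len=30, min_entropy=3.5):
    """records: iterable of (client_ip, qname). Flags (client, zone) pairs whose
    many distinct subdomains are long and high-entropy, i.e. look like payload."""
    seen = defaultdict(set)
    for client, qname in records:
        sub, zone = split_name(qname)
        if sub:
            seen[(client, zone)].add(sub)
    suspects = []
    for (client, zone), subs in seen.items():
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            suspects.append({"client": client, "zone": zone, "unique": len(subs),
                             "avg_len": round(avg_len, 1), "entropy": round(avg_ent, 2)})
    return suspects

def constructed_log():
    """Constructed sample: one client sending encoded chunks, plus normal lookups."""
    log = []
    for i in range(40):  # payload-like labels: base32 of a hash, 52 characters
        chunk = base64.b32encode(hashlib.sha256(b"chunk%d" % i).digest())
        log.append(("10.0.0.5", chunk.decode().rstrip("=").lower() + ".t.example.net"))
    for host in ("www", "mail", "api", "login", "static"):
        log += [("10.0.0.7", f"{host}.example.com")] * 8
    log += [("10.0.0.9", f"img{i}.cdn.example.org") for i in range(40)]  # many, but short
    return log

if __name__ == "__main__":
    for hit in find_tunnel_suspects(constructed_log()):
        print(hit)
```

Requiring all three signals together keeps CDN-style hostnames (many but short) and ordinary repeated lookups out of the results; thresholds need tuning against a baseline of the environment's own DNS traffic.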