Protective Domain Name Service (PDNS)

PDNS is designed to protect networks from malicious websites by checking the IP address of each site that a system tries to access against a blacklist of suspicious sites and blocking access to any that match.

Official government PDNS solutions are not available globally and, where they are, access will be restricted to sensitive institutions.  In the UK the service is free and access can be granted to government, Ministry of Defence and NHS bodies.  The equivalent system in the USA is available to those with existing access to secure Department of Defense information.

An organisation will need to apply to use the UK PDNS.  Changes will then need to be made to the local network DNS entries so that domain resolution requests point to the PDNS server IP addresses.  At the resolution end, requests will only be processed if the sender’s IP has been added to their PDNS records.  For workers who need to use PDNS remotely, and are not accessing websites from within listed router addresses, a PDNS Digital Roaming application (or its specific equivalent) is required.  In the UK this solution only works on Windows 10.  UK access to PDNS can be verified by accessing the test page, which will report if the PDNS system is accessible.

The concept behind PDNS is not restricted to government level access.  Commercial organisations offer a similar service.  The NSA identified 9 candidate commercial PDNS solutions in February 2021, all of which met common standards for PDNS solutions.  These included blocking malware and phishing domains and some means of customising device or network policies.  Limited versions of some of these services are available for free, but any benefits or constraints should be considered before adopting them.

Any solution requires that the database of IP addresses to block be kept up to date, with new records added and false positives removed.  This depends on the resources of the organisation hosting the service, together with reports and feedback from users and possibly some degree of machine learning.  As it is IP addresses that are blocked, not domain names, the process is ideal for blocking multiple domains running on the same IP address.  Hosting multiple domains on one IP address is a common and legal practice that can be demonstrated by reverse IP lookup.  For example at the time of writing there are 26 domains, including sharing the same IP address.

A criminal might take advantage of a shared IP by running multiple domains each with a slight variation of some well-known name to spoof the original from the same address.  Any suspect activity will risk the reputation of other sites sharing that IP.  This is already the case where activity on one site can lead to blocks and warnings from providers such as Google affecting traffic to others sharing the same IP address.  With a PDNS solution access to some legitimate sites may be blocked together with suspect sites on that same IP address.
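
The shared-IP effect described above, as an added example that is not part of the original article: a small Python model of a resolver that blocks on the resolved IP address, in the way this page describes.  Every domain name, address and blocklist entry is constructed sample data (reserved .example names and documentation address ranges), and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: reserved .example names and documentation IP ranges.
RECORDS = {
    "shop.example": "192.0.2.10",          # legitimate site on shared hosting
    "blog.example": "192.0.2.10",          # legitimate site, same shared IP
    "examp1e-bank.example": "192.0.2.10",  # lookalike domain on the same IP
    "charity.example": "198.51.100.7",     # site on a dedicated IP
    "dropper.example": "203.0.113.44",     # reported site inside a blocked range
}
# Domains whose behaviour caused their IP to be reported (constructed).
REPORTED = {"examp1e-bank.example", "dropper.example"}
# Blocklist of single addresses and ranges, as an IP-based filter would hold.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "203.0.113.0/24")]


def is_blocked(ip, blocklist=BLOCKLIST):
    """True if the address falls inside any blocklisted network."""
    return any(ipaddress.ip_address(ip) in net for net in blocklist)


def resolve(name, records=RECORDS, blocklist=BLOCKLIST):
    """Model one filtered lookup: return (verdict, ip)."""
    ip = records.get(name.lower().rstrip("."))
    if ip is None:
        return ("NXDOMAIN", None)
    return ("BLOCKED" if is_blocked(ip, blocklist) else "ALLOWED", ip)


def reverse_ip(records=RECORDS):
    """Reverse IP lookup: group every known domain by the address it resolves to."""
    groups = defaultdict(set)
    for name, ip in records.items():
        groups[ip].add(name)
    return dict(groups)


def collateral(records=RECORDS, reported=REPORTED, blocklist=BLOCKLIST):
    """Domains blocked only because they share an IP with a reported domain."""
    return {ip: sorted(names - reported)
            for ip, names in reverse_ip(records).items()
            if is_blocked(ip, blocklist) and names - reported}


if __name__ == "__main__":
    for name in RECORDS:
        print(name, *resolve(name))
    print("collateral blocks:", collateral())
```

Running `collateral()` against an organisation's own list of hosted domains shows which legitimate sites would be caught by a block placed on a neighbour's address.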

Unwarranted blocks can be avoided by investing in the more expensive dedicated IP option.  With a shared IP the site owner will need to deal with the domain provider, site host and SSL certificate provider to move to another IP address.  These entities are often the same body but that may not be the case.  Providers will usually warn site owners if they have concerns, but it is good practice to regularly check that sites are running properly and whether Google searches are returning a site as unsafe.
