Cygna Labs
SIGN IN

CYGNA DDI SECURITY

Cygna Protective DNS

Reinforce your cybersecurity defenses with a suite of protective DNS measures to improve the robustness, performance, and availability of your DNS services.

Cygna Protective DNS header image

The DNS CIA triad

Cygna Protective DNS fulfills the entire CIA triad, supporting confidentiality with DNS over TLS (DoT) or HTTPS (DoH), integrity with TSIG signatures and DNSSEC, and availability with multi-master, high availability, and multi-cloud DNS services support. Cygna DDI systems support these diverse DNS protections natively, without compromising their raison d’être, seamlessly managing DNS zones and resource record configurations.

AI-driven protections

Cygna Protective DNS is increasingly incorporating AI-assisted detection mechanisms to improve threat detections and services availability. Cygna DDI Guard supports an AI model to identify potential domain generation algorithm (DGA) queries. Malware miscreants use DGA domains to evade detection and shutdown by regularly modifying malware site domain names. Cygna DDI Guard reports on detected DGAs with the querying source IP address to provide actionable intelligence to mitigate the resolver. AI-driven appliance diagnostics are also provided to provide advanced warning of potential service-affecting performance issues.

DNS threat protections

Cygna DNS services support response policy zones (RPZs) at no extra cost. You can define up to sixty-four RPZs to manage allowed domain name queries and those that should be blocked or otherwise treated in accordance with RPZ policies. Cygna Labs also offers a DNS Threat Protection service to regularly update identified malware names and sources for a designated RPZ to block malware queries from potentially infected devices. The source IP address of the query originator allows rapid identification of the suspect malware device.

Data theft protection

Cygna DDI Guard supports DNS tunnel signature-based detection to quickly identify and shutdown connections using the DNS protocol to exfiltrate sensitive data from the organization. Seemingly innocuous large DNS queries and responses could be masking data encoding and transmission to a malware site. Cygna Sapphire appliances add in-line entropy-based analytics to identify and shutdown DNS tunneling in real time.

Data theft protection illustration

DNS cyberthreat intelligence

Cygna DDI Guard archives all DNS transactions for reporting and compliance. Drill into live DNS packet streams and filter data based on packet header parameters such as IP address, transaction ID, etc. for troubleshooting or cyberthreat investigations. Filter our unremarkable DNS data to forward only relevant and potentially interesting DNS transaction data to third-party SIEM systems. Filtering can vastly reduce SIEM ingest volumes, processing requirements, and overall costs.

DNS cyberthreat intelligence illustration

DNS protocol security

Cygna Protective DNS supports DNS over TLS and DNS over HTTPS to encrypt DNS queries, responses, and transfers. Cygna DNS appliances also support DNSSEC signing and validation to create and verify resource record set digital signatures respectively. Implicit Cygna DDI support of cloud DNS services enables you to diversify your DNS providers to improve DNS services availability. Secure DNS appliances protect against operating systems level and various denial of service attacks.

DNS protocol security illustration

Let Us Help You Tackle Your IT Challenges

Schedule your demo today to see what's possible.