UK Public Sector DNS Service

Today the UK government (via the National Cyber Security Centre (NCSC)) announced that the DNS service it has been working on for public sector organisations within the country is now available. This is an interesting move and I think it’s worth discussing.

First let me provide you with some useful links for background reading –

I will also quote a brief section from the NCSC website so we have their own words to describe the service –

‘The UK public sector DNS service protects users simply by being configured to not resolve any lookups for domains known to be used for malware distribution or operation.

For the service to remain effective it will be continually updated with knowledge of malicious domains. The NCSC uses a range of government, commercial and community sources to ensure the service benefits from the best possible information.’

 

Consider services such as OpenDNS which includes the ability to filter adult websites as well as extended features to help block malicious content. In my case I could compare it to my pfSense gateway using pfBlockerNG to filter requests to malicious hosts as well as annoying adverts. Essentially the UK government is building its own DNS infrastructure to aid public sector organisations in protecting their users. Ensuring DNS lookups can only go to these approved resolvers can help prevent access to undesirable or malicious content. Something I will certainly be watching closely is the plan to encourage UK ISPs to implement similar DNS protection using either the NCSC filters or their own. There will be options to opt out but for the vast majority of the general public this in my mind would be a positive change. The Internet was built as an open system with implicit trust between endpoints and users – while this may have worked in the past things have moved on and we now face many dangers. Providing layered defences with minimal end-user knowledge or action helps to keep ‘the herd’ safe.

I find the Active Cyber Defence (ACD) strategy quite interesting and am keen to see how it develops, as well as how much uptake there is within the public sector. My feeling is that proactive organisations will jump onboard quickly while others may have to be dragged along. Personally I think this is a great opportunity to provide another layer of defence, I certainly wouldn’t use it as a replacement for other threat protection but every little helps.

Finally should you be wondering whether you can leverage this service please see the output below from NCSC –

Organisations that can use the DNS service include, but are not limited to

  • Central government
  • Devolved governments
  • Local authorities
  • Health authorities
  • Emergency services
  • Non-departmental public bodies
  • Any other PSN-connected organisation not covered by the above

 

If you are a public sector employee in the IT field what are your thoughts? I’m sure there may be some ‘big brother’ cries but I’m very open to debating the merits of this strategy so please feel free to comment.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.