Get answers to the most commonly asked questions about us and our products.
What is the main difference between DNSSense and Infoblox?
As the name suggests, DNSEye only analyses and reports on DNS data. Unlike Infoblox, DNSSense inspects existing DNS servers’ logs without needing any changes to be implemented in your network. It reveals security risks in the network to SOC teams with simple and understandable reports by performing all-around security-oriented analyses and triggering necessary alarms in SIEM and SOAR.
We already have Fortinet, Palo Alto, Symantec Bluecoat, a Forcepoint Next-Generation Firewall, etc. Why should we buy DNSSense?
100% of our customers already have security solutions such as Fortinet, Palo Alto, Symantec Bluecoat and Forcepoint. Acting as an additional layer of security at the DNS level, DNSSense offers different functionalities than these products and so is not to be used as a replacement.
Our "Security Gap" feature reports the malicious traffic undetected by your existing security solutions. Almost all of our PoC customers wish to continue working with us, knowing that their security investment in our product will bring much added value to their enterprise.
Do you offer an authoritative DNS service?
No. We serve as a DNS forwarder rather than offering an authoritative DNS service.
Do you offer a DDI service?
No. We do not offer a DDI service.
What is your licencing model?
The products are sold with a one- or three-year ethical licence. The number of licences is equal to the number of devices having access to the Internet.
Can I buy the products separately, or are they all purchased at once?
“DNSDome”, “DNSEye”, and “Cyber X-Ray” are different products and can be purchased separately or together.
How long does it take to deploy the products, and is it necessary to have a constant administrator (admin) control?
It takes 5 minutes to deploy “DNSDome” and 1 hour to install “DNSEye”. An admin is not necessary; any IT personnel can run these solutions to receive periodic reports.
What is DGA? Is it possible to block?
DGA stands for Domain Generation Algorithm. It is an algorithm frequently used to generate domain names for malware domains. DNSSense detects DGA-created domains and then blocks the malicious traffic.
Why should we adopt DNS-level protection?
Because DNS sits at the bottom of the application layer, blocking malicious traffic at the DNS level should be the first line of defence in your network, before it spreads to other layers. In addition, DNS is used by other protocols such as HTTP, HTTPS and SMTP, and by IoT devices. DNS traffic therefore provides information about the application layer and your entire network.
Moreover, some malicious traffic can only be detected and prevented by DNS-level protection. For example, 80% of malware domains currently do not have an IP address. Malware requests lacking an IP address can only be detected in the DNS log. Also, DNS tunnelling can only be prevented by DNS-level protection.
What is the “Security Gap” feature?
The “Security Gap” feature reports malicious traffic that the existing security devices (UTM Firewall, Proxy, DNS Firewall, etc.) cannot detect.
Security Gap simulates connection to the malicious domain to test the network security in 3 different ways as follows:
1- Tests with a DNS query from the existing DNS server.
2- Tests with an HTTP/HTTPS request via the proxy server.
3- Tests to reach a malicious domain using a direct HTTP/HTTPS connection through the gateway.
The DNSEye VM appliance in your network sends a malicious connection request to DNSSense’s cloud-based malicious simulation service, with specific metadata:
Security Gap = Blocked, malicious traffic has been blocked
If DNSSense’s simulation service does not receive the metadata, which means the malicious connection has been blocked by Security Gap, it is reported as an instance of a blocked attack along with information on the device (Proxy or UTM) that has successfully blocked the malicious traffic.
What are the advantages of your smart SIEM integration?
Instead of forwarding all DNS data to the SIEM, we forward only the queries for malicious domains, together with information on the real user and the machine involved. In this way, we can reduce the number of correlations required in the SIEM device as well as the EPS (events per second) by 95%+, allowing a significant cut in the licence cost of the SIEM product.
Which SIEM products do you provide integration with?
In addition to our direct integration with products such as IBM QRadar, Microsoft ArcSight, and Splunk, we also provide integration with any of your SIEM products that send data in SYSLOG format.
Which DNS products do you read with “DNSEye”?
Microsoft DNS Server, Linux BIND Server, F5, Citrix NetScaler, Efficient IP, BlueCat and common DNS server types.
Why is DNS visibility important?
With DNS level protection, you can prevent attacks but cannot detect the actual machine that generates the malicious traffic. Given the varying nature of client IP addresses, they are not suitable for retroactive verification. They should be enriched with a continuous flow of information about the computers and users in question. DNS visibility lets you detect the device and user behind the related DNS queries. Such information on the actual device and user is critical for SOC teams.
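An added example (not DNSSense code) of the enrichment described above, combined with the selective SIEM forwarding from the earlier answer: each malicious query is attributed to the machine and user that held the client IP at the time of the query, and only those queries are emitted. The log layout, lease table, `dns-filter` tag and `.test` domains are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample data (not real logs). Domains use the reserved .test TLD.
LEASES = [  # (ip, hostname, user, lease_start, lease_end)
    ("10.0.0.15", "LAPTOP-A", "alice", "2024-05-01T08:00:00Z", "2024-05-01T12:00:00Z"),
    ("10.0.0.15", "LAPTOP-B", "bob",   "2024-05-01T12:30:00Z", "2024-05-01T18:00:00Z"),
    ("10.0.0.22", "DESK-C",   "carol", "2024-05-01T08:00:00Z", "2024-05-01T18:00:00Z"),
]
DNS_LOG = """\
2024-05-01T09:00:05Z 10.0.0.15 A intranet.corp.test
2024-05-01T09:14:40Z 10.0.0.15 A c2-beacon.test
2024-05-01T10:02:11Z 10.0.0.22 A mail.corp.test
2024-05-01T13:45:00Z 10.0.0.15 A c2-beacon.test
2024-05-01T14:00:00Z 10.0.0.22 AAAA updates.vendor.test
2024-05-01T19:20:00Z 10.0.0.15 A c2-beacon.test
"""
MALICIOUS = {"c2-beacon.test"}  # stand-in for a domain classification verdict

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def attribute(ip, when, leases=LEASES):
    """Return (hostname, user) of the lease that held `ip` at time `when`."""
    for lip, host, user, start, end in leases:
        if lip == ip and ts(start) <= when < ts(end):
            return host, user
    return "unknown", "unknown"  # no lease covered that moment: flag, don't guess

def siem_events(log_text=DNS_LOG, malicious=MALICIOUS):
    """Keep only malicious queries and enrich each with host and user."""
    events, total = [], 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        total += 1
        stamp, ip, qtype, qname = parts
        qname = qname.rstrip(".").lower()
        if qname not in malicious:
            continue
        host, user = attribute(ip, ts(stamp))
        events.append(f"{stamp} dns-filter src={ip} host={host} user={user} "
                      f"qtype={qtype} qname={qname} verdict=malicious")
    return events, total

if __name__ == "__main__":
    events, total = siem_events()
    print("\n".join(events))
    print(f"forwarded {len(events)} of {total} queries")
```

The same address 10.0.0.15 resolves to two different machines depending on the query time, and the query made after the last lease ended is marked unknown rather than attributed to the most recent holder.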
Is there a feature to block unknown (firstly-seen) domains?
Yes. DNSSense’s "Positive Security Model" temporarily blocks any network connection attempt to a "Firstly-Seen" domain for a maximum of 10 minutes until it is categorised as "Allowed" according to your security policies. The connection will not be allowed if the relevant domain falls into the ‘Blocked’ category. Users can only access it after it has been labelled "Allowed" or "Whitelisted".
Can the “Roaming Client” disable itself when it enters the local network?
Yes. It has an auto-disable option. In addition, it does not cause any disruption when a device with an active Roaming Client connects to the local network.
Is there any protection against users disabling the “Roaming Client”?
Yes. Since protection is maintained at the Kernel level, DNSDome continues to run even if users disable the Roaming Client module.
Does “Roaming Client” cause any issues in system performance?
Our “Roaming Client” module is a lightweight agent written in the C programming language with an almost negligible load on the system.
Which platforms does “Roaming Client” support?
Roaming Client is supported on macOS, Windows, and iOS.
Is it possible to give access to a blocked domain?
DNSDome offers blacklisting and whitelisting features. If you add any domains to the whitelist or blacklist, all systems’ caches will be cleared within a maximum of 5 seconds.
Is it possible to block specific categories or certain user groups?
There are 72 different categories in the DNSSense domain classification platform. For security purposes, categories such as Malware and Phishing are blocked for all users and devices. Additional policies can be applied to devices with the "Roaming Client" feature installed or to users if there is Active Directory integration.
Is there a DNS tunnelling protection feature?
Yes. DNSSense has a DNS tunnelling protection solution.
Can DNSSense detect phishing domains?
Yes. Thanks to its native AI classification platform, DNSSense detects and blocks the domains used in phishing attacks in a short time.
What is your false positive rate in domain classification?
Our domain categorisation success rate is 99%, taking rival products in the market and customer feedback into account. On average, we receive only one or two categorisation requests from our clients who make millions of domain queries daily.
You claim that you categorise better than other companies. How can you prove this?
We use Cyber X-Ray, our own 100% artificial intelligence-based domain categorisation platform. We monitor and store the entire Internet historically and relationally up to five years back. We have such a high confidence in this method that we have added a feature called "Security Gap" to our "DNSEye" product. The "Security Gap" feature gives you a report revealing the malicious traffic that your security devices have failed to detect. Thanks to this feature, the added value that we bring to your company becomes fully evident. In addition, we provide domain categorisation services to three of the top firewall vendors in the world.