Architecture

How DNS PATROL works

DNS PATROL is a solution that protects organizations from security threats related to Domain Name System (DNS) traffic. This system enables secure domain translation, DNS traffic monitoring, and detection of potential attacks.

Main functions of the system:

  1. DNS traffic monitoring and overview

    • The system monitors DNS queries and provides network administrators with clear statistics, logs, and detections.
  2. Secure domain translation

    • DNS PATROL ensures that all requests for internet domain translation are carried out securely and safely – whether within the company network or outside it.
  3. Detection and blocking of anomalies and threats

    DNS PATROL uses a Threat Intelligence database to protect your organization from known and emerging threats, including:

    • Phishing (including homographic attacks),
    • DNS tunneling (misuse of DNS for data transfer),
    • DGA attacks (randomly generated domains for malware).
  4. Advanced threat analysis using specialized modules

    • DNS PATROL uses separate modules based on machine learning and rules.

How the system works:

  1. DNS resolver (domain name translator) (open source)
    • High availability (HA), DNSSEC support
    • Uses anycast technology
    • Deployment on-premises or as a virtual appliance
    • Responds only to queries from authorized networks
  2. Administration portal (open source)
    • Detailed overview of operations
    • Security policy settings
    • Event logging and analysis
    • Displaying and filtering DNS queries
    • List of connected devices and their status
  3. Endpoint agent (open source)
    • Installs on Android, iOS, Windows
    • Automatically configures DNS resolver
    • Optionally supports encryption via DNS-over-TLS
    • Protects users even outside the organization's network
  4. Threat Intelligence database
    • Combines data from various sources to detect malicious domains
    • Uses commercial and public threat databases (e.g., our Deny Listy project)
    • Contains lists of domains prohibited under Czech legislation (e.g., gambling, illegal medicines)
    • Is updated regularly as threats evolve
  5. Integration with existing systems
    • The system is connected to security monitoring tools for collecting and evaluating events.
    • Support for defining alerts and notifications for administrators
    • Allows exporting DNS logs for analysis and long-term monitoring

Deployment modes:

  • Blocking harmful domains – detected domains are blocked immediately
  • Audit mode – logging only, no intervention
  • Optional risk-based policies – the administrator defines protection levels (e.g., blocking that will only be applied to selected types of threats)
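The following is an added illustration, not DNS PATROL code: simplified rule-based checks for the three threat classes listed above (homograph phishing, DNS tunneling, DGA domains) combined with the three deployment modes. The thresholds, the sample query names and the function names are constructed for this example; DNS PATROL's own modules additionally use threat-intelligence lists and machine learning.

```python
import math
from collections import Counter

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def classify(qname):
    """Return 'phishing', 'tunneling', 'dga' or None for a single query name.
    Thresholds are illustrative; a real module would also consult threat
    intelligence lists and a public-suffix list, which this toy skips."""
    labels = qname.rstrip(".").lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]   # registered label
    subs = labels[:-2]                                     # subdomain labels
    # Homograph phishing: an IDN label (punycode 'xn--') can render as a look-alike
    if any(l.startswith("xn--") for l in labels):
        return "phishing"
    # Tunneling: long, high-entropy subdomain labels carry encoded payload
    if subs and sum(len(l) for l in subs) > 40 and entropy("".join(subs)) > 3.5:
        return "tunneling"
    # DGA: random-looking registered label (high entropy, almost no vowels)
    vowels = sum(sld.count(v) for v in "aeiou")
    if len(sld) >= 10 and entropy(sld) > 3.0 and vowels / len(sld) < 0.25:
        return "dga"
    return None

def decide(qname, mode, blocked_types=frozenset()):
    """Apply a deployment mode: 'block' everything detected, 'audit' (log only),
    or 'risk' (block only the threat types the administrator selected)."""
    if mode not in ("block", "audit", "risk"):
        raise ValueError(f"unknown mode: {mode}")
    threat = classify(qname)
    if threat is None:
        return ("resolve", None)
    if mode == "block" or (mode == "risk" and threat in blocked_types):
        return ("block", threat)
    return ("log", threat)   # audit mode, or risk mode for an unselected type

SAMPLE_QUERIES = [  # constructed names, not real traffic
    "www.example.com.",
    "xn--pypal-4ve.com.",
    "a9f3k2m8q1z7x4c6v0b5n3h8j2l9.4f8a2c9e1b7d3f5a6c8e0.tunnel.example.net.",
    "qxzkvtrplmnb.com.",
]

def run(mode, blocked_types=frozenset()):
    """Evaluate every sample query under one mode; returns {qname: (action, threat)}."""
    return {q: decide(q, mode, blocked_types) for q in SAMPLE_QUERIES}
```

Running `run("risk", frozenset({"phishing"}))` shows the risk-based mode blocking only the homograph name while the tunneling and DGA names are logged for review.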

Benefits of using DNS PATROL:

DNS PATROL enables organizations to protect their network from cyber threats, ensures secure operation, and provides a detailed overview of their DNS traffic.

  • Protection against phishing, malware, and other online threats
  • Secure DNS translation even outside the organization's network
  • Detailed monitoring and analysis of DNS traffic
  • Easy management through a clear administration portal
  • Open-source solution with the possibility of customization and integration into existing systems

Case Study:

DNS PATROL was piloted as part of a project for the Vysočina Region. In practice, attempts at targeted phishing and advanced low-frequency attacks have already been detected.