Education

This week NCSC have begun accepting UK schools for access to the PDNS.

https://www.ncsc.gov.uk/blog-post/introducing-pdns-for-schools

to register (if you are eligible) use this URL: https://www.protectivedns.service.ncsc.gov.uk/pdns

you can view the terms and conditions here: https://www.signin.service.ncsc.gov.uk/terms-and-conditions

PDNS is a protective DNS service which helps protect public sector organisations (and private sector services who deliver government services)

  • Government
  • Healthcare
  • Local Authorities
  • MOD

https://www.ncsc.gov.uk/information/pdns

PDNS is delivered by Nominet.

“PDNS was built to hamper the use of DNS for malware distribution and operation. It has been created by the National Cyber Security Centre (NCSC), and is implemented by Nominet.”

A screenshot of a computer

Description automatically generated

https://nominetcyber.com/delivering-uk-pdns/

PDNS is part of the NCSC Active Cyber Defence capabilities:

https://www.ncsc.gov.uk/blog-post/active-cyber-defence-tackling-cyber-attacks-uk

You can see a video about PDNS here:

https://youtu.be/RosdXTLtpcg

Benefits

  • It’s public funded (free at the point of use)
  • It helps protect from cyber threats.
    • For example, if you try and visit a known (to PDNS) domain it will redirect you to the sinkhole IP instead of the malicious IP
  • It enables reporting.
  • It supports cyber defence processes for your organisations

How does it work?

When you visit a website (e.g. www.google.co.uk) your web browser makes a DNS request to convert a domain name into an IP address. It does this via a DNS client and DNS server.

Modern browsers may leverage an integrated DNS client or they may use the one embedded into the operating system of the device. So, system administrators should understand that they may need to configure the OS and the device (see the onboarding process as you sign up)

Keeping safe by leveraging DNS sinkholes stop your devices connecting to known bad domain names. It also enables, alerting and reporting.

Is it safe?

It’s a commercial platform run on behalf of the UK via Nominet. So it’s probably as safe as anything in the world of cyber security. (I would use it if I had to protect a School network).

My children’s school are using this, are the rights and freedoms of my children internet usage protected?

There are robust controls in place to protect users’ rights in line with UK law.

If you see the terms and conditions here that may help you understand the service with regards to data privacy and protection:

https://www.signin.service.ncsc.gov.uk/terms-and-conditions

A document with text on it

Description automatically generated

DNS and Data Privacy

I’m not a legal advisor, I don’t run the PDNS service, I’ve had interfaces to it for work.

If you are worried about its usage in a School, I’d suggest speaking to the school in question.

I do want to call out one thing, DNS data always goes somewhere (this will get a bit technical).

Most orgs use a company such as Cloudflare or Google for DNS (they may use the local ISP DNS but honestly, I more often see USA firms being used).

At some point the signals go from a device to a resolver (usually inside the network) and then they are forwarded to a downstream resolver (which then in turn my forward again).

The internet also has DNS resolution via root hints, I’m not going to dig into that now.

Long and short of this, your DNS data when you use the internet leaves your network. You can choose to send that to a corporate organisation, another public resolver or you can leverage this service.

As a school I would like to think you would want to consider the options:

  1. Use your ISP resolver and the data may be sold onwards anyway (it will depend)
  2. Use a company like Cloudflare or google who will likely leverage the data for their own commercial benefit.
  3. Use PDNS (and get the additional security and safety capabilities it provides)
  4. Do something custom (I can’t imagine why any school would want to do this)

The people in the UK intelligence services’ job are to help keep the country safe. It is made up of people like any other organisation. They are trying to keep you safe in cyberspace.

I’m not a fan of intrusive surveillance, I am a security professional who always tries to consider the rights and freedoms and I believe in respecting people’s privacy. I do realise it’s a hard task, in my line of work I am often inside systems and networks where I have significant access to data, I also work on projects that are highly sensitive in nature.

I can’t say nothing will go wrong, I can say that the people charged with their jobs (in my experience) work hard and are simply trying to do good.

It’s a taxpayer funded service, it’s free at the point of use, it’s optional, it can help you defend your schools’ networks and protect the students (and children) from harm (and help make the UK safer in Cyber Space! and who doesn’t wan’t that!?)

To help people understand a common topology for DNS resolution I have made the following diagram (it is not perfect, there are a significant number of variables that can change which data/metadata is visible to downstream DNS Servers). You should also consider the PDNS Roaming service (this may have a different pattern). There are almost certainly models that may enable Nominet staff (don’t quote me on that I don’t know how it’s segmented) to see client name, egress IP, DNS request etc. But that’s the same /similar as how Google or Cloudflare staff can also see the data. Then downstream other parties will likely see data. (at some point as well, some other parties have to see data, that’s how public DNS works).

A diagram of a computer

Description automatically generated

The service is operated by Nominet for the NCSC. There are a significant number of controls and policies in place to ensure the service is operated in accordance with UK laws. Anyone that has worked with anything do with Government, Law

In the end I’m a security pro who just wants people (and the country) to be safe (and have its human rights respected).

Whilst you might read news articles and have seen snippets of documents from leaks, the real world of keeping people safe really is not Hollywood and isn’t filled with sinister, people. It’s good people working hard to do the right thing.

Or go with the USA “free” public DNS or another commercial entity/option. (and there are some good commercial PDNS providers out in the wild). Either way, if you are a school, you should probably do a privacy impact assessment, and the typical due diligence when implementing a new system.

I’ll shut up now.. to me it’s pretty obvious what route I’d be looking at. it’s free at the point of use, it’s helping protect kids, it’s helping keep our country safer in cyberspace.