DNS Filtering Essentials

DNS filtering is a powerful tool that you can use to protect your business from malware. You can block access to websites known to contain malware or other harmful content by using DNS filters. Doing so ensures that your employees and customers are safe from potential harm.

What is the Domain Name System?

The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It is how Internet domain names are located and translated into Internet Protocol (IP) addresses.

A DNS server works by matching the domain name that a user enters into their web browser with the server's IP address hosting the website. This allows users to access websites without remembering the IP addresses of each site they visit.

The steps involved in discovering the IP address and loading the website are:

1. A user enters a domain name into their web browser. Then, the user's device contacts the DNS server and requests the IP address for that domain via a DNS query.
2. The DNS server looks up the IP address for the requested domain by checking its cache or querying other DNS servers.
3. If the DNS server doesn't have the IP address cached, it will query a root name server. The root name server then responds with the IP address of a Top-Level Domain (TLD) server. A TLD is the last part of a domain name, such as .com or .org.
4. The DNS resolver then queries the TLD server for the IP address of the requested domain. The TLD server responds with the IP address of the web server that is hosting the website.
5. The server then begins hosting the content of the website.

The Domain Name System is a critical part of the Internet, as it is responsible for translating domain names into IP addresses. This process is essential for users to be able to access websites.

However, the Domain Name System also needs to filter content. This is because many malicious websites can spread malware or viruses. Therefore, it is vital to use a DNS filter to block access to these dangerous websites.

How a DNS filter works

DNS filtering works by blocking access to websites known to be harmful. The DNS resolver does this by matching the domain name of a website with a list of known malicious websites. If there is a match, the DNS filter will block access to that website.

DNS filtering by domain name

Since all DNS queries pass through the DNS resolver, some resolvers are specifically configured to filter DNS traffic. This is done by using a blocklist of known malicious websites.

When a DNS query is made for a website on the blocklist, the DNS resolver will not resolve the IP address for that domain. Instead, it will return an error message indicating that the website is blocked.

For example, if a member of your organization opens a phishing email and clicks on a link to a malicious website, the DNS resolver will block access to that website. Before the content on the linked page loads, you will first send the query to the resolving service. If the hypothetical malicious site is on the DNS blocklist, the server will deny access to it.

DNS filtering by IP address

You can also implement DNS filtering at the network level by blocking access to IP addresses that are associated with malicious websites. This is done by configuring the DNS server not to resolve the DNS queries for those IP addresses.

For example, if a DNS query is made for an IP address on the blocklist, the DNS server will not resolve the DNS query. Instead, it will return an error message indicating that the IP address is blocked.

This approach can block access to a malicious website even if the DNS query is not made using the DNS resolver. However, it can be more challenging to maintain because IP addresses can change over time.

What is a blocklist?

A blocklist is a list of DNS queries associated with dangerous or malicious websites in terms of DNS filtering. These could be both IP addresses and domain names. DNS filters use blocklists to determine which websites to block access to.

There are many different DNS blocklists, each with its own focus. For example, some blocklists focus on malicious websites, phishing websites, or even botnets. You can also use them to filter content that is not necessarily malicious but does contain explicit content or is otherwise inappropriate for specific audiences.

The reverse of a blocklist is an allowlist, a list of DNS queries known to be safe. DNS filters can use allowlists to determine which websites to allow access to.

How to implement DNS filtering

You can implement DNS filtering in numerous ways. One way is to use a DNS firewall, a piece of hardware that sits between the DNS server and the Internet. The DNS firewall will block DNS queries that are on the blocklist. In addition, DNS firewalls include features such as DNS caching and DNS forwarding, which can improve the performance of DNS queries.

Another way to implement DNS filtering is to use a DNS proxy. A DNS proxy is a software application that sits on the network and intercepts DNS queries. The DNS proxy will block DNS queries that are on the blocklist. An example of a DNS proxy is the DNSFilter App.

You can also implement DNS filtering at the DNS server level. This can be done by configuring the DNS server not to resolve DNS queries for websites on the blocklist.

The best way to implement DNS filtering will depend on your organization's specific needs.

How DNS filtering helps businesses

There are a few different ways that DNS filtering benefits your business:

It blocks malicious websites

Perhaps the most apparent benefit of DNS filtering is that it blocks access to websites that are known to be malicious. This can protect your organization from downloading programs that contain malware or from having sensitive information stolen by phishing attacks.

Malicious websites include spoofed domains, typosquatted domains, and phishing websites.

It blocks DNS queries for known botnets

Another benefit of DNS filtering is blocking DNS queries for known botnets. A botnet is a network of infected computers that a malicious actor controls. By blocking DNS queries for known botnets, you can prevent your organization from being used for attacks against other organizations.

It can improve DNS performance

Another benefit of DNS filtering is that it can improve DNS performance. DNS caching and DNS forwarding can help reduce the time it takes for a DNS query to be resolved. This can improve the overall performance of your network.

It can block inappropriate content

DNS filtering can also block access to websites that contain explicit or inappropriate content. This can be beneficial for organizations that want to restrict employee access to certain types of content.

What makes a DNS server secure?

A secure DNS resolver is not susceptible to DNS cache poisoning. It can happen if the DNS server fails to validate DNS responses. Some DNS servers offer upgraded privacy settings to protect user data.

A secure DNS resolver is also one that uses DNSSEC. DNSSEC is a security protocol that authenticates DNS data and ensures that it has not been tampered with. Using it is particularly beneficial since the DNS was not designed with security in mind. The DNSSEC protocol works by digitally signing DNS data. DNS clients can then verify this signature to ensure that the data has not been tampered with.

DNS filtering vs web filtering

DNS filtering and web filtering are two different types of content filtering. DNS filtering blocks access to websites based on DNS queries. Web filtering blocks access to websites based on their URL. We generally consider DNS filtering to be more effective than web filtering, as it can block access to websites before they are even loaded.

Web filters are also generally less accurate than DNS filters. This is because DNS queries are typically more specific than URLs. For example, a DNS query for "facebook.com" will always resolve to the same IP address. However, the URL for Facebook can change depending on which country you are in. It can also vary based on whether you are logged in or not.

DNS filtering is generally faster than web filtering. This is because DNS queries are typically resolved faster than URLs. DNS filtering can also block access to websites that use encrypted connections (HTTPS).

DNS filtering can be beneficial for organizations of all sizes. It can improve DNS performance, block malicious websites, and block DNS queries for known botnets. Businesses can also use it to block access to websites that contain explicit or inappropriate content. When choosing a DNS server, it is essential to choose one that is secure and offers the features you need.