Estimated Reading Time: 11 minutes
The Domain Name System (DNS) makes it possible for users all over the world to remember the web addresses of companies, social media platforms, email, and the multitude of online services used every day. DNS servers all over the world translate human-readable domain names (e.g. zvelo.com) into the machine-readable IP addresses (e.g. 184.108.40.206) that computers actually connect to and that people find hard to remember.
DNS has been around for over 30 years; the specification still in use today (RFC 1034 and RFC 1035) dates back to 1987. Yet, despite its age, and the fact that over 4 billion people worldwide rely on it as the underlying naming and addressing system for the world wide web, there remains some confusion regarding how it works, specifically relating to filtering solutions that improve security. Yes, even within the tech community…
A Brief Overview of DNS
Briefly, before we get into misconceptions… DNS basically works like this.
When a user attempts to access a website or online service, their machine (typically on behalf of a web browser) sends a DNS query to a recursive resolver. If the resolver does not already have the answer cached, it works down from the root servers to the top-level domain servers to the authoritative nameserver for the requested domain, which holds the record mapping that name to a specific IP address. The IP address is returned in a DNS response, and only then can the user’s browser or machine open a connection. DNS works as a sort of digital telephone or address book, connecting users with the content and services provided by other connected machines around the world. Making this possible is a giant network of authoritative DNS servers and resolvers all working in concert (with little credit) to make our digital lives possible, and easier.
On a network using DNS filtering for security, DNS queries are sent to a trusted filtering resolver instead of an ordinary one. The filtering resolver checks the requested domain against a URL database for categorization information. Those category values tell the filtering solution what type of content the domain hosts and whether it is considered safe, objectionable (such as pornography or adult content), or malicious (e.g. a site spreading malware, a phishing site, etc.). Based on the solution’s settings, user or machine profiles, and network configuration, the resolver either returns the real answer, so the client can connect, or returns a block response (typically NXDOMAIN or the address of a block page) so that the connection is never made. DNS filtering is often used for parental controls and web filtering to prevent users from accessing objectionable content, as well as for outright blocking connections to malicious destinations that could compromise the machine or network. It is also used in brand safety solutions to help prevent advertisements from appearing on sites or next to content that could be damaging to a company’s image.
That’s the short of it. If you have additional questions or are looking for information beyond that brief explanation of how DNS works, please check out the following blog: https://zvelo.com/why-dns-filtering-fast-flexible-and-scalable-network-protection/
Misconceptions and Clarifications Regarding DNS Web Filtering
Now that we have established a baseline, let’s take a look at the six most common misconceptions we encounter when discussing how our industry-leading URL database powers the market’s leading network security and filtering offerings.
1. DNS filtering will proactively protect the network from malicious threats
DNS filtering helps protect your network and its users from reaching malicious or objectionable online content. DNS filtering can identify and block requests to dangerous locations before a connection is made—thereby preventing malware, infections, or compromises. When powered by a highly accurate and frequently updated URL database, the rate of protection against emerging (“zero-day”) threats is improved drastically. That’s proactive!
However, DNS filtering does not actively monitor or scan the network for intruders, malware, vulnerabilities, etc. Blocking and restriction policies can be set up to notify network administrators when users or machines attempt to connect to unsafe or unwanted sites, but it will not help with remediation after a compromise or alert administrators to other types of suspicious behavior. It also only sees traffic that actually goes through the filtering resolver: a client configured to use a different resolver (including a public DNS-over-HTTPS or DNS-over-TLS endpoint), or malware that connects straight to a hard-coded IP address, never asks the filter anything, so those paths have to be closed off with firewall rules and endpoint controls.
Verdict: False, but it’s complicated. By implementing a premium DNS filtering solution with high accuracy and coverage—you are preventing users from reaching websites with malicious or objectionable content and potentially compromising the network. Still, it’s important to understand that DNS filtering does not actively monitor or scan and cannot protect the network from bad actors who may be leveraging other attack vectors.
2. DNS filtering can protect us from all webpages with malicious or objectionable content
First of all, no cybersecurity measure will provide 100% accuracy and protection. Additionally, DNS filtering can be a powerful tool for network security, but its capabilities are limited by the boundaries of DNS. DNS filtering only works at the domain (hostname) level: the resolver sees just the name being looked up, never the path, query string, or page behind it, which travel inside the HTTP request after the connection is made (and, with HTTPS, inside an encrypted stream). So it can treat different hostnames differently, but it cannot block some pages on a website while allowing others, at least not on its own. The categorization for every page and path of a domain is painted with the same broad brush. If, for instance, objectionable content is uploaded to a social media network and appears on a few of the domain’s pages (out of millions), you wouldn’t want the entire domain to be blocked. That would produce a high and undesirable rate of false positives. The same is true when cyber criminals upload and disseminate malicious payloads using common file sharing systems like Google Drive, OneDrive, Dropbox, etc.
This also highlights a critical component of any DNS filtering solution: the underlying database that supports it.
A DNS filtering solution does not by itself analyze a website’s content. The analysis and classification of the site and its content occurs ahead of time by a categorization engine or process—and is stored in a database leveraged by the filtering solution. The filtering solution simply queries the database for the URL or domain and stored categorization values. That information is used to determine if the site is safe to visit at the time the web request is made.
Premium DNS filtering solutions rely on a highly accurate URL database with broad coverage, language support, and frequent updates to account for the constant change occurring across the internet. The industry’s leading URL databases are supported by AI-powered content categorization, advanced natural language processing techniques, as well as malicious and phishing detection capabilities.
Verdict: False. DNS filtering cannot block or allow individual pages, posts, or articles within a domain and therefore some number of malicious or objectionable pages will make it through. Filtering at the individual page, post, or article level requires additional filtering technologies, such as a proxy service, that can restrict individual requests made based on the full-path web address. This is simply beyond the capabilities of domain-only filtering solutions.
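To make the two points above concrete (how a filtering resolver decides, and why that decision is per-domain rather than per-page), here is a small added example written for this article; it is not zvelo's code and does not use zvelo's data or API. The category database, URL entries, hostnames (.test) and addresses (RFC 5737 documentation ranges) are all constructed for illustration, and the policy profiles and function names are assumptions of the example.

```python
"""Toy filtering-resolver decision logic (an added example; not zvelo's code).

It models what the text describes: the resolver looks the queried hostname up
in a category database, applies a policy, and answers either with the real
record or with a block response. It also shows why the verdict is per-domain,
not per-page: the resolver never sees the URL path. All category data, hosts
and addresses below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed domain-level categorization data (hypothetical verdicts).
DOMAIN_DB = {
    "example-phish.test": {"phishing"},
    "drive.example.test": {"file_sharing"},
    "social.example.test": {"social_networking"},
    "bets.example.test": {"gambling"},
    "example.test": {"business"},
}

# Constructed full-path data that a proxy, not a DNS filter, could consult.
URL_DB = {
    "https://social.example.test/posts/123": {"adult"},
    "https://drive.example.test/u/0/f/payload.exe": {"malware"},
}

# Constructed answers the upstream (unfiltered) resolver would give.
UPSTREAM = {
    "example.test": "203.0.113.20",
    "www.example-phish.test": "203.0.113.10",
    "social.example.test": "198.51.100.5",
    "drive.example.test": "198.51.100.6",
    "bets.example.test": "198.51.100.7",
}

# Two policy profiles: a baseline and a stricter parental-control profile.
BASELINE_BLOCK = frozenset({"phishing", "malware", "adult"})
PARENTAL_BLOCK = BASELINE_BLOCK | {"gambling"}

# Block by answering with a sinkhole address. Returning NXDOMAIN is the
# other common choice; either way the client never connects.
SINKHOLE = "0.0.0.0"


def lookup_domain(hostname):
    """Most-specific suffix match: 'www.example.test' tries itself, then 'example.test'.

    Returns (matched_name, categories); an unknown host yields (None, set()).
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_DB:
            return candidate, DOMAIN_DB[candidate]
    return None, set()


def resolve(hostname, policy=BASELINE_BLOCK, upstream=UPSTREAM):
    """Filtering-resolver decision: ('block', sinkhole) or ('allow', real answer).

    An uncategorized hostname is allowed here; failing open for unknown names
    is a policy choice, not a given.
    """
    _, categories = lookup_domain(hostname)
    if categories & policy:
        return "block", SINKHOLE
    return "allow", upstream.get(hostname.lower())


def dns_verdict(url, policy=BASELINE_BLOCK):
    """What a DNS filter can decide about a URL: only the hostname is visible."""
    return resolve(urlsplit(url).hostname, policy)[0]


def proxy_verdict(url, policy=BASELINE_BLOCK):
    """What a full-path proxy can decide: page-level category, else the domain's."""
    categories = URL_DB.get(url) or lookup_domain(urlsplit(url).hostname)[1]
    return "block" if categories & policy else "allow"


if __name__ == "__main__":
    for url in ("https://social.example.test/posts/123",
                "https://social.example.test/posts/999",
                "https://drive.example.test/u/0/f/payload.exe"):
        print(f"{url}\n  DNS filter: {dns_verdict(url)}   proxy: {proxy_verdict(url)}")
    print("bets.example.test baseline:", resolve("bets.example.test")[0],
          " parental:", resolve("bets.example.test", PARENTAL_BLOCK)[0])
```

Two things to notice when running it. The two social.example.test posts get the same DNS verdict (allow) because the resolver only ever sees the hostname, while the proxy blocks the one post that is categorized as adult; likewise the hosted payload on drive.example.test passes the DNS filter but not the proxy. And the gambling site is allowed under the baseline profile but blocked under the parental one, which is the category granularity the evaluation section below talks about. Note also that the example fails open for uncategorized hostnames; whether to do that in production is a deliberate policy decision.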
Fortunately, partners like zvelo provide premium categorization and solutions for domains and full-path URLs, as well as supporting hybrid deployment options. This allows companies we work with to implement domain-based filtering that meets current needs—while continuing to develop and implement filtering solutions that go beyond DNS to the full-path level once they are ready.
3. We don’t need DNS filtering. Antivirus software provides sufficient protection for our network.
Antivirus (AV) software can provide excellent protection from viruses, but it can’t replace DNS filtering.
Users often turn off their AV software for various reasons, some valid. AV software that provides real-time protection may require significant computing resources and can impair performance. Users may also turn AV software off to install other software. It’s also a reactive solution, only able to identify malicious code that already exists within its purview. Regardless, AV software only looks for malware; it doesn’t filter or attempt to determine whether content is inappropriate for work. Sites with content such as porn, gambling, and illegal software contain viruses at higher rates than other content. They’re also often unsafe for work environments. AV software won’t actually block these sites; it just keeps an eye out for compromises. Furthermore, AV software can only detect viruses or virus-like behavior that it knows to look for. The best hackers in the industry are typically well ahead of the best AV software.
Additionally, company executives are the most frequent violators of antivirus policies, which can make those policies difficult to enforce. From a network administration standpoint, blocking an entire domain is often simpler and more effective than trying to detect viruses on that site. A complete network security solution includes both DNS filtering and antivirus software to provide preventative measures and maximum protection.
Verdict: False. Antivirus is not a replacement for DNS filtering. They are two different layers in a strong cybersecurity defense strategy.
4. Premium DNS filtering solutions are those that offer more queries per second and lower latency.
Commodity offerings provided by ISPs often use their own DNS services. In many cases, they have higher latency and slower response times. This is partly due to those DNS servers being designed to monitor and track users’ web traffic and produce valuable web traffic data the ISP can sell for profit. They’re also not intended or optimized for use in large enterprise networks or global DNS services.
Yes, slow DNS resolvers can impact system performance; however, the combination of the right solution and implementation—along with an internal or self-hosted DNS server (resolver) makes speed a non-issue. There is good news. It’s pretty simple to switch to a faster DNS service or even use your own DNS resolver.
In the case of premium DNS filtering solutions, coverage and accuracy are more important than speed. The quality of the data that a DNS filter uses (i.e. the URL database) should be the key consideration during evaluation. Based on your needs, granularity (a high number of categories) will provide the ability to allow or block with more specificity. For instance, an organization may wish to block the majority of “adult” topics, but wish to allow tobacco and/or alcohol-related websites.
Depending on your application, organization’s structure, and internal resources available—you may have a number of other considerations that are more important than speed including:
- Does the solution offer flexible deployment options? These may save time and effort both in implementation and ongoing maintenance costs.
- Does the solution provide dedicated support and engineering resources? Premium solutions are typically backed by highly responsive and dedicated support teams. They will correct miscategorizations, false positives, and address bugs as they arise. They’re also being continuously improved to meet new demands and stay competitive in the marketplace. Premium solutions come with a larger price tag, but they offer significantly higher levels of protection.
- With what frequency (how often) is the underlying URL database updated? And how often can your implementation receive those updates? Solutions with more frequent (or even continuous) updates will also provide better protection, particularly from zero-day, zero-hour, or even zero-minute threats.
In the long run, premium DNS filtering solutions with dedicated engineering teams and responsive support save time and money while providing the highest levels of protection.
Verdict: False. Speed should not be the deciding factor when you’re evaluating a DNS filtering solution. Instead, focus on coverage and accuracy, which determine how effective your filtering actually is.
5. Implementing a DNS filtering solution is expensive and time-consuming.
Many organizations worry that the time involved and costs associated with implementing a DNS solution will be too high. They are often concerned about investing months of engineering efforts only to determine that a solution will not meet their needs. Depending on the use case, business model, customer needs, or other requirements—that is certainly a possibility. However, many cloud-based solutions can be installed and configured in a matter of minutes via a web browser.
zvelo offers a number of flexible and hybrid deployment options for our URL database—enabling our partners to implement and begin testing within an hour or two—if not faster. In terms of evaluating coverage and accuracy, that is an exercise that requires careful attention and planning, which takes a bit longer.
For more information on evaluating a URL database for coverage and accuracy, check out our blog at: https://zvelo.com/evaluate-compare-url-database-classification-dns-web-filtering/
Verdict: False. Implementing a DNS filtering solution doesn’t have to be expensive or time-consuming. Integrating a premium URL database doesn’t either. With flexible integrations like our zveloDB SDK or raw snapshots of the database, our partners have a variety of options and are often up and running with performance tests and evaluations within hours.
6. All DNS filtering solutions are created equal.
As we’ve highlighted by now, DNS filtering solutions are only as good as the coverage and accuracy of the underlying URL database, the frequency in which its updated, and the support that’s offered.
The most accurate URL databases—and therefore DNS filtering solutions—are supported by AI-based categorization, continuous training and verification by human analysts, advanced natural language processing techniques, as well as malicious and phishing detection capabilities to identify harmful content online. These capabilities are essential for handling the continuously changing web content and “zero-minute” threats of today’s hostile internet environment.
Before you invest time and resources integrating a solution, we highly recommend a thorough evaluation of coverage and accuracy. Many commodity offerings will provide 50% to 80%, even 90% coverage, but when it comes to accuracy, rates plummet. We proudly maintain the industry’s leading URL Database both in terms of coverage and accuracy. If security is your primary concern for DNS filtering, we challenge you to find a better solution.
Verdict: False. Premium DNS filtering solutions with high levels of protection cost more than commodity offerings because they deliver substantially higher coverage and accuracy, which equates to significantly higher protection. Consider that a single compromised device can result in a data breach, and the average cost of a breach is estimated at $3.86 million (USD) in IBM and the Ponemon Institute’s Cost of a Data Breach research.
All aspects considered, DNS filtering is more than sufficient for many applications such as parental controls, brand safety uses, or business web filtering where it’s important to restrict web access to content that’s considered not safe for work (NSFW). For many cybersecurity applications—page-level classification provides improved control and superior protection.
As a recap:
- DNS filtering filters the DNS queries leaving your network, but it is not actively monitoring or protecting the network itself. It’s just one piece of a comprehensive cybersecurity strategy.
- DNS filtering only works at the domain level. It cannot protect, or restrict, access to certain webpages on a site, but not others.
- Antivirus is not a replacement or alternative for DNS filtering. They are more effective when working together as two layers in your security model.
- High speed and low latency are NOT what make a premium DNS offering. Coverage and accuracy are most critical. Responsive customer support and engineering support are also of high importance.
- Implementing a DNS solution does not need to be expensive or time consuming.
- All DNS filtering solutions are NOT created equal.
Many of these misconceptions stem from an assumption that DNS filtering—or any other individual technology—alone is sufficient for protecting your network, devices, and users. A comprehensive cybersecurity strategy requires multiple layers of defense to achieve high levels of protection. Integrating a premium DNS filtering solution with a high quality URL database to protect web queries and traffic—along with other solutions—can greatly improve security without negatively impacting performance or sapping profits.
The zveloDB™ URL database offers industry-leading coverage and accuracy and is trusted by many of the market’s premier web filtering, anti-virus, and network security vendors. In fact, it helps make the internet a safer place for over 650 million end users worldwide. By leveraging human-supervised machine learning for topic-based content categorization, malicious detection, and even phishing detection—zveloDB proudly boasts 99.9% coverage of the ActiveWeb (websites and pages that our global user base visits) with over 99% accuracy.
Working with OEM partners in a variety of industries worldwide, we have built and continuously improve upon a scalable cloud-based infrastructure that allows those partners to integrate and deploy our data—making their products and services more competitive and profitable, while remaining lean.
For more information on the zveloDB™ URL Database, visit our product page. Or better yet, test it yourself using zveloLIVE. Contact us for additional integration information or to schedule an evaluation.